JP2009128774A - Encryption communication method, encryption device, decryption device, and program therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a public key encryption technology that uses a trapdoor one-way replacement function that is more efficient than the conventional art and secure against CCA (adaptive chosen-ciphertext attacks). <P>SOLUTION: An encryption device divides an n-z bit (n>z≥k) plaintext m into a v-z bit (n>v-z≥2k) first plaintext m<SB>1</SB>and an n-v bit second plaintext m<SB>2</SB>, determines the bit coupling value of a z bit random number r and the first plaintext m<SB>1</SB>as a bit string t<SB>(0)</SB>, and determines the second plaintext m<SB>2</SB>as a bit string s<SB>(0)</SB>. When a round number R (R≥4) is an even number, the encryption device sequentially calculates, starting from i=0 to i=(R/2)-1, h<SB>(2×i+1)</SB>=H<SB>(2×i+1)</SB>(t<SB>(i)</SB>), s<SB>(i+1)</SB>=s<SB>(i)</SB>(+)h<SB>(2×i+1)</SB>, h<SB>(2×i+2)</SB>=H(<SB>2×i+2)</SB>(s<SB>(i+1)</SB>), t<SB>(i+1)</SB>=t<SB>(i)</SB>¾h<SB>(2×i+2)</SB>to create bit strings t<SB>(R/2)</SB>and s<SB>(R/2)</SB>, and creates a ciphertext u=f(y) wherein a trapdoor one-way replacement function is applied to their bit coupling value y. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to telecommunications technology, and more particularly to public key cryptography communication technology.

  Publication using a one-way replacement function with a trapdoor that is safe against an adaptive selection encryption attack when using an idealized hash function represented by OAEP encryption (for example, see Non-Patent Document 1) The efficiency of key encryption will be described. Note that the one-way replacement function with a trapdoor means a one-to-one function that is easy to perform a function operation using public information but difficult to perform an inverse function without secret information. For example, the RSA function is believed to be a trapdoor unidirectional replacement function.

Let f be a one-way replacement function with trapdoors that has an n-bit region {0, 1} ⁿ as its domain, and let its inverse function be f- ¹ . In the primitive public key cryptosystem, plaintext m is directly input to f, and u = f (m) and u is a ciphertext. However, with such a method, it is impossible to show that the attacker can obtain a plaintext for an arbitrary ciphertext, that is, safety in an environment, that is, it is safe against an adaptive ciphertext attack. .

In public key cryptography represented by RSA-OAEP cryptography, the ciphertext of plaintext m is set to u = f (pd (m, r)) using the padding function pd and its inverse function pd ^-1 , and the ciphertext u Decoding is assumed to be m = pd ⁻¹ (f ⁻¹ (u)). Where r is a random number.

The length of the plaintext m that can be processed is often used as a measure for evaluating the efficiency of the padding function. That is, when the number of bits of m is represented by | m |, the longer plaintext m can be encrypted as | m | Here, k is a security parameter. Incidentally, setting the security parameter and k = 128 is equivalent to estimating the limit attacker computing power and operation of approximately ²¹²⁸ times. In the most typical OAEP padding method, 2k bits are required as the length | r | of the random number r, and a fixed character string having a k-bit length is added to the plaintext m. The sum of these bit lengths must be shorter than n, that is, n> | m | + 3k, and the bit length of plaintext m that can be processed is | m | <n−3k. The difference between the plaintext length | m | and n (3k bits in this example) is called overhead. Since the bit length of plaintext that can be encrypted becomes longer as the overhead is smaller, it can be said that this is an efficient padding method.

  Various public key cryptosystems using one-way replacement functions with trapdoors that are secure against adaptive selection cryptography when using an idealized hash function have been proposed. With greater overhead. The only OAEP 3-round padding method shown in Non-Patent Document 2 etc. has an overhead of 2k bits.

FIG. 20A is a diagram for explaining the processing of the conventional OAEP 3-round padding function pd, and FIG. 20B is a diagram for explaining the processing of the inverse function pd ⁻¹ . .
The padding function pd shown in FIG. 20B is an idealized hash function with a 2k-bit random number r (= t ₍₀₎ ) and an n-2k-bit plaintext m (= s ₍₀₎ ) as inputs. Using H ₁ , H ₂ , H ₃ and exclusive OR (the exclusive OR of α and β is expressed as “α (+) β”), h ₍₁₎ = H ₁ (t _{( 0)} ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₂ (s ₍₁₎ ), t ₍₁₎ = t ₍₀₎ (+) h _{(2 )} , h ₍₃₎ = H ₃ (t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ and t ₍₁₎ and s ₍₂₎ are combined in bit t ₍₁₎ Outputs | s ₍₂₎ . Then, this is input to a trapdoor-equipped one-way replacement function f, and u calculated as u = f (t ₍₁₎ | s ₍₂₎ ) is used as a ciphertext. Α | β means bit combination of α and β.

At the time of decryption, first, the ciphertext u is input to f- ¹ , and a = f- ¹ (u) is set. Next, it is divided into the first 2k bits of a and the remaining n-2k bits, and these are input as t ₍₁₎ and s _{(2) to} the inverse function pd ^-1 of the padding function shown in FIG. Then, the calculation is performed in the reverse order of FIG. That is, h ₍₃₎ = H ₃ (t ₍₁₎ ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎ , h ₍₂₎ = H ₂ (s ₍₁₎ ), t _{(0 )} = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₁ (t ₍₀₎ ), m = s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎ Output plaintext m.

Why overhead of this approach is the 2k bits is because it uses the hash function H ₂ having an output range of the same number of bits as the random number r. In the conventional security analysis, it is assumed that the output of the hash function does not cause a collision. In the method of FIG. 20, the output range of the hash function H ₂ must be the same as the number of bits | r | of the random number r, but the idealized output value of the hash function H ₂ for different input values is obtained q times ( That is, if the attacker calculates the hash function H ₂ q times), the probability that the outputs are all different is 1- (q ² ) / (2 ^{| r |} ). If q is less than or equal to 2 ^k , | r | is greater than ^{2k for} this probability 1− (2 ^2k ) / (2 ^{| r |} ) to be meaningful (ie, greater than 0) There must be.

  Also, in order for public key cryptography to be secure, that is, to have indistinguishability, it is inevitable to use a k-bit random number, and in that sense, the overhead cannot be made smaller than k bits. That is, k bits is the minimum overhead.

  Based on stronger assumptions, k-bit overhead can be achieved. Phan and Pointcheval, in Non-Patent Document 2, propose a method of k-bit overhead using the assumption that idealized one-way replacement with trapdoors can be used. However, Non-Patent Document 2 does not show at all what kind of function the idealized one-way replacement with trapdoors corresponds to, and it is difficult to specifically realize this method. is there. In addition, the assumption of idealized one-way replacement with trapdoors is a stronger assumption than the idealized hash function, i.e., it is more difficult to achieve, so the construction of the cryptosystem Undesirable as an element.

In addition, Jonsson has proposed a method with k-bit overhead under the assumption that an idealized symmetric key cipher can be used in Non-Patent Document 3, which is also based on a hash function as described above. Is also undesirable because it uses a stronger assumption.
M. Bellare, and P. Rogaway, “Optimal Asymmetric Encryption”, Advancecs in cryptology-Eurocrypt'94, LNCS 950, pp.92-111, Springer-Verlag, 1995. DH Phan and D. Pointcheval, “OAEP 3-Round: A Generic and Secure Asymmetric Encryption Padding”, Advances in Cryptology -Asiacrypt '04, LNCS 3329, pp.63-78, 2004, Springer-Verlag. J. Jonsson, “An OAEP variant with a tight security proof”, [online], March 18, 2002, IACR e-print Archive 2002/034, Internet <http://mirror.cr.yp.to/eprint.iacr .org / 2002 / 034.pdf>

  As described above, it is the most efficient among the conventional public key cryptosystems using a one-way replacement function with a trapdoor, which is safe against an adaptive selection cryptographic attack when an idealized hash function is used. The method overhead is 2k bits. Therefore, public key cryptography using a one-way replacement function with a trapdoor that is safe against adaptive selection cryptography attacks when using an idealized hash function encrypts only plain text up to n-2k bits. could not.

  The present invention has been made in view of these points, and is one-way with a trapdoor that is safer than an adaptive selection cryptographic attack when using an idealized hash function that is more efficient than the conventional one. An object of the present invention is to provide a public key encryption technique using a sex replacement function.

In the present invention, in order to solve the above-described problems,
(A) A plaintext storage process of storing plaintext m of nz bits (n> z ≧ k, k is a security parameter) in the storage unit of the encryption device;
(B) a random number storage process of storing a z-bit random number r in the storage unit of the encryption device;
(C) The first bit splitting unit of the encryption device bits the plaintext m into the first plaintext m ₁ with vz bits (n> vz ≧ 2k) and the second plaintext m ₂ with nv bits. Dividing the first plaintext m ₂ into a bit string s ₍₀₎ ,
(D) a first bit combination unit of the encryption device generates a bit combination value of the random number r and the first plaintext m ₁ and uses the bit combination value as a bit string t ₍₀₎ ;
(E) If the number of rounds R (R is an integer of 4 or more) is an even number, i = 0 to i = (R / 2) -1 in order (i is an integer)
The first hash function calculation unit of the encryption device operates the hash function H _{(2 · i + 1)} on the value including the bit string t _(i) to generate a hash value h _{(2 · i + 1) of} n−v bits. A first hash function calculation process for calculating

The first exclusive OR operation unit of the encryption device performs an exclusive OR operation on the bit string s _(i) and the hash value h _{(2 · i + 1),} and the operation result is represented as the bit string s _{(i + 1). )} The first exclusive OR operation process,
The second hash function calculation unit of the encryption device operates the hash function H _{(2 · i + 2)} on the value including the bit string s _{(i + 1)} to generate the v-bit hash value h _{(2 · i + 2).} A second hash function calculation process for calculating
The second exclusive OR operation unit of the encryption device performs an exclusive OR operation on the bit string t _(i) and the hash value h _{(2 · i + 2),} and the operation result is represented by the bit string t _{(i + 1). )} And a second exclusive OR operation process,
When the round number R is an odd number, the first hash function calculation process and the first exclusive OR calculation process are sequentially performed from i = 0 to i = {(R-1) / 2} -1. The second hash function calculation process and the second exclusive OR calculation process are executed, and the first hash function calculation process and the first exclusive OR calculation are performed for i = (R−1) / 2. A disturbance process,

(F) When the round number R is an even number, the second bit combination unit of the encryption device generates a bit combination value y including the bit string t _{(R / 2)} and the bit string s _{(R / 2).} ,
When the number of rounds R is an odd number, the second bit combination unit of the encryption device performs the bit sequence t _{((R-1) / 2)} and the bit sequence s _{(((R-1) / 2) +1)} A second bit combination process for generating a bit combination value y including
(G) The unidirectional replacement function computing unit of the encryption device calculates a ciphertext u = f (y) obtained by applying the trapdoor unidirectional replacement function f to the bit combination value y. Substitution function calculation process,
(H) a ciphertext transmission process in which the transmission unit of the encryption device transmits the ciphertext u to the decryption device;
(I) a ciphertext storage process for storing the ciphertext u in the storage unit of the decryption device;
(J) The inverse function calculation unit of the decryption device applies the inverse function f ⁻¹ of the trapdoor unidirectional replacement function f to the ciphertext u, and obtains the bit combination value y = f ⁻¹ (u) The inverse function calculation process to extract,
(K) The second bit division unit of the decoding device performs bit division on the bit combination value y, and if the round number R is an even number, at least the bit string t _{(R / 2)} and the bit string s _{(R / 2)} A second bit division process of extracting at least a bit string t _{((R-1) / 2)} and a bit string s _{(((R-1) / 2) +1)} when the round number R is an odd number When,
(L) If the number of rounds R is an even number, from i = (R / 2) -1 to i = 0,
The third hash function operation unit of the decryption device operates the hash function H _{(2 · i + 2)} on the value including the bit string s _{(i + 1)} to obtain the v-bit hash value h _{(2 · i + 2)} . A third hash function calculation process to be calculated;

A third exclusive OR operation unit of the decoding device performs an exclusive OR operation on the bit string t _{(i + 1)} and the hash value h _{(2 · i + 2),} and the operation result is represented by the bit string t _(i). A third exclusive OR operation process,
The fourth hash function calculation unit of the decryption device operates the hash function H _{(2 · i + 1)} on the value including the bit string t _(i) to obtain the n−v bit hash value h _{(2 · i + 1)} . A fourth hash function calculation process to be calculated;
A fourth exclusive OR operation unit of the decoding device performs an exclusive OR operation on the bit string s _{(i + 1)} and the hash value h _{(2 · i + 1),} and the operation result is represented as the bit string s _(i). And a fourth exclusive OR operation process,

When the round number R is an odd number, the fourth hash function calculation process and the fourth exclusive OR calculation process are executed for i = (R−1) / 2, and i = {( R-1) / 2} -1 to i = 0, in order, the third hash function calculation process, the third exclusive OR calculation process, the fourth hash function calculation process, and the fourth exclusive OR. A disturbance recovery process that performs an arithmetic process; and
(M) a third bit splitting process in which a third bit splitting unit of the decoding device splits the bit string t ₍₀₎ to extract a random number r of z bits and a first plaintext m _{1 of} vz bits;
(N) a third bit combination process in which a third bit combination unit of the decoding device generates a bit combination value between the first plaintext m ₁ and the bit string s ₍₀₎ and outputs the bit combination value as a decoding result; Execute.

Thus, in the present invention, the plaintext m is bit-sliced to a 1 plaintext m ₁ and the second plaintext m _2, input random number r and the bit connection value of the first plaintext m _1, and a second plaintext m ₂ Perform the disturbance process as As described above, in relation to the output area of the hash function, the number of bits of the bit combination value between the random number r and the first plaintext m ₁ must be 2k or more, but a part of this bit is replaced with the first plaintext m _1. As a result, the overhead can be improved as compared with the prior art.

Also, for safety, it is important that the random number r is not leaked to the attacker by a decryption request. In the present invention, the bit combination value of the random number r and the first plaintext m ₁ is used. In this case, in order to prevent the information related to the random number r from leaking to the attacker when the plaintext is given to the attacker. Treatment is required. In the present invention, such a risk is eliminated by setting the round number R to 4 or more and disturbing the coupling between the random number r and the first plaintext m ₁ .

  As described above, in the present invention, disclosure using a one-way replacement function with a trapdoor, which is safer than an adaptive selection cryptographic attack when using an idealized hash function, which is more efficient than the conventional one. Key encryption can be realized.

The best mode for carrying out the present invention will be described below with reference to the drawings.
[First Embodiment]
<Overall configuration>
FIG. 1A is a diagram illustrating a configuration of the cryptographic communication system 1 according to the first embodiment.
As illustrated in FIG. 1A, the cryptographic communication system 1 according to the present embodiment includes an encryption device 10 that performs encryption by a public key cryptosystem, and a decryption device 20 that decrypts a ciphertext generated thereby. And are communicably connected through an insecure network 30 such as the Internet. In addition, although communication between the encryption apparatus 10 and the decryption apparatus 20 is performed through the network 30, it is abbreviate | omitted and demonstrates below.

<Hardware configuration>
FIG. 1B is a block diagram illustrating a hardware configuration of the encryption device 10.

  As illustrated in FIG. 1B, the encryption device 10 of this example includes a CPU (Central Processing Unit) 10a, an input unit 10b, an output unit 10c, an auxiliary storage device 10d, a RAM (Random Access Memory) 10f, and a ROM. (Read Only Memory) 10e and bus 10g.

The CPU 10a executes various arithmetic processes in accordance with the read various programs. The input unit 10b is an input port for inputting data, a keyboard, a mouse, and the like. The output unit 10c is an output port for outputting data, a display, and the like. The auxiliary storage device 10d is, for example, a hard disk, an MO (Magneto-Optical disc), a semiconductor memory, or the like, and the RAM 10f is an SRAM (Static Random Access Memory), a DRAM (Dynamic Random Access Memory), or the like. The bus 10g connects the CPU 10a, the input unit 10b, the output unit 10c, the auxiliary storage device 10d, the RAM 10f, and the ROM 10e so that they can communicate with each other.
Note that the hardware configuration of the decryption device 20 is the same as that of the encryption device 10, and thus the description thereof is omitted.

<Cooperation between hardware and software>
The encryption device 10 and the decryption device 20 of the first embodiment are each constructed by reading a predetermined program into the hardware as described above and executing it by the CPU. The functional configuration of each device constructed in this way will be described below.

  FIG. 2 is a block diagram illustrating a functional configuration of the encryption device 10 according to the first embodiment. FIG. 3 is a block diagram illustrating a functional configuration of the decoding device 20 according to the first embodiment. The arrows in FIGS. 2 and 3 indicate the data flow, but the arrows corresponding to the data flow in and out of the control units 13a and 23a are omitted.

  As illustrated in FIG. 2, the encryption device 10 according to the present exemplary embodiment includes a storage unit 11, a transmission unit 12, a control unit 13a, a random number generation unit 13b, a first bit division unit 13c, and a first bit combination. Unit 13d, first hash function operation unit 13e, first exclusive OR operation unit 13f, second hash function operation unit 13g, second exclusive OR operation unit 13h, and second bit combination unit 13i And a unidirectional replacement function calculator 13j.

  The storage unit 11 is, for example, a cache memory, a register, a RAM, an auxiliary storage device, or a storage area that combines them. The transmission unit 12 is a communication device such as a LAN card or a modem that is driven under the control of a CPU loaded with a predetermined program. Furthermore, the control unit 13a, the random number generation unit 13b, the first bit division unit 13c, the first bit combination unit 13d, the first hash function calculation unit 13e, the first exclusive OR calculation unit 13f, and the second hash function calculation unit 13g The second exclusive OR operation unit 13h, the second bit combination unit 13i, and the unidirectional replacement function operation unit 13j are, for example, operation units constructed by reading a predetermined program into the CPU and executing it. is there. In addition, the encryption device 10 executes each process under the control of the control unit 13a.

  As illustrated in FIG. 3, the decoding device 20 according to the present embodiment includes a storage unit 21, a reception unit 22, a control unit 23 a, an inverse function calculation unit 23 b, a second bit division unit 23 c, and a third hash function. An operation unit 23d, a third exclusive OR operation unit 23e, a fourth hash function operation unit 23f, a fourth exclusive OR operation unit 23g, a third bit division unit 23h, and a third bit combination unit 23i And have.

  The storage unit 21 is, for example, a cache memory, a register, a RAM, an auxiliary storage device, or a storage area that combines them. The receiving unit 22 is a communication device such as a LAN card or a modem that is driven under the control of a CPU loaded with a predetermined program. Furthermore, the control unit 23a, inverse function calculation unit 23b, second bit division unit 23c, third hash function calculation unit 23d, third exclusive OR calculation unit 23e, fourth hash function calculation unit 23f, fourth exclusive logic The sum operation unit 23g, the third bit division unit 23h, and the third bit combination unit 23i are operation units constructed by, for example, reading a predetermined program into the CPU and executing it. Further, the decoding device 20 executes each process under the control of the control unit 23a.

<Processing>
Next, the processing of this embodiment will be described. In the following, the process when the number of rounds of the disturbance process is an even number and the process when the number of rounds is an odd number will be described separately. However, the following processes may be selectively executed depending on whether the number of rounds of the disturbance process is an even number or an odd number.

[When the number of rounds R (R ≧ 4) is an even number]
《Encryption processing》
FIG. 4 is a flowchart for explaining the encryption processing when the round number R (R ≧ 4) is an even number. Hereinafter, description will be made with reference to this figure.

  First, plaintext m of nz bits (n> z ≧ k, k is a security parameter) is stored in the storage unit 11 of the encryption device 10 (FIG. 2) (plaintext storage process / step S1). Note that n in this embodiment means the number of bits in the input area of the one-way replacement function f used by the encryption apparatus 10. Further, the value of the security parameter k is not particularly limited, and may be set according to a required safety level. In general, it is desirable that k> 80.

  Next, the random number generation unit 13b of the encryption device 10 generates a z-bit random number r and stores it in the storage unit 11 (random number storage process / step S2).

Next, the first bit dividing portion 13c of the encryption device 10, reads the plaintext m from the storage unit 11, the plaintext m, v-z bit first plaintext m ₁ of (n> v-z ≧ 2k ) and , N−v bits of the second plaintext m _2, and the first plaintext m ₁ and the second plaintext m ₂ (= s ₍₀₎ ) are stored in the storage unit 11 (first bit division process) / Step S3).

  Note that z may be any value as long as n> z ≧ k is satisfied, and v may be any value as long as n> v−z ≧ 2k is satisfied. However, when z = k and v = 3k, it is desirable to set z = k and v = 3k because overhead can be minimized while ensuring safety.

Also, there is no restriction on the division method when bit division of the plaintext m into the first plaintext m ₁ and the second plaintext m ₂ , for example, the upper vz bits of the plaintext m are the first plaintext m ₁ and the rest Nv bits of the second plaintext m ₂ may be used, or the lower vz bits of the plaintext m may be the first plaintext m ₁ and the remaining nv bits of the second plaintext m ₂ may be used.

Next, the first bit combination unit 13d of the encryption device 10 reads the random number r and the first plaintext m ₁ from the storage unit 11, generates these bit combination values r | m ₁ , and the bit combination value r | m ₁ bit string
t ₍₀₎ = r | m ₁
Is stored in the storage unit 11 (first bit combination process / step S4).

The bit combination method of the random number r and the first plaintext m ₁ is not limited. For example, the random number r may be combined as the upper z bits, and the first plaintext m ₁ may be combined as the remaining bits. The plaintext m ₁ may be combined as the upper vz bits and the random number r may be combined as the remaining bits.

  Next, the control unit 13a sets i = 0, and holds i in a register (not shown) (step S5).

Next, the first hash function calculation unit 13e of the encryption device 10 reads the bit string t _(i) from the storage unit 11, and applies the hash function H _{(2 · i + 1)} to the bit string t _(i). n-v bit hash value
h _{(2 ・ i + 1)} = H _{(2 ・ i + 1)} (t _(i) )
And the hash value h _{(2 · i + 1)} is stored in the storage unit 11 (first hash function calculation process / step S6). The hash function H _{(2 · i + 1)} in this embodiment is
H _{(2 · i + 1)} : {0,1} ^v → {0,1} ^n−v
Has an I / O area. Further, as the hash function H _{(2 · i + 1)} , for example, SHA-1 or the like can be used.

Next, the first exclusive OR operation unit 13f of the encryption device 10 reads the bit string s _(i) and the hash value h _{(2 · i + 1)} from the storage unit 11, and performs these exclusive OR operations.
s _{(i + 1)} = s _(i) (+) h _{(2 ・ i + 1)}
And the bit string s _{(i + 1)} as the result of the operation is stored in the storage unit 11 (first exclusive OR operation process / step S7).

Next, a second hash function operation unit 13g of the encryption device 10, from the storage unit 11 bit sequence s _{(i + 1)} reads, the bit sequence s _{(i + 1)} to the hash function H _{(2 · i + 2)} V-bit hash value
h _{(2 ・ i + 2)} = H _{(2 ・ i + 2)} (s _{(i + 1)} )
And the hash value h _{(2 · i + 2)} is stored in the storage unit 11 (second hash function calculation process / step S8). Note that the hash function H _{(2 · i + 2)} in this embodiment is
H _{(2 · i + 2)} : {0,1} ^n−v → {0,1} ^v
Has an I / O area. Further, as the hash function H _{(2 · i + 2)} , for example, SHA-1 or the like can be used.

Next, the second exclusive OR operation unit 13h of the encryption device 10 reads the bit string t _(i) and the hash value h _{(2 · i + 2)} from the storage unit 11, and performs these exclusive OR operations.
t _{(i + 1)} = t _(i) (+) h _{(2 ・ i + 2)}
And the bit string t _{(i + 1)} , which is the calculation result, is stored in the storage unit 11 (second exclusive OR calculation process / step S9).

Next, the control unit 13a determines whether i = (R / 2) -1 is satisfied (step S10). If i = (R / 2) -1 is not satisfied, the control unit 13a stores i + 1 as a new i in the register (step S11), and returns the process to step S6. On the other hand, when i = (R / 2) −1 is satisfied, the second bit combination unit 13i of the encryption device 10 receives the bit string t _{(R / 2)} , the bit string s _{(R / 2),} and the like from the storage unit 11. A bit-join value containing them
y = t _{(R / 2)} | s _{(R / 2)}
And the bit combination value y is stored in the storage unit 11 (second bit combination process / step S12).

Next, the one-way replacement function calculation unit 13j of the encryption device 10 reads the bit combination value y from the storage unit 11, and causes the one-way replacement function f with a trapdoor to act on the bit combination value y. secret message
u = f (y)
And the ciphertext u is stored in the storage unit of the encryption device (one-way replacement function calculation process / step S13). Note that the one-way replacement function with trapdoor f is, for example, an RSA encryption function that bases security on the difficulty of solving a factorization problem, or grounds of safety on the difficulty of solving a discrete logarithm problem. The encryption function of the ElGamal cipher, etc., for example (see “Tatsuaki Okamoto, Hiroshi Yamamoto,“ Contemporary Cipher ”, Sangyo Tosho Publishing, ISBN 4-7828-5353-X (reference document 1), etc.)).

  Thereafter, the transmission unit 12 of the encryption device 10 transmits the ciphertext u read from the storage unit 11 to the decryption device 20 (ciphertext transmission process / step S14).

<< Decryption process >>
FIG. 5 is a flowchart for explaining the decoding process when the round number R (R ≧ 4) is an even number. Hereinafter, description will be made with reference to this figure.
The ciphertext u transmitted as described above is received by the receiving unit 22 of the decryption device 20 (FIG. 3) and stored in the storage unit 21 (ciphertext storage process / step S21).

Next, the inverse function calculation unit 23b of the decryption device 20 reads the ciphertext u from the storage unit 21, and causes the inverse function f− ¹ of the trapdoor-equipped one-way replacement function f to act on the ciphertext u. Bit combined value
y = f ⁻¹ (u)
And the bit combination value y is stored in the storage unit 21 (inverse function calculation process / step S22).

Next, the second bit dividing unit 23c of the decoding device 20 reads the bit combination value y from the storage unit 21, divides the bit combination value y into bits, and generates a bit string t _{(R / 2)} and a bit string s _{(R / 2). )} And
y → t _{(R / 2)} , s _{(R / 2)}
They are stored in the storage unit 21 (second bit division process / step S23).
Next, the control unit 13a sets i = (R / 2) -1 and holds i in a register (not shown) (step S24).

Next, a third hash function operation unit 23d of the decoding apparatus 20 from the storage unit 21 reads the bit string s _{(i + 1),} the above bit sequence s _{(i + 1)} to the hash function H _{(2 · i + 2)} V-bit hash value
h _{(2 ・ i + 2)} = H _{(2 ・ i + 2)} (s _{(i + 1)} )
And the hash value h _{(2 · i + 2)} is stored in the storage unit 21 (third hash function calculation process / step S25). Each hash function H _{(2 · i + 2)} is the same as that of the encryption device 10.

Next, the third exclusive OR operation unit 23e of the decryption apparatus 20 reads the bit string t _{(i + 1)} and the hash value h _{(2 · i + 2)} from the storage unit 21, and these exclusive ORs. Calculation
t _(i) = t _{(i + 1)} (+) h _{(2 ・ i + 2)}
And the bit string t _(i) , which is the result of the operation, is stored in the storage unit 21 (third exclusive OR operation process / step S26).

Next, the fourth hash function calculation unit 23f of the decryption device 20 reads the bit string t _(i) from the storage unit 21, and applies the hash function H _{(2 · i + 1)} to the bit string t _(i) to make n -V-bit hash value
h _{(2 ・ i + 1)} = H _{(2 ・ i + 1)} (t _(i) )
And the hash value h _{(2 · i + 1)} is stored in the storage unit 21 (fourth hash function calculation step / step S27).

Next, the fourth exclusive OR operation unit 23g of the decoding device 20 reads the bit string s _{(i + 1)} and the hash value h _{(2 · i + 1)} from the storage unit 21, and performs exclusive OR of these. Calculation
s _(i) = s _{(i + 1)} (+) h _{(2 ・ i + 1)}
And the bit string s _(i) , which is the result of the operation, is stored in the storage unit 21 (fourth exclusive OR operation process / step S28).

Next, the control unit 23a determines whether i = 0 is satisfied (step S29). If i = 0 is not satisfied, the control unit 23a stores i-1 as a new i in the register (step S30), and returns the process to step S25. On the other hand, if i = 0 is satisfied, the third bit dividing section 23h of the decoder 20 from the memory unit 21 reads the bit string t _(0), the bit string t a ₍₀₎ to bit-sliced,
t ₍₀₎ → r, m ₁
The z-bit random number r and the vz-bit first plaintext m ₁ are extracted, and the random number r and the first plaintext m ₁ are stored in the storage unit 21 (third bit division process / step S31). Note that the bit division method in step S31 corresponds to the bit combination method in step S4 performed by the encryption apparatus 10. For example, in step S4, if the random number r is the upper z bit and the first plaintext m ₁ is the remaining bits, and the bits are combined, in step S31, the upper z bit of the bit string t ₍₀₎ is set as the random number r. Extract the remaining bits as the first plaintext m ₁ .

Next, the third bit combination unit 23i of the decryption device 20 reads the first plaintext m ₁ and the bit string s ₍₀₎ (= m ₂ ) from the storage unit 21, and these bit combination values are read.
m = m ₁ | s ₍₀₎
And outputs the bit combination value as a decoding result m (third bit combination process / step S32).

[When the round number R is an odd number]
《Encryption processing》
FIG. 6 is a flowchart for explaining the encryption process when the round number R (R ≧ 4) is an odd number. Hereinafter, description will be made with reference to this figure. Note that a description of matters common to the processing when the round number R is an even number is omitted.
First, the encryption device 10 (FIG. 2) executes the processing of steps S1 to S9 described in the processing when the round number R is an even number.

Next, the control unit 13a of the encryption device 10 determines whether i = (R−1) / 2 is satisfied (step S41). If i = (R−1) / 2 is not satisfied, the control unit 13a stores i + 1 as a new i in the register (step S42), and returns the process to step S6. On the other hand, when i = (R / 2) −1 is satisfied, the first hash function calculation unit 13e of the encryption device 10 reads the bit string t _(i) from the storage unit 11, and stores the bit string t _(i) in the bit string t _(i) . Hash value of n−v bits by applying the hash function H _{(2 · i + 1)}
h _{(2 ・ i + 1)} = H _{(2 ・ i + 1)} (t _(i) )
And the hash value h _{(2 · i + 1)} is stored in the storage unit 11 (first hash function calculation process / step S44).

Next, the first exclusive OR operation unit 13f of the encryption device 10 reads the bit string s _(i) and the hash value h _{(2 · i + 1)} from the storage unit 11, and performs these exclusive OR operations.
s _{(i + 1)} = s _(i) (+) h _{(2 ・ i + 1)}
And the bit string s _{(i + 1)} as the result of the operation is stored in the storage unit 11 (first exclusive OR operation process / step S45).

Next, the second bit combination unit 13 i of the encryption device 10 reads the bit string t _{((R−1) / 2)} and the bit string s _{(((R−1) / 2) +1)} from the storage unit 11. , The bit-join value that contains them
y = t _{((R-1) / 2)} | s _{(((R-1) / 2) +1)}
And the bit combination value y is stored in the storage unit 11 (step S46).

After that, the unidirectional replacement function computing unit 13j of the encryption device 10 reads the bit combination value y from the storage unit 11, and the cipher with the trapdoor unidirectional replacement function f applied to the bit combination value y. Sentence
u = f (y)
And the ciphertext u is stored in the storage unit of the encryption device (one-way replacement function calculation process / step S13), and the transmission unit 12 of the encryption device 10 reads the ciphertext read from the storage unit 11 u is transmitted to the decryption device 20 (ciphertext transmission process / step S14).

<< Decryption process >>
FIG. 7 is a flowchart for explaining a decoding process when the round number R is an odd number. Hereinafter, description will be made with reference to this figure. Note that a description of matters common to the processing when the round number R is an even number is omitted.

First, the decoding device 20 (FIG. 3) executes the processing of steps S21 and S22 described in the processing when the round number R is an even number.
Next, the second bit division unit 23c of the decoding device 20 reads the bit combination value y from the storage unit 21, divides the bit combination value y into bits, the bit string t _{((R-1) / 2)} and the bit string s. _{(((R-1) / 2) +1)}
y → t _{((R-1) / 2)} , s _{(((R-1) / 2) +1)}
They are stored in the storage unit 21 (second bit division process / step S50).

Next, the control unit 13a sets i = (R-1) / 2, and holds i in a register (not shown) (step S51).
Next, the fourth hash function calculation unit 23f of the decryption device 20 reads the bit string t _(i) from the storage unit 21, and applies the hash function H _{(2 · i + 1)} to the bit string t _(i) to make n -V-bit hash value
h _{(2 ・ i + 1)} = H _{(2 ・ i + 1)} (t _(i) )
And the hash value h _{(2 · i + 1)} is stored in the storage unit 21 (fourth hash function calculation process / step S52).

Next, the fourth exclusive OR operation unit 23g of the decoding device 20 reads the bit string s _{(i + 1)} and the hash value h _{(2 · i + 1)} from the storage unit 21, and performs exclusive OR of these. Calculation
s _(i) = s _{(i + 1)} (+) h _{(2 ・ i + 1)}
And the bit string s _(i) as the result of the operation is stored in the storage unit 21 (fourth exclusive OR operation process / step S53).

Next, the controller 13a sets i = {(R-1) / 2} -1, and holds i in a register (not shown) (step S54).
Thereafter, the processes in steps S25 to S32 described in the process when the round number R is an even number are executed, and the decoding result m is output.

<Specific examples of disturbance process and restoration process>
Next, the process of the disturbance process (steps S5-11 or S5-S9, S41, S42) and the disturbance restoration process (steps S24-30, S52-S54, S25-S30) in the case of round number R = 4, 5 are performed. Illustrate.

[When the number of rounds is R = 4]
FIG. 8A is a flowchart for explaining the disturbance process when the number of rounds R = 4. In this example,
i = 0: h ₍₁₎ = H ₍₁₎ (t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (s _{(1 )} ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (s _{(2 )} ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₂₎ are output.

FIG. 8B is a flowchart for explaining the disturbance restoration process when the number of rounds R = 4. In this example,
i = 1: h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (t _{(1 )} ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (t _{(0 )} ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

[When the number of rounds is R = 5]
FIG. 9A is a flowchart for explaining the disturbance process when the number of rounds R = 5. In this example,
i = 0: h ₍₁₎ = H ₍₁₎ (t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (s _{(1 )} ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (s _{(2 )} ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
i = 2: h ₍₅₎ = H ₍₅₎ (t ₍₂₎ ), s ₍₃₎ = s ₍₂₎ (+) h ₍₅₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₃₎ are output.

FIG. 9B is a flowchart for explaining the disturbance restoration process when the number of rounds R = 5. In this example,
i = 2: h ₍₅₎ = H ₍₅₎ (t ₍₂₎ ), s ₍₂₎ = s ₍₃₎ (+) h ₍₅₎
i = 1: h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (t _{(1 )} ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (t _{(0 )} ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

<Features of First Embodiment>
In this embodiment, the plaintext m of n−z bits (n> z ≧ k, k is a security parameter), the first plaintext m ₁ of vz bits (n> vz ≧ 2k), and the nv bit of the first 2 bits divided into a plaintext m _2, bit connection value r to the random number r and the first plaintext m ₁ of z bits | and m _1, it was decided to perform the disturbance process as input a second plaintext m _2. As described above, the number of bits v of r | m ₁ must be 2k or more in relation to the output area of the hash function. However, by making a part of these bits the first plaintext m ₁ , it is more overhead than before. Can be improved. In particular, when z = k and v = 3k, the overhead is k bits, and the overhead can be minimized.

Also, for security, it is important that the random number r is not leaked to the attacker by the decryption request, but the round number R is set to 4 or more, and the coupling between the random number r and the first plaintext m ₁ is disturbed. Therefore, safety is ensured.

  Note that the present invention is not limited to the above-described embodiment. If matching can be achieved between the encryption device 10 and the decryption device 20, further information is added to any information that is bit-coupled. Bit combination may be used.

[Second Embodiment]
Next, a second embodiment of the present invention will be described.
This embodiment is a modification of the first embodiment. (1) The bit combination value y generated in the second bit combination process performed by the encryption apparatus is a predetermined value when the round number R is an even number. When the round number R is an odd number, the additional information b indicating the predetermined value and the bit string t are set to a bit combination value including the additional information b indicating the bit string t _{(R / 2)} and the bit string s _{(R / 2). (2)} a bit combination value including _{((R-1) / 2)} and a bit string s _{(((R-1) / 2) +1)} , (2) in the second bit division process performed by the decoding device, When the combined value y is divided into bits and the round number R is an even number, at least the additional information b, the bit string t _{(R / 2),} and the bit string s _{(R / 2)} are extracted, and the round number R is an odd number. In this case, at least the additional information b, the bit string t _{((R-1) / 2)} and the bit string s _{(((R-1) / 2) +1)} are extracted and stored in the storage unit of the decoding device. And (3) in the second bit division process The disturbance restoration process, the third bit division process, and the third bit combination process are executed only when the output additional information b shows a predetermined value, and the additional information b extracted in the second bit division process is other than the predetermined value. In other words, the camouflaged decoding result generation unit of the decoding device generates an nz bit random number and outputs the random number as a decoding result.

Below, it demonstrates centering around difference with 1st Embodiment, and abbreviate | omits description about the matter which is common in 1st Embodiment.
<Overall configuration>
The encryption communication system according to the second embodiment has a configuration in which the encryption device 10 according to the first embodiment is replaced with the encryption device 110 and the decryption device 20 is replaced with the decryption device 120.

<Hardware configuration>
Since it is the same as that of 1st Embodiment, description is abbreviate | omitted.

<Cooperation between hardware and software>
The encryption device 110 and the decryption device 120 of the second embodiment are each constructed by reading a predetermined program into the hardware as described above and executing it by the CPU. The functional configuration of each device constructed in this way will be described below.

  FIG. 10 is a block diagram illustrating a functional configuration of the encryption device 110 according to the second embodiment. FIG. 11 is a block diagram illustrating a functional configuration of the decoding device 120 according to the second embodiment. In FIGS. 10 and 11, the same reference numerals as those in FIGS. 2 and 3 are assigned to portions common to the first embodiment.

  As shown in FIG. 10, the encryption device 110 according to the second embodiment is configured by replacing the second bit combination unit 13i of the encryption device 10 according to the first embodiment with a second bit combination unit 113i. The second bit combination unit 113i is an arithmetic unit that is constructed by, for example, a predetermined program being read into the CPU and executed. The encryption device 110 executes each process under the control of the control unit 13a.

  As shown in FIG. 11, the decoding device 120 of the second embodiment replaces the second bit division unit 23c of the decoding device 20 of the first embodiment with a second bit division unit 123c, and further determines a determination unit 123d. And a camouflaged decoding result generation unit 123e. Note that the second bit division unit 123c, the determination unit 123d, and the camouflaged decoding result generation unit 123e are, for example, arithmetic units that are constructed when a predetermined program is read and executed by the CPU. In addition, the decoding device 120 executes each process under the control of the control unit 23a.

Also, in this embodiment, for example, the one-way replacement function with trapdoor is a function that takes a value of 0 or more and less than N (N is a natural number) as input, and the bit length of N is | N | A bit or bit string satisfying n = | N |-| b | when the bit length of the information b is | b | and the additional information b is 0, and generated in the second bit combination process A case where y is a value obtained by bit-combining additional information b at the beginning will be described. In addition, as the one-way replacement function with trapdoors f in this example, the encryption function in the RSA encryption method is used.
f (x) = x ^e mod N
The inverse function f ⁻¹ is the decryption function in the RSA cryptosystem.
f ⁻¹ (y) = y ^d mod N
Can be illustrated. Note that e and d are a public key and a secret key of RSA encryption, respectively, and x and y are elements of an integer set Z _{N that} is 0 or more and less than N. Further, the bit length | b | of the additional information b is not particularly limited, but | b | = 1 is desirable in order to reduce overhead. As preprocessing, this additional information b is stored in the storage unit 11 of the encryption device 110, and further, additional information b ′ indicating the same value as the additional information b is stored in the storage unit 21 of the decryption device 120. . Alternatively, the additional information may be described in advance in a program for configuring each device.

<Processing>
Next, the processing of this embodiment will be described. Only the differences from the processing of the first embodiment will be described below. In this embodiment, the case where the round number R is an even number and the case where the round number R is an odd number will be described simultaneously.

<Encryption processing>
FIG. 12A is a flowchart for explaining the encryption processing of the second embodiment. First, in the encryption device 110 (FIG. 10), when the round number R is an even number, steps S1 to S11 are performed. Processing is performed, and when the round number R is an odd number, processing in steps S1 to S9 and S41 to S45 is performed.

Thereafter, when the round number R is an even number, the second bit combination unit 113i of the encryption device 110 performs additional information b indicating a predetermined value, a bit string t _{(R / 2)} , a bit string s _{(R / 2)} , Are read from the storage unit 11 and their bit combination values
y = b | t _{(R / 2)} | s _{(R / 2)} (if R is even)
And the bit combination value y is stored in the storage unit 11. When the round number R is an odd number, the second bit combination unit 113i of the encryption device 110 performs additional information b indicating a predetermined value, a bit string t _{((R-1) / 2),} and a bit string s _{(( (R-1) / 2) +1)} are read from the storage unit 11 and their bit combination values
y = b | t _{((R-1) / 2)} | s _{(((R-1) / 2) +1)} (when R is odd)
And the bit combination value y is stored in the storage unit 11 (second bit combination process / step S111).
Thereafter, the encryption device 110 executes the processing of steps S13 and S14 as in the first embodiment, and transmits the ciphertext u to the decryption device 120.

<< Decryption process >>
FIG. 12B is a flowchart for explaining the decoding process of the second embodiment.
First, in the decoding device 120 (FIG. 11), the processes of steps S21 and S22 described in the first embodiment are executed. Thereafter, the second bit division unit 123c of the decoding device 120 reads the bit combination value y from the storage unit 21, divides the bit combination value y into bits, and when the round number R is an even number, the additional information b and When bit sequence t _{(R / 2)} and bit sequence s _{(R / 2)} are extracted and round number R is an odd number, additional information b, bit sequence t _{((R-1) / 2)} and bit sequence s _{((( (R-1) / 2) +1)} are extracted and stored in the storage unit 21 (second bit division process / step S121).
y → b, t _{(R / 2)} , s _{(R / 2)} (when R is even)
y → b, t _{((R-1) / 2)} , s _{(((R-1) / 2) +1)} (when R is odd)

In this embodiment, the upper | b | bits of the bit combination value y are extracted as additional information b. Further, as described in the first embodiment, the bit position t of the bit combination value y is changed to the bit string t _{(R / 2)} and the bit string s _{(R / 2)} or the bit string t _{((R-1) /} Whether to extract as ₂₎ and bit string s _{(((R-1) / 2) +1)} is determined according to the bit combination method in the second bit combination process (step S111).

  Next, the determination unit 123d reads the additional information b stored in step S121 from the storage unit 21 and the additional information b ′ stored in the preprocessing, and determines whether the values indicated by these are the same. (Step S122). Here, when it is determined that b = b ′ is not true, the camouflaged decoding result generation unit 123e generates an n−z bit random number and outputs the random number as a decoding result m ′ (fake decoding result generation process / step) S123). On the other hand, when it is determined that b = b ′, as in the first embodiment, when the round number R is an even number, the processing of steps S24 to S32 is executed, and when the round number R is an odd number. , Steps S51 to S54, S25 to S32 are executed, and the decoding result m is output.

<Features of Second Embodiment>
In this embodiment, as in the first embodiment, it is possible to reduce overhead while ensuring safety.
In this embodiment, the bit combination value y includes the additional information b, and the decryption device 120 verifies the validity of the ciphertext u using the additional information b. The decryption process is performed in the same manner as in the first embodiment, and the nz-bit decryption result is output. When the ciphertext u is invalid, the nz-bit random number is output as the decryption result. Thereby, it is possible to prevent the decryption device 120 from performing decryption processing when the ciphertext u is invalid. Furthermore, when the ciphertext u is invalid, a random number having the same number of bits nz as the normal decryption result is output as the decryption result, thereby preventing information effective for the selected ciphertext attack from leaking to the attacker.

  In this embodiment, the one-way replacement function f with a trapdoor is a function that takes a value of 0 or more and less than N (N is a natural number) as input, and the bit length of N is | N | When the bit length is | b |, n = | N |-| b | is satisfied, and the additional information b is a bit or a bit string indicating 0, and the bit combination value y generated in the second bit combination process is The case where the additional information b is a value that is bit-coupled at the beginning has been described. However, the present invention is not limited to this, and the present embodiment may be applied when an ElGamal encryption function having an n-bit input area is used as the one-way replacement function with trapdoors f. Further, the additional information b, b ′ may indicate a value other than 0.

  In addition, as long as matching is achieved between the encryption device 110 and the decryption device 120, other information may be further bit-coupled to any information that is bit-coupled.

[Third Embodiment]
Next, a third embodiment of the present invention will be described.
The third embodiment is a modification of the second embodiment. (1) The additional information b is included in the input of at least a part of the hash function. (2) The additional information b is verified by the decryption device and encrypted. The second embodiment is different from the second embodiment in that the validity of the sentence is verified and the process of outputting the random number as the decryption result is not performed when the ciphertext is invalid. Below, it demonstrates centering on difference with 1st, 2 embodiment, and abbreviate | omits description about the matter which is common in these.

<Overall configuration>
The encryption communication system according to the third embodiment has a configuration in which the encryption device 10 according to the first embodiment is replaced with the encryption device 210 and the decryption device 20 is replaced with the decryption device 220.

<Hardware configuration>
Since it is the same as that of 1st Embodiment, description is abbreviate | omitted.

<Cooperation between hardware and software>
Each of the encryption device 210 and the decryption device 220 of the second embodiment is constructed by reading a predetermined program into the hardware as described above and executing it by the CPU. The functional configuration of each device constructed in this way will be described below.

  FIG. 13 is a block diagram illustrating a functional configuration of the encryption device 210 according to the third embodiment. FIG. 14 is a block diagram illustrating a functional configuration of the decoding device 220 according to the third embodiment. In FIGS. 13 and 14, the same reference numerals as those in FIGS.

  As illustrated in FIG. 13, the encryption device 210 according to the third embodiment replaces the first hash function calculation unit 13e of the encryption device 10 according to the first embodiment with a first hash function calculation unit 213e, and performs the second hash The function calculation unit 13g is replaced with a second hash function calculation unit 213g, and the second bit combination unit 13i is replaced with a second bit combination unit 113i. The first hash function calculation unit 213e, the second hash function calculation unit 213g, and the second bit combination unit 113i are, for example, calculation units that are constructed when a predetermined program is read and executed by the CPU. Also, the encryption device 210 executes each process under the control of the control unit 13a.

  As shown in FIG. 14, the decoding device 220 of the third embodiment replaces the second bit dividing unit 23c of the decoding device 20 of the first embodiment with a second bit dividing unit 123c, and performs a third hash function operation. The unit 23d is replaced with a third hash function calculation unit 223d, and the fourth hash function calculation unit 23f is replaced with a fourth hash function calculation unit 223f. The second bit dividing unit 123c, the third hash function calculating unit 223d, and the fourth hash function calculating unit 223f are, for example, calculating units that are constructed by reading a predetermined program into the CPU and executing it. In addition, the decoding device 220 executes each process under the control of the control unit 23a.

In the first embodiment, for all i, the hash function H _{(2 · i + 1)} has an input / output area of {0,1} ^v → {0,1} ^n−v , and the hash function H _{( 2 · i + 2)} has an input / output area of {0,1} ^n−v → {0,1} ^v , but in this embodiment, a hash value h ₍₂ corresponding to at least a part of i _{・ I + 1)} and / or hash value h _{(2 ・ i + 2)}
H _{(2 · i + 1)} : {0,1} ^{v + | b |} → {0,1} ^n−v (1)
H _{(2 · i + 2)} : {0,1} ^{n−v + | b |} → {0,1} ^v … (2)
Hash value h _{(2 · i + 1)} and / or hash value h _{(2 · i + 2)} corresponding to other i
H _{(2 · i + 1)} : {0,1} ^v → {0,1} ^n−v (3)
H _{(2 · i + 2)} : {0,1} ^n−v → {0,1} ^v … (4)
Has an I / O area. As described above, the bit length | b | of the additional information b is not limited, but | b | = 1 is desirable from the viewpoint of minimizing overhead.

In addition, each hash function H _{(2 · i + 1) is changed} to any function of formula (1) (3), and each hash function H _{(2 · i + 1) is changed} to formula (2) (4) There is no particular restriction on whether to use the function of. However, from the viewpoint of safety, if the number of rounds R is an even number, whether or not the hash function H _{(2 · i + 1)} corresponding to at least one of i ≧ 1 is a function of the expression (1) Alternatively, it is desirable that a hash function H _{(2 · i + 2)} corresponding to at least one of i ≦ (R / 2) −2 is a function of the expression (2). When the round number R is an odd number, a hash function H _{(2 · i + 2)} corresponding to at least one of i is set as a function of the expression (2). That is, it is desirable that at least a part of the hash functions other than the first round and the last round be any one of the formulas (1) and (2). Further, from the viewpoint of security, it is more preferable that all hash functions are represented by any one of formulas (1) and (2).

  Further, in the preprocessing, information Rb for specifying rounds using the hash functions of the expressions (1) and (2) is stored in the storage units 11 and 21, respectively, and the control units 13a and 23a of each device use the information Rb. Identify each hash function. Further, Rb may be configured in advance in the program.

<Processing>
《Encryption processing》
The difference from the first embodiment is that (1) the encryption device 210 executes the processing of step S111 described in the second embodiment instead of step S12 or S46, and the bit combination value
y = b | t _{(R / 2)} | s _{(R / 2)} (if R is even)
y = b | t _{((R-1) / 2)} | s _{(((R-1) / 2) +1)} (when R is odd)
(2) Corresponding to at least a part of i calculated by the first hash function calculation unit 213e and / or the second hash function calculation unit 213g in the disturbance process (2 · i + 1 = Hash value h _{(2 · i + 1)} and / or hash value h _{(2 · i + 2) (where} Rb and / or 2 · i + 2 = Rb ₎ are added between the additional information b and the bit string t _(i) . Hash value obtained by applying hash function H _{(2 · i + 1)} to bit combination value
h _{(2 ・ i + 1)} = H _{(2 ・ i + 1)} (b | t _(i) )… (5)
And / or a hash value obtained by applying the hash function H _{(2 · i + 2)} to the bit combination value of the additional information b and the bit string s _{(i + 1)}
h _{(2 ・ i + 2)} = H _{(2 ・ i + 2)} (b | s _{(i + 1)} )… (6)
The other hash values are the same as those in the first and second embodiments.

The hash functions H _{(2 · i + 1)} and H _{(2 · i + 2)} for calculating the expressions (5) and (6) are the functions of the above expressions (1) and (2), The other hash functions H _{(2 · i + 1)} and H _{(2 · i + 2)} are functions of the above formulas (3) and (4).

<< Decryption process >>
Differences from the first embodiment are as follows: (1) Instead of step S23 or S50, the decoding device 220 executes the process of step S121 described in the second embodiment, and starts from the bit combination value y.
y → b, t _{(R / 2)} , s _{(R / 2)} (when R is an even number)
y → b, t _{((R−1) / 2)} , s _{(((R−1) / 2) +1)} (when R is an odd number)
(2) Corresponding to at least a part of i calculated by the fourth hash function calculation unit 223f and / or the third hash function calculation unit 223d in the disturbance restoration process (2 · i + 1). Hash value h _{(2 · i + 1)} and / or hash value h _{(2 · i + 2)} are equal to additional information b and bit string t _(i) . Hash value obtained by applying the hash function H _{(2 · i + 1)} to the bit combination value of
h _{(2 ・ i + 1)} = H _{(2 ・ i + 1)} (b | t _(i) )… (5)
And / or a hash value obtained by applying the hash function H _{(2 · i + 2)} to the bit combination value of the additional information b and the bit string s _{(i + 1)}
h _{(2 ・ i + 2)} = H _{(2 ・ i + 2)} (b | s _{(i + 1)} )… (6)
The other hash values are the same as those in the first and second embodiments.

<Specific examples of disturbance process and restoration process>
Next, a specific example of the disturbance process / disturbance restoration process of this embodiment will be described.
FIG. 15A is a diagram for explaining an example of the disturbance process when R = 4 in the third embodiment, and FIG. 15B is a diagram for explaining the disturbance restoration process. .

In this example of the disturbance process,
i = 0: h ₍₁₎ = H ₍₁₎ (t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (s _{(1 )} ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₂₎ are output.

Also, in this example of the disturbance restoration process,
i = 1: h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (t _{(0 )} ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

  FIG. 16A is a diagram for explaining another example of the disturbance process when R = 4 in the third embodiment, and FIG. 16B is a diagram for explaining the disturbance restoration process. It is.

In this example of the disturbance process,
i = 0: h ₍₁₎ = H ₍₁₎ (t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (b | s ₍₁₎ ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₂₎ are output.

Also, in this example of the disturbance restoration process,
i = 1: h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (b | s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (t ₍₀₎ ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

  FIG. 17A is a diagram for explaining another example of the disturbance process when R = 4 in the third embodiment, and FIG. 17B is a diagram for explaining the disturbance restoration process. It is.

In this example of the disturbance process,
i = 0: h ₍₁₎ = H ₍₁₎ (b | t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (b | s ₍₁₎ ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (b | s ₍₂₎ ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₂₎ are output.

Also, in this example of the disturbance restoration process,
i = 1: h ₍₄₎ = H ₍₄₎ (b | s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (b | s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (b | t ₍₀₎ ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

  FIG. 18A is a diagram for explaining an example of the disturbance process when R = 5 in the third embodiment, and FIG. 18B is a diagram for explaining the disturbance restoration process. .

In this example of disturbance process, in this example,
i = 0: h ₍₁₎ = H ₍₁₎ (t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (s _{(1 )} ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
i = 2: h ₍₅₎ = H ₍₅₎ (t ₍₂₎ ), s ₍₃₎ = s ₍₂₎ (+) h ₍₅₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₃₎ are output.

Also, in this example of the disturbance restoration process,
i = 2: h ₍₅₎ = H ₍₅₎ (t ₍₂₎ ), s ₍₂₎ = s ₍₃₎ (+) h ₍₅₎
i = 1: h ₍₄₎ = H ₍₄₎ (s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (t _{(0 )} ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

  FIG. 19A is a diagram for explaining another example of the disturbance process when R = 5 in the third embodiment, and FIG. 19B is a diagram for explaining the disturbance restoration process. It is.

In this example of disturbance process, in this example,
i = 0: h ₍₁₎ = H ₍₁₎ (b | t ₍₀₎ ), s ₍₁₎ = s ₍₀₎ (+) h ₍₁₎ , h ₍₂₎ = H ₍₂₎ (b | s ₍₁₎ ), t ₍₁₎ = t ₍₀₎ (+) h ₍₂₎
i = 1: h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₂₎ = s ₍₁₎ (+) h ₍₃₎ , h ₍₄₎ = H ₍₄₎ (b | s ₍₂₎ ), t ₍₂₎ = t ₍₁₎ (+) h ₍₄₎
i = 2: h ₍₅₎ = H ₍₅₎ (b | t ₍₂₎ ), s ₍₃₎ = s ₍₂₎ (+) h ₍₅₎
Are executed, and a bit string t ₍₂₎ and a bit string s ₍₃₎ are output.

Also, in this example of the disturbance restoration process,
i = 2: h ₍₅₎ = H ₍₅₎ (b | t ₍₂₎ ), s ₍₂₎ = s ₍₃₎ (+) h ₍₅₎
i = 1: h ₍₄₎ = H ₍₄₎ (b | s ₍₂₎ ), t ₍₁₎ = t ₍₂₎ (+) h ₍₄₎ , h ₍₃₎ = H ₍₃₎ (b | t ₍₁₎ ), s ₍₁₎ = s ₍₂₎ (+) h ₍₃₎
i = 0: h ₍₂₎ = H ₍₂₎ (b | s ₍₁₎ ), t ₍₀₎ = t ₍₁₎ (+) h ₍₂₎ , h ₍₁₎ = H ₍₁₎ (b | t ₍₀₎ ), s ₍₀₎ = s ₍₁₎ (+) h ₍₁₎
Are executed, and a bit string t ₍₀₎ and a bit string s ₍₀₎ are output.

<Features of Third Embodiment>
Also in this embodiment, as described in the first embodiment, it is possible to reduce overhead while ensuring safety. In the present embodiment, the bit combination value y includes the additional information b, and the additional information b is included in at least a part of the input values of the hash function, so that the safety is further improved. Further, for this purpose, it is not necessary to verify the value of the additional information b at the time of decoding or to generate a random number as a decoding result as in the second embodiment.
Further, as long as matching can be achieved between the encryption device 210 and the decryption device 220, other information may be bit-coupled to any information that is bit-coupled.

[Other variations]
Needless to say, other modifications are possible without departing from the spirit of the present invention. In addition, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary.
Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory. Specifically, for example, the magnetic recording device may be a hard disk device or a flexible Discs, magnetic tapes, etc. as optical discs, DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), etc. As the magneto-optical recording medium, MO (Magneto-Optical disc) or the like can be used, and as the semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like can be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  The present invention can be used in, for example, a cryptographic communication technique using public key cryptography.

FIG. 1A is a diagram illustrating a configuration of the cryptographic communication system 1 according to the first embodiment. FIG. 1B is a block diagram illustrating the hardware configuration of the encryption apparatus. FIG. 2 is a block diagram illustrating a functional configuration of the encryption device according to the first embodiment. FIG. 3 is a block diagram illustrating a functional configuration of the decoding device according to the first embodiment. FIG. 4 is a flowchart for explaining the encryption processing when the round number R (R ≧ 4) is an even number. FIG. 5 is a flowchart for explaining the decoding process when the round number R (R ≧ 4) is an even number. FIG. 6 is a flowchart for explaining the encryption process when the round number R (R ≧ 4) is an odd number. FIG. 7 is a flowchart for explaining a decoding process when the round number R is an odd number. FIG. 8A is a flowchart for explaining the disturbance process when the number of rounds R = 4. FIG. 8B is a flowchart for explaining the disturbance restoration process when the number of rounds R = 4. FIG. 9A is a flowchart for explaining the disturbance process when the number of rounds R = 5. FIG. 9B is a flowchart for explaining the disturbance restoration process when the number of rounds R = 5. FIG. 10 is a block diagram illustrating a functional configuration of the encryption device according to the second embodiment. FIG. 11 is a block diagram illustrating a functional configuration of the decoding device according to the second embodiment. FIG. 12A is a flowchart for explaining the encryption processing of the second embodiment. FIG. 12B is a flowchart for explaining the decoding process of the second embodiment. FIG. 13 is a block diagram illustrating a functional configuration of the encryption device according to the third embodiment. FIG. 14 is a block diagram illustrating a functional configuration of the decoding device according to the third embodiment. FIG. 15A is a diagram for explaining an example of the disturbance process when R = 4 in the third embodiment, and FIG. 15B is a diagram for explaining the disturbance restoration process. . FIG. 16A is a diagram for explaining another example of the disturbance process when R = 4 in the third embodiment, and FIG. 16B is a diagram for explaining the disturbance restoration process. It is. FIG. 17A is a diagram for explaining another example of the disturbance process when R = 4 in the third embodiment, and FIG. 17B is a diagram for explaining the disturbance restoration process. It is. FIG. 18A is a diagram for explaining an example of the disturbance process when R = 5 in the third embodiment, and FIG. 18B is a diagram for explaining the disturbance restoration process. . FIG. 19A is a diagram for explaining another example of the disturbance process when R = 5 in the third embodiment, and FIG. 19B is a diagram for explaining the disturbance restoration process. It is. FIG. 20A is a diagram for explaining the processing of the conventional OAEP 3-round padding function pd, and FIG. 20B is a diagram for explaining the processing of the inverse function pd ⁻¹ . .

Explanation of symbols

10, 110, 210 Encryption device 20, 120, 220 Decryption device

Claims (10)

(A) A plaintext storage process of storing plaintext m of nz bits (n> z ≧ k, k is a security parameter) in the storage unit of the encryption device;
(B) a random number storage process of storing a z-bit random number r in the storage unit of the encryption device;
(C) The first bit splitting unit of the encryption device bits the plaintext m into the first plaintext m ₁ with vz bits (n> vz ≧ 2k) and the second plaintext m ₂ with nv bits. Dividing the first plaintext m ₂ into a bit string s ₍₀₎ ,
(D) a first bit combination unit of the encryption device generates a bit combination value of the random number r and the first plaintext m ₁ and uses the bit combination value as a bit string t ₍₀₎ ;
(E) If the number of rounds R (R is an integer of 4 or more) is an even number, i = 0 to i = (R / 2) -1 in order (i is an integer)
The first hash function calculation unit of the encryption device operates the hash function H _{(2 · i + 1)} on the value including the bit string t _(i) to generate a hash value h _{(2 · i + 1) of} n−v bits. A first hash function calculation process for calculating
The first exclusive OR operation unit of the encryption device performs an exclusive OR operation on the bit string s _(i) and the hash value h _{(2 · i + 1),} and the operation result is represented as the bit string s _{(i + 1). )} The first exclusive OR operation process,
The second hash function calculation unit of the encryption device operates the hash function H _{(2 · i + 2)} on the value including the bit string s _{(i + 1)} to generate the v-bit hash value h _{(2 · i + 2).} A second hash function calculation process for calculating
The second exclusive OR operation unit of the encryption device performs an exclusive OR operation on the bit string t _(i) and the hash value h _{(2 · i + 2),} and the operation result is represented by the bit string t _{(i + 1). )} And a second exclusive OR operation process,
When the round number R is an odd number, the first hash function calculation process and the first exclusive OR calculation process are sequentially performed from i = 0 to i = {(R-1) / 2} -1. The second hash function calculation process and the second exclusive OR calculation process are executed, and the first hash function calculation process and the first exclusive OR calculation are performed for i = (R−1) / 2. A disturbance process,
(F) When the round number R is an even number, the second bit combination unit of the encryption device generates a bit combination value y including the bit string t _{(R / 2)} and the bit string s _{(R / 2).} ,
When the number of rounds R is an odd number, the second bit combination unit of the encryption device performs the bit sequence t _{((R-1) / 2)} and the bit sequence s _{(((R-1) / 2) +1)} A second bit combination process for generating a bit combination value y including
(G) The unidirectional replacement function computing unit of the encryption device calculates a ciphertext u = f (y) obtained by applying the trapdoor unidirectional replacement function f to the bit combination value y. Substitution function calculation process,
(H) a ciphertext transmission process in which the transmission unit of the encryption device transmits the ciphertext u to the decryption device;
(I) a ciphertext storage process for storing the ciphertext u in the storage unit of the decryption device;
(J) The inverse function calculation unit of the decryption device applies the inverse function f ⁻¹ of the trapdoor unidirectional replacement function f to the ciphertext u, and obtains the bit combination value y = f ⁻¹ (u) The inverse function calculation process to extract,
(K) The second bit division unit of the decoding device performs bit division on the bit combination value y, and if the round number R is an even number, at least the bit string t _{(R / 2)} and the bit string s _{(R / 2)} A second bit division process of extracting at least a bit string t _{((R-1) / 2)} and a bit string s _{(((R-1) / 2) +1)} when the round number R is an odd number When,
(L) If the number of rounds R is an even number, from i = (R / 2) -1 to i = 0,
The third hash function operation unit of the decryption device operates the hash function H _{(2 · i + 2)} on the value including the bit string s _{(i + 1)} to obtain the v-bit hash value h _{(2 · i + 2)} . A third hash function calculation process to be calculated;
A third exclusive OR operation unit of the decoding device performs an exclusive OR operation on the bit string t _{(i + 1)} and the hash value h _{(2 · i + 2),} and the operation result is represented by the bit string t _(i). A third exclusive OR operation process,
The fourth hash function calculation unit of the decryption device operates the hash function H _{(2 · i + 1)} on the value including the bit string t _(i) to obtain the n−v bit hash value h _{(2 · i + 1)} . A fourth hash function calculation process to be calculated;
A fourth exclusive OR operation unit of the decoding device performs an exclusive OR operation on the bit string s _{(i + 1)} and the hash value h _{(2 · i + 1),} and the operation result is represented as the bit string s _(i). And a fourth exclusive OR operation process,
When the round number R is an odd number, the fourth hash function calculation process and the fourth exclusive OR calculation process are executed for i = (R−1) / 2, and i = {( R-1) / 2} -1 to i = 0, in order, the third hash function calculation process, the third exclusive OR calculation process, the fourth hash function calculation process, and the fourth exclusive OR. A disturbance recovery process that performs an arithmetic process; and
(M) a third bit splitting process in which a third bit splitting unit of the decoding device splits the bit string t ₍₀₎ to extract a random number r of z bits and a first plaintext m _{1 of} vz bits;
(N) a third bit combination process in which a third bit combination unit of the decoding device generates a bit combination value between the first plaintext m ₁ and the bit string s ₍₀₎ and outputs the bit combination value as a decoding result;
A cryptographic communication method comprising: The encryption communication method according to claim 1,
The bit combination value y generated in the second bit combination process is
When the round number R is an even number, the bit combination value includes the additional information b indicating the predetermined value, the bit string t _{(R / 2),} and the bit string s _{(R / 2)} , and the round number R is an odd number. A bit combination value including additional information b indicating a predetermined value, bit string t _{((R-1) / 2)} and bit string s _{(((R-1) / 2) +1)} ,
The second bit division process includes:
When bit combination value y is divided into bits and round number R is an even number, at least additional information b, bit sequence t _{(R / 2)} and bit sequence s _{(R / 2)} are extracted, and round number R is an odd number. In some cases, at least the additional information b, the bit string t _{((R-1) / 2)} and the bit string s _{(((R-1) / 2) +1)} are extracted,
At least the third bit combining process is:
A process executed only when the additional information b extracted in the second bit division process indicates the predetermined value;
When the additional information b extracted in the second bit division process indicates a value other than the predetermined value, the camouflaged decoding result generation unit of the decoding device generates an nz bit random number, and the random number is converted into the decoding result. Further comprising a process of generating a camouflaged decoding result output as
An encryption communication method characterized by the above. The encryption communication method according to claim 1,
The bit combination value y generated in the second bit combination process is
When the round number R is an even number, the bit combination value includes the additional information b indicating the predetermined value, the bit string t _{(R / 2),} and the bit string s _{(R / 2)} , and the round number R is an odd number. A bit combination value including additional information b indicating a predetermined value, bit string t _{((R-1) / 2)} and bit string s _{(((R-1) / 2) +1)} ,
The second bit division process includes:
When bit combination value y is divided into bits and round number R is an even number, at least additional information b, bit sequence t _{(R / 2)} and bit sequence s _{(R / 2)} are extracted, and round number R is an odd number. In some cases, at least the additional information b, the bit string t _{((R-1) / 2)} and the bit string s _{(((R-1) / 2) +1)} are extracted,
The hash value h _{(2 · i + 1)} and / or the hash value h _{(2 · i + 2)} corresponding to at least a part of i calculated in the disturbance process and the disturbance restoration process, respectively,
A hash value h _{(2 · i + 1) obtained} by applying a hash function H _{(2 · i + 1)} to a bit combination value including the additional information b and the bit sequence t _{(i )} and / or the additional information b and the bit sequence A hash value h _{(2 · i + 2) obtained} by applying a hash function H _{(2 · i + 2)} to a bit combination value including s _{(i + 1)} ,
An encryption communication method characterized by the above. The encryption communication method according to claim 3,
If the round number R is an even number,
The hash value h _{(2 · i + 1)} corresponding to at least one of i ≧ 1 calculated in the disturbance process and the disturbance restoration process is a bit including the additional information b and the bit string t _(i). A hash value obtained by applying a hash function H _{(2 · i + 1)} to the combined value, or at least one of the hash values h _{(2 · i +} ) corresponding to i ≦ (R / 2) −2 ₂₎ is a hash value obtained by applying a hash function H _{(2.i + 2)} to a bit combination value including the additional information b and the bit string s _{(i + 1)} .
If the round number R is odd,
The hash value h _{(2 · i + 2)} corresponding to at least one of i calculated in the disturbance process and the disturbance restoration process is a bit including the additional information b and the bit string s _{(i + 1).} A hash value obtained by applying a hash function H _{(2 · i + 2)} to the combined value.
An encryption communication method characterized by the above. The encryption communication method according to any one of claims 2 to 4,
The trapezoidal one-way replacement function f is a function that takes a value of 0 or more and less than N (N is a natural number) as an input,
n satisfies n = | N |-| b | when the bit length of N is | N | and the bit length of additional information b is | b |
The additional information b is a bit or a bit string indicating 0,
The bit combination value y generated in the second bit combination process is a value obtained by bit combination of the additional information b at the head.
An encryption communication method characterized by the above. The encryption communication method according to any one of claims 1 to 5,
z = k and v = 3k,
An encryption communication method characterized by the above. a storage unit in which plaintext m of n−z bits (n> z ≧ k, k is a security parameter) and a z-bit random number r are stored;
The plaintext m is read from the storage unit, the plaintext m is bit-divided into a first plaintext m ₁ of vz bits (n> vz ≧ 2k) and a second plaintext m _{2 of} nv bits, A first bit division unit that stores the first plaintext m ₁ and the bit string s ₍₀₎ that is the second plaintext m ₂ in the storage unit of the encryption device;
A first bit combination unit that reads the random number r and the first plaintext m ₁ from the storage unit, generates a bit combination value thereof, and stores the bit combination value as a bit string t ₍₀₎ in the storage unit;
A bit string t _(i) is read from the storage unit, and a hash function H _{(2 · i + 1)} is applied to a value including the bit string t _(i) to obtain a hash value h _{(2 · i + 1 )} of n−v bits. _{) And} a first hash function calculation unit that stores the hash value h _{(2 · i + 1)} in the storage unit;
The bit string s _(i) and the hash value h _{(2 i + 1)} are read from the storage unit, the exclusive OR operation of these is performed, and the operation result is stored in the storage unit as the bit string s _{(i + 1).} A first exclusive OR operation unit for storing;
A bit string s _{(i + 1)} is read from the storage unit, and a hash function H _{(2 · i + 2)} is applied to a value including the bit string s _{(i + 1)} to obtain a v-bit hash value h _{(2 · i +2),} and a second hash function calculation unit that stores the hash value h _{(2 · i + 2)} in the storage unit;
The bit string t _(i) and the hash value h _{(2 · i + 2)} are read from the storage unit, the exclusive OR operation of these is performed, and the operation result is stored in the storage unit as the bit string t _{(i + 1).} A second exclusive OR operation unit for storing;
When the round number R (R is an integer greater than or equal to 4) is an even number, the first hash function calculation unit and the above are sequentially performed from i = 0 to i = (R / 2) -1 (i is an integer). When the first exclusive OR operation unit, the second hash function operation unit, and the second exclusive OR operation unit are executed and the round number R is an odd number, i = 0 to i = { (R-1) / 2} -1 in order, the first hash function operation unit, the first exclusive OR operation unit, the second hash function operation unit, and the second exclusive OR operation unit. A control unit that executes processing, and further executes processing of the first hash function computing unit and the first exclusive OR computing unit for i = (R−1) / 2,
When the round number R is an even number, the bit string t _{(R / 2)} and the bit string s _{(R / 2)} are read from the storage unit, a bit combined value y including them is generated, and the bit combined value y Is stored in the storage unit, and when the round number R is an odd number, the bit sequence t _{((R-1) / 2)} and the bit sequence s _{(((R-1) / 2) +1)} are stored from the storage unit. A second bit combination unit that generates a bit combination value y including them, and stores the bit combination value y in the storage unit;
The bit combination value y is read from the storage unit, and the ciphertext u = f (y) obtained by applying the trapdoor unidirectional replacement function f to the bit combination value y is calculated. A one-way replacement function calculation unit stored in the storage unit;
A transmission unit that transmits the ciphertext u read from the storage unit to a decryption device;
An encryption device characterized by comprising: A storage unit for storing the ciphertext u transmitted from the encryption device according to claim 7;
The ciphertext u is read from the storage unit, the inverse function f− ¹ of the trapdoor unidirectional replacement function f is applied to the ciphertext u, and the bit combination value y = f− ¹ (u) is extracted. , An inverse function calculation unit that stores the bit combination value y in the storage unit,
Read the bit combination value y from the storage unit, divide the bit combination value y into bits, and if the round number R is an even number, extract at least the bit string t _{(R / 2)} and the bit string s _{(R / 2)} If the round number R is an odd number, at least the bit sequence t _{((R-1) / 2)} and the bit sequence s _{(((R-1) / 2) +1)} are extracted and stored in the storage unit. A second bit division unit stored in
A bit string s _{(i + 1)} is read from the storage unit, and a hash function H _{(2 · i + 2)} is applied to a value including the bit string s _{(i + 1)} to obtain a v-bit hash value h _{(2 · i +2)} , a third hash function calculation unit that stores the hash value h _{(2 · i + 2)} in the storage unit,
The bit string t _{(i + 1)} and the hash value h _{(2 · i + 2)} are read from the storage unit, the exclusive OR operation of these is performed, and the calculation result is stored in the storage unit as the bit string t _(i). A third exclusive OR operation unit for storing;
A bit string t _(i) is read from the storage unit, and a hash function H _{(2 · i + 1)} is applied to a value including the bit string t _(i) to obtain a hash value h _{(2 · i + 1 )} of n−v bits. _{) And} a fourth hash function calculation unit that stores the hash value h _{(2 · i + 1)} in the storage unit;
The bit string s _{(i + 1)} and the hash value h _{(2 i + 1)} are read from the storage unit, the exclusive OR operation of these is performed, and the operation result is stored in the storage unit as the bit string s _(i). A fourth exclusive OR operation unit for storing;
When the round number R (R is an integer of 4 or more) is an even number, the third hash function operation unit and the third exclusive logic are sequentially performed from i = (R / 2) -1 to i = 0. When the sum operation unit, the fourth hash function operation unit, and the fourth exclusive OR operation unit are executed, and the round number R is an odd number, for i = (R−1) / 2, The fourth hash function operation unit and the fourth exclusive OR operation unit are processed, and the third hash function is sequentially performed from i = {(R-1) / 2} -1 to i = 0. A control unit that executes processing of the operation unit, the third exclusive OR operation unit, the fourth hash function operation unit, and the fourth exclusive OR operation unit;
Reading a bit string t ₍₀₎ from the storage unit, the bit string t a ₍₀₎ bit divided, and the random number r of z bits, v-z first extracts the plaintext m ₁ bits, and the random number r first A third bit division unit for storing one plaintext m ₁ in the storage unit;
A third bit combination unit that reads the first plaintext m ₁ and the bit string s ₍₀₎ from the storage unit, generates these bit combination values, and outputs the bit combination values as decoding results;
A decoding device comprising:   A program for causing a computer to function as the encryption device according to claim 7.   A program for causing a computer to function as the encryption device according to claim 8.

Images