JP2010245683A - Cryptographic system, key generator, encryption device, decryption device, and encryption processing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a public key encryption method which is IND-CCA security on a standard computer model and does not damage security reduction even in a multiuser environment. <P>SOLUTION: A key generator 110 prepares a public key and a secret key designed to return encryption security to the difficulty of a Diffie-Hellman decision problem and to the security of a family of functions satisfying a specific condition. An encryption device 130 generates cryptography from a message sentence by using the public key prepared by the key generator 110. Then, a decryption device 150 decrypts the cryptography generated by the encryption device 130 by using the secret key prepared by the key generator 110. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technique for encrypting or decrypting a message text.

  Non-Patent Document 1 describes the concept of security of public key cryptography, and IND-CCA security is considered to be the highest level of security. In practice, public key cryptography is proved to be IND-CCA secure on a random oracle model or standard computer model.

  The random oracle model is an unreal model because it assumes an oracle access to a random function. Therefore, the safety proof on the random oracle model is not guaranteed completely in the real system, but is considered as an index. However, it is easy to design various variations of public key cryptosystems with excellent practicality, and many of the public key cryptosystems in practical use are given IND-CCA security on a random oracle model. .

  On the other hand, since the standard computer model is close to an actual computer system, the safety proof on this model is considered to be equivalent to the safety proof in the real world. As described above, from the viewpoint of safety, it is desirable that the IND-CCA is safe on the standard computer model, but practical system design is difficult, and there are very few variations compared to the random oracle model. The public key cryptosystem described in Non-Patent Document 3 is a typical scheme that is IND-CCA secure and practical on a standard computer model.

  By the way, the concept of the IND-CCA security described in Non-Patent Document 1 is formulated in a situation where a single ciphertext is given to a single sender and receiver (hereinafter, referred to as a target ciphertext). Called a single-user environment).

  However, in the real world, there are many cases where the same message text is sent to a plurality of other parties, such as broadcast mail communication. Also, when replying to e-mails, ciphertexts are often created from new message texts that include all or part of the same message text. In Non-Patent Document 2, verification of indistinguishability is performed in such a multi-user environment.

  According to Non-Patent Document 2, it is described that if indistinguishability is shown in a single user environment, indistinguishability is also shown in a multi-user environment, but security reduction is generally greatly deteriorated. Here, security reduction means reduction efficiency when reducing the security of encryption to a problem that is expected to be computationally difficult. When security reduction is poor, it is necessary to select a large parameter (key length, etc.) for the security of the encryption, and the efficiency of the encryption is often greatly impaired.

  Therefore, from a practical point of view, it is desirable to design public key cryptography so as to efficiently result in a problem in which computational difficulty is sufficiently predicted. According to Non-Patent Document 2, it is shown that Elgamal encryption having weak security (IND-CPA) does not impair security reduction even in a multi-user environment.

M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations among notions of security for public-key encryption schemes: http://www.cse.ucsd.edu/~mihir/crypto-research-papers.html M. Bellare, P. Boldyreva, and S. Micali.Public-key Encryption in a Multi-User Setting: Security Proofs and Improvements: http://www.cse.ucsd.edu/~mihir/crypto-research-papers. html R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack: http://www.shoup.net/papers/

  As described above, Non-Patent Document 3 describes an IND-CCA secure public key encryption method on a standard computer model.

  However, it has been shown that the IND-CCA secure public key encryption method on the standard computer model described in Non-Patent Document 3 partially does not impair security reduction even in a multi-user environment, but is not perfect. There is no known public key cryptography method having strong security (IND-CCA) on a standard computer model and that does not impair security reduction even in a multi-user environment.

  Accordingly, an object of the present invention is to provide a public key encryption method that is IND-CCA safe on a standard computer model and that does not impair security reduction even in a multi-user environment.

  In order to solve the above problems, the present invention designs public key cryptography so that the security of the cipher is reduced to the difficulty of the Diffie-Hellman decision problem and the security of a function family that satisfies a specific condition. .

For example, the present invention generates at least one computer that encrypts a message text using the first key information and decrypts the cipher text using the second key information. An encryption system comprising:
A control unit of the computer,
A process of accepting an input of a security parameter k;

and

(Where G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q),
(X ₁ , x ₂ , y ₁ , y ₂ , g ₁ , g ₂ )

The process of calculating
A process of creating a pair (π, π ⁻¹ ) of unidirectional substitution π and trapdoor π ⁻¹ ;
The first key information pk and the second key information sk are

Processing to generate as
However, F _k is expressed by the following equation (5), and f ^σ is a function on G4.

  It is characterized by.

  As described above, according to the present invention, it is possible to provide a public key encryption method that is IND-CCA safe on a standard computer model and that does not impair security reduction even in a multi-user environment.

Schematic diagram of a cryptographic system. Schematic of a key generation device. Schematic diagram of a computer. 1 is a schematic diagram of an encryption device. Schematic of a decoding apparatus. The sequence diagram for demonstrating the operation | movement procedure in a cryptographic system.

  FIG. 1 is a schematic diagram of an encryption system 100 according to an embodiment of the present invention. As shown in the figure, the encryption system 100 includes a key generation device 110, an encryption device 130, and a decryption device 150, which can transmit and receive information to and from each other via a communication line 170. It has been made possible.

  In the present embodiment, in the public key cipher Π = (K, E, D), the key generation means K, the encryption means E, and the decryption means D of the public key cipher 、 are the key generation device 110, This is realized by the encryption device 130 and the decryption device 150.

  FIG. 2 is a schematic diagram of the key generation device 110. As illustrated, the key generation device 110 includes an input unit 111 that receives input of information, various operations including logical operation, power multiplication, remainder operation, hash function operation, and random function operation, and each unit of the key generation device 110. A control unit 112 that performs the above control, a storage unit 117, a communication unit 121 that communicates with the encryption device 130 or the decryption device 150 via the communication line 170, and an output unit 122 that outputs information.

Here, the control unit 112 includes a random number generation unit 113 that generates a random number, a calculation unit 114 that generates a public key and a secret key, and a trap with a one-way replacement π and a trap door π ^−1. A unidirectional replacement generation unit 115.

  The storage unit 117 includes a key information storage area 118 that stores the public key and the secret key generated by the calculation unit 114, and a temporary information storage area 119 that stores information necessary for various calculations by the control unit 112. Prepare.

  The key generation device 110 described above includes, for example, an external storage device such as a CPU (Central Processing Unit) 901, a memory 902, and an HDD (Hard Disk Drive) as shown in FIG. 3 (schematic diagram of the computer 900). 903, a reading device 905 that reads / writes information from / to a portable storage medium 904 such as a CD (Compact Disk) or a DVD (Digital Versatile Disk), an input device 906 such as a keyboard or a mouse, and an output such as a display This can be realized by a general computer 900 including a device 907 and a communication device 908 such as a NIC (Network Interface Card) for connecting to a communication network.

  For example, the input unit 111 can be realized by the CPU 901 using the input device 906, and the control unit 112 loads a predetermined program stored in the external storage device 903 into the memory 902 and executes it by the CPU 901. The storage unit 117 can be realized by the CPU 901 using the memory 902 or the external storage device 903, and the communication unit 121 can be realized by the CPU 901 using the communication device 908. The output unit 122 can be realized by the CPU 901 using the output device 907.

  The predetermined program is downloaded from the storage medium 904 via the reading device 905 or from the network via the communication device 908 to the external storage device 903, and then loaded onto the memory 902 and executed by the CPU 901. You may do it. Alternatively, the program may be directly loaded on the memory 902 from the storage medium 904 via the reading device 905 or from the network via the communication device 908 and executed by the CPU 901.

  FIG. 4 is a schematic diagram of the encryption device 130. As illustrated, the encryption device 130 includes an input unit 131 that receives input of information, various operations including logical operation, power multiplication, remainder operation, hash function operation, and random function operation, and each unit of the encryption device 130. A control unit 132 that performs the above control, a storage unit 138, a communication unit 142 that communicates with the key generation device 110 or the decryption device 150 via the communication line 170, and an output unit 143 that outputs information.

Here, the control unit 132 includes a random number generation unit 133 that generates a random number, a calculation unit 134 that receives input of a message text and controls processing to generate a ciphertext of the message text, and (π, σ). First function calculation unit 135 that outputs π (σ) as input (calculates unidirectional substitution π), and second function calculation that outputs f ^σ (x) as input Part 136.

  In addition, the storage unit 138 includes a key information storage area 139 that stores the public key generated by the key generation apparatus 110, and a temporary information storage area 140 that stores information necessary for various calculations in the control unit 132. .

  The encryption device 130 described above can be realized by, for example, a general computer 900 as shown in FIG.

  For example, the input unit 131 can be realized by the CPU 901 using the input device 906, and the control unit 132 loads a predetermined program stored in the external storage device 903 into the memory 902 and executes it by the CPU 901. The storage unit 138 can be realized by the CPU 901 using the memory 902 or the external storage device 903, and the communication unit 142 can be realized by the CPU 901 using the communication device 908. The output unit 143 can be realized by the CPU 901 using the output device 907.

  The predetermined program is downloaded from the storage medium 904 via the reading device 905 or from the network via the communication device 908 to the external storage device 903, and then loaded onto the memory 902 and executed by the CPU 901. You may do it. Alternatively, the program may be directly loaded on the memory 902 from the storage medium 904 via the reading device 905 or from the network via the communication device 908 and executed by the CPU 901.

  FIG. 5 is a schematic diagram of the decoding device 150. As illustrated, the decoding device 150 includes an input unit 151 that receives input of information, various operations including logical operation, power multiplication, remainder operation, hash function operation, and random function operation, and each unit of the decoding device 150. A control unit 152 that performs the above control, a storage unit 158, a communication unit 162 that communicates with the key generation device 110 or the encryption device 130 via the communication line 170, and an output unit 163 that outputs information.

Here, the control unit 152 receives the input of the ciphertext, the calculation unit 153 that controls the decryption process of the ciphertext, and the function calculator A303 receives (π ⁻¹ , y) as an input, and π (y) and outputs a (the calculation of trapdoor [pi ^-1) and the first function calculating unit 154, (sigma, x) as input, the second function calculating unit 155 outputs f ^sigma (the x), calculating unit 153 And an inspection unit 156 for verifying the value calculated by.

  In addition, the storage unit 158 includes a key information storage area 159 that stores the secret key generated by the key generation apparatus 110 and a temporary information storage area 160 that stores information necessary for various calculations in the control unit 152. .

  The decoding device 150 described above can be realized by, for example, a general computer 900 as shown in FIG.

  For example, the input unit 151 can be realized by the CPU 901 using the input device 906, and the control unit 152 loads a predetermined program stored in the external storage device 903 into the memory 902 and executes it by the CPU 901. The storage unit 158 can be realized by the CPU 901 using the memory 902 or the external storage device 903, and the communication unit 162 can be realized by the CPU 901 using the communication device 908. The output unit 163 can be realized by the CPU 901 using the output device 907.

  The predetermined program is downloaded from the storage medium 904 via the reading device 905 or from the network via the communication device 908 to the external storage device 903, and then loaded onto the memory 902 and executed by the CPU 901. You may do it. Alternatively, the program may be directly loaded on the memory 902 from the storage medium 904 via the reading device 905 or from the network via the communication device 908 and executed by the CPU 901.

  FIG. 6 is a sequence diagram for explaining an operation procedure in the cryptographic system 100.

  1. Processing in the key generation device 110.

First, the calculation unit 114 of the key generation device 100 receives an input of 1 ^k (k is a positive integer as a security parameter) via the input unit 111 (S10). The input value is stored in the temporary information storage area 119.

  Next, the random number generation unit 113 of the key generation device 100

and

Are randomly generated and recorded in the temporary information storage area 119 (S11, S12). Here, G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q.

Next, the calculation unit 114 of the key generation device 100 uses (x ₁ , x ₂ , y ₁ , y ₂ , g ₁ , g ₂ ) stored in the temporary information storage area 119,

Is calculated and recorded in the temporary information storage area 119 (S13).

Furthermore, the unidirectional replacement generation unit with trapdoor 115 of the key generation device 100 creates a pair (π, π ⁻¹ ) of the unidirectional replacement π and the trapdoor π ⁻¹ and records it in the temporary information storage area 119. (S14).

  Then, the calculation unit 114 of the key generation device 100 obtains the public key pk and the secret key sk from the values stored in the temporary information storage area 119.

And (pk, sk) is output via the output unit 122 (S15). However, F _k is expressed by the following equation (10), and f ^σ is a function on G4.

  The public key pk or the secret key sk can be transmitted to the encryption device 130 or the decryption device 150 via the communication unit 121.

  2. Processing in the encryption device 130.

  The computing unit 134 of the encryption device 130 stores the public key pk acquired via the input unit 131 or the communication unit 142 in the key information storage area 139 (S16).

  Next, the computing unit 134 of the encryption device 130 acquires the message text m via the input unit 131 or the communication unit 142 and stores it in the temporary information storage area 140 (S17).

  Then, the random number generator 133 of the encryption device 130

Is randomly selected (S18).

Next, the calculation unit 134 of the encryption device 130 uses g ₁ and g ₂ (part of the public key pk) as follows:

Is calculated and stored in the temporary information storage area 140 (S19).

  Next, the random number generator 133 of the encryption device 130

Are randomly selected (S20).

  Then, the first function calculation unit 135 of the encryption device 130 calculates π (σ) using the one-way function π (S21).

Further, the calculation unit 134 of the encryption device 130 obtains the public key (part) h ₁ from

Is calculated and stored in the temporary information storage area 140 (S22).

In addition, the calculation unit 134 of the encryption device 130 obtains the message sentence m and the public key (part) h ₂ from

Is calculated and stored in the temporary information storage area 140 (S23).

  Then, the second function calculation unit 136 of the encryption device 130

Is calculated and stored in the temporary information storage area 140 (S24).

  Further, the calculation unit 134 of the encryption device 130 calculates C from each value stored in the temporary information storage area 140.

And output from the output unit 143 as ciphertext C for the message text m (S25).

  Note that the ciphertext C can be transmitted to the decryption device 150 via the communication unit 142.

  3. Processing in the decryption device 150.

  The calculation unit 153 of the decryption apparatus 150 stores the secret key sk acquired via the input unit 151 or the communication unit 162 in the key information storage area 159 (S26).

  Next, the arithmetic unit 153 of the decryption device 150 acquires the ciphertext C via the input unit 151 or the communication unit 162 and stores it in the temporary information storage area 160 (S27).

  Next, the calculation unit 153 and the first function calculation unit 154 of the decoding device 150 are:

Is calculated and stored in the temporary information storage area 160 (S28).

  Further, the calculation unit 153 of the decryption device 150 includes:

Is calculated and stored in the temporary information storage area 160 (S29).

  Then, the second function calculation unit 155 of the decoding device 150

Is calculated (S30).

  Then, the inspection unit 156 of the decoding device 150 performs inspection (verification) of the value calculated in step S30 (S31). If the inspection (verification) succeeds, the inspection unit 156 stores the temporary information storage area 160 in step S29. The output m is output from the output unit 163 as a message text for the ciphertext C. On the other hand, if the inspection (verification) fails, an error message is output from the output unit 163.

Here, in the public key encryption method in the present embodiment, IND-CCA is secure under the assumption of the computational difficulty of the Diffie-Hellman decision problem and the conditions (A) and (B) of the function family F _k. (It is described in Non-Patent Document 1 etc. regarding the definition of IND-CCA safety).

The Diffie-Hellman decision problem is a randomly given instance (g, X, Y, K) (where g, X, Y, K∈G, and G is a multiplicative group having a prime number). On the other hand, when X = g ^a and Y = g ^b , it is a problem of determining whether K = g ^ab or not. The difficulty of the Diffie-Hellman decision problem is used as a basis for the security of many ciphers such as Elgamal cipher and Cramer-Shoup public key cipher.

Further, the condition (A) of the function family F _k is “when the value of σ is randomly selected, the value of f ^σ (x) is predicted for an arbitrary x without knowing the value of ^σ. It is difficult. "

Furthermore, the condition (B) of the function family F _k is that “when the attacker obtains the value of π (σ) and the value of f ^{σ ′} (x) (π is a unidirectional substitution), 'It is difficult to determine whether or not σ matches σ.'

In addition, since the Diffie-Hellman decision problem has a property called random self-reduction, the computational difficulty when multiple instances are given is the same as the computational difficulty when one instance is given . Therefore, when the function family F _k is selected so as to have the properties of the conditions (A ′) and (B ′), the public key encryption method described in the present embodiment does not deteriorate security reduction in a multi-user environment. Is proved.

And the condition (A ′) of the function family F _k is that any one of “σ ₁ ,..., Σ _n (n is a natural number) is selected at random without knowing these values. For i (i is a natural number 1 ≦ i ≦ n) and any x,

It is difficult to predict the value of. "Means.

In addition, the condition (B ′) of the function family F _k is “the attacker is the value of π ₁ (σ ₁ ),..., Π _n (σ _n ) (n is a natural number)

Is obtained (π _i is a one-way replacement), and for all i (i is a natural number 1 ≦ i ≦ n), it is determined whether or not σ ′ _i matches σ _i Difficult to do. "Means.

  In the embodiment described above, the method for realizing each of the key generation, encryption, and decryption means of public key cryptography has been described. Specifically, public key cryptography is electronic shopping based on cryptographic communication. The system is applied to various systems such as a file encryption system in addition to a system, an electronic mail system, a member information distribution system, a content distribution system.

  In addition, each calculation in the embodiment is performed by the CPU executing each program in the memory, and any one of them is an arithmetic device implemented in hardware, and the other arithmetic device, the CPU, and the data An exchange may be performed.

  Furthermore, in the embodiment described above, the encryption system 100 is configured by the key generation device 110, the encryption device 130, and the decryption device 150. However, the present invention is not limited to this, and the key generation device 110 It is possible to eliminate the key generation device 110 by performing either of the encryption device 130 and the decryption device 150.

DESCRIPTION OF SYMBOLS 100 Encryption system 110 Key generation apparatus 111 Input part 112 Control part 117 Storage part 121 Communication part 122 Output part 130 Encryption apparatus 131 Input part 132 Control part 138 Storage part 142 Communication part 143 Output part 150 Decryption apparatus 151 Input part 152 Control Unit 158 storage unit 162 communication unit 163 output unit

Claims (13)

An encryption system including at least one computer that generates ciphertext obtained by encrypting a message text using first key information and decrypts the ciphertext using second key information. And
A control unit of the computer,
A process of accepting an input of a security parameter k;

and

(Where G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q),
(X ₁ , x ₂ , y ₁ , y ₂ , g ₁ , g ₂ )

The process of calculating
A process of creating a pair (π, π ⁻¹ ) of unidirectional substitution π and trapdoor π ⁻¹ ;
The first key information pk and the second key information sk are

Processing to generate as
However, F _k is expressed by the following equation (5), and f ^σ is a function on G4.

A cryptographic system characterized by The cryptographic system according to claim 1,
A control unit of the computer,
A process of accepting an input of a message sentence m;

A process of randomly selecting
From the first key information pk,

The process of calculating

A process of randomly selecting
A process of calculating π (σ) using a one-way function π;
From the first key information pk,

The process of calculating
From the message sentence m and the first key information pk,

The process of calculating

The process of calculating
Ciphertext C

Processing to generate as
A cryptographic system characterized by The cryptographic system according to claim 2,
A control unit of the computer,
Processing for accepting input of the ciphertext C;
Using the trapdoor π ⁻¹ ,

The process of calculating

The process of calculating

Whether or not is satisfied, and if it is satisfied, the calculated m is used as a message for the ciphertext C.
A cryptographic system characterized by The cryptographic system according to any one of claims 1 to 3,
The function F _k is
a first condition that when the value of σ is randomly selected, it is difficult to predict the value of f ^σ (x) for any x without knowing the value of ^σ ;
When an attacker obtains the value of π (σ) and the value of f ^{σ ′} (x) (π is a one-way replacement), it is difficult to determine whether σ ′ matches σ. A second condition that
Satisfying
A cryptographic system characterized by The cryptographic system according to any one of claims 1 to 3,
The function F _k is
When values of σ ₁ ,..., σ _n (n is a natural number) are randomly selected, any i (i is a natural number satisfying 1 ≦ i ≦ n), without knowing these values, and For any x

A third condition that it is difficult to predict the value of
If the attacker has a value of π ₁ (σ ₁ ),..., Π _n (σ _n ) (n is a natural number),

Is obtained (π _i is a one-way replacement), and for all i (i is a natural number 1 ≦ i ≦ n), it is determined whether or not σ ′ _i matches σ _i A fourth condition that is difficult to do,
Satisfying
A cryptographic system characterized by A key generation device that generates first key information for encrypting a message text and second key information for decrypting a ciphertext encrypted with the first key information,
A process of accepting an input of a security parameter k;

and

(Where G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q),
(X ₁ , x ₂ , y ₁ , y ₂ , g ₁ , g ₂ )

The process of calculating
A process of creating a pair (π, π ⁻¹ ) of unidirectional substitution π and trapdoor π ⁻¹ ;
The first key information pk and the second key information sk are

A control unit that performs processing to be generated as
However, F _k is expressed by the following equation (22), and f ^σ is a function on G4.

A key generation device characterized by the above. The first key information pk and the second key information sk are

However,

(G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q)

π is a unidirectional substitution, π ^-1 is a trap for π F _k is expressed by the following equation (27), and f ^σ is a function on G4.

An encryption device that generates a ciphertext obtained by encrypting a message text using the first key information pk defined as
A process of accepting an input of a message sentence m;

A process of randomly selecting
From the first key information pk,

The process of calculating

A process of randomly selecting
A process of calculating π (σ) using a one-way function π;
From the first key information pk,

The process of calculating
From the message sentence m and the first key information pk,

The process of calculating

The process of calculating
Ciphertext C

A control unit that performs processing to be generated as
An encryption device. The first key information pk and the second key information sk are

However,

(G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q)

π is a unidirectional substitution, π ^-1 is a trap for π F _k is expressed by the following equation (39), and f ^σ is a function on G4.

A decryption device that decrypts a ciphertext C obtained by encrypting a message text using the first key information pk defined as
Processing for accepting input of the ciphertext C;
Using the trapdoor π ⁻¹ ,

The process of calculating

The process of calculating

A control unit that performs a process of making the calculated m a message text for the ciphertext C.
A decoding device characterized by the above. Performed by an encryption system having at least one computer that generates ciphertext obtained by encrypting a message text using the first key information and decrypts the ciphertext using the second key information. A cryptographic processing method,
A process in which the control unit of the computer performs a process of receiving an input of a security parameter k;
A control unit of the computer,

and

And a process of randomly generating (where G is a multiplicative group with the prime number q as the order, and Z _q represents a remainder ring modulo q),
The control unit of the computer uses (x ₁ , x ₂ , y ₁ , y ₂ , g ₁ , g ₂ ),

The process of calculating
A process in which the control unit of the computer performs a process of creating a set (π, π ⁻¹ ) of unidirectional substitution π and trapdoor π ⁻¹ ;
The control unit of the computer obtains the first key information pk and the second key information sk,

Having a process of generating as
However, F _k is expressed by the following equation (47), and f ^σ is a function on G4.

A cryptographic processing method characterized by the above. The cryptographic processing method according to claim 9, comprising:
A process in which the control unit of the computer performs a process of receiving an input of a message sentence m;
A control unit of the computer,

A process of randomly selecting, and
From the first key information pk, the control unit of the computer

The process of calculating
A control unit of the computer,

A process of randomly selecting, and
A process in which the control unit of the computer performs a process of calculating π (σ) using a unidirectional function π,
From the first key information pk, the control unit of the computer

The process of calculating
The control unit of the computer, from the message sentence m and the first key information pk,

The process of calculating
A control unit of the computer,

The process of calculating
The control unit of the computer converts the ciphertext C,

Having a process of generating as
A cryptographic processing method characterized by the above. The cryptographic processing method according to claim 10, comprising:
A process in which the control unit of the computer performs a process of accepting an input of the ciphertext C;
The control unit of the computer uses the trapdoor π ⁻¹ ,

The process of calculating
A control unit of the computer,

The process of calculating
A control unit of the computer,

A process of using the calculated m as the message text for the ciphertext C.
A cryptographic processing method characterized by the above. The cryptographic processing method according to any one of claims 9 to 11,
The function F _k is
a first condition that when the value of σ is randomly selected, it is difficult to predict the value of f ^σ (x) for any x without knowing the value of ^σ ;
When an attacker obtains the value of π (σ) and the value of f ^{σ ′} (x) (π is a one-way replacement), it is difficult to determine whether σ ′ matches σ. A second condition that
Satisfying
A cryptographic processing method characterized by the above. The cryptographic processing method according to any one of claims 9 to 11,
The function F _k is
When values of σ ₁ ,..., σ _n (n is a natural number) are randomly selected, any i (i is a natural number satisfying 1 ≦ i ≦ n), without knowing these values, and For any x

A third condition that it is difficult to predict the value of
If the attacker has a value of π ₁ (σ ₁ ),..., Π _n (σ _n ) (n is a natural number),

Is obtained (π _i is a one-way replacement), and for all i (i is a natural number 1 ≦ i ≦ n), it is determined whether or not σ ′ _i matches σ _i A fourth condition that is difficult to do,
Satisfying
A cryptographic processing method characterized by the above.

Images