JP4567364B2 - Parameter generating apparatus, encryption system, decryption system, encryption apparatus, encryption method, decryption method, and program - Google Patents

Description

  The present invention relates to a cryptographic technique as an information security technique, and more particularly to parameter generation of a NTRU (registered trademark of NTR Cryptosystems Incorporated) cipher.

  As a method for realizing secret communication between a transmission device and a reception device, there is encrypted communication using public key cryptography. Briefly, the transmission device encrypts the communication content using the public key of the reception device and transmits it, and the reception device receives the encrypted communication content and decrypts it using its own private key. Thus, the original communication content is obtained (see, for example, Non-Patent Document 1). In a general encryption system using this method, there are a plurality of transmission devices and reception devices. First, the transmitting device acquires the public key of the communication destination receiving device. This public key is paired with a secret key possessed by the communication destination receiving apparatus, and is made public in the cryptographic system. Then, the transmission device encrypts the data content to be communicated with the public key acquired as described above, and transmits it. On the other hand, the receiving device receives the communication content data encrypted as described above. Then, the receiving device decrypts the encrypted communication content data with its own private key to obtain the original communication content data.

  It should be noted that the encryption is for the purpose of secret communication between the transmission device and the reception device, and it goes without saying that security against decryption by a third party is important. With public key cryptography, the communication content data (hereinafter referred to as “plaintext”) may be decrypted from the encrypted communication content data (hereinafter referred to as “ciphertext”), and the receiving device keeps it secret. There is a possibility that the secret key used when obtaining the plaintext from the ciphertext may be decrypted. In general, in public key cryptography, it is required that the decryption time of these decryption by a third party is sufficiently long (for example, it takes 1000 years using the latest computer) and cannot be decrypted within a realistic time.

  In 1996, NTRU encryption was proposed as public key encryption capable of high-speed processing (see, for example, Non-Patent Document 2). Details of this NTRU encryption are described in Non-Patent Document 2, and therefore detailed description thereof is omitted here. NTRU cryptography is encrypted with polynomial arithmetic that can be performed at high speed, compared to RSA (Rivest Shamir Adleman) cryptography that performs exponentiation and a elliptic multiplication that performs scalar multiplication of points on an elliptic curve. Perform decryption. For this reason, it is possible to perform processing at higher speed by software than conventional public key encryption.

  Therefore, an encryption system using NTRU encryption for public key encryption has an advantage that processing of a transmission apparatus and a reception apparatus can be performed at higher speed than an encryption system using conventional public key encryption.

  Note that in order to actually perform encryption and decryption using this NTRU cipher, non-negative integer parameters, N, p, q, df, dg, and d are required (for example, see Non-Patent Document 2). Currently, specific values of these parameters are presented (for example, see Non-Patent Document 5).

  In this NTRU cipher, as a method of decrypting plaintext and private key by a third party, there are cryptanalysis that searches for them brute force and cryptanalysis using LLL (Lenstra, Lenstra and Lovasz) algorithm (for example, It has been shown that if the parameters presented in Non-Patent Document 5 are used, the decryption time of these cryptanalysis is sufficiently long, and the NTRU cipher is secure (for example, Non-Patent Document 2). (Ref. Literature 3, Non-Patent Literature 4, and Non-Patent Literature 5).

  On the other hand, this NTRU cipher encrypts a plaintext using a public key to generate a ciphertext, and decrypts a ciphertext using a regular secret key to generate a decrypted text. (For example, refer nonpatent literature 2). This is called a decoding error. The probability of occurrence of this decryption error varies depending on the parameters of the NTRU encryption (for example, see Non-Patent Document 5).

With regard to this decryption error, Non-Patent Document 2 discloses that a random polynomial g, a random number polynomial r, a plaintext polynomial m, a secret key polynomial f, which are used when generating the public key polynomial h of the NTRU encryption, in order to prevent a decryption error from occurring. It is shown that all the coefficients of the polynomial (p · r × g + f × m) obtained as a result of the calculation need to fall within the range of −q / 2 to q / 2. However, the decryption time for decryption when the NTRU cipher parameters are selected in this way is unknown, and no NTRU cipher parameters that are safe against decryption and do not cause decryption errors are known.
Tatsuaki Okamoto, Hiroshi Yamamoto, “Contemporary Cryptography”, Series / Mathematics of Information Science, Industrial Books, 1997. Jeffery Hoffstein, Jill Pipher, and Joseph H. Silverman, “NTRU: A ring based public key cryptosystem”, Lecture Notes in Computer Science, 1423, pp.267-288, Springer-Verlag, 1998. Joseph H. Silverman, “NTRU Cryptosystems Technical Report # 012, Estimated Breaking Times for NTRU Lattices”, [online], March 9, 1999, [Search February 18, 2003], Internet <URL: http: // www.ntru.com/cryptolab/pdf/NTRUTech012.pdf> Joseph H. Silverman, “NTRU Cryptosystems Technical Report # 013, Dimension-Reduced Lattices, Zero-Forced Lattices, and the NTRU Public Key Cryptosystem”, [online], March 9, 1999, [February 18, 2003 search ], Internet <URL: http://www.ntru.com/cryptolab/pdf/NTRUTech013.pdf> Joseph H. Silverman, “NTRU Cryptosystems Technical Report # 011, Wraps, Gaps, and Lattice Constants”, [online], January 21, 1999, [April 18, 2003 search], Internet <URL: http: / /www.ntru.com/cryptolab/pdf/NTRUTech011_v2.pdf>

  As described above, in the NTRU cipher capable of high-speed processing, when a decryption error occurs, the receiving device may not be able to correctly obtain the plaintext encrypted by the transmitting device. That is, reliable encrypted communication cannot be performed between the transmission device and the reception device.

Needless to say, in a cryptographic system, it is important to convey plaintext correctly to the other party. In addition, it goes without saying that the security of decryption by a third party is important.
However, in the conventional technique, although the conditions for generating the parameters of the NTRU cipher that do not cause the decryption error are shown, the conditions are not formulated, and the parameters of the NTRU cipher that does not cause the decryption error are generated. Difficult to do.

  Also, conditions for generating NTRU encryption parameters that are safe against decryption by a third party and that do not cause a decryption error are not known, and such NTRU encryption parameters cannot be generated. Therefore, secure and reliable encrypted communication cannot be performed between the encryption device and the decryption device.

  Therefore, in view of the above problems, the present invention provides a parameter generation device that generates NTRU encryption parameters that do not cause a decryption error so that secure and reliable encrypted communication can be performed between the encryption device and the decryption device. This is the first purpose.

  Further, a parameter for generating a parameter of the NTRU cipher that is safe against decryption by a third party and does not cause a decryption error so that secure and reliable encrypted communication can be performed between the encryption device and the decryption device. A second object is to provide a generation device.

  Furthermore, it is a third object of the present invention to provide an encryption system, an encryption device, and a decryption device that can perform secure and reliable encrypted communication between the encryption device and the decryption device using the parameters generated by these parameter generation devices. The purpose.

  A parameter generation device according to an aspect of the present invention is a parameter generation device that generates an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error, and is error condition information that determines whether or not a decryption error has occurred in advance And an error non-occurrence output parameter generation unit for generating an output parameter that does not cause a decoding error.

  The parameter generation device generates an output parameter that is a parameter set of the NTRU encryption that does not cause a decryption error based on the error condition information. For this reason, decryption errors do not occur by performing plaintext encryption processing and ciphertext decryption processing using the generated output parameters. Therefore, it is possible to provide a parameter generation device that generates NTRU encryption parameters in which no decryption error occurs.

  Preferably, the error non-occurrence output parameter generation unit includes a temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred, An output parameter generation unit configured to generate the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the parameter set. Further, the temporary parameter generation unit is configured to generate a temporary parameter set that does not generate a decryption error based on an input parameter that is a parameter set of NTRU encryption input from the outside and error condition information that is determined in advance to determine whether or not a decryption error has occurred. Is generated. Further, the output parameter generation unit generates the output parameter from the temporary parameter set based on safety determination information based on the lattice strength coefficient and safety level information indicating security against decryption by a third party. To do.

  The parameter generation device can generate the output parameter so that the safety determination information based on the lattice strength coefficient can satisfy the safety level information. Therefore, it is possible to provide a parameter generation device that generates parameters for NTRU encryption that is safe against decryption by a third party and does not cause a decryption error.

Preferably, the error condition information is a conditional expression 2 · p · d + 2 df − representing a condition for preventing a decoding error with respect to the non-negative integer p, the non-negative integer q, the non-negative integer d, and the non-negative integer df. 1 <q / 2
It is.

In this way, it is possible to formulate parameter conditions for preventing a decoding error from occurring. For this reason, it is possible to easily obtain a parameter for preventing a decoding error from occurring.
An encryption system according to another curved surface of the present invention is an encryption system that generates a ciphertext by encrypting a plaintext with an NTRU cipher, and is based on the parameter generation device described above and an output parameter generated by the parameter generation device. A public key generating means for generating a public key, and an encrypting means for encrypting plaintext based on the public key.

  Plain text encryption is performed using a public key obtained from a parameter created based on the parameter generation apparatus described above. For this reason, the encryption system can generate a ciphertext that does not cause a decryption error.

  A decryption system according to another aspect of the present invention is a decryption system that generates a decrypted text by decrypting a ciphertext with an NTRU cipher, and includes the above-described parameter generation device and an output parameter generated by the parameter generation device. And a secret key generating unit that generates a secret key based on the secret key and a decrypting unit that decrypts the ciphertext based on the secret key.

  The ciphertext is decrypted using the secret key obtained from the parameter created based on the above-described parameter generation device. For this reason, the decryption system can decrypt the ciphertext without causing a decryption error.

  A cryptographic system according to still another curved surface of the present invention is a cryptographic system using NTRU cryptography, which generates and outputs an output parameter that is a parameter set of NTRU cryptography that does not cause a decryption error, and NTRU A key generation device that generates and outputs an encryption key and a decryption key; an encryption device that generates a ciphertext obtained by encrypting a plaintext with an NTRU cipher; and a decryption device that generates a decrypted text obtained by decrypting the ciphertext. The parameter generation device is calculated from a provisional parameter generation unit that generates a provisional parameter set that does not cause a decoding error based on error condition information that determines whether or not a decoding error has occurred, and a provisional parameter set. An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on the lattice strength coefficient The key generation device includes a generation key output unit that generates and outputs the encryption key and the decryption key with the output parameter output from the parameter generation device as an input. The encryption device outputs the encryption key and the decryption key. An encryption unit that encrypts the plaintext and generates the ciphertext using the output parameter and the encryption key output by the key generation device as inputs, and the decryption device outputs the output output by the parameter generation device A decryption unit that decrypts the ciphertext and generates the decrypted text using the parameter and the decryption key output from the key generation apparatus as input is provided.

  The parameter generation device generates an output parameter that is a parameter set of the NTRU encryption that does not cause a decryption error based on the error condition information. The key generation device generates an encryption key and a decryption key by using the generated output parameter as an input. The encryption device and the decryption device perform encryption processing and decryption processing using the encryption key and the decryption key, respectively. For this reason, it is possible to provide an encryption system in which no decryption error occurs.

  The present invention can be realized not only as a parameter generation device, an encryption system, and a decryption system having such characteristic means, but also as a parameter generation method, encryption method, and decryption having characteristic means as steps. It can also be realized as a computerization method or as a program for causing a computer to execute the steps. Needless to say, such a program can be distributed via a recording medium such as a CD-ROM (Compact Disc-Read Only Memory) or a communication network such as the Internet.

  According to the present invention, the parameters of the NTRU cipher that are safe against decryption by a third party and that do not cause a decryption error so that secure and reliable encrypted communication can be performed between the encryption device and the decryption device. A parameter generating device for generating can be provided.

  Also provided are an encryption system, an encryption device, and a decryption device that can perform secure and reliable encrypted communication between the encryption device and the decryption device using parameters generated by these parameter devices or parameter conversion devices. Can do.

  As described above, it is possible to provide a parameter generation device, an encryption system, an encryption device, and a decryption device that could not be achieved by the prior art, and its practical value is great.

  Hereinafter, embodiments of a parameter generation device and a parameter conversion device according to the present invention will be described with reference to the drawings.

  The parameter generation device and parameter conversion device according to the present invention handle NTRU encryption parameters. Since this NTRU cipher is described in detail in Non-Patent Document 2, a detailed description thereof will be omitted here, but will be briefly described below.

(1) NTRU cipher parameters The NTRU cipher has non-negative integer parameters N, p, q, df, dg, d. In Non-Patent Document 2, as examples of NTRU encryption parameters, (N, p, q, df, dg, d) = (107, 3, 64, 15, 12, 5), (N, p, q, df, dg, d) = (167, 3, 128, 61, 20, 18), (N, p, q, df, dg, d) = (503, 3, 256, 216, 72, 55) Two examples are given.

The meaning of these parameters will be described below.
(I) Parameter N
NTRU encryption is a public key cryptosystem that performs encryption and decryption by polynomial operations. The dimension of the polynomial handled in the NTRU encryption is determined by the parameter N.

  The polynomial handled in the NTRU cryptography is an integer coefficient polynomial of (N−1) dimensions or less with respect to the parameter N, for example, a polynomial such as X ^ 4 + X ^ 3 + 1 when N = 5. Here, “X ^ a” means X to the power of a. Also, the public key h, the secret key f, the plaintext m, the random number r, and the ciphertext c used at the time of encryption or decryption are all expressed as polynomials of (N−1) dimensions or less (hereinafter, Public key polynomial h, secret key polynomial f, plaintext polynomial m, random number polynomial r, and ciphertext polynomial c).

The polynomial calculation is performed so that the calculation result is always a polynomial of (N−1) dimensions or less using the relational expression “X ^ N = 1” with respect to the parameter N. For example, when N = 5, the product of the polynomial X ^ 4 + X ^ 2 + 1 and the polynomial X ^ 3 + X is “×” for the product of the polynomial and the polynomial, and “·” for the product of the integer and the polynomial (or the product of the integer and the integer). Then, from the relationship X ^ 5 = 1,
(X ^ 4 + X ^ 2 + 1) × (X ^ 3 + X)
= X ^ 7 + 2, X ^ 5 + 2, X ^ 3 + X
= X ^ 2 × 1 + 2 ・ 1 + 2 ・ X ^ 3 + X
= 2 · X ^ 3 + X ^ 2 + X + 2
In this way, the calculation is always made to be a polynomial of (N-1) dimensions or less.

(Ii) Parameters p and q
The NTRU encryption uses non-negative integer parameters p and q. As described in Non-Patent Document 2, the parameters p and q need to be relatively prime.

(Iii) Parameters df, dg, d
The selection method of the secret key polynomial f handled in the NTRU cryptography, the random polynomial g used together with the secret key polynomial f when generating the public key polynomial, and the random number polynomial r used when encrypting the plaintext is determined by parameters df, dg, d, respectively. It depends on.

  First, the secret key polynomial f is selected such that df coefficients are “1”, (df−1) coefficients are “−1”, and the other coefficients are “0”. . That is, the random number polynomial f is a polynomial of (N−1) dimensions or less, and there are N coefficients from 0 dimension (constant term) to (N−1) dimensions. Of the N coefficients, df coefficients are “1”, (df−1) coefficients are “−1”, and (N−2df + 1) coefficients are 0. A random number polynomial f is selected.

  The random polynomial g is selected such that dg coefficients are “1”, dg coefficients are “−1”, and the other coefficients are “0”. The random number polynomial r is selected such that d coefficients are “1”, d coefficients are “−1”, and other coefficients are “0”.

(2) Decryption Error of NTRU Cipher In the NTRU cipher, when the plaintext polynomial m is encrypted to generate the ciphertext polynomial c, the decrypted text polynomial m ′ obtained by decrypting the ciphertext polynomial c is the plaintext polynomial m. And a different case occurs. In this case, the plaintext polynomial m cannot be obtained correctly at the time of decryption. This is called a decoding error.

  In Non-Patent Document 2, any one of a random polynomial g, a random polynomial r, a plaintext polynomial m, and a polynomial (p · r × g + f × m) obtained as a result of the operation of the secret key polynomial f used when generating the public key polynomial h is disclosed. It is described that a decoding error occurs when the value of the coefficient of the order does not fall between −q / 2 and q / 2. In the above-mentioned three parameters listed in Non-Patent Document 2, as described in Non-Patent Document 5, a decoding error occurs although the probability of occurrence is low (about 10 ^ (-5)).

(Embodiment 1)
A parameter generation device 1 according to Embodiment 1 of the present invention will be described.
<Outline of Parameter Generation Device 1>
First, an outline of the parameter generation device 1 will be described with reference to FIG.

  The parameter generation device 1 includes an NTRU cipher lattice strength coefficient GL of a certain parameter, an NTRU cipher decryption time evaluation formula EF having the lattice strength coefficient GL, a conditional expression ED of a parameter that does not cause a decryption error, and initial security. A determinant IF is given in advance.

  The parameter generation apparatus 1 receives as input the security level information SLI indicating the security level that the NTRU cipher should achieve. The parameter generation device 1 obtains a parameter set PS of the NTRU cipher in advance that achieves the security level indicated by the security level information SLI with respect to the brute force search and the LLL algorithm. This is a device that generates and outputs the lattice strength coefficient GL, the decoding time evaluation formula EF, the conditional formula ED, and the initial safety determination formula IF to the outside.

  The above is the outline of the parameter generation device 1. After describing how to give the lattice strength coefficient GL, the decoding time evaluation formula EF, the conditional formula ED, and the initial safety determination formula IF, the parameter generation device 1 Details will be described.

<Lattice strength coefficient GL, decoding time evaluation formula EF, conditional formula ED>
Here, first, the contents of the lattice strength coefficient GL, the decoding time evaluation formula EF, and the conditional expression ED for parameters that do not cause a decoding error will be described, and how to give them will be described.

(Lattice strength coefficient GL and decoding time evaluation formula EF)
The decryption time evaluation formula EF of the decryption time T using the LLL algorithm in the NTRU cipher is determined by the parameters df, dg, q of the NTRU cipher, and is calculated from the parameters df, dg, q. Categorized by the value of. In Non-Patent Document 3, the lattice strength coefficient GL is obtained from parameters df, dg, q of NTRU encryption.
GL = (4 · pi · e · | f | · | g | / q) ^ (0.5)
It is described that it is derived as follows. Also, in Non-Patent Document 3, if the lattice strength coefficient GL is constant, there are certain constants A and B for NTRU ciphers having such parameters df, dg, and q, and the LLL algorithm is It is described that the decoding time T of the used decoding satisfies the following decoding time evaluation formula EF for the parameter N.

EF: log (T) ≧ A · N + B
Here, log (T) is a natural logarithm of the decoding time T. Also, pi represents the circular ratio, e represents the base of the natural logarithm, | f | represents the norm of the secret key polynomial f, and | g | represents the norm of the random polynomial g. In particular,
| F | = (2 · df−1) ^ (0.5)
| G | = (2 · dg) ^ (0.5)
It is.

  In Non-Patent Document 3, the constants A and B in the above-described decryption time evaluation formula EF are measured by measuring the decryption time T when the value of the parameter N is small, and approximating it using the actual measurement data. It is described that the values of A and B can be derived.

Non-Patent Document 4 describes that if the value of the lattice strength coefficient GL increases, it becomes more difficult to decipher the NTRU cipher using the LLL algorithm. Therefore, the decryption time evaluation of the decryption time T of the decryption using the LLL algorithm for the NTRU cipher having parameters df, dg and q that take the value of the lattice strength coefficient GL1 for a certain lattice strength coefficient GL1. Formula EF1 is
EF1: log (T) ≧ A · N + B (A, B: constant)
Suppose that Then, according to the above discussion, if the value of the lattice strength coefficient GL derived from another parameter df, dg, q is larger than the value of the lattice strength coefficient GL1, the other parameter df, dg, It can be derived that the decryption time T of the NTRU cipher having q satisfies at least the decryption time evaluation formula EF1.

(Conditional expression ED for parameters that do not cause decoding errors)
In Non-Patent Document 2, if all coefficients of the polynomial, p · r × g + f × m, calculated in the decryption process of the NTRU cipher are within the range of −q / 2 to q / 2, the decryption process is correctly performed. It is described that a decoding error does not occur.

(Grating intensity coefficient GL and decoding time evaluation formula EF)
First, the values of parameters df, dg, q are determined. Here, as an example, df = 34, dg = 34, and q = 512. Then, the value of the lattice strength coefficient GL is calculated from the parameters df, dg, q, and the lattice strength coefficient GL is given to the equation storage unit 110 in advance. In the above example, the lattice strength coefficient GL is GL = 2.12.

  Next, as the decryption time evaluation formula EF, the decryption time evaluation formula EF for the decryption time T of the NTRU cipher having parameters df, dg, q taking the values of the lattice strength coefficient GL is as follows. And is given to the expression storage unit 110 in advance.

  That is, the above-described decryption time evaluation formula EF estimates the decryption time T of the NTRU cipher using the LLL algorithm when the value of the lattice strength coefficient GL calculated from the parameters df, dg, and q is 2.12 or more. It is an expression that can be evaluated without any problem.

(I) Derivation of decoding time T when parameter N is small First, measured data of decoding time T when the LLL algorithm is used for the determined parameters df, dg, and q by the method described in Non-Patent Document 3. Is obtained by experiment. Here, the actual measurement data of the decoding time T shown in FIG. 2 is obtained using a computer having a processing capacity of 1000 MIPS, and the unit of the decoding time T is seconds. Note that MIPS (Million Instruction Per Second) is a unit representing the processing capability of a computer, and 1 MIPS represents a processing capability capable of executing one million instructions per second. In this example, it is shown that the decoding time can be actually measured for the values of 70 to 90 as the parameter N.

(Ii) Derivation of decoding time evaluation formula by approximation Next, using the measured data derived by (i), the decoding time evaluation formula EF
EF: log (T) = A · N + B
Constants A and B are obtained. For example, assuming that X = N and Y = log (T), the coefficients A and B of Y = A · X + B are obtained by the least square method.

Here, in the actual measurement data of the decoding time T shown in FIG. 2, the constants A and B are approximately A = 0.093 and B = −3.8.
Basically, the decoding time evaluation formula EF derived from this
EF: log (T) = 0.093N-3.8
In the first embodiment described in detail below, the value of the decryption time T in the decryption time evaluation formula EF is treated as a MIPSyear value. Note that MIPSyear is a unit indicating the processing amount of a computer, and a processing amount that can be processed by a computer having a processing capability of 1 MIPS in one year is 1 MIPSyear.

Therefore, here, the derived decryption time evaluation formula EF is transformed into an expression in the case where the decryption time T represents a MIPSyear value. The decoding time T representing the MIPSyear value is
According to the method described in Non-Patent Document 3, the decoding time T is multiplied by the processing capacity value 1000 MIPS of the computer for which the actual measurement data was obtained, and divided by the number of seconds in one year 31557600 (one year = 365.25 days). .

  That is, by setting T ′ = 1000T / 31557600 and substituting it into the above-described decryption time evaluation formula EF, the following modified decryption time evaluation formula EF can be obtained. The modified decoding time evaluation formula EF is given to the formula storage unit 110.

EF: log (T ′) = 0.093N−14.2
The least square method is a well-known technique. Therefore, detailed description thereof will not be repeated here.

(How to give conditional expression ED for parameters that do not cause decoding errors)
Next, how to give the conditional expression ED will be described.
First, p = 3 and dg> d. The value of p is a typical value of the NTRU encryption parameter.

At this time, conditional expression ED
ED: 6 · d + 2 · df −1 <q / 2
Is given to the expression storage unit 110 in advance. This conditional expression is a conditional expression of a parameter that does not theoretically cause a decoding error.

The reason will be described below.
First, as described above, if all the coefficients of the polynomial p · r × g + f × m are within the range of −q / 2 to q / 2, no decoding error occurs.

At this time, when considering the polynomial r × g, the product of the polynomial is represented by a (k) as expressed in a non-patent document 2, where the k-th order coefficient of the polynomial a is represented by a (k).
(R x g) (k)
= R (0) .g (k) + r (1) .g (k-1) +. . .
+ R (N-1) .g (k- (N-1) (mod N))
It is. The random number polynomial r is a polynomial in which d coefficients are “1”, d coefficients are “−1”, and other coefficients are “0”. The random polynomial g is a polynomial in which dg coefficients are “1”, dg coefficients are “−1”, and other coefficients are “0”.

Therefore, the value of the k-th order coefficient (r × g) (k) of the polynomial r × g is dg> d.
(R x g) (k)
= 1 · g (i1) + 1 · g (i2) +. . . + 1 · g (id)
−1 · g (j1) −1 · g (j2) −. . . −1 · g (jd)
Thus, it is expressed by d terms 1 · g (in) (1 ≦ n ≦ d) and d terms −1 · g (jn) (1 ≦ n ≦ d).

  Therefore, (r × g) (k) is such that g (in) is all 1 (1 ≦ n ≦ d) and g (jn) is all −1 (1 ≦ n ≦ d). The maximum value is taken and the value is at most 2d (the minimum value is at most -2d).

Similarly, the value of the k-th order coefficient of the polynomial f × m is at most 2df−1 (the minimum value is at most −2df + 1).
Now, since p = 3, the value of the largest coefficient of the polynomial p · r × g + f × m is 3 · 2d + 2df−1 at most. If the largest coefficient does not exceed q / 2, all the coefficients of the polynomial p · r × g + f × m are within the range of −q / 2 to q / 2. Does not occur.

Therefore, the following conditional expression ED is derived.
ED: 6 · d + 2 · df −1 <q / 2
If this conditional expression is satisfied, a decoding error does not theoretically occur from the above discussion.

<Initial safety determinant IF>
Although details will be described later, the parameter generation device 1 first uses the first parameter generation unit 102 to set the safety level information SLI in order to select parameters df, dg, and d that are safe for decoding the brute force search. It is necessary to select a parameter N that is a sufficiently large value.

Here, for this purpose, as an example of the initial safety determination formula IF, it is necessary for the decryption by the LLL algorithm in the NTRU cipher in the case of df = 61, dg = 20, q = 128, which is cited in Non-Patent Document 3. The evaluation formula for decoding time is used. That is, the initial safety determinant IF is
IF: log (T) = 0.002N−18.884
Indicated by Then, this initial safety determination formula IF is given to the formula storage unit 110.

  The initial security determinant IF is log (T) = 0.002N−7, which is an evaluation formula of the decryption time necessary for decryption by the LLL algorithm in the NTRU cipher in the case of df = 61, dg = 20, and q = 128. .608 is converted so that T represents MIPSyear.

Next, details of the parameter generation device 1 will be described.
<Configuration of Parameter Generating Device 1>
As illustrated in FIG. 1, the parameter generation device 1 includes an input unit 101, a first parameter generation unit 102, a second parameter generation unit 103, a third parameter generation unit 104, and a safety determination unit 105. A safety increase unit 106, an output unit 107, a first parameter change unit 108, a second parameter change unit 109, and an expression storage unit 110. Each component will be described below.

(1) Input unit 101
The input unit 101 receives the safety level information SLI from the outside, and receives the safety level information SLI from the first parameter generation unit 102, the second parameter generation unit 103, the safety increase unit 106, and the second parameter change unit 109. And output.

  Here, the security level information SLI is information indicating the security level of the encryption to be achieved, for example, information indicating that the security of the encryption is a safety level corresponding to the 1024-bit RSA encryption. . Here, as an example, the security level information SLI is a processing amount of a decryption algorithm. The following description will be made assuming that SLI is (10 ^ 12) MIPSyear.

(2) First parameter generation unit 102
The first parameter generation unit 102 receives the safety level information SLI from the input unit 101, reads the initial safety determination formula IF from the formula storage unit 110, and has a sufficiently large value according to the safety level information SLI. Select encryption parameter N. Then, for the selected parameter N, the first parameter generation unit 102 sets the parameter p to p = 3, sets the values of the other parameters q, df, dg, and d to 0, and sets the parameter set PS = (N, p, q, df, dg, d) are generated and output to the second parameter generation unit 103.

Specifically, the parameter N is selected so that the value of the initial safety determination formula IF is the safety level represented by the safety level information SLI.
For example, the safety level information SLI is (10 ^ 12) MIPSyear, and the initial safety determination formula IF stored in the formula storage unit 110 is IF: log (T) = 0.002N-18.884.
Is the result of substituting safety level information SLI into T IF: log (10 ^ 12) = 0.002N-18.884
N = 233 is derived by calculating.

(3) Second parameter generation unit 103
The second parameter generation unit 103 receives the parameter set PS from the first parameter generation unit 102 or the first parameter change unit 108 and receives the safety level information SLI from the input unit 101. The second parameter generation unit 103 derives a parameter candidate set DS by a method described later based on the parameter N in the parameter set PS. The second parameter generation unit 103 determines whether or not the number of elements of the parameter candidate set DS is insufficient to select the parameters df, dg, and d (for example, whether the number of elements is 3 or more) by a method described later. To do. If it is insufficient, the second parameter generation unit 103 outputs the parameter set PS to the first parameter change unit 108. If sufficient, the second parameter generation unit 103 selects the parameters df, dg, and d from the parameter candidate set DS. The second parameter generation unit 103 newly generates a parameter set PS = (N, p, q, df, dg, d) using these parameters df, dg, d, and a third parameter generation unit 104. Output to.

Hereinafter, a method for deriving the parameter candidate set DS and a method for selecting the parameters df, dg, and d will be described in detail.
(I) Method for Deriving Parameter Candidate Set DS The second parameter generation unit 103 determines whether the safety level information SLI and the parameter N are
(C (N, k) · C (N−k, k)) ^ (0.5) ≧ SLI
A parameter candidate set DS of integer k (1 ≦ k ≦ N) that satisfies is derived. Here, C (a, b) is the number of combinations for selecting b out of a.

  The parameter candidate set DS is derived as follows, for example. That is, the second parameter generation unit 103 selects k in ascending order from k = 1 to k = N / 2, and substitutes it into the left side of the inequality. The second parameter generation unit 103 sets all k satisfying the above inequality as elements of the parameter candidate set DS.

  As described in Non-Patent Document 5, when dg = k (or df = k), the left side of the above inequality indicates the decryption time for cryptanalysis that searches for the secret key of the NTRU cipher with brute force, When d = k, the decryption time for cryptanalysis for searching the plaintext of the NTRU cipher with brute force is shown. That is, here, if the parameters df, dg, and d are selected from the parameter candidate set DS, the security level information SLI input to the input unit 101 is the decryption time for decryption to search for plaintext and secret keys with brute force. A parameter candidate set DS is derived so as to achieve the security level that it represents.

(Ii) Parameter df, dg, d Selection Method The second parameter generation unit 103 arbitrarily selects the parameters df, dg, d from the parameter candidate set DS so that dg> d. Here, the second parameter generation unit 103 selects at random from the parameter candidate set DS so that df>dg> d, and assigns them to df, dg, and d, respectively.

  It should be noted that the parameter candidate set DS is sufficiently large for selecting a parameter df, dg, or d for a sufficiently large N. Actually, if SLI = 10 ^ 12, there is no DS element when N = 10, but DS = {8, 9, 10, 11, 12} (5 to 12) when N = 30. Integer), and when N = 100, DS = {4, 5, 6,. . . , 50} (47 integers from 4 to 50).

(4) Third parameter generation unit 104
The third parameter generation unit 104 receives the parameter set PS from the second parameter generation unit 103, and reads from the expression storage unit 110 a parameter conditional expression ED for preventing a decoding error from occurring. The third parameter generation unit 104 selects, as the parameter q, the minimum q that satisfies the conditional expression ED for the parameters df, dg, and d in the parameter set PS and that the parameter q is a power of 2. . The third parameter generation unit 104 newly generates a parameter set PS = (N, p, q, df, dg, d) for the selected parameter q and outputs it to the safety determination unit 105.

For example, when df = 50, dg = 24, d = 16, the conditional expression ED is ED: 6d + 2df-1 <(q / 2)
When this conditional expression is solved, q> 294. Since the minimum q that satisfies the conditional expression q> 294 and satisfies q = 2 ^ i (i is a natural number) is 512, the parameter q is set to q = 512. The reason why the parameter q is a power of 2 is to select the parameter p (p = 3) and the parameter q so as to be relatively prime. The fact that p and q are relatively prime is a condition for parameters p and q of NTRU encryption as described in Non-Patent Document 2.

(5) Safety determination unit 105
The safety determination unit 105 receives the parameter set PS from the third parameter generation unit 104 or the second parameter change unit 109. The security determination unit 105 derives the lattice strength coefficient SL of the NTRU cipher having parameters N, p, q, df, and dg in the parameter set PS using the parameters df, dg, and q according to the following expression.

SL = (4 · pi · e · | f | · | g | / q) ^ (0.5)
Here, pi represents the circular ratio, e represents the base of the natural logarithm, and | f | = (2df-1) ^ (0.5), | g | = (2dg) ^ (0.5).

  The safety determination unit 105 reads the lattice strength coefficient GL from the equation storage unit 110, and outputs the parameter set PS to the safety increase unit 106 if GL ≦ SL. If GL> SL, the safety determination unit 105 outputs the parameter set PS to the second parameter change unit 109.

(6) Safety increase unit 106
The safety increase unit 106 receives the parameter set PS from the safety determination unit 105, receives the safety level information SLI from the input unit 101, and reads the decoding time evaluation formula EF from the formula storage unit 110. The security increase unit 106 derives the decryption time T of the NTRU cipher from the parameter N in the parameter set PS and the decryption time evaluation formula EF.

For example, N = 400, the decoding time evaluation formula EF is
EF: log (T) = 0.093N-14.2
The decoding time T is approximately 9.7 × 10 9.

The safety increase unit 106 determines whether the derived decryption time T has achieved the safety level represented by the safety level information SLI. T ≧ SLI
Judgment is made based on whether or not the above is satisfied. If T <SLI, the security increase unit 106 increases the parameter N so that the decoding time T satisfies T ≧ SLI, and newly sets the parameter set PS = (N, p, q for the increased parameter N. , Df, dg, d).

For example, the safety increasing unit 106 substitutes the safety level information SLI into T of the decoding time evaluation formula EF. EF: log (SLI) = 0.040N−6.2
And a parameter N is derived to generate a new parameter set PS.

  The safety increase unit 106 determines whether the parameter N is a prime number with respect to the parameter N in the parameter set PS. If the parameter N is not a prime number, the safety increasing unit 106 increases the parameter N so as to be a prime number, and newly adds a parameter set PS = (N, p, q, df) to the increased parameter N. , Dg, d).

  For example, in the case of PS = (450, 3, 512, 50, 24, 16), the parameter N is N = 450 but not a prime number. As the value of N, PS = (451, 3, 512, 50, 24, 16).

  This is done for the purpose of avoiding the fact that the security of the NTRU cipher is lowered when the parameter N is a composite number. In addition, the method of determining whether it is a prime number is described in the nonpatent literature 1, for example, and description here is not repeated.

Finally, the safety increase unit 106 outputs the parameter set PS to the output unit 107.
(7) Output unit 107
The output unit 107 receives the parameter set PS from the safety increase unit 106 and outputs it to the outside.

(8) First parameter changing unit 108
The first parameter change unit 108 receives the parameter set PS from the second parameter generation unit 103 or the second parameter change unit 109, and increases the parameter N in the parameter set PS. Here, as an example, it is assumed that N is increased by 10. Then, for the increased parameter N, a new parameter set PS = (N, p, q, df, dg, d) is generated and output to the second parameter generation unit 103.

(9) Second parameter changing unit 109
The second parameter change unit 109 receives the safety level information SLI from the input unit 101, receives the parameter set PS from the safety determination unit 105, and sets the parameter candidate set DS in the same manner as the second parameter generation unit 103. Generate. The second parameter changing unit 109 compares the parameter dg in the parameter set PS with the maximum value M of the elements of the parameter candidate set DS. If dg <M, the second parameter changing unit 109 changes the parameter dg to a larger value among the elements of the parameter candidate set DS, and newly sets the parameter set PS = ( N, p, q, df, dg, d) are generated and output to the safety judgment unit 105. If dg ≧ M, the second parameter changing unit 109 outputs the parameter set PS to the first parameter changing unit 108.

(10) Expression storage unit 110
As shown in FIG. 3, the expression storage unit 110 stores in advance a lattice strength coefficient GL, a decoding time evaluation expression EF, a parameter conditional expression ED that does not cause a decoding error, and an initial safety determination expression IF. Here, as described above, as the lattice strength coefficient GL,
GL = 2.12
As the decoding time evaluation formula EF: EF: log (T) = 0.93N-14.2
As conditional expression ED,
ED: 6d + 2df-1 <(q / 2)
As an initial safety determinant IF: IF: log (T) = 0.002N−18.884
Is given in advance.

  Here, as described above, when the value of the lattice strength coefficient calculated from the parameters df, dg, q is equal to or greater than the value of the lattice strength coefficient GL, the decoding time evaluation formula EF (in this case, 2.12). (When it is the above), it is an expression that can be evaluated without underestimating the decoding time T of decoding using the LLL algorithm.

  In addition, the conditional expression ED is an expression representing a parameter condition for preventing a decryption error from occurring in the NTRU cipher as described above. First, the initial safety determination formula IF is sufficiently large according to the safety level information SLI in the first parameter generation unit 102 in order to select parameters df, dg, and d that are safe for decoding the brute force search. This is an expression used to select a parameter N which is a value.

<Operation of Parameter Generator 1>
The operation of the parameter generating apparatus 1 described above will be described using the flowcharts shown in FIGS.

  The parameter generation device 1 is given in advance a NTRU cipher lattice strength coefficient GL of a certain parameter, a NTRU cipher decryption time evaluation formula EF having the lattice strength coefficient GL, and a conditional expression ED of a parameter that does not cause a decryption error. When the safety level information SLI is input from the outside, the following processing is performed.

  The input unit 101 receives the safety level information SLI from the outside, and receives the safety level information SLI from the first parameter generation unit 102, the second parameter generation unit 103, the safety increase unit 106, and the second parameter change unit 109. (Step S101).

  The first parameter generation unit 102 receives the safety level information SLI from the input unit 101, reads the initial safety determination formula IF from the formula storage unit 110, and has a sufficiently large value according to the safety level information SLI. The encryption parameter N is selected (step S102).

  The first parameter generation unit 102 sets the parameter p = 3 for the selected parameter N, sets the values of the other parameters q, df, dg, d to 0, and sets the parameter set PS = (N, p, q , Df, dg, d) are generated and output to the second parameter generation unit 103 (step S103).

  The second parameter generation unit 103 receives the parameter set PS from the first parameter generation unit 102 or the first parameter change unit 108, and receives the safety level information SLI from the input unit 101 (step S104).

The second parameter generation unit 103 generates a parameter candidate set DS (step S105).
The second parameter generation unit 103 determines whether or not the number of DS elements is insufficient to select the parameters df, dg, and d (step S106).

  If the number of DS elements is insufficient (Yes in step S106), the second parameter generation unit 103 outputs the parameter set PS to the first parameter change unit 108. (Step S107).

  The first parameter change unit 108 receives the parameter set PS from the second parameter generation unit 103 or the second parameter change unit 109, increases the parameter N in the parameter set PS, and increases the parameter N with respect to the increased parameter N , A new parameter set PS = (N, p, q, df, dg, d) is generated and output to the second parameter generation unit 103. Then, the process proceeds to step S104 (step S108).

  If the number of DS elements is sufficient (No in step S106), the second parameter generation unit 103 selects parameters df, dg, d from the elements of the parameter candidate set DS, and sets the selected parameters df, dg, d to In contrast, a new parameter set PS = (N, p, q, df, dg, d) is generated and output to the third parameter generation unit 104 (step S109).

  The third parameter generation unit 104 receives the parameter set PS from the second parameter generation unit 103, and reads from the expression storage unit 110 the conditional expression ED of a parameter that does not cause a decoding error (step S110).

  The third parameter generation unit 104 selects, as the parameter q, the minimum q that satisfies the conditional expression ED for the parameters df, dg, and d in the parameter set PS and that the parameter q is a power of 2. For the selected parameter q, a new parameter set PS = (N, p, q, df, dg, d) is generated and output to the safety determination unit 105 (step S111).

  The security determination unit 105 receives the parameter set PS from the third parameter generation unit 104 or the second parameter change unit 109, and uses the NTRU cipher with parameters N, p, q, df, and dg in the parameter set PS. A lattice strength coefficient SL is derived (step S112).

The safety determination unit 105 reads the lattice strength coefficient GL from the expression storage unit 110 and determines whether or not GL ≦ SL is satisfied (step S113).
If GL ≦ SL (Yes in step S113), the safety determination unit 105 outputs the parameter set PS to the safety increase unit 106 (step S114).

  The safety increase unit 106 receives the parameter set PS from the safety determination unit 105, receives the safety level information SLI from the input unit 101, and reads the decoding time evaluation formula EF from the formula storage unit 110 (step S115).

The security increasing unit 106 derives the NTRU decryption time T from the parameter N in the parameter set PS and the decryption time evaluation formula EF (step S116).
The security increase unit 106 determines whether or not the derived decoding time T satisfies T <SLI (S117).

  If T <SLI (Yes in step S117), the security increase unit 106 increases the parameter N so that the decoding time T satisfies T ≧ SLI, and newly sets the parameter set PS for the increased parameter N. = (N, p, q, df, dg, d) is generated (step S118).

Whether T ≧ SLI is satisfied (No in step S117), and after the process of step S118, the safety increase unit 106 determines whether the parameter N is a prime number (step S119).
If the parameter N is not a prime number (No in step S119), the safety increasing unit 106 increases the parameter N so that the increased parameter N becomes a prime number, and a new parameter is added to the increased parameter N. A set PS = (N, p, q, df, dg, d) is generated (step S120).

  Whether the parameter N is a prime number (Yes in step S119), or after the process of making the parameter N a prime number (step S120), the safety increasing unit 106 outputs the parameter set PS to the output unit 107 (step S121).

The output unit 107 receives the parameter set PS from the safety increase unit 106, outputs the parameter set PS to the outside, and ends the process (step S122).
If GL> SL (No in step S113), the second parameter changing unit 109 receives the safety level information SLI from the input unit 101, receives the parameter set PS from the safety determining unit 105, and sets the parameter candidate set. A DS is generated (step S123).

The second parameter changing unit 109 compares the parameter dg in the parameter set PS with the maximum value M of the elements of the parameter candidate set DS (step S124).
If dg <M (Yes in step S124), the second parameter changing unit 109 changes the parameter dg to a larger value among the elements of the parameter candidate set DS, and newly sets the changed parameter dg. Parameter set PS = (N, p, q, df, dg, d) is generated, and the parameter set PS is output to the safety determination unit 105 (step S125). Thereafter, the process proceeds to step S112.

  If dg ≧ M (No in step S124), the second parameter changing unit 109 outputs the parameter set PS to the first parameter changing unit 108 (step S126). Thereafter, the process proceeds to step S108.

<Operation verification of parameter generation device 1>
Hereinafter, the overall operation of the parameter generation device 1 according to the first embodiment will be described.
First, the first parameter generation unit 102 selects a parameter N that is a sufficiently large value according to the safety level information SLI (step S102).

  Then, the second parameter generation unit 103 generates a parameter candidate set DS that achieves the security level represented by the security level information SLI for the brute force search for the NTRU cipher (step S105). Further, the second parameter generation unit 103 selects parameters df, dg, and d that achieve the safety level represented by the safety level information SLI from the elements of the parameter candidate set DS (step S109).

  When the number of elements in the parameter candidate set DS is insufficient, the first parameter changing unit 108 increases the parameter N (step S108). As described above, generally, as the parameter N increases, the number of elements in the parameter candidate set DS increases, so the parameters df, dg, and d can always be selected.

  Then, the third parameter generation unit 104 selects the parameter q so as to satisfy the conditional expression ED of the parameter that does not cause a decoding error, whereby the parameter set PS = (N, p, q, df, dg, d). Is determined (step S111).

  Here, when the value of the parameter q is selected so as to satisfy the conditional expression ED, it is compared with the parameter q in the NTRU encryption described in Non-Patent Document 2 and Non-Patent Document 3 having the same parameters df, dg, and d. Generally larger. That is, since the value of the lattice strength coefficient GL is small, the level of security against decryption by the LLL algorithm (compared to the NTRU ciphers described in Non-Patent Document 2 and Non-Patent Document 3 having comparable parameters df, dg, d) ( (Decoding time) may be reduced.

  Therefore, based on the lattice strength coefficient GL stored in advance, the security judgment unit 105 evaluates the decryption time of the NTRU cipher having the generated parameter set PS with the decryption time evaluation formula EF based on the lattice strength coefficient GL. It is determined whether or not it is possible (step S113). If the evaluation is possible, the safety increase unit 106 increases the parameter N so as to achieve the safety level represented by the safety level information SLI (step S118).

  When it is determined that the decryption time of the NTRU cipher cannot be evaluated by the decryption time evaluation formula EF based on the lattice strength coefficient GL, the second parameter changing unit 109 sets the parameter dg to a larger value. (Step S125), the value of the lattice strength coefficient of the NTRU cipher having the parameter is increased so that the evaluation can be performed using the decryption time evaluation formula EF. Even in such a case, when the evaluation cannot be performed using the decoding time evaluation formula EF, the first parameter changing unit 108 increases the parameter N (step S108), and again generates the parameters df, dg, d, and q. (Step S109 and subsequent steps).

  Now, if the parameter N is increased, the parameter candidate set DS generally has large elements. Therefore, when the parameters df, dg, and d are selected again in step S109, only the parameter dg can be increased without changing the values of the parameters df and d. Since the value of the parameter dg is not related to the conditional expression for the occurrence of a decoding error, the value of the lattice strength coefficient GL can be increased and the decoding time evaluation expression EF can be evaluated while ensuring that no decoding error occurs. It becomes possible to do so.

  As described above, the NTRU that achieves the security represented by the input security level information SLI for the decoding by the brute force search and the decoding by the LLL algorithm with no finite number of repetitions and no decoding error occurs. A cryptographic parameter set PS can be generated.

<Effect in Embodiment 1>
In the prior art, conditions for generating NTRU cipher parameters that are safe against decryption by a third party and that do not cause a decryption error are not known, and such NTRU cipher parameters are generated. could not. Therefore, secure and reliable encrypted communication cannot be performed between the encryption device and the decryption device.

  However, as described above, the parameter generation apparatus determines the parameter q so that a decoding error does not theoretically occur, and determines the parameter N so as to achieve the input security level. It is now possible to generate NTRU encryption parameters that are safe and theoretically free from decryption errors.

(Embodiment 2)
The parameter conversion device 2 according to the second embodiment of the present invention will be described focusing on differences from the parameter generation device 1 according to the first embodiment.

<Outline of Parameter Conversion Device 2>
First, the outline of the present embodiment will be described with reference to FIG.
The parameter conversion device 2 is a parameter conversion device configured by modifying the parameter generation device 1 according to the first embodiment. When the parameter conversion device 2 receives the NTRU cipher parameter set IPS, the parameter conversion device 2 achieves the input security level information SLI for the brute force search and the LLL algorithm for the parameter set IPS. In addition, the parameter generation apparatus 1 is different from the parameter generation apparatus 1 in that it is converted into an NTRU cipher parameter set PS in which no decryption error occurs.

  As in the parameter generation device 1 in the first embodiment, the NTRU cipher lattice strength coefficient GL for a certain parameter, the NTRU cipher decryption time evaluation formula EF having the lattice strength coefficient GL, and a parameter that does not cause a decryption error The conditional expression ED is given in advance.

<Configuration of Parameter Conversion Device 2>
As shown in FIG. 6, the parameter conversion apparatus 2 includes an input unit 101b, a second parameter generation unit 103b, a third parameter generation unit 104b, a safety determination unit 105, a safety increase unit 106, An output unit 107, a first parameter change unit 108, a second parameter change unit 109, and an expression storage unit 110 are provided.

  In this parameter conversion device 2, the input unit 101b is different, the first parameter generation unit is not present, the input / output of the second parameter generation unit 103b is different, and the third parameter generation unit 104b. Is different from the parameter generation device 1 according to the first embodiment.

Here, the description will focus on differences from the parameter generation device 1.
(1) Input unit 101b
The input unit 101b receives the security level information SLI and the NTRU cipher parameter set IPS from the outside, and receives the security level information SLI from the second parameter generation unit 103b, the security increase unit 106, and the second parameter change unit 109. Output to. The input unit 101b outputs the parameter set IPS as the parameter set PS to the third parameter generation unit 104b.

(2) Second parameter generation unit 103b
The second parameter generation unit 103b receives the parameter set PS from the first parameter change unit 108, and receives the safety level information SLI from the input unit 101b. Then, the second parameter generation unit 103b generates a parameter candidate set DS in the same manner as the second parameter generation unit 103. Then, the second parameter generation unit 103b, like the second parameter generation unit 103, determines whether or not the number of elements of the parameter candidate set DS is insufficient to select the parameters df, dg, d (for example, the element Whether the number is 3 or more) is determined. If the number is insufficient, the parameter set PS is output to the first parameter changing unit 108. If not sufficient, the second parameter generation unit 103b selects the parameters df, dg, and d from the parameter candidate set DS, and newly sets the parameter set PS = (N, p, q, df, dg, d) are generated and the parameter set PS is output to the third parameter generation unit 104b.

(3) Third parameter generation unit 104b
The third parameter generation unit 104b receives the parameter set PS from the input unit 101b or the second parameter generation unit 103b, and reads the conditional expression ED of the parameter that does not cause a decoding error from the expression storage unit 110. Then, the third parameter generation unit 104b satisfies the conditional expression ED for the parameters df, dg, and d in the parameter set PS, and the parameter q is 2 in the same manner as the third parameter generation unit 104. As a parameter q, the minimum q that satisfies the above is selected. Then, the third parameter generation unit 104b newly generates a parameter set PS = (N, p, q, df, dg, d) for the selected parameter q, and sets the parameter set PS as the safety determination unit 105. Output to.

<Operation of Parameter Conversion Device 2>
The operation of the parameter conversion apparatus 2 described above will be described using the flowcharts shown in FIGS.

  Similarly to the parameter generation device 1 according to the first embodiment, the parameter conversion device 2 includes the NTRU cipher lattice strength coefficient GL of a certain parameter, the NTRU cipher decryption time evaluation formula EF having the lattice strength coefficient GL, and decryption. A conditional expression ED for a parameter that does not cause an error is given in advance. When the security level information SLI and the NTRU cipher parameter set IPS are input from the outside, the parameter conversion device 2 performs the following processing.

  The input unit 101b receives the security level information SLI and the NTRU cipher parameter set IPS from the outside. The input unit 101b outputs the safety level information SLI to the second parameter generation unit 103b, the safety increase unit 106, and the second parameter change unit 109. Also, the input unit 101b outputs the parameter set IPS as the parameter set PS to the third parameter generation unit 104b, and moves the process to step S210 (step S201).

  The second parameter generation unit 103b receives the parameter set PS from the first parameter change unit 108, and receives the safety level information SLI from the input unit 101b (step S204).

The second parameter generation unit 103b generates a parameter candidate set DS (step S205).
The second parameter generation unit 103b determines whether or not the number of elements of the parameter candidate set DS is insufficient to select the parameters df, dg, d (step S206).

  If the number of elements in the parameter candidate set DS is insufficient (Yes in step S206), the second parameter generation unit 103b outputs the parameter set PS to the first parameter change unit 108 (step S207).

  The first parameter changing unit 108 receives the parameter set PS from the second parameter generating unit 103b or the second parameter changing unit 109. The first parameter changing unit 108 increases the parameter N in the parameter set PS, and newly generates a parameter set PS = (N, p, q, df, dg, d) for the increased parameter N. And output to the second parameter generation unit 103b. Then, the process proceeds to step S204 (step S208).

  If the number of elements in the parameter candidate set DS is sufficient (No in step S206), the second parameter generation unit 103b selects parameters df, dg, and d from the elements in the parameter candidate set DS. The second parameter generation unit 103b newly generates a parameter set PS = (N, p, q, df, dg, d) for the selected parameters df, dg, and d, and sends it to the third parameter generation unit 104b. Output (step S209).

  The third parameter generation unit 104b receives the parameter set PS from the input unit 101b, and reads the conditional expression ED of the parameter that does not cause a decoding error from the expression storage unit 110 (step S210).

  The third parameter generation unit 104b selects, as the parameter q, the minimum q that satisfies the conditional expression ED for the parameters df, dg, and d in the parameter set PS and that the parameter q is a power of 2. . The third parameter generation unit 104b newly generates a parameter set PS = (N, p, q, df, dg, d) for the selected parameter q and outputs it to the safety determination unit 105 (step S211). ).

  The security judgment unit 105 receives the parameter set PS from the third parameter generation unit 104b or the second parameter change unit 109, and uses the NTRU cipher with parameters N, p, q, df, dg in the parameter set PS. A lattice strength coefficient SL is derived (step S212).

The safety determination unit 105 reads the lattice strength coefficient GL from the expression storage unit 110 and determines whether or not GL ≦ SL is satisfied (step S213).
If GL ≦ SL (Yes in step S213), the safety determining unit 105 outputs the parameter set PS to the safety increasing unit 106 (step S214).

  The safety increase unit 106 receives the parameter set PS from the safety determination unit 105, receives the safety level information SLI from the input unit 101b, and reads the decoding time evaluation formula EF from the formula storage unit 110 (step S215).

The security increase unit 106 derives the decryption time T of the NTRU cipher from the parameter N in the parameter set PS and the decryption time evaluation formula EF (step S216).
The safety increase unit 106 determines whether or not the derived decryption time T satisfies T <SLI (step S217).

  If T <SLI (Yes in step S217), the security increasing unit 106 increases the parameter N so that the decoding time T satisfies T ≧ SLI, and newly sets the parameter set PS for the increased parameter N. = (N, p, q, df, dg, d) is generated (step S218).

Whether T ≧ SLI is satisfied (No in step S217), and after the process of step S218, the safety increase unit 106 determines whether the parameter N is a prime number (step S219).
If the parameter N is not a prime number (No in step S219), the safety increase unit 106 increases the parameter N so that the increased parameter N becomes a prime number, and a new parameter is added to the increased parameter N. A set PS = (N, p, q, df, dg, d) is generated (step S220).

  Whether the parameter N is a prime number (Yes in step S219), or after the process of making the parameter N a prime number (step S220), the safety increase unit 106 outputs the parameter set PS to the output unit 107 (step S221).

The output unit 107 receives the parameter set PS from the safety increase unit 106, outputs the parameter set PS to the outside, and ends the process (step S222).
If GL> SL (No in step S213), the second parameter changing unit 109 receives the safety level information SLI from the input unit 101b, receives the parameter set PS from the safety determining unit 105, and sets the parameter candidate set. A DS is generated (step S223).

The second parameter changing unit 109 compares the parameter dg in the parameter set PS with the maximum value M of the elements of the parameter candidate set DS (step S224).
If dg <M (Yes in step S224), the second parameter changing unit 109 changes the parameter dg to a larger value among the elements of the parameter candidate set DS, and newly sets the changed parameter dg. Parameter set PS = (N, p, q, df, dg, d) is generated, and the parameter set PS is output to the safety judgment unit 105 (step S225). Thereafter, the process proceeds to step S212.

  If dg ≧ M (No in step S224), the second parameter changing unit 109 outputs the parameter set PS to the first parameter changing unit 108 (step S226). Thereafter, the process proceeds to step S208.

<Operation verification of parameter converter 2>
Hereinafter, the overall operation of the parameter conversion apparatus 2 according to the second embodiment will be described.
First, the input unit 101b outputs the input NTRU cipher parameter set IPS as the parameter set PS to the third parameter generation unit 104b (step S201).

  Then, in the same way as in the first embodiment, the second parameter generation unit 103b determines a parameter candidate set DS that achieves the security level represented by the security level information SLI for the cryptanalysis that searches the NTRU cipher in a brute force manner. Generate (step S205).

  Then, the third parameter generation unit 104b selects the parameter q so as to satisfy the conditional expression ED of the parameter in which no decoding error occurs, whereby the parameter set PS = (N, p, q, df, dg, d). Is determined (step S211).

  Here, as in the first embodiment, if the value of the parameter q is selected so as to satisfy the conditional expression ED, the security level (decoding time) against decoding by the LLL algorithm may be lowered. For this reason, the security judgment unit 105 calculates the decryption time of the NTRU cipher having the generated parameter set PS based on the lattice strength coefficient GL stored in advance by the decryption time evaluation formula EF based on the lattice strength coefficient GL. It is determined whether or not evaluation is possible (step S213). If the evaluation is possible, the safety increasing unit 106 increases the parameter N so as to achieve the safety level represented by the safety level information SLI (step S218).

  If the evaluation cannot be performed, the second parameter changing unit 109 increases the value of the lattice strength coefficient of the NTRU cipher having the parameter by setting the parameter dg to a larger value (step S225). The time evaluation formula EF enables evaluation. If the evaluation cannot be performed even after that, the first parameter changing unit 108 increases the parameter N (step S208), and again generates the parameters df, dg, d, and q (after step S209). ).

  Now, if the parameter N is increased, the parameter candidate set DS generally has large elements. Therefore, when the parameters df, dg, d are selected again (step S209), only the parameter dg can be increased without changing the values of the parameters df, d. Since the value of the parameter dg is not related to the conditional expression for occurrence of a decoding error, the value of the safety strength index GL can be increased and evaluated by the decoding time evaluation expression EF while ensuring that no decoding error occurs. It becomes possible to do so.

  As described above, the security level represented by the input security level information SLI is achieved for the decryption by the brute force search and the decryption by the LLL algorithm for the input NTRU cipher parameter IPS with a finite number of repetitions at most. In addition, it is possible to convert the parameter set PS to the NTRU cipher that does not cause a decryption error.

<Effect in Embodiment 2>
In the prior art, conditions for generating NTRU cipher parameters that are safe against decryption by a third party and that do not cause a decryption error are not known, and such NTRU cipher parameters are generated. could not. Therefore, secure and reliable encrypted communication cannot be performed between the encryption device and the decryption device.

  However, as described above, the parameter conversion apparatus determines the parameter q so that a decryption error does not theoretically occur for the input NTRU encryption parameter, and achieves the input security level. Since the parameter N is determined, the parameter can be converted into the NTRU encryption parameter which is safe and theoretically causes no decryption error.

(Embodiment 3)
An encryption system 3 as Embodiment 3 according to the present invention will be described.
<Configuration of encryption system 3>
As shown in FIG. 11, the encryption system 3 includes an encryption device 31, a decryption device 32, and a communication channel 33, and is generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment. This is a system for performing encrypted communication using parameters of NTRU encryption that is safe against decryption by a third party and does not cause a decryption error.

<Configuration of Encryption Device 31>
The encryption device 31 is a device that encrypts the plaintext polynomial m and generates a ciphertext polynomial c, and includes a parameter storage unit 311, a public key storage unit 312, and an encryption unit 313 as shown in FIG.

(1) Parameter storage unit 311
The parameter storage unit 311 is a parameter N, a parameter p, a parameter q, a parameter df, a parameter dg, which are parameters of the NTRU cipher generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment. , Parameter d is stored in advance.

(2) Public key storage unit 312
The public key storage unit 312 acquires and stores the public key polynomial h of the decryption device 32 in advance.
This public key polynomial h is a polynomial expressed with respect to the parameter N by a polynomial of (N-1) dimensions or less.

(3) Encryption unit 313
The encryption unit 313 receives the parameter N, the parameter p, the parameter q, and the parameter d from the parameter storage unit 311, receives the public key polynomial h from the public key storage unit 312, and (N− 1) Receive a plaintext polynomial m expressed by a polynomial of a dimension or less.

  The encryption unit 313 uses the parameter N and the parameter d so that the d coefficients are “1”, the d coefficients are “−1”, and the other coefficients are “0”. Then, the (N-1) -dimensional random number polynomial r is selected at random.

  The encryption unit 313 performs NTRU encryption processing on the plaintext polynomial m using the random number polynomial r, the public key polynomial h, the parameter N, the parameter p, and the parameter q, and calculates the ciphertext polynomial c.

  Since the details of the method of calculating the ciphertext polynomial c are described in Non-Patent Document 2, description thereof is omitted here. The encryption unit 313 transmits the generated ciphertext polynomial c to the decryption device 32 via the communication path 33.

<Configuration of Decoding Device 32>
The decryption device 32 is a device that decrypts the ciphertext polynomial c and calculates the decrypted text polynomial m ′. As shown in FIG. 13, the parameter storage unit 321, the key generation unit 322, the secret key storage unit 323, the decryption Part 324.

(1) Parameter storage unit 321
The parameter storage unit 321 stores the same NTRU encryption parameters as the NTRU encryption parameters stored in the parameter storage unit 311 of the encryption device 31.

  That is, the parameter storage unit 321 stores in advance the same parameters N, parameters p, parameters q, parameters df, parameters dg, and parameters d as those stored by the parameter storage unit 311.

(2) Key generation unit 322
The key generation unit 322 receives the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg from the parameter storage unit 321, and uses the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg to (N−1). ) A secret key polynomial f and a public key polynomial h expressed by a polynomial of dimension or less are generated. Since the method for generating the secret key polynomial f and the public key polynomial h is described in Non-Patent Document 2, description thereof is omitted here.

  Then, the key generation unit 322 makes the encryption device 31 obtainable by making the public key polynomial h public. The key generation unit 322 stores the secret key polynomial f in the secret key storage unit 323.

(3) Secret key storage unit 323
The secret key storage unit 323 stores the secret key polynomial f of the decryption device 32 in advance.
The secret key polynomial f is a polynomial expressed with respect to the parameter N by a polynomial of (N-1) dimensions or less.

(4) Decoding unit 324
The decryption unit 324 receives the parameter N, the parameter p, and the parameter q from the parameter storage unit 321, receives the secret key polynomial f from the secret key storage unit 323, and transmits the ciphertext polynomial from the encryption device 31 via the communication path 33. c is received.

  The decryption unit 324 performs NTRU decryption processing on the ciphertext polynomial c using the secret key polynomial f, the parameter N, the parameter p, and the parameter q, and calculates the decrypted text polynomial m ′. Details of the decryption process of the NTRU cipher are described in Non-Patent Document 2, and thus the description thereof is omitted here.

The decryption unit 324 outputs the generated decrypted text polynomial m ′ to the outside.
<Operation of cryptographic system 3>
The operation of the cryptographic system 3 described above will be described. FIG. 14 is a flowchart showing the operation of the cryptographic system 3.

  The encryption system 3 encrypts at least the parameter N, the parameter p, the parameter q, and the parameter d among the NTRU encryption parameters generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment. It is stored in the parameter storage unit 311 of the device 31, and at least the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg are stored in the parameter storage unit 321 of the decoding device 32 (step S301).

  The key generation unit 322 of the decryption device 32 receives the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg from the parameter storage unit 321. The key generation unit 322 generates the secret key polynomial f and the public key polynomial h, and makes the cryptographic device 31 obtainable by making the public key polynomial h public. The key generation unit 322 stores the secret key polynomial f in the secret key storage unit 323 (step S302).

The public key storage unit 312 of the encryption device 31 acquires and stores the public key polynomial h of the decryption device 32 (step S303).
The encryption unit 313 of the encryption device 31 receives the parameter N, the parameter p, the parameter q, and the parameter d from the parameter storage unit 311, receives the public key polynomial h from the public key storage unit 312, and externally outputs the parameter N to the parameter N , (N−1) plaintext polynomial m expressed by a polynomial of dimension or less is received (step S304).

  The encryption unit 313 of the encryption device 31 uses the parameter N and the parameter d, the d coefficients are “1”, the d coefficients are “−1”, and the other coefficients are “0”. The (N-1) -dimensional random number polynomial r is selected at random so that The encryption unit 313 performs an NTRU encryption process on the plaintext polynomial m using the random number polynomial r, the public key polynomial h, the parameter N, the parameter p, and the parameter q, and calculates the ciphertext polynomial c ( Step S305).

The encryption unit 313 of the encryption device 31 transmits the ciphertext polynomial c to the decryption device 32 via the communication path 33 (step S306).
The decryption unit 324 of the decryption device 32 receives the parameter N, the parameter p, and the parameter q from the parameter storage unit 321, receives the secret key polynomial f from the secret key storage unit 323, and receives the secret key polynomial f through the communication path 33. The ciphertext polynomial c is received from (step S307).

  The decryption unit 324 of the decryption device 32 decrypts the NTRU cipher using the secret key polynomial f, the parameter N, the parameter p, and the parameter q for the ciphertext polynomial c, and calculates the decrypted text polynomial m ′. (Step S308).

  The decryption unit 324 of the decryption device 32 outputs the decrypted text polynomial m ′ to the outside and ends the processing (step S309).

<Operation verification of cryptographic system 3>
First, the decryption device 32 generates the secret key polynomial f and the public key polynomial h using the NTRU encryption parameters generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment. (Step S302).

  Then, the encryption device 31 encrypts the plaintext polynomial m using the NTRU encryption parameters generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment (step S305). .

  As described above, the secret key polynomial f and the public key polynomial h are generated and encrypted using the parameters generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment. For this reason, it can be said that the encrypted communication according to the present embodiment is safe against decryption by a third party and does not cause a decryption error.

<Effect in Embodiment 3>
In the prior art, conditions for generating NTRU cipher parameters that are safe against decryption by a third party and that do not cause a decryption error are not known, and such NTRU cipher parameters are generated. could not. Therefore, secure and reliable encrypted communication cannot be performed between the encryption device and the decryption device.

  However, as described above, this cryptographic system uses the parameters generated by the parameter generation device 1 in the first embodiment or the parameter conversion device 2 in the second embodiment to generate the secret key polynomial f and the public key polynomial h. Since it is generated and encrypted, secure and reliable encrypted communication can be performed between the encryption device and the decryption device.

(Embodiment 4)
A cryptographic system 4 according to Embodiment 4 of the present invention will be described.
<Configuration of encryption system 4>
The encryption system 4 includes an encryption device 41, a decryption device 42, and communication paths 33 and 43 as shown in FIG.

<Configuration of Encryption Device 41>
The encryption device 41 is a device that encrypts the plaintext polynomial m and generates a ciphertext polynomial c, and includes a parameter generation device 1, an encryption unit 313, and a public key storage unit 411 as shown in FIG.

(1) Parameter generation device 1 and encryption unit 313
The parameter generation device 1 has the same configuration as the parameter generation device 1 described in the first embodiment, and the encryption unit 313 has the same configuration as the encryption unit 313 described in the third embodiment. Therefore, detailed description thereof will not be repeated here.

(2) Public key storage unit 411
The public key storage unit 411 is a storage unit that receives and stores the public key polynomial h of the decryption device 42.

<Configuration of communication path 43>
The communication channel 43 is a secure communication channel used for transmitting and receiving the parameter set PS between the encryption device 41 and the decryption device 42.

<Configuration of Decoding Device 42>
The decryption device 42 is a device that decrypts the ciphertext polynomial c and calculates the decrypted text polynomial m ′. As shown in FIG. 17, the parameter reception unit 421, the key generation unit 422, the secret key storage unit 323, and the decryption Part 324 is provided.

(1) Parameter receiving unit 421
The parameter receiving unit 421 is a processing unit that receives the NTRU encryption parameter generated by the parameter generating device 1 of the encryption device 41 via the communication path 43.

(2) Key generation unit 422
The key generation unit 422 is a processing unit that transmits the generated public key polynomial h to the encryption device 41 via the communication path 33 in addition to the configuration of the key generation unit 322 described in the third embodiment.

(3) Secret key storage unit 323 and decryption unit 324
The secret key storage unit 323 and the decryption unit 324 have the same configuration as in the first embodiment. Therefore, detailed description thereof will not be repeated here.

<Operation of cryptographic system 4>
The operation of the cryptographic system 4 described above will be described. FIG. 18 is a flowchart showing the operation of the cryptographic system 4.

  The parameter generation device 1 of the encryption device 41 generates NTRU encryption parameters (parameter N, parameter p, parameter q, parameter d, parameter df, and parameter dg) (step S401).

  The parameter receiving unit 421 of the decoding device 42 receives the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg from the parameter generating device 1 (step S402).

  The key generation unit 422 acquires the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg from the parameter reception unit 421, and generates a secret key polynomial f and a public key polynomial h. The key generation unit 422 transmits the public key polynomial h to the public key storage unit 411 of the encryption device 41. The key generation unit 422 stores the secret key polynomial f in the secret key storage unit 323 (step S403).

The public key storage unit 411 of the encryption device 41 acquires and stores the public key polynomial h of the decryption device 32 (step S404).
The encryption unit 313 of the encryption device 41 receives the parameter N, the parameter p, the parameter q, and the parameter d from the parameter generation device 1, receives the public key polynomial h from the public key storage unit 411, and receives the parameter N from the outside. , A plaintext polynomial m represented by a polynomial of (N-1) dimensions or less is received (step S405).

  The encryption unit 313 of the encryption device 41 uses the parameter N and the parameter d, the d coefficients are “1”, the d coefficients are “−1”, and the other coefficients are “0”. The (N-1) -dimensional random number polynomial r is randomly selected so that the random number polynomial r, the public key polynomial h, the parameter N, the parameter p, and the parameter q are used for the plaintext polynomial m. The ciphertext polynomial c is calculated (step S406).

The encryption unit 313 of the encryption device 41 transmits the ciphertext polynomial c to the decryption device 42 via the communication path 33 (step S407).
The decryption unit 324 of the decryption device 42 receives the parameter N, the parameter p, and the parameter q from the parameter reception unit 421, receives the secret key polynomial f from the secret key storage unit 323, and receives the secret key polynomial f through the communication path 33. The ciphertext polynomial c is received from (step S408).

  The decryption unit 324 of the decryption device 42 decrypts the NTRU cipher using the secret key polynomial f, the parameter N, the parameter p, and the parameter q with respect to the ciphertext polynomial c, and calculates the decrypted text polynomial m ′. (Step S409).

The decryption unit 324 of the decryption device 42 outputs the decrypted text polynomial m ′ to the outside and ends the processing (step S410).
According to the present embodiment, unlike the cryptographic system 3 according to the third embodiment, the parameter generation device 1 of the cryptographic device 41 is activated instead of storing parameters created in advance in the parameter storage units 311 and 421. The plaintext polynomial m is encrypted and the ciphertext polynomial c is decrypted using the generated parameters. For this reason, it is possible to periodically change the parameters, and it is possible to improve the security of encrypted communication.

<Modification>
The embodiment described above is an example of the implementation of the present invention, and the present invention is not limited to this embodiment, and can be implemented in various modes without departing from the scope of the present invention. is there. The following cases are also included in the present invention.

  (1) The lattice strength coefficient GL and the decoding time evaluation formula EF stored in the expression storage unit 110 are stored as a plurality of sets as shown in FIG. 10, and the safety determination unit 105 satisfies the lattice strength coefficient GL satisfying GL ≦ SL. And the decoding time evaluation formula EF may be read.

Further, the lattice strength coefficient GL and the decoding time evaluation formula EF stored in the formula storage unit 110 may be changed later.
(2) The method of selecting the parameter N in the first parameter generation unit 102 is not limited to this method, and any method may be used as long as N is sufficiently large. For example, the parameter N may be selected from N = F (SLI) for a monotonically increasing function F such as F (x) = 10 · log (x). For example, the parameter N may be a fixed value.

  (3) The selection method of the parameters df, dg, d in the second parameter generation unit 103 is not limited to this method, and the security level of the secret key and the security level of the plaintext for the brute force search Can achieve any of the safety levels represented by the safety level information SLI, and any method can be selected so that dg> d.

  (4) The parameters q, df, dg, and d in the parameter set PS are selected by the second parameter generator 103 using the method described above, and the third parameter generator 104 is selected. Is generated by applying the values of the parameters df, dg, d to the conditional expression ED and determining the value of the parameter q, the parameter q is given in advance from the outside, and the conditional expression ED and the parameter q It may be generated by selecting the parameters df, dg, and d so that dg> d based on the relational expression derived from the values.

Specifically, for example, when q = 256 is given in advance as the parameter q from the outside, from the conditional expression ED and the value of the parameter q,
6d + 2df-1 <128
The parameters df, dg, and d may be selected so that the relational expression is satisfied and dg> d, and the parameters q, df, dg, and d in the parameter set PS may be generated.

  In this case, with the parameters df, dg, d, there is a possibility that the security level represented by the security level information SLI is not achieved with respect to the decryption searched for brute force. . Therefore, as described above, the security increasing unit 106 increases the parameter N so that the decoding time T according to the LLL algorithm achieves the safety level information SLI, and then the configuration of the second parameter generating unit 103 is described. The parameter N may be increased so that the decryption time for cryptanalysis that searches the secret key or plaintext in a brute force manner achieves the security level represented by the security level information SLI.

  Also, after the parameter N is increased so that the decryption time for cryptanalysis that searches for the secret key and plaintext with brute force reaches the security level represented by the security level information SLI, the decryption time T by the LLL algorithm is secure. The parameter N may be increased to achieve the sex level information SLI.

  (5) The method for selecting the parameter q in the third parameter generation unit 104 is not limited to this method, and any method can be used as long as it satisfies the conditional expression ED and is selected so as to be relatively prime with the parameter p. Good.

  (6) The parameter p generated by the first parameter generation unit 102 and the parameter p in the parameter set IPS, PS handled by the parameter conversion device 2 are not limited to p = 3, and may be other.

For example, when p = k is set for a certain non-negative integer k, the conditional expression ED stored in the expression storage unit 110 is expressed as ED: 2 · k · d + 2df-1 <q / 2.
Then, the same effect can be obtained.

(7) With respect to the modification (6), p = b may be set for a certain polynomial b. For example, when p = (X + 2), the conditional expression ED stored in the expression storage unit 110 is ED: 6d + 2df-1 <q / 2
Then, the same effect can be obtained.

This is because, as described above, if all the coefficients of the polynomial p × r × g + f × m are within the range of −q / 2 to q / 2, no decoding error occurs.
At this time, considering the polynomial r × g, the maximum value of the coefficient is at most 2d (the minimum value is also −2d at most).

Now, since p = (X + 2), the k-th order coefficient of the polynomial a is represented by a (k).
p (0) = 2, p (1) = 1, p (i) = 0 (i> 1)
So
(P × (r × g)) (k)
= P (0). (R * g) (k) + p (1). (R * g) (k-1) +
. . . + P (N-1). (R * g) (k- (N-1) (mod N))
= (R * g) (k) + 2 * (r * g) (k-1)
It is.

  Therefore, considering the polynomial p × r × g, the maximum value of the coefficient is 3 · 2d. On the other hand, the value of the coefficient of the polynomial f × m is at most 2df−1 (the minimum value is also −2df + 1 at most).

Accordingly, it can be derived that the value of the largest coefficient of the polynomial p × r × g + f × m is 3 · 2d + 2df−1 at most, as described in the above embodiment. As a conditional expression ED that does not cause a decoding error theoretically,
ED: 6d + 2df-1 <q / 2
Can guide you.

  Of course, the polynomial b is not limited to b = (X + 2). In that case, if the above-described processing is performed, the conditional expression ED can be derived, and the same effect can be obtained.

  (8) In the parameter conversion device 2, in addition to inputting the parameter set IPS from the outside, the input unit 101b holds a list of parameter sets IPS that achieve the safety level represented by the safety level information SLI. Also good. In this case, only the safety level information SLI is input from the outside to the input unit 101b. That is, the input unit 101b holds a list of parameter sets IPS as shown in FIG. 9, and when safety level information SLI is input from the outside, the parameter set IPS associated with this SLI is changed to the parameter set PS. May be output to the third parameter generation unit 105.

  (9) Non-Patent Document 4 describes that there is a possibility that the decoding time of the LLL algorithm may be reduced by decoding using Zero-Run Lattice, but the decoding time evaluation expression EF is this Zero-Run. It is good also as the decoding time of the LLL algorithm in consideration of decoding using Lattice.

  (10) In the cryptographic system 3, the secret key polynomial f and the public key polynomial h need not be generated by the key generation unit 322 of the decryption device 32. For example, the secret key polynomial f and the public key polynomial h may be generated outside the decryption device 32 such as a key management server and input to the secret key storage unit 323 and the public key storage unit 312 respectively.

  (11) The encryption system 3 further includes the parameter generation device 1 or the parameter conversion device 2 so that the NTRU encryption parameters output from the parameter generation device 1 or the parameter conversion device 2 are input to the parameter storage units 311 and 321. It may be.

  (12) The encryption device 31 of the encryption system 3 may further include the parameter generation device 1 or the parameter conversion device 2. In this case, the encryption device 31 generates an NTRU encryption parameter, and the generated NTRU encryption parameter is input to the parameter storage unit 311 and transmitted to the decryption device 32 via the communication path 33. The decryption device 32 receives the NTRU encryption parameters and stores them in the parameter storage unit 321.

  (13) NTRU encryption parameters stored in the parameter storage unit 311 may be any one of parameters N, p, q, df, dg, and d, including at least parameter N, parameter p, parameter q, and parameter d. It may be anything. The NTRU encryption parameters stored in the parameter storage unit 321 may be any as long as at least the parameter N, the parameter p, the parameter q, the parameter df, and the parameter dg are included. For example, p = 2 may be sufficient. In that case, the coefficients of all polynomials are assumed to be 1 or 0. By doing so, operations between polynomials can be performed at high speed, and thereby parameter generation processing, parameter conversion processing, encryption processing, and decryption processing can be performed at high speed.

(14) In the encryption device 41 of the encryption system 4 shown in the fourth embodiment, the parameter conversion device 2 may be used instead of the parameter generation device 1.
(15) In the cryptographic device 41 of the cryptographic system 4 shown in the fourth embodiment, a parameter receiving device that receives parameters similar to those generated by the parameter generating device 1 is provided instead of the parameter generating device 1. May be.

  (16) The present invention may be the method described above. Further, the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal composed of the computer program.

  The present invention also relates to a computer-readable recording medium such as a semiconductor memory, a hard disk drive, a CD-ROM, a DVD-ROM (Digital Versatile Disc-ROM), a DVD-RAM, etc. It may be recorded.

  (17) You may combine the said embodiment and the said modification, respectively.

  The present invention can be applied to encryption processing and decryption processing, and in particular, can be applied to electronic signatures, electronic authentication technology, encrypted communication, and the like.

It is a figure which shows the structure of the parameter production | generation apparatus 1 in Embodiment 1 of this invention. It is a figure which shows the actual measurement data of the decoding time T in the parameter N. It is a figure for demonstrating the formula and data which are stored in the formula storage part 110 in Embodiment 1 of this invention. It is a flowchart which shows the first half part of the process of the parameter generation apparatus 1 in Embodiment 1 of this invention. It is a flowchart which shows the second half part of the process of the parameter generation apparatus 1 in Embodiment 1 of this invention. It is a figure which shows the structure of the parameter converter 2 in Embodiment 2 of this invention. It is a flowchart which shows the first half of the process of the parameter converter 2 in Embodiment 2 of this invention. It is a flowchart which shows the latter half part of the process of the process of the parameter converter 2 in Embodiment 2 of this invention. It is a figure which shows the security level information and the parameter set of the NTRU encryption which achieves the security level. It is a figure for demonstrating the formula and data which are stored in the formula storage part 110 in the modification (1) of this invention. It is a figure which shows the structure of the encryption system 3 in Embodiment 3 of this invention. It is a figure which shows the structure of the encryption apparatus 31 in Embodiment 3 of this invention. It is a figure which shows the structure of the decoding apparatus 32 in Embodiment 3 of this invention. It is a flowchart which shows operation | movement of the encryption system 3 in Embodiment 3 of this invention. It is a figure which shows the structure of the encryption system 4 in Embodiment 4 of this invention. It is a figure which shows the structure of the encryption apparatus 41 in Embodiment 4 of this invention. It is a figure which shows the structure of the decoding apparatus 42 in Embodiment 4 of this invention. It is a flowchart which shows operation | movement of the encryption system 4 in Embodiment 4 of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Parameter generation apparatus 2 Parameter conversion apparatus 3, 4 Cryptographic system 31, 41 Encryption apparatus 32, 42 Decoding apparatus 33, 43 Communication path 101, 101b Input part 102 1st parameter generation part 103, 103b 2nd parameter generation part 104 104b Third parameter generation unit 105 Safety determination unit 106 Safety increase unit 107 Output unit 108 First parameter change unit 109 Second parameter change unit 110 Expression storage unit 311, 321 Parameter storage unit 312, 411 Public key Storage unit 313 Encryption unit 322, 422 Key generation unit 323 Private key storage unit 324 Decryption unit 421 Parameter reception unit

Claims (34)

A parameter generation device that generates an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error,
An error non-occurrence output parameter generation unit that generates an output parameter that does not cause a decoding error, based on error condition information that determines whether or not a decoding error has occurred in advance,
The error non-occurrence output parameter generation unit,
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
Based on said grating strength factor calculated from the temporary parameter set, the features and to Rupa parameter generating apparatus further comprising an output parameter generation unit for generating the output parameter from the temporary parameter set. The temporary parameter generation unit generates a temporary parameter set that does not cause a decryption error based on an input parameter that is a parameter set of NTRU encryption input from the outside and error condition information that is determined in advance to determine whether or not a decryption error has occurred. The parameter generation device according to claim 1 , wherein: The output parameter generation unit generates the output parameter from the temporary parameter set based on security determination information based on the lattice strength coefficient and security level information indicating security against decryption by a third party. parameter generating apparatus according to claim 1 or 2, characterized in. The parameter generation apparatus according to claim 3 , wherein the output parameter generation unit includes a safety determination information holding unit that holds the safety determination information, and the safety determination information is given from outside. The temporary parameter set and the output parameter include a dimension N in the NTRU cipher, a non-negative integer p, a non-negative integer q, a non-negative integer df that defines the number of coefficients whose coefficient value in the secret key polynomial f is 1, and a public key polynomial. A non-negative integer dg that defines the number of coefficients for which the coefficient value of the random polynomial g used for generation is 1 and the number of coefficients for which the coefficient value of the random polynomial r used for encryption of plaintext is 1 are specified. The parameter generation device according to claim 4 , wherein the parameter generation device includes a set of non-negative integers d. The output parameter generation unit further includes safety decision information selection means for selecting one of the safety decision information stored in the safety decision information holding means based on the lattice strength coefficient. The parameter generation device according to claim 5 . The temporary parameter generation unit generates the non-negative integer df, the non-negative integer dg, and the non-negative integer d included in the temporary parameter set based on the safety level information and the dimension N. The parameter generation device according to 5 or 6 . The temporary parameter generating unit, a parameter generating device according to any one of claims 5 to 7, characterized in that to generate the non-negative integer q included in the formal parameter sets based on the error condition information. Said output parameter generating unit, a parameter generating device according to 8 claim 5, characterized in that to generate the dimension N included in the output parameter set based on the safety determination information and the security level information . It said error condition information, parameter generating apparatus according to any one of claims 1 to 9, characterized in that a conditional expression representing the condition for decoding error does not occur. The error condition information includes a conditional expression 2 · p · d + 2 df −1 <q representing a condition for preventing a decoding error from occurring with respect to the non-negative integer p, the non-negative integer q, the non-negative integer d, and the non-negative integer df. / 2
Parameter generating device according to any one of claims 5 to 10, characterized in that it. The output parameter generation unit includes lattice strength coefficient storage means for storing a set of one or more lattice strength coefficients and safety determination information,
The parameter generation apparatus according to claim 3 , wherein the lattice strength coefficient and the safety determination information are given from outside. The parameter according to claim 12 , wherein the output parameter generation unit further includes safety determination information selection means for selecting the safety determination information from the safety determination information based on the lattice strength coefficient. Generator. The output parameter generation unit
Based on the lattice strength coefficient and the safety determination information, change determination means for determining whether to change the temporary parameter set;
Temporary parameter set changing means for generating a changed temporary parameter set from the temporary parameter set when the change determining means determines to change the temporary parameter set;
The parameter generation device according to claim 12 , further comprising: generation means for generating the output parameter from the changed temporary parameter set based on the safety level information. The temporary parameter set changing means is a non-negative integer df that defines the number N of coefficients in the dimension N, non-negative integer p, non-negative integer q, and secret key polynomial f in the NTRU cipher included in the temporary parameter set. , claim and generates the modified temporary parameter set by changing the non-negative integer dg which the value of the coefficient of the random polynomial g defines the number of coefficients to be 1 used when generating the public key polynomial 14 The parameter generation device described in 1. The NTRU cipher is
A selection step of selecting ideals p and q of the ring R for a ring R that is a set of N-dimensional arrays in which addition, subtraction, and multiplication are defined;
Generating the elements f and g of the ring R, generating an element Fq that is the reciprocal of f (mod q), and an element Fp that is the reciprocal of f (mod p);
A public key generation step of generating, as a public key, the element g and an element h that is congruent with the product of the element Fq and mod q;
A secret key generation step of generating information that can obtain the element f and the element Fp (the information depends on both f and Fp) as a secret key;
Using the public key and the element i randomly selected from the ring R to encrypt the plaintext to generate the ciphertext; and
And a decrypting step of decrypting the ciphertext using the secret key to generate the decrypted text, wherein the plaintext is encrypted and the ciphertext is decrypted. The parameter generation device according to any one of claims 1 to 15 . An encryption system that generates plaintext by encrypting plaintext with NTRU encryption,
The parameter generation device according to any one of claims 1 to 16 ,
Public key generation means for generating a public key based on the output parameter generated by the parameter generation device;
An encryption system comprising: encryption means for encrypting plaintext based on the public key. A decryption system for decrypting a ciphertext with an NTRU cipher to generate a decrypted text,
The parameter generation device according to any one of claims 1 to 16 ,
A secret key generating means for generating a secret key based on the output parameter generated by the parameter generating device;
A decrypting system comprising decrypting means for decrypting a ciphertext based on the secret key. An encryption system using NTRU encryption,
A parameter generation device that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error;
A key generation device that generates and outputs an NTRU encryption key and decryption key;
An encryption device that generates ciphertext obtained by encrypting plaintext with NTRU encryption;
A decryption device that generates a decrypted text obtained by decrypting the ciphertext,
The parameter generation device includes:
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
The key generation device includes:
A generation key output unit configured to generate and output the encryption key and the decryption key with the output parameter output from the parameter generation device as an input;
The encryption device is:
An encryption unit that generates the ciphertext by encrypting the plaintext with the output parameter output by the parameter generation device and the encryption key output by the key generation device as inputs;
The decoding device
A decryption unit configured to decrypt the ciphertext and generate the decrypted text by using the output parameter output from the parameter generation device and the decryption key output from the key generation device as inputs; system. An encryption system using NTRU encryption,
A parameter generation device that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error;
A key generation device that generates and outputs an NTRU encryption key;
An encryption device that generates ciphertext obtained by encrypting plaintext with NTRU cipher,
The parameter generation device includes:
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
The key generation device includes:
A generation key output unit configured to generate and output the encryption key with the output parameter output from the parameter generation device as an input;
The encryption device is:
An encryption system comprising: an encryption unit that encrypts the plaintext and generates the ciphertext by using the output parameter output from the parameter generation device and the encryption key output from the key generation device as inputs. . An encryption device that generates plaintext by encrypting plaintext with NTRU encryption,
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
An output parameter generation unit that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
A parameter transmitter for transmitting the output parameter to a decoding device;
An encryption key receiving unit for receiving an NTRU encryption key generated based on the output parameter from the decryption device;
An encryption apparatus comprising: a ciphertext generation unit that generates the ciphertext by encrypting the plaintext based on the output parameter and the encryption key. An encryption system including a parameter generation device, a key generation device, and an encryption device is an encryption method for generating a ciphertext obtained by encrypting plaintext with NTRU encryption,
A temporary parameter generation unit provided in the parameter generation device generates a temporary parameter set in which a decoding error does not occur, based on error condition information for determining whether or not a decoding error has occurred in advance;
The output parameter generation unit that is provided in the parameter generation device generates an output parameter that is a parameter set of NTRU encryption that does not cause a decryption error from the temporary parameter set, based on a lattice strength coefficient calculated from the temporary parameter set. And output step,
A generation key output unit included in the key generation device generates an NTRU encryption key based on the output parameter;
An encryption method, comprising: an encryption unit included in the encryption device generating a ciphertext by encrypting the plaintext based on the output parameter and the encryption key. Configuring the computer with an encryption system using NTRU encryption;
A parameter generation device that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error;
A key generation device that generates and outputs an NTRU encryption key;
A program for functioning as an encryption device that generates ciphertext obtained by encrypting plaintext with NTRU ciphertext,
The parameter generation device includes the computer.
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
Based on the lattice strength coefficient calculated from the temporary parameter set, function as an output parameter generation unit that generates and outputs the output parameter from the temporary parameter set,
The key generation device includes the computer.
Function as a generation key output unit that generates and outputs the encryption key with the output parameter output from the parameter generation device as an input;
The encryption device includes the computer.
A program for functioning as an encryption unit that encrypts the plaintext and generates the ciphertext by using the output parameter output from the parameter generation device and the encryption key output from the key generation device as inputs. A decryption system using NTRU encryption,
A parameter generation device that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error;
A key generation device that generates and outputs a decryption key for NTRU encryption;
A decryption system including a decryption device that generates a decrypted text obtained by decrypting a ciphertext using the NTRU cipher,
The parameter generation device includes:
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
The key generation device includes:
A generation key output unit that generates and outputs the decryption key with the output parameter output from the parameter generation device as an input;
The decoding device
A decryption unit configured to decrypt the ciphertext and generate the decrypted text by using the output parameter output from the parameter generation device and the decryption key output from the key generation device as inputs; system. A decryption system including a parameter generation device, a key generation device, and a decryption device is a decryption method for generating a decrypted text obtained by decrypting a ciphertext with the NTRU cipher.
A temporary parameter generation unit provided in the parameter generation device generates a temporary parameter set in which a decoding error does not occur, based on error condition information for determining whether or not a decoding error has occurred in advance;
An output parameter generation unit included in the parameter generation device generates an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set. Output step;
A generation key output unit included in the key generation device generates a decryption key for NTRU encryption based on the output parameter;
A decrypting method comprising: a decrypting unit included in the decrypting device decrypting the ciphertext based on the output parameter and the decryption key to generate a decrypted text. Configuring the computer with a decryption system using the NTRU cipher;
A parameter generation device that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error;
A key generation device that generates and outputs a decryption key for NTRU encryption;
A program for causing a decryption device to generate a decrypted text obtained by decrypting a ciphertext using the NTRU cipher,
The parameter generation device includes the computer.
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on error condition information that determines whether or not a decoding error has occurred in advance;
Based on the lattice strength coefficient calculated from the temporary parameter set, function as an output parameter generation unit that generates and outputs the output parameter from the temporary parameter set,
The key generation device includes the computer.
Function as a generation key output unit that generates and outputs the decryption key with the output parameter output from the parameter generation device as an input;
The decoding device includes the computer.
A program for functioning as a decryption unit that receives the output parameter output from the parameter generation device and the decryption key output from the key generation device as input and generates the decrypted text by decrypting the ciphertext. An encryption system using NTRU encryption,
A parameter conversion device that converts an input parameter that is a parameter set of NTRU cipher input from the outside into an output parameter that is a parameter set of NTRU cipher that does not cause a decryption error; and
A key generation device that generates and outputs an NTRU encryption key and decryption key;
An encryption device that generates ciphertext obtained by encrypting plaintext with NTRU encryption;
A decryption device that generates a decrypted text obtained by decrypting the ciphertext,
The parameter converter is
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur based on the input parameter and error condition information that is determined in advance to determine whether or not a decoding error has occurred;
An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
The key generation device includes:
A generation key output unit that generates and outputs the encryption key and the decryption key with the output parameter output from the parameter conversion device as an input;
The encryption device is:
An encryption unit that encrypts the plaintext and generates the ciphertext by using the output parameter output from the parameter conversion device and the encryption key output from the key generation device as inputs; and
The decoding device
And a decryption unit configured to decrypt the ciphertext and generate the decrypted text by using the output parameter output from the parameter conversion device and the decryption key output from the key generation device as inputs. system. An encryption system using NTRU encryption,
A parameter generation device that generates and outputs an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from an input parameter that is a parameter set of the NTRU cipher input from the outside;
A key generation device that generates and outputs an NTRU encryption key;
An encryption device that generates ciphertext obtained by encrypting plaintext with NTRU cipher,
The parameter generation device includes:
A temporary parameter generation unit that generates a temporary parameter set that does not cause a decoding error based on the input parameter and error condition information that is determined in advance to determine whether or not a decoding error has occurred;
An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
The key generation device includes:
A generation key output unit configured to generate and output the encryption key with the output parameter output from the parameter generation device as an input;
The encryption device is:
An encryption unit comprising: an encryption unit configured to encrypt the plaintext and generate the ciphertext by using the output parameter output from the parameter generation device and the encryption key output from the key generation device as inputs. system. An encryption device that generates ciphertext obtained by encrypting plaintext with NTRU cipher,
A temporary parameter generation unit that generates a temporary parameter set that does not cause a decryption error based on an input parameter that is a parameter set of a NTRU cipher given in advance and error condition information that determines whether or not a decryption error occurs;
An output parameter generation unit that generates and outputs an output parameter that is a parameter set of an NTRU cipher that does not cause a decryption error from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
A parameter transmitter for transmitting the output parameter to a decoding device;
An encryption key receiving unit for receiving an NTRU encryption key generated based on the output parameter from the decryption device;
An encryption apparatus comprising: a ciphertext generation unit that generates the ciphertext by encrypting the plaintext based on the output parameter and the encryption key. An encryption device is an encryption method for generating a ciphertext obtained by encrypting plaintext with NTRU encryption,
The temporary parameter generation unit included in the encryption device has a temporary parameter that does not cause a decryption error based on an input parameter that is a pre-given NTRU cipher parameter set and error condition information that is given in advance to determine whether or not a decryption error has occurred. Generating a tuple;
An output parameter generation unit included in the encryption device generates and outputs an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set. And steps to
An encryption key receiving unit included in the encryption device generating an NTRU encryption key based on the output parameter;
An encryption method comprising: a ciphertext generation unit included in the encryption device encrypting the plaintext and generating a ciphertext based on the output parameter and the encryption key. Configuring the computer with an encryption system using NTRU encryption;
A parameter generation device that generates and outputs an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from an input parameter that is a parameter set of the NTRU cipher input from outside
A key generation device that generates and outputs an NTRU encryption key;
A program for functioning as an encryption device that generates ciphertext obtained by encrypting plaintext with NTRU ciphertext,
The parameter generation device includes the computer.
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur, based on the input parameter and error condition information that is determined in advance to determine whether or not a decoding error has occurred;
Based on the lattice strength coefficient calculated from the temporary parameter set, function as an output parameter generation unit that generates and outputs the output parameter from the temporary parameter set,
The key generation device includes the computer.
Function as a generation key output unit that generates and outputs the encryption key with the output parameter output from the parameter generation device as an input;
The encryption device includes the computer.
A program for functioning as an encryption unit that generates the ciphertext by encrypting the plaintext with the output parameter output from the parameter generation device and the encryption key output from the key generation device as inputs. A decryption system using NTRU encryption,
A parameter generation device that generates and outputs an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from an input parameter that is a parameter set of the NTRU cipher input from the outside;
A key generation device that generates and outputs a decryption key for NTRU encryption;
A decryption device for generating a decrypted text obtained by decrypting a ciphertext with the NTRU cipher,
The parameter generation device includes:
A temporary parameter generation unit that generates a temporary parameter set in which no decoding error occurs, based on the input parameter and error condition information that determines whether or not a decoding error has occurred in advance;
An output parameter generation unit that generates and outputs the output parameter from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set;
The key generation device includes:
A generation key output unit that generates and outputs the decryption key with the output parameter output from the parameter generation device as an input;
The decoding device
A decryption unit that decrypts the ciphertext and generates the decrypted text by using the output parameter output from the parameter generation device and the decryption key output from the key generation device as inputs; system. A decryption system including a parameter generation device, a key generation device, and a decryption device is a decryption method for generating a decrypted text obtained by decrypting a ciphertext with the NTRU cipher.
A temporary parameter generation unit included in the parameter generation apparatus is configured to generate a temporary error that does not generate a decryption error based on an input parameter that is a parameter set of a NTRU cipher given in advance and error condition information that is determined in advance as to whether or not a decryption error has occurred. Generating a parameter set;
An output parameter generation unit included in the parameter generation device generates an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from the temporary parameter set based on a lattice strength coefficient calculated from the temporary parameter set. Output step;
A generation key output unit included in the key generation device generates a decryption key for NTRU encryption based on the output parameter;
A decrypting method comprising: a decrypting unit included in the decrypting device decrypting the ciphertext based on the output parameter and the decryption key to generate a decrypted text. Configuring the computer with a decryption system using the NTRU cipher;
A parameter generation device that generates and outputs an output parameter that is a parameter set of the NTRU cipher that does not cause a decryption error from an input parameter that is a parameter set of the NTRU cipher input from outside
A key generation device that generates and outputs a decryption key for NTRU encryption;
A program for causing a decryption device to generate a decrypted text obtained by decrypting a ciphertext using the NTRU cipher,
The parameter generation device includes the computer.
A temporary parameter generation unit that generates a temporary parameter set in which a decoding error does not occur based on the input parameter and error condition information that is determined in advance to determine whether or not a decoding error has occurred;
Based on the lattice strength coefficient calculated from the temporary parameter set, function as an output parameter generation unit that generates and outputs the output parameter from the temporary parameter set,
The key generation device includes the computer.
Function as a generation key output unit that generates and outputs the decryption key with the output parameter output from the parameter generation device as an input;
The decoding device includes the computer.
A program for functioning as a decryption unit that receives the output parameter output from the parameter generation device and the decryption key output from the key generation device as input and generates the decrypted text by decrypting the ciphertext.

Images