CN103391193A - Method for detecting bit security of public key cryptosystem - Google Patents
- Publication number: CN103391193A
- Authority: CN (China)
- Prior art keywords: bit, ciphertext, key cryptosystem, common key, meaningful
- Legal status: Granted
Abstract
The invention discloses a bit security detection method for a public key cryptosystem in which the detected bits are the most significant bits. Its steps are: 1) input the public parameter N of the public key cryptosystem under test and the number k of bits of the plaintext x to be tested for security, where x is less than N; 2) shift the ciphertext C and, for each shifted ciphertext C', obtain the first k most significant bits b_i of the corresponding plaintext; here C is the ciphertext obtained by encrypting the plaintext x with the public key cryptosystem, and the shift length relative to the starting position of C is L=ki for each shift, i=0,1,...,m-1;
3) use the formula
to compute the detection result M; 4) compare M with the plaintext x; if they agree, the first k most significant bits of x are judged to be safe bits. The invention can determine accurately whether the most significant bit and the least significant bit of a public key encryption system are safe bits.
Description
Technical field
The invention belongs to the field of bit security testing of public key cryptosystems and specifically relates to a bit security detection method for a public key cryptosystem. It tests the security of a bit; if the bit is a safe bit, hardware and software implementations must avoid leaking it.
Background technology
At present, the main results on the bit security of public key cryptography are the security of every bit of RSA, given by the Swedish scientist Johan Hastad and others (see J. Hastad, M. Naslund: The security of all RSA and discrete log bits. J. ACM 51(2), pp. 187-230 (2004)), and the bit security analyses of Diffie-Hellman key exchange, ElGamal public key encryption and Shamir message transmission, given by Professor Dan Boneh of Stanford University and others (see D. Boneh, R. Venkatesan: Rounding in lattices and its cryptographic applications. Proc. 8th Annual ACM-SIAM Symp. on Discrete Algorithms, ACM, 1997, pp. 675-681, and D. Boneh, R. Venkatesan: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, vol. 1109 (1996), pp. 129-142).
Since Dan Boneh first gave the bit security analysis of Diffie-Hellman key exchange, ElGamal public key encryption and Shamir message transmission, many researchers have built further results on that basis. For example, Shparlinski, a fellow of the Australian Academy of Science, and others reduced the number of bits required and the size of the order. However, the current results on the bit security of Diffie-Hellman key exchange, ElGamal public key encryption and the Shamir message transmission protocol are still unsatisfactory, specifically:
1. the analysis algorithms are probabilistic and cannot guarantee a correct output;
2. they give no security result for a single bit, only for a string of bits, and do not show that the most significant or least significant bit is a safe bit.
Summary of the invention
To overcome the problems that existing analysis algorithms for the ElGamal public key encryption system are probabilistic and give no security conclusion for a single bit, the object of the present invention is to provide a bit security detection method for a public key cryptosystem.
The technical solution adopted by the present invention is: based on the marked binary expansion of an integer, use bit shifting and the internal relations between bits, and judge the bit security of the public key system by testing whether the bits can recover the plaintext.
The technical scheme of the present invention is:
A bit security detection method for a public key cryptosystem in which the detected bits are the most significant bits, with the steps:
1) input the public parameter N of the public key cryptosystem under test and the number k of bits of the plaintext x to be tested for security, where x is less than N;
2) shift the ciphertext C and, for each shifted ciphertext C', obtain the first k most significant bits b_i of the corresponding plaintext; here C is the ciphertext obtained by encrypting the plaintext x with this public key cryptosystem, and the shift length relative to the starting position of C is L=ki for each shift, i=0,1,...,m-1;
3) use the formula
to compute the detection result M;
4) compare M with the plaintext x; if they agree, the first k most significant bits of x are judged to be safe bits.
The formula
is used to compute the first k most significant bits b_i obtained after each shift, where ms_d(2^{ik} x mod p) is the d-th value of the marked binary expansion of 2^{ik}x, and p is an odd number greater than x.
The public key cryptosystem is the ElGamal public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{ki} mod N.
The public key cryptosystem is the RSA public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{kie}, where e is the RSA public key.
A bit security detection method for a public key cryptosystem in which the detected bit is the least significant bit, with the steps:
1) input the public parameter N of the public key cryptosystem under test and the number k of bits of the plaintext x to be tested for security, where x is less than N;
2) shift the ciphertext C and, for each shifted ciphertext C', obtain the least significant bit lsb_1(2^i x mod N) of the corresponding plaintext; here C is the ciphertext obtained by encrypting the plaintext x with this public key cryptosystem, and the shift length relative to the starting position of C is L=ki for each shift, i=0,1,...,m-1;
3) convert each least significant bit obtained into the value ms_i(x) of the marked binary expansion of x, where ms_i(x) is the expression for the i-th most significant bit in the marked binary expansion of x;
5) compare
with the plaintext x; if they agree, the least significant bit of x is judged to be a safe bit.
The formula lsb_1(2^i x mod N) = ms_i(x) is used to convert each least significant bit lsb_1(2^i x mod N) obtained into the value ms_i(x) of the marked binary expansion of x.
The public key cryptosystem is the ElGamal public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{ki} mod N.
The public key cryptosystem is the RSA public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{kie}, where e is the RSA public key.
Compared with the prior art, the invention has the following beneficial effect:
Under a deterministic algorithm, it determines accurately that the most significant bit and the least significant bit of public key encryption systems such as ElGamal and RSA are safe bits.
Description of the drawing
Fig. 1 is a flow chart of the method of the invention.
Embodiments
The invention is further described below with reference to the drawing and the examples.
The input interface of the invention has a field for the public parameter N, a field for the number of bits to detect, and a selection of LSB or MSB. Once all fields are filled in, detection starts.
Note: if LSB is selected, k is fixed to 1.
The information obtained by detection: for different public parameters N and detection bit numbers k there is a different number of "compute" operations. A compute means multiplying the ciphertext C by a certain number (for example, compute i=2 multiplies by 2^{i}) and then detecting the first k most significant bits of the plaintext of 2^{i}C. If the hardware or software implementation leaks information, this corresponds to accessing the software or hardware repeatedly.
Explanation of terms:
Most significant bits (MSB): the first k most significant bits of x ∈ [0, p-1] are defined as the integer t satisfying
(t-1)·p/2^k ≤ x < t·p/2^k
Least significant bit (LSB): the least significant bit of x ∈ [0, p-1] is defined as t satisfying:
Here x is a number less than p and can be regarded as the plaintext; p is odd, and the plaintext can be any number less than p.
The detection flow of the invention is shown in Fig. 1: if the output plaintext M agrees with the true plaintext x, the tested bit is judged to be a safe bit, and hardware and software implementations must avoid leaking it.
The core algorithm and flow are analysed below.
Let C = f(x) be the ciphertext, where x is the plaintext and N is the public parameter. By detecting the first k most significant bits of the plaintext, the plaintext x is recovered and the security of the public key cryptosystem is judged. The basic algorithm is as follows:
2 for (i = 0; i < m; i++) do
3   L = k·i;
4   C' = C·2^{L} mod N, which must guarantee C' = f(x·2^{L});
5   b_i = obtain the first k most significant bits of the plaintext of ciphertext C';
6 end for
If M agrees with x, this shows that in the hardware or software implementation the k most significant bits detected are safe bits, and leaking them must not occur.
The technical background of the above algorithm design:
In a public key cryptosystem the plaintext x is less than N. The marked binary expansion of x is
ms_i(x) ∈ {0,1}, where ms_i(x) is the expression for the i-th most significant bit of x in the marked expansion; the binary expansion of x is
lsb_i(x) ∈ {0,1}, where lsb_i(x) is the i-th least significant bit of x. The marked binary expansion of x and the binary expansion of x are related as follows:
1) lsb_1(2^i x mod N) = ms_i(x), (i = 1, 2, ...);
3) ms_{j+k}(x) = ms_j(2^k x mod N), j = 1, 2, ..., k;
4) if the integer t is the first k most significant bits of x, then it satisfies:
(t-1)·p/2^k ≤ x < t·p/2^k.
From the above four relations, given the first k most significant bits obtained by detection, we can convert them into the marked binary expansion of x and then use relation 2) to obtain the plaintext. In steps 2-5 of the algorithm, the first pass (i=0) obtains the first k most significant bits of the plaintext x; using relation 3), the ciphertext C is multiplied by 2^{k} to obtain the first k most significant bits of the corresponding plaintext x·2^{k}. After steps 2-5 of the algorithm have been executed
times, the corresponding
is obtained, where ms_d(2^{ik} x mod p) is the
d-th value.
Using relations 2), 3) and 4), step 7 of the algorithm obtains the detection result M; comparing M with the plaintext x judges whether the first k most significant bits of the plaintext are bits that cannot be leaked. Relation 3) guarantees that step 4 of the algorithm obtains further ms_i(x); relation 4) guarantees the relation between the most significant bits of the marked expansion of x and the most significant bits of x; relation 2) guarantees that, with enough most significant bits of the marked expansion, x can be obtained.
To detect the least significant bit of the plaintext, the algorithm uses relation 1) to convert the least significant bit into a most significant bit and detects that. To obtain the least significant bit of the plaintext x, first obtain lsb_1(2^1 x mod p) = ms_1(x), then multiply the corresponding ciphertext C by 2 and obtain lsb_1(2^2 x mod p) = ms_2(x); using the relation lsb_1(2^i x mod p) = ms_i(x), (i = 1, 2, ...), once enough ms_i(x) have been obtained, relation 2) can be used.
Note that step 4 of the algorithm differs between public key encryption systems: it must guarantee that 2^{L} acts directly on the plaintext. For example, ElGamal uses step 4 as given above, but RSA requires C' = C·2^{Le}, where e is the RSA public key.
Concrete examples of the bit analysis for the ElGamal public key encryption system and for RSA are given below:
A. Detecting whether the first 4 most significant bits of RSA cannot be leaked
1) input the public parameters of RSA, the number of bits k to detect, select LSB or MSB, and click "start";
2) multiply C (the ciphertext) by 2^{kie} (e is the RSA public key), obtain the first k most significant bits of the plaintext of 2^{kie}·C, and click "start" to compute the result.
Example: N = 984863712293 = 992449 × 992357, public key e = 988213, ciphertext C = 204418673441 = (1111)^e mod N. A defect in the hardware implementation makes the first 4 most significant bits observable.
Through the information leak we obtain in turn:
1) the first 4 most significant bits of the plaintext of the ciphertext (1111)^e mod N (value 1);
2) the first 4 most significant bits of the plaintext of 2^{e}·(1111)^e mod N (value 1);
3) the first 4 most significant bits of the plaintext of 2^{2e}·(1111)^e mod N (value 1);
4) the first 4 most significant bits of the plaintext of 2^{3e}·(1111)^e mod N (value 1);
5) the first 4 most significant bits of the plaintext of 2^{4e}·(1111)^e mod N (value 1);
6) the first 4 most significant bits of the plaintext of 2^{5e}·(1111)^e mod N (value 1);
7) the first 4 most significant bits of the plaintext of 2^{6e}·(1111)^e mod N (value 1);
8) the first 4 most significant bits of the plaintext of 2^{7e}·(1111)^e mod N (value 5);
9) the first 4 most significant bits of the plaintext of 2^{8e}·(1111)^e mod N (value 14);
10) the first 4 most significant bits of the plaintext of 2^{9e}·(1111)^e mod N (value 9);
11) the first 4 most significant bits of the plaintext of 2^{10e}·(1111)^e mod N (value 6).
We have recovered the plaintext 1111 and can conclude: in an RSA hardware or software implementation, the first 4 most significant bits must not be leaked.
Note: the LSB, or the first most significant bit, can be proved in the same way.
B. Detecting whether the first 4 most significant bits of ElGamal cannot be leaked
1) input the public parameters of the ElGamal public key encryption system, the number of bits to detect, select LSB or MSB, and click "start";
2) multiply C (the ciphertext when the information is returned) by 2^{ki}, obtain the first k most significant bits of the plaintext of 2^{ki}·C, and click "start" to compute the result;
Example: Bob's public key is y = g^x mod N together with g (take g = 98932, N = 976817837417); Alice chooses r at random and sends (g^r mod N, C = 13333·y^r mod N) to Bob. Bob obtains the plaintext as 13333 = (g^r)^{-x}·13333·y^r mod N. Suppose a defect in Bob's hardware implementation makes the first 4 most significant bits observable. We obtain in turn:
1) the first 4 most significant bits of C (value 1);
2) the first 4 most significant bits of 2^{4}·C mod p (value 1);
3) the first 4 most significant bits of 2^{8}·C mod p (value 1);
4) the first 4 most significant bits of 2^{12}·C mod p (value 1);
5) the first 4 most significant bits of 2^{16}·C mod p (value 1);
6) the first 4 most significant bits of 2^{20}·C mod p (value 1);
7) the first 4 most significant bits of 2^{24}·C mod p (value 4);
8) the first 4 most significant bits of 2^{28}·C mod p (value 11);
9) the first 4 most significant bits of 2^{32}·C mod p (value 10);
10) the first 4 most significant bits of 2^{36}·C mod p (value 16);
11) the first 4 most significant bits of 2^{40}·C mod p (value 12).
We have recovered the plaintext 13333 and can conclude: in an ElGamal hardware or software implementation, the first 4 most significant bits must not be leaked.
Note: all logarithms in this specification are to base 2, and the public parameter N is odd.
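The shift-and-recover procedure of the algorithm above and of examples A and B, as an added Python example (the editor's code, not the patent's implementation). It assumes the reconstruction formula x = ceil(N·B/2^{km}) for step 3), which is not reproduced on this page, and uses constructed toy RSA primes (1000003, 999983, e = 65537) for the simulated leaky decryptor; the page's N and plaintext values are used for the leaked bit sequences.

```python
def msb_k(x: int, N: int, k: int) -> int:
    """First k most significant bits of x in [0, N), as on this page: the
    integer t with (t-1)*N/2^k <= x < t*N/2^k, so t ranges over 1..2^k."""
    if not 0 <= x < N:
        raise ValueError("x must lie in [0, N)")
    return ((x << k) // N) + 1


def leaked_msb_sequence(x: int, N: int, k: int, m: int) -> list:
    """What a leaky decryptor reveals at shift L = k*i, i = 0..m-1: the
    first k MSBs of the shifted plaintext 2^(k*i) * x mod N."""
    return [msb_k((x << (k * i)) % N, N, k) for i in range(m)]


def recover_plaintext(ts: list, N: int, k: int) -> int:
    """Relation 3), ms_(j+k)(x) = ms_j(2^k x mod N), means the k-bit blocks
    t_i - 1 concatenate to the first k*m marked bits of x.  Once 2^(k*m) > N,
    x is the unique integer in [N*B/2^(k*m), N*B/2^(k*m) + 1), i.e.
    ceil(N*B / 2^(k*m)).  This formula is the editor's assumption; the page's
    own formula for step 3) is not reproduced in the text."""
    m = len(ts)
    if (1 << (k * m)) <= N:
        raise ValueError("need 2^(k*m) > N to pin down x")
    B = 0
    for t in ts:
        if not 1 <= t <= (1 << k):
            raise ValueError("t must lie in 1..2^k")
        B = (B << k) | (t - 1)
    return -((-N * B) >> (k * m))      # ceil division by 2^(k*m)


def recover_from_lsb_leaks(x: int, N: int, m: int) -> int:
    """LSB variant via relation 1): lsb_1(2^i x mod N) = ms_i(x) for odd N.
    Each leaked LSB becomes a 1-bit block t = bit + 1 (k fixed to 1)."""
    if N % 2 == 0:
        raise ValueError("relation 1) needs an odd public parameter N")
    ts = [((x << i) % N & 1) + 1 for i in range(1, m + 1)]
    return recover_plaintext(ts, N, 1)


def rsa_leak_test(x: int, p: int, q: int, e: int, k: int, m: int) -> int:
    """Drive a simulated RSA decryptor that exposes only the first k MSBs of
    each decrypted value.  RSA variant of step 2): C' = C * 2^(k*i*e) mod N
    decrypts to 2^(k*i) * x mod N.  p, q, e are constructed toy parameters
    chosen by the editor, not the patent's (Python 3.8+ for pow(e, -1, n))."""
    N = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    C = pow(x, e, N)

    def leaky_decrypt(c: int) -> int:     # the implementation under test
        return msb_k(pow(c, d, N), N, k)

    ts = [leaky_decrypt(C * pow(2, k * i * e, N) % N) for i in range(m)]
    return recover_plaintext(ts, N, k)


if __name__ == "__main__":
    # Page's RSA example: N = 992449 * 992357, x = 1111, k = 4, m = 11.
    N_rsa = 984863712293
    ts = leaked_msb_sequence(1111, N_rsa, 4, 11)
    print(ts, recover_plaintext(ts, N_rsa, 4))       # [...,5,14,9,6] 1111
    # Page's ElGamal example: N = 976817837417, x = 13333, C' = C*2^(ki) mod N.
    N_eg = 976817837417
    ts = leaked_msb_sequence(13333, N_eg, 4, 11)
    print(ts, recover_plaintext(ts, N_eg, 4))        # [...,4,11,10,16,12] 13333
    print(recover_from_lsb_leaks(1111, N_rsa, 44))   # 1111
    print(rsa_leak_test(1111, 1000003, 999983, 65537, 4, 11))   # 1111
```

The two leaked sequences reproduce the eleven values listed in examples A and B, and m = 11 blocks of k = 4 bits satisfy 2^{44} > N for both moduli.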
Claims (8)
1. A bit security detection method for a public key cryptosystem, wherein the detected bits are the most significant bits, comprising the steps:
1) inputting the public parameter N of the public key cryptosystem under test and the number k of bits of the plaintext x to be tested for security, where x is less than N;
2) shifting the ciphertext C and, for each shifted ciphertext C', obtaining the first k most significant bits b_i of the corresponding plaintext; here C is the ciphertext obtained by encrypting the plaintext x with this public key cryptosystem, and the shift length relative to the starting position of C is L=ki for each shift, i=0,1,...,m-1;
4) comparing M with the plaintext x; if they agree, the first k most significant bits of x are judged to be safe bits.
3. The method as claimed in claim 1 or 2, characterized in that the public key cryptosystem is the ElGamal public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{ki} mod N.
4. The method as claimed in claim 1 or 2, characterized in that the public key cryptosystem is the RSA public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{kie}, where e is the RSA public key.
5. A bit security detection method for a public key cryptosystem, wherein the detected bit is the least significant bit, comprising the steps:
1) inputting the public parameter N of the public key cryptosystem under test and the number k of bits of the plaintext x to be tested for security, where x is less than N;
2) shifting the ciphertext C and, for each shifted ciphertext C', obtaining the least significant bit lsb_1(2^i x mod N) of the corresponding plaintext; here C is the ciphertext obtained by encrypting the plaintext x with this public key cryptosystem, and the shift length relative to the starting position of C is L=ki for each shift, i=0,1,...,m-1;
3) converting each least significant bit obtained into the value ms_i(x) of the marked binary expansion of x, where ms_i(x) is the expression for the i-th most significant bit in the marked binary expansion of x;
6. The method as claimed in claim 5, characterized in that the formula lsb_1(2^i x mod N) = ms_i(x) is used to convert each least significant bit lsb_1(2^i x mod N) obtained into the value ms_i(x) of the marked binary expansion of x.
7. The method as claimed in claim 5 or 6, characterized in that the public key cryptosystem is the ElGamal public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{ki} mod N.
8. The method as claimed in claim 5 or 6, characterized in that the public key cryptosystem is the RSA public key cryptosystem, and the ciphertext obtained after each shift is C' = C·2^{kie}, where e is the RSA public key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310317575.1A CN103391193B (en) | 2013-07-25 | 2013-07-25 | A kind of bit security detection method of common key cryptosystem |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103391193A true CN103391193A (en) | 2013-11-13 |
CN103391193B CN103391193B (en) | 2016-03-16 |
Family
ID=49535358
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310317575.1A Expired - Fee Related CN103391193B (en) | 2013-07-25 | 2013-07-25 | A kind of bit security detection method of common key cryptosystem |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103391193B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105678083A (en) * | 2016-01-11 | 2016-06-15 | 成都卫士通信息产业股份有限公司 | Rapid detection method capable of performing single-bit frequency detection and frequency detection within block |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080096530A1 (en) * | 2006-10-20 | 2008-04-24 | Innovative Sonic Limited | Method for calculating start value for security for user equipment in a wireless communications system and related apparatus |
US20130124784A1 (en) * | 2011-11-15 | 2013-05-16 | Samsung Electronics Co., Ltd. | Memory system comprising nonvolatile memory device and related method of operation |
CN103118009A (en) * | 2013-01-08 | 2013-05-22 | 深圳大学 | Authentication key exchange method and system |
- 2013-07-25 CN CN201310317575.1A patent/CN103391193B/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
苏东, 王克, 吕克伟: "Bit security analysis of two variants of the Paillier trapdoor function", 《计算机学报》 (Chinese Journal of Computers) * |
Also Published As
Publication number | Publication date |
---|---|
CN103391193B (en) | 2016-03-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160316; Termination date: 20210725 |