JP2007151073A - Key generation program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a key generation program which seems to be able to compose a public key cipher system indicating that a based matter is safe (i.e. indicates NP perfection), and proves safety. <P>SOLUTION: A key generation program makes a computer function as a lattice base generator generating a lattice base V of m rows n columns (m and n are integers larger than 0) by using a random number prepared by a random number generator, a coefficient vector generator generating a coefficient vector x of n columns by using the random number prepared by the random number generator, a cipher key generator storing the coefficient vector x generated by the coefficient vector generator as a cipher key in a recording medium, and a public key generator storing in the recording medium a combination of the lattice base V generated by the lattice base generator and l<SB>p</SB>norm K obtained based on the lattice base V and the coefficient vector x generated by the coefficient vector generator. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a key generation program.

  In recent years, with the progress of computerization of society, attempts have been made to digitize various functions. In particular, attempts have been made to realize electronic voting, electronic contracts, electronic cash, and the like. For these, public key cryptosystems, public key authentication systems, electronic signature systems, etc. (these are collectively referred to as public key cryptosystems). It plays a very important role as a basic technology.

  Public key cryptosystems use two different sets of keys, a public key and a private key, but which have a mathematical relationship with each other. Here, since the public key is made public on the network, it is necessary to use a mathematical relationship that makes it difficult to calculate the secret key from the public key. Usually, a mathematical problem is used in which a one-way calculation is easy as a mathematical relationship, but a reverse calculation is difficult. Since the security of keys used in the system greatly affects the security of the entire system, it is a very important issue to construct a key generation method for generating a secure key.

  Currently, prime factorization problems and discrete logarithm problems are used as problems that are difficult to calculate in the reverse direction. However, these problems have been predicted to be difficult, but no such proof has been given. In addition, algorithms for calculating these problems have been studied for many years, and it is necessary to increase the key length in order to prevent the algorithm from functioning effectively, which makes public key cryptosystems very inefficient. . It is also known that these problems can be solved efficiently when a quantum computer is put into practical use. Therefore, it is necessary to use a problem that cannot be solved efficiently even if a quantum computer is used. As a candidate for such a problem, there is a problem that belongs to a class called NP-complete.

Among the NP complete problems, there is a problem using a lattice as a problem that has been actively studied in recent years. Here, the lattice is a space formed by linear combination of integers when v ₁ , v ₂ ,..., V _n are n linearly independent vectors belonging to the m-dimensional integer vector space. Vector _{v 1, v 2, ...,} a _{v n} abbreviated as V in matrix form is called a lattice. When the lattice vector v is expressed as a linear combination of v ₁ , v ₂ ,..., V _n such as v = a ₁ v ₁ + a ₂ v ₂ +... + _An v _n , each coefficient a _i is a vector. It is expressed in the form (a ₁ , a ₂ ,..., A _n ) and is called a coefficient vector. Among the lattice problems, particularly important problems are the shortest vector problem and the nearest neighbor vector problem. There are approximate shortest vector problems and approximate nearest vector problems as approximate versions of these problems. However, these problems are difficult to handle as problems based on the key generation method, and there is a problem that the security of the configured public key cryptosystem cannot be proved.

  As a technique related to a conventional key generation method, for example, the following Non-Patent Document 1 describes an RSA key generation method, and for example, the following Non-Patent Document 2 describes a GGH key generation method.

  Here, an example of the RSA key generation method will be described. This key generation method is configured based on the difficulty of the prime factorization problem. The key generator selects two prime numbers p and q (p and q are the same bit length), and calculates n as n = p × q. The integer e is randomly selected so that the greatest common divisor with φ (n) is 1 on the interval [1, φ (n)]. Here, φ (n) = (p−1) (q−1). Then, the integer d is calculated as a solution of the equation d × e≡1 (mod φ (n)) belonging to the interval [1, φ (n)]. The public key is a pair (n, e), and the secret key is d. In this method, if it is difficult to calculate the prime factors p and q from n, it is also difficult to calculate the secret key from the public key.

  Here, an example of the GGH key generation method will also be described. This key generation method is configured on the basis of the difficulty of calculating a lattice base having a small value called a dual orthogonal defect rate. The secret key in this method is the lattice base R, and the public key is the lattice base B that generates the same lattice as R and a positive real number σ. R is configured to reduce the dual orthogonal defect rate, and B is configured to increase the dual orthogonal defect rate. One method for generating such a basis is to randomly select a lattice basis R from a finite range (that is, randomly select each basis component from a finite interval) and mix the basis vectors (that is, The lattice base B can be generated by applying a basic deformation to the base matrix). If it is difficult to calculate a small lattice basis R from a lattice basis B having a large dual orthogonal defect rate, it is also difficult to calculate a secret key from the public key.

R. Rivest et al., “A method for obtaining digital signatures and public-key cryptosystems”, Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978. O. Goldreich et al., "Public-Key Cryptossystems From Lattice Reduction Problems", Proceedings of Crypt '97, LNCS 1294, Springer-Verlag, 1997.

  However, the technique described in Non-Patent Document 1 does not mathematically prove the difficulty of the prime factorization problem (the NP integrity cannot be proved). Moreover, in the public key cryptosystem based on the prime factorization problem, since the key length has to be increased, there is a problem in that the calculation efficiency is poor.

  The technique described in Non-Patent Document 2 also has a problem in that the difficulty of calculating a lattice basis (NP difficulty) having a small dual orthogonal defect rate has not been proved. Yes.

  Therefore, the present invention solves the above-described problems, shows that the problem based on it is safe (that is, shows that it is NP-complete), and generates a key that can constitute a public key cryptosystem with high computational efficiency The purpose is to provide a program.

The inventors of the present invention have made extensive studies on the above-mentioned problems. As a result, a new problem using a lattice, Binary Exact Vector Probe (BELVP), is defined, and by verifying its NP integrity, it is difficult to achieve BELVP. As a result, the present invention has been completed. BELVP is a problem of calculating a lattice vector having a norm K in a lattice spanned by the lattice base V and a coefficient vector being a binary vector when a lattice base V and a norm K of the lattice vector are given as inputs. It is. And BELVP proves to be NP-complete. It is also possible to configure the calculation problem as an integer vector without limiting the coefficient vector to a binary vector. In this case, it is not proved that the NP is complete, but it is expected to be a difficult calculation problem like the BELVP. In BELVP, if each component of the lattice base V is a non-negative integer and the norm to be used is limited to l ₁ norm, it is considered to be particularly useful in constructing an efficient public key cryptosystem. With respect to the l ₁ norm, | x + y | = | x | + | y | and | αx | = α | x | hold for vectors x and y having two positive components and a scalar α ≧ 0. In the calculation of the l ₁ norm, only at most m additions are performed, so the calculation of the l ₁ norm is performed very efficiently. Therefore, the public key cryptosystem using the l ₁ norm can be efficiently calculated.

  In other words, the key generation program according to the present invention shows that the problem based on it is safe and can constitute an efficient public key cryptosystem.

More specifically, the present key generation program causes the computer to generate a lattice base generation unit that generates a lattice base V of m rows and n columns (m and n are integers greater than 0) using random numbers generated by the random number generation unit. A coefficient vector generation unit that generates an n-column coefficient vector x using a random number generated by the random number generation unit, and a secret key generation that stores the coefficient vector x generated by the coefficient vector generation unit as a secret key in a recording medium storing the parts, lattice V of the lattice generator has generated, and the recording medium a set of l _p norm K obtained based on the coefficient vector x lattice V and the coefficient vector generating unit has generated a public key And function as a public key generation unit.

In this key generation program, the coefficient vector x is preferably a binary vector having 0 or 1 as components, and the basis vectors obtained by the lattice basis V are linearly independent from each other, and the components are non-negative integers. It is also desirable that _p in the l _p norm is also 1. The key generation program can be used for all public key cryptosystems represented by an electronic signature scheme program, a public key cryptosystem program, a public key authentication scheme program, and the like.

Here, the l _p norm is a value obtained by taking the absolute value of each of m components to the p-th power when x is an m-dimensional integer vector, taking the sum, and taking the p-th root of the sum. It is. A problem Y is an NP-complete problem when Y belongs to NP and any problem belonging to NP results in Y in polynomial time many-to-one. Polynomial time many-to-one reduction means that for some two problems X and Y, there exists a polynomial time computable function f such that f (x) belongs to Y only when x belongs to X. Problem X belongs to NP when there is a non-deterministic polynomial time Turing machine that determines whether x belongs to X.

  The above gives a proof of the difficulty of the problem based on the key generation method, and the arithmetic operation on the grid is defined, which indicates that the problem based on the security is safe and an efficient public key cryptosystem. A configurable key generation program can be provided.

  Furthermore, since there is no efficient algorithm that breaks the problem based on it, it is possible to shorten the key length, and the calculation used when configuring the public key cryptosystem is also efficient. It is expected that a public-key cryptosystem using Mathematica will be able to perform efficient calculations.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. However, the present invention can be implemented in many different modes and is not limited to the present embodiment.

(Embodiment 1)
FIG. 1 is a diagram illustrating processing when the key generation program according to the present embodiment is used in an electronic signature scheme. The key generation program 11 functions by being incorporated in the electronic signature scheme program 1. The electronic signature scheme program 1 creates signed document data for the created document data based on the document data and the secret key generated by the key generation program 11. This signed document data can be sent to others, and the sent others can verify that the signed document data has not been altered by referring to the public key. Can do.

  FIG. 2 is a diagram showing functional blocks of the electronic signature scheme program. This electronic signature scheme program is configured to have at least a key generation program 11 and a signature creation program 12. The key generation program 11 further includes a random number generation unit 111, a lattice base generation unit 112, a public key generation unit 113, a coefficient vector generation unit 114, and a secret key generation unit 115. The signature creation program 12 creates signed document data based on the secret key generated by the key generation program and the document data. The electronic signature method program is stored in a storage medium such as a hard disk in a personal computer, for example, and is executed according to the user's needs.

  Here, the processing in the key generation program 11 will be specifically described. First, the key generation program 11 creates an m-by-n lattice base V in the lattice base generation unit 112 (m and n are integers greater than 0, m is a lattice dimension, and n is a lattice rank (security Parameter)). Here, each component of the lattice base V is selected by the random number generation unit 111 as a random number having a certain bit length. Note that the lattice base V created by the lattice base generation unit 112 becomes a part of the public key generated by the public key generation unit 113 and is stored as data in the storage medium. In addition, the lattice basis generation unit 112 determines whether the basis vectors obtained from the created lattice basis V are linearly independent from each other. The basis vector refers to each column vector when the lattice basis V is decomposed into a column vector of m rows and 1 column. Judgment whether the basis vectors are linearly independent from each other can be calculated by a well-known method and is not particularly limited, but can be confirmed by calculating a determinant of the lattice basis V. In this embodiment, it is highly desirable that all the components of the base matrix are non-negative integers for the sake of simplification of calculation. However, it is possible to use non-integers as long as the case involving difficulty in calculation is allowed. It is.

  On the other hand, the coefficient vector creation unit 114 creates a coefficient vector x of an n-dimensional binary vector. This component is randomly selected by the random number generator 111, and each component is 0 or 1. The coefficient vector created by the coefficient vector creating unit 114 serves as a secret key, and is stored in the storage medium as data by the secret key generating unit 115. Here, the component of the coefficient vector x is preferably binary data of 0 or 1, from the viewpoint of the key length, but an integer can be arbitrarily selected as long as this is acceptable.

Next, the public key generation unit 113 obtains a lattice vector Vx based on the created lattice base V and the coefficient vector x, calculates the l _p norm K of the lattice vector Vx, and stores it as a data in a storage medium. . Here, the l _p norm K, is given by the following equation. Note that p is not particularly limited as long as it is an integer of 1 or more, but in the present embodiment, the case of 1 is adopted from the viewpoint of ease of calculation.

As a result, the public key generation unit 113 stores the set of lattice V and obtained l _p norm K keys (V, K) as the storage medium. Thereby, the key generation program can generate a secret key and a public key.

Signature generation is performed as follows when the lattice basis component is a non-negative integer, the coefficient vector is a binary vector, and _{p of} the l _p norm is 1. First, the signature generator selects a random coefficient vector r. This is randomly selected from the space [0, N] ⁿ by the signer's random number generator. Here, N is a positive constant having a certain size. Then, a lattice vector Vr is generated based on the coefficient vector r created above and the lattice base V stored in the signer's public key storage unit, and the l ₁ norm c of this lattice vector is calculated. Then, the signer calculates a document m to be signed and a hash value e = h (m, c) of l ₁ norm c. Here, any hash function can be used as long as the hash function h used is shown to be cryptographically secure. Finally, the signature component y is calculated as y = r + ex. Here, x is the signer's private key stored in the signer's private key storage unit. Finally, the signer outputs (e, y) as a signature for the document m.

With respect to signature verification, the verifier performs the following calculation on the document m received as input and the signature (e, y) relating to the document m, using the signer's public key (V, K). Here, it is assumed that the public key of the signer is made public and distributed, and the verifier obtains the public key and stores it in the public key storage unit of his computer. First, a lattice vector Vy having the vector y as a coefficient vector is calculated, and its l ₁ norm d is calculated. Then, eK is subtracted from d, and whether or not the hash value h (m, d−eK) calculated based on the value and the document m is equal to e is verified. If equal, the signature (e, y) is a signature created correctly by the signer. If not equal, the verifier rejects the signature as the signature has been forged or the document has been altered. This signature verification can be incorporated as a part of a digital signature scheme program as a program, or can be executed as a single program.

Here, the security of the above signature scheme will be described. In order to strictly prove the security of the electronic signature method, it is necessary to show that a forger who performs a selected document attack cannot forge any document. In order to prove the security of the above signature scheme, an authentication scheme corresponding to the above signature scheme (the following authentication scheme) requires a property called zero knowledge. Here, zero knowledge is a property that in the authentication method, when the prover communicates with the verifier, the verifier does not know any partial information regarding the secret information held by the prover. If the corresponding authentication method is shown to have zero knowledge, then the ID Reduction lemma, Heavy
It is possible to prove the security of the above signature scheme using the Row lemma. At present, this property has not been shown, so the above safety proof cannot be constructed. However, considering a realistic attack, if the hash function is random, it is considered difficult to construct a signature that satisfies the verification formula.

  As described above, the key generation program according to the present embodiment can provide a key generation program that indicates that the problem based on it is safe and that can constitute an efficient public key cryptosystem.

(Embodiments 2 and 3)
In the first embodiment, an example in which a key generation program is used as an electronic signature scheme program has been described. However, this key generation program can also be applied to a public key cryptosystem and a public key authentication scheme. FIG. 3 shows an example in which the key generation program is incorporated into a public key cryptosystem program, and FIG. 4 shows an example in which the key generation program is incorporated into a public key authentication scheme program.

  The public key cryptography program shown in FIG. 3 converts the created document data into ciphertext data using the public cryptography program. In this case, the public key encryption scheme program 2 is configured to include a key generation program 21 and an encryption program 22, and the key generation program 21 may employ substantially the same configuration as in the first embodiment. it can. In this case, the created secret key is used for decrypting the ciphertext data, and the created public key is used for encrypting the document data, thereby realizing a public key cryptosystem. The encryption program 22 can create encrypted document data using the public key created by the key generation program 21.

  The public key authentication method program described in FIG. 4 proves the self-validity of the user (certifier). In this case, the public key authentication scheme program 3 is configured using a key generation program 31, a prover program 32, and a verifier program 33, and the key generation program 31 employs a configuration that is substantially the same as that of the first embodiment. be able to. The private key created in this case is used to prove the self-validity of the prover, the public key is used when the verifier verifies the validity of the prover, and the prover program and the verifier program Authentication work can be performed by communicating with each other.

The public key authentication method when the lattice base component is a non-negative integer, the coefficient vector is a binary vector, and _{p of} the l _p norm is 1, is performed as follows. First, the prover selects a random coefficient vector r. This is randomly selected from the space [0, N] ⁿ by the prover's random number generator. Here, N is a positive constant having a certain size. Then, a lattice vector Vr is generated based on the coefficient vector r created above and the lattice basis V stored in the public key storage unit of the prover, and the l ₁ norm c of this lattice vector is calculated. Then, the prover transmits l ₁ norm c to the verifier. The verifier picks an integer e at random after receiving c. Here, e is randomly selected from the interval [0, L] by the verifier's random number generator. The verifier sends e to the prover. After receiving e, the prover calculates the coefficient vector y as y = r + ex. Here, x is the prover's private key stored in the prover's private key storage unit. The prover transmits the coefficient vector y to the verifier.

After the verifier receives y, the verifier performs the following calculation using the prover's public key (V, K). Here, it is assumed that the public key of the prover is made public and distributed, and the verifier obtains the public key and stores it in the public key storage unit of his computer. First, a lattice vector Vy having the vector y as a coefficient vector is calculated, and its l ₁ norm d is calculated. Then, eK is subtracted from d to verify whether the value is equal to c transmitted by the prover. If they are equal, the verifier can recognize the prover as a valid user.

Here, the security of the above authentication method will be described. It is not known whether the above authentication method has zero knowledge. However, it is shown to have a property called soundness. Soundness means that if an attacker who does not have the prover's confidential information interacts with the verifier by impersonating the prover, the verifier does not recognize the attacker as a legitimate user with a high probability. is there.
As described above, the key generation program can be applied to various systems, the problem based on it is shown to be safe, and an efficient public key cryptosystem can be configured.

The figure which shows the process in the electronic signature system program which concerns on embodiment. The figure which shows the functional block of the key generation program which concerns on embodiment. The figure which shows the process in the public key encryption system program which concerns on other embodiment. The figure which shows the process in the public key authentication system program which concerns on other embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Electronic signature system program, 11 ... Key generation program, 12 ... Signature generation program, 21 ... Key generation program, 111 ... Random number generation part, 112 ... Lattice base generation part, 113 ... Public key generation part, 114 ... Coefficient vector generation 115, a secret key generation unit,

Claims (5)

On the computer,
A lattice base generation unit that generates a lattice base V of m rows and n columns (m and n are integers greater than 0) using random numbers generated by the random number generation unit;
A coefficient vector generation unit that generates an n-column coefficient vector x using a random number generated by the random number generation unit;
A secret key generation unit that stores the coefficient vector x generated by the coefficient vector generation unit in a recording medium as a secret key;
The lattice V of the lattice generator has generated, and the recording medium a set of l _p norm K obtained based on the coefficient vector x that the coefficient vector generating unit and the lattice V is generated as the public key A key generation program for functioning as a public key generation unit to be stored.   2. The key generation program according to claim 1, wherein the coefficient vector x is a binary vector having 0 or 1 as a component.   The key generation program according to claim 1, wherein basis vectors obtained by the lattice basis V are linearly independent from each other. The key generation program according to claim 1, wherein _{p of the} l _p norm is 1. 2. The key generation program according to claim 1, wherein all the components of the lattice base V are non-negative integers.