JP2007171412A - Key generating device, encryption device, decryption device, multiplication type knapsack encryption system, multiplication type knapsack decryption method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a public key encryption which is comparatively easily utilized by an existing computer, and uses as foothold of safety, a knapsack problem impossible to be decoded even by a quantum computer. <P>SOLUTION: A multiplication type knapsack encryption is composed in a partial cyclic group of an reduced residue class group (Z/NZ)<SP>×</SP>with a composite number N which is a product of a prime number power, as a modulus. Alternatively, the multiplication type knapsack encryption is composed in the partial cyclic group of an reduced residue class group (Z<SB>K</SB>/ν)<SP>×</SP>with a product ν of a plurality of prime ideals in an integer circle Z<SB>K</SB>of an algebra object K, as the modulus. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to information security technology, and more particularly to public key cryptography based on the knapsack problem.

  Public key cryptography is categorized according to the problem that it is based on. Problems that are the basis of safety include a prime factorization problem and a discrete logarithm problem. More specifically, public key cryptography based on the prime factorization problem includes RSA cryptography, and public key cryptography based on the discrete logarithm problem includes PSEC cryptography.

  By the way, when a so-called quantum computer is realized, it is known that the prime factorization problem and the discrete logarithm problem can be solved very efficiently by using the algorithm proposed by Shor. Therefore, the public key encryption based on these problems is completely decrypted.

On the other hand, Tatsuaki Okamoto, Yusuke Tanaka, and Shigenori Uchiyama, as public key cryptosystems based on the knapsack problem, which is considered difficult to decipher even if quantum computers are realized, There is a proposed public key encryption (hereinafter referred to as “OTU encryption”) (see Patent Document 1, Patent Document 2, Patent Document 3, and Non-Patent Document 1).
Japanese Patent No. 3615132 Japanese Patent No. 3615133 Japanese Patent No. 3615137 T. Okamoto, K. Tanaka, S. Uchiyama, "Quantum Public-Key Cryptosystems", LNCS 1880, pp.147-165, Springer-Verlag, 2000

  The OTU cipher requires a plurality of calculations related to the discrete logarithm problem over a finite field in the key generation process. The discrete logarithm problem can be easily calculated by using a quantum computer. However, when an existing computer is used, when the bit length of the prime p, which is a remainder calculation method, is long (for example, when the prime p is 1024 bits) It is not easy to solve the discrete logarithm problem of () with the current computational capability and technology.

  Therefore, the OTU cipher can be said to be an effective public key cipher after the realization of the quantum computer, but on the other hand, it is difficult to say that it is easy to use with the current computer.

  Therefore, the present invention is a public key cryptosystem (key generation, encryption and decryption) based on the knapsack problem that can be used with existing computers relatively easily but cannot be decrypted even when the quantum computer is realized. It is an object to provide each device to be realized, a system constituted by these devices, and a method thereof.

In order to solve the above-described problem, in the present invention, the key generation device includes a storage unit that stores s prime numbers 冪 q _j [1 ≦ j ≦ s], positive rational integers n and k, and s prime numbers. A composite number calculating means for calculating a composite number N by calculating a product of 冪 q _j [1 ≦ j ≦ s] and generation of each irreducible residue class group (Z / q _j Z) ^× [1 ≦ j ≦ s] A generator calculation means for calculating a rational integer g as a base, and a rational integer p _i [1 ≦ i ≦ n; both of which are relatively prime; each rational integer p _i is relatively prime with the composite number N. And private key set calculating means for calculating a] represents the i [1 ≦ i ≦ n] with respect to ^{g ai ≡p} _i (mod N) [where the index _{a i} in g by the symbol ai. ], A knapsack generation factor calculating means for calculating a rational integer a _i satisfying the above, a random number generating means for generating and outputting a random number d, and adding the random number d to each rational integer a _i [1 ≦ i ≦ n] And knapsack generating means for generating a rational integer b _i [1 ≦ i ≦ n], the public key is at least a positive rational integer k, the rational integer b _i [1 ≦ i ≦ n], and the secret key is a composite number N, a positive rational integer k, a rational integer g, a random number d, and a rational integer p _i [1 ≦ i ≦ n]. Also, the encryption device converts the public key (at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n]) and plaintext M, and converts the plaintext into a code string (code conversion). , By means of a code conversion method capable of converting a code string into plain text (reverse code conversion), plain text M is a code string m of length n and weight k = {m _i } [1 ≦ i ≦ n; ^Let _{i = 1} ⁿ m _i = k. And a cipher means for generating ciphertext c = Σ _{i = 1} ⁿ m _i b _i from the code string _mi and the public key b _i . The decryption apparatus includes a storage unit that stores a secret key (composite number N, rational integer g, random number d, rational integer p _i [1 ≦ i ≦ n]) and ciphertext c, and a secret key from ciphertext c. an exponent calculation means for calculating an exponent r by subtracting the product of k and the secret key d, and calculating a power-residue calculation result u by calculating u≡g ^r (mod N) from the exponent r, the secret key g, and N Dividing the power-residue calculation means and the power-residue calculation result u by each secret key p _i [1 ≦ i ≦ n] to give different code values w _i when divided and not divided, a code sequence w = {w _i} symbol recovery means for calculating the [1 ≦ i ≦ n], the code conversion method used in the code conversion means in the encryption device, the plaintext to convert the code sequence w plaintext Decoding means for outputting. These key generation device, encryption device, and decryption device are connected to each other so as to be able to transmit data to form a multiplicative knapsack encryption system.
In this way, the multiplicative knapsack cipher is constructed in a partial cyclic group of irreducible residue class group (Z / NZ) ^× modulo the composite number N which is the product of prime numbers.

In order to solve the above-described problem, in the present invention, the key generation device includes a storage unit that stores positive rational integers n and k, and a base setting that sets an ideal ν of the integer ring Z _K of the algebraic field K Means and each irreducible residue class group (Z _K / τ _j ) ^× [1 ≦ j ≦ s; τ _j is a prime ideal in which any two norms constituting the ideal ν are disjoint. Integer p _i [1 ≦ i ≦ n integer ring Z _K and generating element calculation unit, any two norms is also relatively prime to calculate the integer g of the ring of integers Z _K as a generator of]; however, each integer The norm of p _i is relatively prime with the norm of ideal ν. And private key set calculating means for calculating a], and Knapsack generation factor calculation means for calculating a rational integer a _i satisfying g ^ai ≡p i _(mod ν) for each i [1 ≦ i ≦ n], the random number d And a knapsack generating means for generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n]. The public key is at least a positive rational integer k, the rational integer b _i [1 ≦ i ≦ n], the secret key is at least an ideal ν, a positive rational integer k, an integer g of an integer ring Z _K , a random number d, It is assumed that an integer p _i [1 ≦ i ≦ n] of the integer ring Z _K is satisfied. Also, the encryption device converts the public key (at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n]) and plaintext M, and converts the plaintext into a code string (code conversion). , By means of a code conversion method capable of converting a code string into plain text (reverse code conversion), plain text M is a code string m of length n and weight k = {m _i } [1 ≦ i ≦ n; ^Let _{i = 1} ⁿ m _i = k. And a cipher means for generating ciphertext c = Σ _{i = 1} ⁿ m _i b _i from the code string _mi and the public key b _i . Then, the decoding apparatus, the secret key (at least ideal [nu, positive rational integer k, an integer g integer ring Z _K, the random number d, the integer p _i integer ring Z _K [1 ≦ i ≦ n]) and ciphertext storage means for storing c, exponent calculation means for calculating the index r by subtracting the product of the secret key k and the secret key d from the ciphertext c, u≡g ^r (from the index r, the secret key g and ν) mod ν) is a power residue calculation means for calculating a power residue operation result u, and the power residue remainder operation result u is divided by each secret key p _i [1 ≦ i ≦ n]. A code reproduction unit that gives different code values w _i and a code string w = {w _i } [1 ≦ i ≦ n], and a code conversion used in the code conversion unit in the encryption device Decoding means for converting the code string w into plaintext and outputting the plaintext according to the system . These key generation device, encryption device, and decryption device are connected to each other so as to be able to transmit data to form a multiplicative knapsack encryption system.
Thus, a multiplicative knapsack cipher is constructed in a cyclic subgroup of irreducible residue class group (Z _K / ν) ^× modulo a product ν of a plurality of prime ideals in integer ring Z _K of algebraic field K.

The present invention relates to a partial cyclic group of an irreducible residue class group (Z / NZ) ^× modulo a composite number N that is a product of prime numbers 積, or a product ν of a plurality of prime ideals in an integer ring Z _K of an algebraic field K By constructing a multiplicative knapsack cipher in a cyclic subgroup of irreducible residue classes (Z _K / ν) modulo ^x, a prime with a smaller norm constituting a composite number 冪 or an ideal ν Since the logarithm of the ideal is used for the discrete logarithm calculation necessary for the multiplicative knapsack cryptography, it can be used even with an existing computer. In addition, since the knapsack problem is based on safety, there is no risk of decoding even if the quantum computer is realized.

Considering the case where the composite number N is 1024 bits as an example, conventionally, a discrete logarithm calculation modulo a 1024-bit prime number has been required. However, in the present invention, the composite number N is converted to a 128-bit prime number 冪. If the product of ₈ q ₁ , q ₂ ,..., Q ₈ is used, a discrete logarithm modulo each q _i (1 ≦ i ≦ 8) may be calculated. Even in the current computer environment, a solution can be obtained in a practical time by using a number field sieving method or the like.

In the details of the key generation device, encryption device, and decryption device of the present invention described in each embodiment, numerical calculation processing in number theory may be required, but numerical calculation processing in number theory itself is Since it is achieved in the same manner as in the known technique, detailed description of the arithmetic processing method and the like is omitted (software that can perform numerical calculation processing in number theory indicating the technical level of this point includes, for example, PARI / GP, KANT, etc. / KASH etc. For PARI / GP, see the Internet <URL: http://pari.math.u-bordeaux.fr/> [searched on December 14, 2005] KANT / For KASH, refer to the Internet <URL: http://www.math.tu-berlin.de/algebra/> [searched on December 14, 2005].)
Reference literature 1 can be cited as a literature regarding this point.
(Reference 1) H. Cohen, "A Course in Computational Algebraic Number Theory", GTM 138, Springer-Verlag, 1993.

<< First Embodiment >>
A first embodiment of the present invention will be described with reference to the drawings.
Here, the configuration and processing of each device (key generation device, encryption device, and decryption device) according to the first embodiment, the multiplicative knapsack encryption system configured by each device, and the processing in that system will be described descriptively.
The multiplicative knapsack encryption system according to the first embodiment is configured by devices “key generation device”, “encryption device”, and “decryption device” as necessary.
In the first embodiment, it should be noted that the set related to the following processing is a rational integer ring (in the first embodiment, “integer” means “rational integer”).

[Key generator]
(Realization of information processing through cooperation between hardware configuration and hardware resources and software)
FIG. 1 is a configuration block diagram illustrating the hardware configuration of the key generation device (1). As illustrated in FIG. 1, the key generation device (1) includes an input unit (11) to which an input unit such as a keyboard and a pointing device can be connected, an output unit (12) to which an output unit such as a liquid crystal display can be connected, Key generation device (1) A communication unit (13) to which a communication device (for example, a communication cable) that can communicate with the outside can be connected, and a CPU (Central Processing Unit) (14) [may include a cache memory or the like. ] RAM (15) as a memory, ROM (16), external storage device (17) as a hard disk, and these input unit (11), output unit (12), communication unit (13), CPU (14), A bus (18) is provided to connect the RAM (15), ROM (16), and external storage device (17) so that data can be exchanged between them. If necessary, the key generation device (1) may be provided with a device (drive) that can read and write a storage medium such as a CD-ROM. A physical entity having such hardware resources includes a general-purpose computer.

  The external storage device (17) of the key generation device (1) stores and stores a program for generating a key (public key, secret key) to be described later, data necessary for processing of the program, and the like. Further, data obtained by the program processing is appropriately stored in the RAM (15), the external storage device (17), or the like.

More specifically, in the external storage device (17) [or ROM, etc.], a program for generating the composite number N, and an integer g (modulo the composite number N) that is the generation source of the irreducible residue class group are obtained. A program for generating an original set (hereinafter also referred to as a “secret key set”) that is a secret key used to solve the knapsack problem, a secret with the composite number N modulo the integer g A program for giving each key element index (hereinafter referred to as “knapsack generation factor”), a program for generating random numbers, a program for generating knapsack, and a process based on these programs are controlled. For example, a control program is stored and stored.
Further, as data necessary for the processing of these programs, positive integers n and k (where n> k) and a prime number 冪 q _j (1 ≦ j ≦ s) giving a composite number N are externally provided in advance. It is assumed that the data is stored in the storage device (17). These data may not be stored in advance in the external storage device (17) of the key generation device (1), but may be input from the input unit (11), for example. The data may be read by driving the drive from the recording medium storing the data.

  In the key generation device (1), each program stored in the external storage device (17) [or ROM, etc.] and data necessary for the processing of each program are read into the RAM (15) as necessary, and appropriately. The CPU (14) interprets and executes them. As a result, the CPU (14) realizes predetermined functions (composite number calculation unit, generation source calculation unit, secret key set calculation unit, knapsack generation factor calculation unit, random number generation unit, knapsack generation unit, control unit).

(Key generation process)
Next, with reference to FIG. 2 and FIG. 3, the flow of the key generation processing in the key generation device (1) will be described descriptively.

First, the control unit (140) reads the positive integers n and k and the prime number 冪 q _j (1 ≦ j ≦ s) from the external storage device (17), and stores them in a predetermined storage area of the RAM (15). Store it. Hereinafter, when the description “reads XX from RAM” is used, it means “read XX from a predetermined storage area in which XX is stored in the RAM”.
Note that the prime number を represents the power of the prime number, and includes the case where the power number is 1.

[Step S12]
Next, the composite number calculation unit (141) reads the prime number 冪 q _j (1 ≦ j ≦ s) from the RAM (15), performs an operation according to the equation (1), and calculates the composite number N. The calculated composite number N is stored in a predetermined storage area of the RAM (15).

[Step S13]
Next, the generator calculation unit (142) reads the prime number 冪 q _j (1 ≦ j ≦ s) from the RAM (15), and the irreducible residue class group (Z / q) for all j (1 ≦ j ≦ s). _An integer g (modulo the composite number N) that is a generator of jZ) ^× is calculated, and the calculated integer g is stored in a predetermined storage area of the RAM (15).
The integer g can be calculated by a known method, for example, by the following method. That is, first, an integer g ₁ that is a generator of the irreducible residue class group (Z / q ₁ Z) ^× , an integer g ₂ that is a generator of the irreducible residue class group (Z / q ₂ Z) ^× ,. An integer g _s that is a generator of the residue class group (Z / q _s Z) ^× is obtained for each irreducible residue class group, and then, for these integers g ₁ , g ₂ ,..., G _s An integer g may be obtained by applying the Chinese remainder theorem.
More specifically, according to the Chinese remainder theorem, for each disjoint q _j (1 ≦ j ≦ s), g≡g ₁ (mod q ₁ ), g≡g ₂ (mod q ₂ ), ..., an integer g satisfying the simultaneous equations g≡g _s (mod q _s ) is uniquely determined by modulo N = Π _{j = 1} ^s q _j [Equation (1)]. j ≦ s) the irreducible coset group _(Z / q j Z) ^× of origin for (and the composite number N Act) integer g can be calculated [this case, the integer g is the g _j relating to a divisor q _j Matches the class. ].

[Step S14]
Next, the secret key set calculation unit (143) reads the positive integers n and k and the composite number N from the RAM (15), and the original sets {p ₁ , p ₂ that are relatively prime and satisfy the following conditions: ,..., P _n } are generated, and this set {p ₁ , p ₂ ,..., P _n } is stored in a predetermined storage area of the RAM (15). This set {p ₁ , p ₂ ,..., P _n } is a secret key set.
Condition (a): Each p _i (1 ≦ i ≦ n) is relatively prime to the composite number N.
Condition (b): A subset {p ₁ , p ₂ ,..., P _n }, and an arbitrary subset {p _h1 , p _h2 ,..., P _hk } having k elements The expression (2) is satisfied.

The condition (a) is a condition that the element p _i is an element of the irreducible residue class group (Z / NZ) ^× .
The condition (b) is a condition for guaranteeing the uniqueness of decoding in the decoding process described later. However, equation (2) corresponds to the case where plaintext M is counted and converted to a bit string by the encoding method in the encryption processing described later. For example, when plaintext M is converted to a natural number sequence by the powerline encoding method It should be noted that the conditional expression is adapted to the method.
The condition (b) to be satisfied in any code conversion method can be expressed by the equation (3) [Equation (3) is also a conditional expression in the power line coding method. ].

The set {p ₁ , p ₂ ,..., P _n } can be generated by a known method, for example, by the following method. _{That, p 1 <p 2 <···} < as _{p n,} from the original set of irreducible coset group _{^{(Z / NZ) ×, p}} n-k + 1 × p n-k + 2 × ··· × p n-1 It is only necessary to select n elements that satisfy _xpn <N. It is assumed that the number of elements of the original set of irreducible residue class group (Z / NZ) ^× is larger than n.

[Step S15]
Next, the knapsack generation factor calculation unit (144) reads the composite number N, the integer g, and the secret key set {p ₁ , p ₂ ,..., P _n } from the RAM (15), and formula (4) is obtained. A satisfying integer a _i (1 ≦ i ≦ n) is calculated, and the calculated integer a _i (1 ≦ i ≦ n) is stored in a predetermined storage area of the RAM (15). This integer a _i (1 ≦ i ≦ n) is a knapsack generating factor.

Equation (4) is a so-called discrete logarithm problem, and it is generally difficult to obtain the integer a _i .
However, when the prime factor q _j of the composite number N is small to some extent (the current technology level has an upper limit of about 400 bits, for example, it may be about 64 bits to 256 bits), the integer a _i can be easily set. It is possible to ask. For example, the following processing may be performed for each i (1 ≦ i ≦ n).

[Step S15-1]
For each j (1 ≦ j ≦ s), an integer a _{i, j} that satisfies Equation (5) is calculated. If the prime factor q _j is a short bit-length prime number 冪, _{ai, j} can be easily calculated by using a number field sieving method or a method called Pollard's ρ (Monte Carlo method). Is possible.

[Step S15-2]
For all j (1 ≦ j ≦ s), an integer a _i satisfying Expression (6) is calculated. Note that φ is an Euler function.

[Step S16]
Next, the random number generator (145) generates a random number d and stores the generated random number d in a predetermined storage area of the RAM (15).

[Step S17]
Next, the knapsack generation unit (146) reads the random number d and the integer a _i (1 ≦ i ≦ n) from the RAM (15), and for each i (1 ≦ i ≦ n), the random number d is added to the integer a _i. The integer b _i [1 ≦ i ≦ n] is calculated by addition, and the calculated b _i is stored in a predetermined storage area of the RAM (15). This b _i (1 ≦ i ≦ n) is a knapsack.
Here, as a specific method of “calculating the integer b _i [1 ≦ i ≦ n] by adding the random number d to the integer a _i ”, for example, b _i = a _i + d is calculated. The calculation method of b _i (1 ≦ i ≦ n), which is a knapsack, is not limited to the calculation b _i = a _i + d. In short, it is only necessary to generate n original sets that can be used as a knapsack. For example, a knapsack may be generated by the following method. That is, the knapsack generation unit (146) reads the random number d, the integer a _i (1 ≦ i ≦ n), and the composite number N from the RAM (15), and for each i (1 ≦ i ≦ n), b _i = a _i + d mod φ (N) is calculated to calculate b _i, and the calculated b _i is stored in a predetermined storage area of the RAM (15).

[Step S18]
Through the above processing, the composite number N, positive integer k, integer g, random number d, and secret key set {p ₁ , p ₂ ,..., P _n } stored in the RAM (15) become secret keys. , Knapsack b _i (1 ≦ i ≦ n), positive integers n and k are public keys. Since n of the public keys is obtained from the number of knapsacks b _i (1 ≦ i ≦ n), it is not essential to include n in the public key. In this specification, for convenience of explanation, the public key including this n is used.
The control unit (140) controls the communication unit (13) to transmit the public key (n, k, b ₁ , b ₂ ,..., B _n ) to the encryption device, and the secret key (N, k, g, d, p ₁ , p ₂ ,..., _pn ) are transmitted to the decoding device. Note that it is desirable that at least the communication path for transmitting the secret key has a guaranteed safety. When the key generation device (1) also serves as a decryption device, it is not necessary to transmit a secret key. In addition, instead of transmitting the public key to the encryption device, the public key registration server device may transmit the public key to the encryption device that has accessed the public key registration server device, for example. . After all, as long as the private key is securely supplied to the decryption device and the public key is supplied to the encryption device, the supply method is not limited.

[Encryption device]
(Realization of information processing through cooperation between hardware configuration and hardware resources and software)
FIG. 4 is a block diagram illustrating the hardware configuration of the encryption device (2). As illustrated in FIG. 4, the encryption device (2) includes an input unit (21) to which an input unit such as a keyboard and a pointing device can be connected, an output unit (22) to which an output unit such as a liquid crystal display can be connected, Encryption unit (2) A communication unit (23) to which a communication device (for example, a communication cable) that can communicate with the outside can be connected, and a CPU (Central Processing Unit) (24) [may include a cache memory or the like. ], A RAM (25) as a memory, a ROM (26), an external storage device (27) as a hard disk, and an input unit (21), an output unit (22), a communication unit (23), a CPU (24), A bus (28) is provided to connect the RAM (25), ROM (26), and external storage device (27) so that data can be exchanged between them. If necessary, the encryption device (2) may be provided with a device (drive) that can read and write a storage medium such as a CD-ROM. A physical entity having such hardware resources includes a general-purpose computer.

  The external storage device (27) of the encryption device (2) stores and stores a program for encrypting plaintext, data necessary for processing of this program, and the like. Data obtained by the program processing is appropriately stored in the RAM (25), the external storage device (27), or the like.

More specifically, the external storage device (27) [or ROM, etc.] includes a program for encoding plaintext M into a predetermined bit length, a program for encrypting the encoded plaintext, and these programs. A control program for controlling the processing based on the data is stored and stored.
Further, as data necessary for the processing of these programs, plain text M and public keys (n, k, b ₁ , b ₂ ,..., B _n ) are stored and stored in the external storage device (27) in advance. Suppose that The plaintext M may not be stored and stored in advance in the external storage device (27) of the encryption device (2), but may be input from the input unit (21), or these The drive may be read from a recording medium storing data, and can be changed as appropriate. The public key (n, k, b ₁ , b ₂ ,..., B _n ) is received from the key generation device (1) by the communication unit (23) of the encryption device (2) and externally stored. It is stored in the device (27).

  In the encryption device (2), each program stored in the external storage device (27) [or ROM, etc.] and data necessary for the processing of each program are read into the RAM (25) as necessary, and appropriately. The CPU (24) interprets and executes the processing. As a result, the CPU (24) realizes predetermined functions (code conversion unit, encryption unit, control unit).

(Encryption processing)
Next, with reference to FIG. 5 and FIG. 6, the flow of the encryption processing in the encryption device (2) will be described descriptively.

First, the control unit (240) reads the plaintext M and the public keys (n, k, b ₁ , b ₂ ,..., B _n ) from the external storage device (27), and stores them in the RAM (25). Stored in a predetermined storage area. Hereinafter, when the description “reads XX from RAM” is used, it means “read XX from a predetermined storage area in which XX is stored in the RAM”.

[Step S22]
Next, the code conversion unit (241) reads the plaintext M and the public keys n and k from the RAM (25), and the plaintext M is a code string m = (m ₁ ) having a length n bits and a Hamming weight k. , M ₂ ,..., M _n ), and the converted plaintext is stored in a predetermined storage area of the RAM (25).
Here, the bit length of the plaintext M is, _┗ log ₂ to _n C _k┛ bits (corresponding to the case of the later-described counting encoding method.). In addition, m _i (1 ≦ i ≦ n) ∈ {0, 1} and Σ _{i = 1} ⁿ m _i = k. That is, in the bit string m, the number 1 has k and the value 0 has nk.
Note that the symbol _┗ * _┛ represents the maximum integer not exceeding *, and _n C _k represents the total number of combinations in which k items are extracted from n items (corresponding to so-called binomial coefficients).

A method of converting the plaintext M into a bit string m having a length n bits and a Hamming weight k may be a known method, and a method called “enumerable encoding” may be used (see Reference 2). .). It is not intended to be limited to this method, but it is sufficient that the code string m satisfies the condition of Σ _{i = 1} ⁿ m _i = k in order to be able to perform the decoding process described later. The sequence m = (m ₁ , m ₂ ,..., M _n ) may be a natural number sequence instead of a bit sequence. As a method for converting the plaintext M into such a natural number sequence, there is a method called “powerline encoding” (see Reference 3). When this power line coding method is used, the plaintext M may be set to a bit length adapted to this method. In the case of the power line coding method, the bit length is set to _┗ log _{2 n} H _k ＝ = _┗ log _{2 n + k-1} C _{k ┛} . In the case of the power line coding method, the total number of integers that can be encoded is equal to “the total number of combinations that allow duplication from n items and extract k items (overlapping combinations) _n H _k ”.
(Reference 2) TM Cover, "Enumerable source encoding", IEEE Trans. Inform. Theory, vol.IT-19, pp.73-77, 1973.
(Reference 3) P. Camion, H. Chabanne, "On the Powerline system", AAECC, vo1 9, pp.405-432, Springer-Verlag, 1999.

In the first embodiment, since the counting coding method is used, the bit length of the plaintext M is set to _┗ log _{2 n} C _{k ┛} bits. However, this is not intended to limit the plaintext M to such a bit length. A plaintext with a certain bit length _may be divided into bit lengths _┗ log _{2 n} C _{k 、,} and encoding may be performed for each divided plaintext (divided plaintext). If the split plaintext shorter than the bit length _┗ log _{2 n} C _{k で} is created by the division, the insufficient bit length may be filled with 0 and the bit length may be aligned to _┗ log _{2 n} C _{k ┛} . The same applies to the case of the power line coding method.

[Step S23]
Next, the encryption unit (242) reads the bit string m and the public keys b ₁ , b ₂ ,..., B _n from the RAM (25), and performs an operation of c = Σ _{i = 1} ⁿ m _i b _i. Then, the ciphertext c is calculated, and the calculated ciphertext c is stored in a predetermined storage area of the RAM (25).

[Step S24]
The control unit (240) controls the communication unit (23) to transmit the ciphertext c stored in the RAM (25) to the decryption device.

[Decryption device]
(Realization of information processing through cooperation between hardware configuration and hardware resources and software)
FIG. 7 is a block diagram illustrating the hardware configuration of the decoding device (3). As illustrated in FIG. 7, the decoding device (3) includes an input unit (31) to which an input unit such as a keyboard and a pointing device can be connected, an output unit (32) to which an output unit such as a liquid crystal display can be connected, Decryption device (3) A communication unit (33) to which a communication device (for example, a communication cable) that can communicate with the outside can be connected, and a CPU (Central Processing Unit) (34) [may include a cache memory or the like. ], A memory (RAM) 35, a ROM (36), a hard disk external storage device (37), an input unit (31), an output unit (32), a communication unit (33), a CPU (34), A bus (38) is provided to connect the RAM (35), ROM (36), and external storage device (37) so that data can be exchanged between them. If necessary, the decryption device (3) may be provided with a device (drive) that can read and write a storage medium such as a CD-ROM. A physical entity having such hardware resources includes a general-purpose computer.

  The external storage device (37) of the decryption device (3) stores and stores a program for decrypting the ciphertext, data necessary for processing of this program, and the like. Further, data obtained by the program processing is appropriately stored in the RAM (35), the external storage device (37), or the like.

More specifically, in the external storage device (37) [or ROM, etc.], a program for obtaining an exponent used for cryptographic processing from the ciphertext c and the secret key, and a power-residue calculation from the secret key and the exponent A program, a program for reproducing a code string from a power residue calculation result, a program for converting the reproduced code string into plain text, a control program for controlling processing based on these programs, and the like are stored and stored. Yes.
In addition, as data necessary for the processing of these programs, a secret key (N, k, g, d, p ₁ , p ₂ ,..., P _n ) and a ciphertext c are preliminarily stored in the external storage device (37). Is stored and stored in The secret key (N, k, g, d, p ₁ , p ₂ ,..., P _n ) is received from the key generation device (1) by the communication unit (33) of the decryption device (3). It is stored and stored in the external storage device (37). The ciphertext c is received from the encryption device (2) and stored in the external storage device (37) by the communication unit (33) of the decryption device (3). Note that the drive may be read from a recording medium storing these data, and can be changed as appropriate.

  In the decryption device (3), each program stored in the external storage device (37) [or ROM, etc.] and data necessary for the processing of each program are read into the RAM (35) as necessary, and appropriately. The CPU (34) interprets and executes the processing. As a result, the CPU (34) realizes predetermined functions (an exponent calculation unit, a power residue calculation unit, a code string reproduction unit, a decoding unit, and a control unit).

(Decryption process)
Next, with reference to FIG. 8 and FIG. 9, the flow of the decoding process in the decoding device (3) will be described descriptively.

First, the control unit (340) reads the secret key (N, k, g, d, p ₁ , p ₂ ,..., P _n ) and the ciphertext c from the external storage device (37). It is stored in a predetermined storage area of the RAM (35). Hereinafter, when the description “reads XX from RAM” is used, it means “read XX from a predetermined storage area in which XX is stored in the RAM”.

[Step S32]
Next, the exponent calculation unit (341) reads the ciphertext c and the secret keys k and d from the RAM (35), performs an operation of r = c−kd, calculates the index r, and calculates the calculated index r. The data is stored in a predetermined storage area of the RAM (35).
Here, the calculation method of the index r corresponds to step S17 of the key generation process in the key generation device (1), and the knapsack b _i (1 ≦ i ≦ n) is calculated as b _i = a _i + d. In this case, the index r is calculated by calculating r = c−kd. For example, knapsack b _i (1 ≦ i ≦ n) is calculated by b _i = a _i + d mod φ (N). Therefore, it should be noted that the index r is calculated by performing the operation r = c−kd mod φ (N).

[Step S33]
Next, the power-residue calculating unit (342) reads the exponent r and the secret keys N and g from the RAM (35), calculates u = g ^r mod N, and calculates the power-residue calculation result u. The calculated power residue calculation result u is stored in a predetermined storage area of the RAM (35).

[Step S34]
Next, the code string reproduction unit (343) reads the power residue calculation result u and the secret keys p ₁ , p ₂ ,..., _Pn from the RAM (35), and each i (1 ≦ i ≦ n). Is divided by the secret key p _i , and when the power residue operation result u is divisible by the secret key p _i , m _i = 1, and the power residue operation result u is the secret key p _i. If it is not divisible by m _i = 0, a code string (bit string) m = (m ₁ , m ₂ ,..., M _n ) is obtained. Then, the code string reproduction unit (343) stores the obtained code string (bit string) m = (m ₁ , m ₂ ,..., M _n ) in a predetermined storage area of the RAM (35).

A supplementary description will be given of the processing in steps S32 to S34.
Corresponding to the case where the knapsack b _i (1 ≦ i ≦ n) is calculated by calculating b _i = a _i + d in step S17 of the key generation process, an operation r = c−kd is performed in step S32. If the index r is calculated by performing the calculation, the calculation r = c−kd means the following calculation. That is, r = Σ _{i = 1} ⁿ m _i b _i −kd = Σ _{i = 1} ⁿ m _i (a _i + d) −kd = Σ _{i = 1} ⁿ m _i a _i + d × Σ _{i = 1} ^{n n} m _i − kd = Σ _{i = 1} ⁿ m _i a _i + kd−kd = Σ _{i = 1} ⁿ m _i a _i (∵Σ _{i = 1} ⁿ m _i = k).
Therefore, the power-residue operation is as follows: u = g ^r mod N = g ^ (Σ _{i = 1} ⁿ _mi a _i ) mod N = g ^ (m ₁ a ₁ ) × g ^ (m ₂ a ₂ ) × * G ^ (m _n a _n ) mod N [where symbol ^ represents a power. ]. Here, it should be noted that any _two elements of the equation (4) and the secret key set {p ₁ , p ₂ ,..., P _n } are relatively prime. _The case where it is divisible by _i is that the power residue operation result u has g ^ a _i as a prime factor, and further, m _i (1 ≦ i ≦ n) ∈ {0, 1} Note that there are m _i = 1. On the other hand, the case where the power residue calculation result u is not divisible by the secret key p _i is that the power residue calculation result u does not have g ^ a _i as a prime factor, and _mi ( Note that 1 ≦ i ≦ n) ε {0,1}, it turns out that m _i = 0.

[Step S35]
Next, the decryption unit (344) reads the code string (bit string) m = (m ₁ , m ₂ ,..., M _n ) from the RAM (35), and performs encryption processing in the encryption device (2). The inverse transformation corresponding to step S22 is performed (see Reference 2), and the plaintext M is restored and stored in a predetermined storage area of the RAM (35).

  In the case of split plaintext, the entire plaintext can be obtained by performing the processes of steps S31 to S35 on each split ciphertext encrypted for each split plaintext and combining the obtained split plaintexts. it can.

[Multiplicative knapsack cryptosystem and its processing]
The multiplicative knapsack cryptosystem of the first embodiment can have various system configurations. Here, two typical configurations will be described.

(System 1)
The multiplicative knapsack encryption system (1000) is composed of the key generation device (1), the encryption device (2), the decryption device (3), and the public key registration server device (4). FIG. 10 is a diagram illustrating a configuration example of the multiplicative knapsack encryption system (1000).

  The key generation device (1), the encryption device (2), the decryption device (3), and the public key registration server device (4) can communicate with a network (5) such as the Internet or a LAN (Local Area Network). Connected. A plurality of encryption devices (2) may be connected to the network (5).

The public keys (n, k, b ₁ , b ₂ ,..., B _n ) generated by the key generation device (1) are all made public in the multiplicative knapsack cryptosystem (1000). The public key disclosed in the multiplicative knapsack encryption system (1000) is stored and stored in the external storage device (17) of the key generation device (1), and the encryption device (2) is transmitted via the network (5). It is good also as what is distributed by accessing from. However, since the key generation device (1), a private key _{(N, g, k, d} , p 1, p 2, ···, p n) are also generated, addressed leakage of secret key or the like by unauthorized access Therefore, it is preferable to store the public key disclosed in the multiplicative knapsack encryption system (1000) in the external storage device of the public key registration server device (4). That is, in the multiplicative knapsack cryptosystem (1000), the public key registration server apparatus (4) receives the access from the encryption apparatus (2), thereby providing the public key.

  The secret key generated in the key generation device (1) is highly required to be confidential. Therefore, it is desirable that at least the communication channel for transmitting the secret key is guaranteed to be secure. If the network (5) has a possibility of intercepting communication, the private key is not sent to the decryption device (3) via this, but is stored separately in a storage medium. The storage medium may be sent to the decryption device (3) by mail or the like and stored in the external storage device (37) of the decryption device (3) from the storage medium.

  One or a plurality of encryption devices (2) access the public key registration server device (4) to obtain a public key, and generate a ciphertext c from the plaintext M. The encryption device (2) transmits the generated ciphertext c to the decryption device (3) via the network (5).

  The decryption device (3) decrypts the ciphertext c generated by the encryption device (2) received via the network (5) using the secret key.

FIG. 11 is a diagram showing a processing flow of the multiplicative knapsack encryption / decryption method in the multiplicative knapsack encryption system (1000).
First, the key generation device (1) generates a public key and a secret key (step S100). For the specific processing of step S100, see steps S12 to S17 above. Next, the communication unit (13) of the key generation device (1) transmits the public key to the public key registration server device (4) (step S101). Then, the communication unit (not shown) of the public key registration server device (4) receives the public key from the key generation device (1) (step S102). Further, the communication unit (13) of the key generation device (1) transmits the secret key to the decryption device (3) (step S103). Then, the communication unit (33) of the decryption device (3) receives the secret key from the key generation device (1) (step S104). The encryption device (2) accesses the public key registration server device (4) through the communication unit (23) of the encryption device (2), and acquires the public key (step S105). Next, the encryption device (2) generates a ciphertext c using the plaintext M and the public key (step S106). For the specific processing in step S106, see steps S22 and S23 above. Then, the communication unit (23) of the encryption device (2) transmits the ciphertext c to the decryption device (3) (step S107). The communication unit (33) of the decryption device (3) receives the ciphertext c from the encryption device (2) (step S108). The decryption device (3) obtains the plaintext M from the ciphertext c using the secret key (step S109). For the specific processing of step S109, see steps S32 to S35 above.
When the multiplicative knapsack encryption system (1000) does not include the public key registration server device (4), steps S101 and S102 are not necessary, and the processing of step S105 is performed by the encryption device (2). The key generation device (1) is accessed by the communication unit (23) of (2), and the public key is acquired.

(System 2)
A multiplicative knapsack cryptosystem (1001) is composed of the above-described encryption device (2) and a decryption device (3 ′) that also serves as a key generation device. FIG. 12 is a diagram illustrating a configuration example of the multiplicative knapsack encryption system (1001).

  The encryption device (2) and the key generation / decryption device (3 ') are communicably connected to a network (5) such as the Internet or a LAN (Local Area Network). A plurality of encryption devices (2) may be connected to the network (5).

The public key (n, k, b ₁ , b ₂ ,..., B _n ) and the secret key (N, g, k, d, p ₁ ) generated by the key generation / decryption device (3 ′) p ₂ ,..., p _n ) are stored and stored in the external storage device (37 ′) of the key generation device / decryption device (3 ′), for example, the key generation device / decryption device (3 ′). And the encryption device (2) through peer-to-peer communication via the network (5), the key generation device / decryption device (3 ′) transmits the public key to the encryption device (2).

  One or a plurality of encryption devices (2) generate a ciphertext c from the plaintext M using the public key received from the key generation device / decryption device (3 '). The encryption device (2) transmits the generated ciphertext c to the key generation device / decryption device (3 ') via the network (5).

  The key generation device / decryption device (3 ') uses the secret key to decrypt the ciphertext c received by the encryption device (2) received via the network (5).

  By the way, the key generation device / decryption device (3 ') generally exists as one casing from the viewpoint of a physical entity. However, this does not mean that the key generation device / decryption device (3 ') is completely different from the key generation device (1) and the decryption device (3). For example, one general-purpose computer functions as both the key generation device (1) and the decryption device (3) depending on the program to be processed, and further, by having both programs, one general-purpose computer can operate the key generation device (1 ) And playing the role as the decoding device (3), it can be considered that one general-purpose computer has two-sidedness (multi-facetedness) in terms of functional aspects. If “device” is defined corresponding to this “function”, it can be said that one general-purpose computer as a physical entity is the key generation device (1) and the decryption device (3). In other words, the key generation device / decryption device (3 ′) realized by one general-purpose computer is the key generation device (1) and the decryption device (3), as if the key generation device (1 ) And the decryption device (3) can be regarded as having two physical entities. Therefore, it should be noted that the system configuration described in System No. 2 is not substantially different from the system configuration of System No. 1 (although there is a difference that transmission of a secret key is not necessary).

FIG. 13 is a diagram showing a processing flow of the multiplicative knapsack encryption / decryption method in the multiplicative knapsack encryption system (1001).
First, the key generation device / decryption device (3 ′) generates a public key and a secret key (step S200). For the specific processing of step S200, see steps S12 to S17 above. Next, the communication unit of the key generation device / decryption device (3 ′) transmits the public key to the encryption device (2) (step S201). The encryption device (2) receives the public key from the key generation device / decryption device (3 ′) (step S202). Next, the encryption device (2) generates a ciphertext c using the plaintext M and the public key (step S203). For the specific processing of step S203, see steps S22 and S23 above. Then, the communication unit (23) of the encryption device (2) transmits the ciphertext c to the key generation device / decryption device (3 ′) (step S204). The communication unit of the key generation device / decryption device (3 ′) receives the ciphertext c from the encryption device (2) (step S205). The key generation device / decryption device (3 ′) obtains the plaintext M from the ciphertext c using the secret key (step S206). For the specific processing of step S206, see steps S32 to S35 above.

<< Second Embodiment >>
A second embodiment of the present invention will be described with reference to the drawings. In addition, about the hardware component corresponding to 1st Embodiment, the same referential mark is attached | subjected and duplication description is abbreviate | omitted.

In the first embodiment, the set related to each process is a rational integer ring, but the set related to each process in the second embodiment is an integer ring of an algebraic field. Accordingly, in order to facilitate comparison with the first embodiment, description will be made using the same symbols (eg, g, p _i , a _i , b _i, etc.) as much as possible. It should be noted that the meaning is not the same as when used (do not ignore that the set related to each processing in the second embodiment is an algebraic integer ring).
In the following, algebraic and K, and the ring of integers of Z _K. Also, it represents an element of Z _K is the "integer", "rational integer" represents an element of rational integers set Z.

[Key generator]
(Realization of information processing through cooperation between hardware configuration and hardware resources and software)
The hardware configuration and resources of the key generation device (1s) according to the second embodiment are the same as those of the key generation device (1) of the first embodiment (see FIG. 1).

  The external storage device (17) of the key generation device (1s) stores and stores a program for generating a key (public key, secret key) to be described later, data necessary for processing of the program, and the like. Further, data obtained by the program processing is appropriately stored in the RAM (15), the external storage device (17), or the like.

More specifically, the external storage device (17) [or ROM, etc.] of the key generation device (1s) is used to solve the knapsack problem, a program for obtaining the integer g that is the generation source of the irreducible residue class group. A program for generating an original set of secret keys (hereinafter also referred to as a “secret key set”), an exponent of each element to be a secret key (hereinafter referred to as “knapsack generation” modulo an ideal ν and an integer g as a base) A program for generating a random number, a program for generating a random number, a program for generating a knapsack, a control program for controlling processing based on these programs, setting an algebraic field, etc. Stored and stored.
Further, as data necessary for processing of these programs, positive rational integers n, k, and f (where n> k) are stored in advance in the external storage device (17) of the key generation device (1s). Suppose that it is remembered. Note that these data are not stored in advance in the external storage device (17) of the key generation device (1s), but are input from the input unit (11) of the key generation device (1s), for example. Alternatively, the drive may be driven and read from a recording medium storing these data, and can be changed as appropriate.

  In the key generation device (1s), each program stored in the external storage device (17) [or ROM, etc.] and data necessary for the processing of each program are read into the RAM (15) as necessary, and appropriately. The CPU (14) interprets and executes them. As a result, the CPU (14) realizes predetermined functions (generator calculation unit, secret key set calculation unit, knapsack generation factor calculation unit, random number generation unit, knapsack generation unit, control unit).

(Key generation process)
Next, with reference to FIG. 14 and FIG. 15, the flow of the key generation processing in the key generation device (1s) will be described descriptively.

  First, the control unit (140s) reads positive rational integers n, k, and f from the external storage device (17), and stores them in a predetermined storage area of the RAM (15). Hereinafter, when the description “reads XX from RAM” is used, it means “read XX from a predetermined storage area in which XX is stored in the RAM”.

[Step S12s]
Next, the control unit (140s) reads the positive rational integer f from the RAM (15), sets the algebraic field K as the f-order algebraic field, and further the integer ring Z of the algebraic field K expressed by the equation (7). to set the ideal ν of _K. The control unit (140s) stores information necessary for setting the algebraic field K and the ideal ν (for example, f-th order rational coefficient polynomial) in a predetermined storage area of the RAM (15). Note that τ _j (1 ≦ j ≦ s) in the equation (7) is a prime ideal in which any two norms are disjoint. The control unit (140s) fixes one complete representative system of the remainder ring Z _K / ν, sets the set as R (ν), and stores R (ν) in a predetermined storage of the RAM (15). Store in the area.

A brief description of the information necessary for setting the algebraic field and ideal is added.
The f-order algebraic field is a monic rational integer coefficient f-th irreducible polynomial F (x) = x ^f + c _f−1 x ^f−1 +... + c ₁ x + c ₀ [c is a rational integer coefficient] Is set. The element of the f-order algebraic field is expressed as a rational coefficient polynomial whose degree is less than f-order. An integer ring or ideal is represented by a basis ω ₁ , ω ₂ ,..., Ω _f on a rational integer ring (where ω is a rational coefficient coefficient of less than f order) (an integer ring or an ideal is Zω ₁ + Zω ₂ +... + Zω _f , where Z is a rational integer set.

  Although the algebraic field K is set in the second embodiment, it does not necessarily mean that the algebraic field K must be set. If the key generation device (1s) and the decryption device (3s), which will be described later, are preliminarily specified to perform operations on the algebraic field K (that is, the algebraic field K is set in the external storage devices of both devices in advance) It is only necessary to store and store necessary information.), It is not necessary to set the algebraic field K, and it is not necessary to use information necessary for setting the algebraic field K as a public key.

[Step S13s]
Next, the generator calculation unit (142s) is the generator of the irreducible remainder class group (Z _K / τ _j ) ^× for all j (1 ≦ j ≦ s) (modulo the ideal ν). And the calculated integer g is stored in a predetermined storage area of the RAM (15).
The integer g can be calculated by a known method, for example, by the following method. That is, first, an integer g ₁ that is a generator of the irreducible residue class group (Z _K / τ ₁ ) ^× , an integer g ₂ that is a generator of the irreducible residue class group (Z _K / τ ₂ ) ^× , irreducible coset group _{(Z K} / τ _s) determined by brute ^× of origin as made integral _{g s} a for each irreducible coset group, these integers _{g 1,} g 2, Chinese ... for _{g s} The integer g may be obtained by applying the remainder theorem. Although details are as described in the first embodiment, it should be noted that in the second embodiment, the modulo is ideal ν.
Here, the congruence a≡b (mod ν) modulo the ideal ν of the algebraic field means (ab) ∈ν.

[Step S14s]
Next, the secret key set calculation unit (143s) reads the positive rational integers n and k from the RAM (15), and satisfies the following conditions. The original sets {p ₁ , p ₂ , each norm being relatively prime ,..., P _n } ⊂Z _K is generated, and this set {p ₁ , p ₂ ,..., P _n } ⊂Z _K is stored in a predetermined storage area of the RAM (15). This set {p ₁ , p ₂ ,..., P _n } ⊂Z _K is a secret key set.
Condition (c): The norm of each integer p _i (1 ≦ i ≦ n) is relatively prime with the norm of the ideal ν.
Condition (d): the set _{{p 1, p 2, ···} , p n} is a subset of, any subset number of elements is _{k {p h1, p h2,} ..., p hk} is The expression (8) is satisfied.

The condition (c) is a condition that the integer p _i is an element of R (ν).
The condition (d) is a condition for guaranteeing the uniqueness of decoding in the decoding process. However, equation (8) corresponds to the case where plain text M is counted and converted to a bit string by the encoding method in the encryption process. For example, when plain text M is converted to a natural number sequence by the power line encoding method, this method is used. It should be noted that the conditional expression is adapted to.

The set {p ₁ , p ₂ ,..., P _n } Z _K can be generated by a known method, for example, by the following method. The norm of the prime ideal τ _j (1 ≦ j ≦ s) is 冪 of the prime number q _j [however, it is not necessarily the same as the prime number 冪 q _j constituting the composite number N of the first embodiment. And N ₁ = Π _{j = 1} ^s q _j , N ₁ is relatively prime, is an integer greater than or equal to _{1 and} less than N ₁ and satisfies the following condition (e). Prime integers p ₁ , p ₂ ,..., _Pn may be selected (rational integers greater than or _equal to 0 and less than N ₁ can be included in a fully representative system of Z _K / ν).
Condition (e): A subset {p ₁ , p ₂ ,..., P _n }, and an arbitrary subset {p _h1 , p _h2 ,..., P _hk } having k elements. The expression (9) is satisfied.

[Step S15s]
Next, the knapsack generation factor calculation unit (144s) reads the integer g and the secret key set {p ₁ , p ₂ ,..., P _n } from the RAM (15) and satisfies the expression (10). _i (1 ≦ i ≦ n) is calculated, and the calculated rational integer a _i (1 ≦ i ≦ n) is stored in a predetermined storage area of the RAM (15). The rational integers _{a i (1 ≦ i ≦ n} ) is knapsack generation factor.

Equation (10) is a so-called discrete logarithm problem, and it is generally difficult to obtain a rational integer a _i .
However, the ideal ν _{j is selected so that} the norm of τ _j is somewhat small (the upper limit is about 400 bits in the current state of the art, but it may be, for example, about 64 bits to 256 bits). By doing so, it is possible to easily find the rational integer a _i . For example, the following processing may be performed for each i (1 ≦ i ≦ n).

[Step S15s-1]
For each j (1 ≦ j ≦ s), a rational integer a _{i, j} that satisfies equation (11) is calculated. If a prime power of the bit length norm short prime ideal tau _j, a _i, in order to determine the _j, by using a method called ρ number field sieve and Pollard (Monte Carlo method), easily calculated Is possible.

[Step S15s-2]
For all j (1 ≦ j ≦ s), a rational integer a _i satisfying the equation (12) is calculated. N (τ _j ) represents the norm of τ _j .

[Step S16s]
Next, the random number generation unit (145s) generates a random number d that is a rational integer, and stores the generated random number d in a predetermined storage area of the RAM (15).

[Step S17s]
Next, the knapsack generation unit (146s) reads the random number d and the rational integer a _i (1 ≦ i ≦ n) from the RAM (15), and for each i (1 ≦ i ≦ n), the random number a _i is a random number. The rational integer b _i [1 ≦ i ≦ n] is calculated by adding d, and the calculated b _i is stored in a predetermined storage area of the RAM (15). This b _i (1 ≦ i ≦ n) is a knapsack.
Here, as a specific method of “calculating the rational integer b _i [1 ≦ i ≦ n] by adding the random number d to the rational integer a _i ”, for example, b _i = a _i + d is performed. . The calculation method of b _i (1 ≦ i ≦ n), which is a knapsack, is not limited to the calculation b _i = a _i + d. In short, it is only necessary to generate n original sets that can be used as a knapsack. For example, a knapsack may be generated by the following method. That is, the knapsack generation unit (146s) reads the random number d and the rational integer a _i (1 ≦ i ≦ n) from the RAM (15), and for each i (1 ≦ i ≦ n), b _i = a _i + d mod _{Ｊ j = 1} ^s (N (τ _j ) −1) is calculated to calculate b _i, and the calculated b _i is stored in a predetermined storage area of the RAM (15).

[Step S18s]
Through the above processing, the positive rational integer k, integer g, random number d, secret key set {p ₁ , p ₂ ,..., P _n }, algebraic field K and ideal ν stored in the RAM (15). Is a secret key, and knapsack b _i (1 ≦ i ≦ n) and positive rational integers n and k are public keys. Since n of the public keys is obtained from the number of knapsacks b _i (1 ≦ i ≦ n), it is not essential to include n in the public key. In this specification, for convenience of explanation, the public key including this n is used. In addition, as described above, the information for setting the algebraic field K in the secret key is stored in the decryption device when the information for setting the algebraic field K is stored in advance in the decryption device. Inclusion is not essential. In this specification, for convenience of explanation, the secret key including information for setting the algebraic field K is used. Hereinafter, information for setting the algebraic field K and the ideal ν is simply represented by symbols K and ν.
The control unit (140s) controls the communication unit (13) to transmit the public key (n, k, b ₁ , b ₂ ,..., B _n ) to the encryption device, and the secret key (K, ν, g, k, d, p ₁ , p ₂ ,..., _pn ) are transmitted to the decoding device. Note that it is desirable that at least the communication path for transmitting the secret key has a guaranteed safety. When the key generation device (1s) also serves as a decryption device, it is not necessary to transmit a secret key. In addition, instead of transmitting the public key to the encryption device, the public key registration server device may transmit the public key to the encryption device that has accessed the public key registration server device, for example. . After all, as long as the private key is securely supplied to the decryption device and the public key is supplied to the encryption device, the supply method is not limited.

[Encryption device and encryption processing]
The hardware configuration and resources of the encryption device (2s) according to the second embodiment are the same as those of the encryption device (2) of the first embodiment, and the encryption processing in the encryption device (2s) is also the first. Since it is the same as the encryption processing of the first embodiment, the description of the encryption device (2) and the encryption processing in the first embodiment is used, and the encryption device (2s) and the encryption processing in the second embodiment are used. The description is omitted (see FIGS. 4, 5, and 6). The public key used for the encryption process of the encryption device (2s) is a public key (n, k, b ₁ , b ₂ ,..., B _n ) generated by the key generation device (1s). The communication unit of the encryption device (2s) receives the data from the key generation device (1s) and stores it in the external storage device (27). Also in the second embodiment, it is assumed that plaintext M is encoded by the counting encoding method to generate a bit string m having a bit length n and a Hamming weight k.

[Decryption device]
(Realization of information processing through cooperation between hardware configuration and hardware resources and software)
The hardware configuration / resource, functional configuration, and program of the decoding device (3s) according to the second embodiment are the same as those of the decoding device (3) of the first embodiment (see FIG. 7).

(Decryption process)
Next, with reference to FIG. 16 and FIG. 17, the flow of the decoding process in the decoding device (3s) will be described descriptively.
In the decryption process described below, the secret key K is not explicitly used, but this does not mean that the algebraic field K is unnecessary as the secret key. In general, the (algebraic) field K is defined by the irreducible polynomial F (x). The element of the (algebraic) field K is expressed as a polynomial of x. However, since the element of the (algebraic) field K cannot be expressed only by the polynomial of x, information on the (algebraic) field K is required. (In the PARI / GP, the element of the field K is expressed as a remainder obtained by dividing the polynomial of x by the irreducible polynomial F (x)). That is, the following decoding process is performed as an operation in the algebraic field K.

First, the control unit (340s) reads the secret key (K, ν, g, k, d, p ₁ , p ₂ ,..., P _n ) and the ciphertext c from the external storage device (37). Each is stored in a predetermined storage area of the RAM (35). The secret key is received from the key generation device (1s) by the communication unit of the decryption device (3s) and stored and stored in the external storage device (37). The ciphertext c is received from the encryption device (2) and stored in the external storage device (37) by the communication unit of the decryption device (3). Note that the drive may be read from a recording medium storing these data, and can be changed as appropriate. Hereinafter, when the description “reads XX from RAM” is used, it means “read XX from a predetermined storage area in which XX is stored in the RAM”.

[Step S32s]
Next, the exponent calculation unit (341s) reads the ciphertext c and the secret keys k and d from the RAM (35), performs an operation of r = c−kd, calculates the exponent r, and calculates the calculated exponent r. The data is stored in a predetermined storage area of the RAM (35).
The method of calculating the herein index r corresponds to the step S17s of the key generation process in the key generation device (1s), a knapsack _b i a _{(1 ≦ i ≦ n) b} i = a i + d becomes operational In this case, the index r is calculated by calculating r = c−kd. For example, knapsack b _i (1 ≦ i ≦ n) is converted to b _i = a _i + d mod _{ｊ j = 1} ^s ( When N (τ _j ) −1) is calculated and calculated, an index r is calculated by performing an operation of r = c−kd mod _{ｊ j = 1} ^s (N (τ _j ) −1). You have to be careful.

[Step S33s]
Next, the power residue calculation unit (342s) reads the exponent r, the secret keys ν and g from the RAM (35), performs the operation u = g ^r mod v, and calculates the power residue calculation result u. The calculated power residue calculation result u is stored in a predetermined storage area of the RAM (35).

[Step S34s]
Next, the code string reproduction unit (343s) reads the power residue calculation result u and the secret keys p ₁ , p ₂ ,..., _Pn from the RAM (35), and each i (1 ≦ i ≦ n). Is divided by the secret key p _i , and when the power residue operation result u is divisible by the secret key p _i , m _i = 1, and the power residue operation result u is the secret key p _i. If it is not divisible by m _i = 0, a code string (bit string) m = (m ₁ , m ₂ ,..., M _n ) is obtained. The code string reproducing unit (343s) stores the obtained code string (bit string) m = (m ₁ , m ₂ ,..., M _n ) in a predetermined storage area of the RAM (35).

A supplementary description will be given of the processing in steps S32 to S34.
Corresponding to the case where the knapsack b _i (1 ≦ i ≦ n) is calculated by calculating b _i = a _i + d in step S17s of the key generation process, the operation r = c−kd is performed in step S32s. If the index r is calculated by performing the calculation, the calculation r = c−kd means the following calculation. That is, r = Σ _{i = 1} ⁿ m _i b _i −kd = Σ _{i = 1} ⁿ m _i (a _i + d) −kd = Σ _{i = 1} ⁿ m _i a _i + d × Σ _{i = 1} ^{n n} m _i − kd = Σ _{i = 1} ⁿ m _i a _i + kd−kd = Σ _{i = 1} ⁿ m _i a _i (∵Σ _{i = 1} ⁿ m _i = k).
Therefore, the power-residue operation is as follows: u = g ^r mod N = g ^ Σ _{i = 1} ⁿ _mi a _i mod v = g ^ (m ₁ a ₁ ) × g ^ (m ₂ a ₂ ) ×. g ^ (m _n a _n ) mod ν. Here, it should be noted that any _two elements of equation (10) and the secret key set {p ₁ , p ₂ ,..., P _n } are relatively prime. _The case of being divisible by _i is that the power-residue result u has g ^ a _i as a prime factor, and m _i (1 ≦ i ≦ n) ∈ {0, 1}. Note that there are m _i = 1. On the other hand, the case where the power residue calculation result u is not divisible by the secret key p _i is that the power residue calculation result u does not have g ^ a _i as a prime factor, and _mi ( Note that 1 ≦ i ≦ n) ε {0,1}, it turns out that m _i = 0.

[Step S35s]
Next, the decoding unit (344S) is, RAM (35) from the bit stream (bit _{string) m = (m 1, m} 2, ···, m n) reads, the encryption processing in the encryption device (2s) (Refer to Reference 2), plaintext M is restored and stored in a predetermined storage area of the RAM (35).

[Multiplicative knapsack cryptosystem and its processing]
In the multiplicative knapsack cryptosystem of the second embodiment, the physical entities constituting the system are: key generation device (1) → key generation device (1s), encryption device (2) → encryption device (2s), decryption The first embodiment except that the device (3) is changed to the decryption device (3s) (this corresponds to the system 1 and the same applies to the system 2). Since the system configuration is the same as that of the first embodiment and the processing in the system is the same as that of the first embodiment, the multiplication type knapsack cryptosystem in the first embodiment and the description of the processing are used, and the multiplication in the second embodiment is used. A description of the type knapsack cryptosystem and its processing is omitted (see FIGS. 10 to 13).

<Difference between the first embodiment and the second embodiment>
○ Easy implementation and calculation speed.
In the first embodiment, since the set related to each process is a rational integer ring, the existing computer is compared with the case of the second embodiment where the set related to each process is an integer ring of an algebraic field. It is relatively easy to function as a key generation device or the like, and arithmetic processing can be performed at a relatively high speed.
○ About safety.
For the first embodiment, when the private key is _{(N, k, g, d} , p 1, p 2, ···, p n), a public key _{b 1,} b 2, · · · , B _n can obtain the upper limit of the bit length of N and d. Here, the total number of secret keys estimated from the bit lengths of N and d is finite. Therefore, “theoretically” the secret key cannot be estimated (actually, the bit length of the composite number N is set so that it is difficult to estimate in real time).
In the case of the second embodiment, the secret key is (K, ν, g, d, p ₁ , p ₂ ,..., P _n ), but b ₁ , b ₂ ,. , B _n can obtain the norm of the ideal ν and the upper limit of the bit length of d. However, algebraic K may be configured in an infinite (even fixed the order _f), b _1, b 2 are merely _integer, ..., to obtain information algebraic K from b _n is Can not. This is the same even when the algebraic field K is not included in the secret key. If the algebraic field K is unknown, it is extremely difficult to determine the ideal ν or p ₁ , p ₂ ,..., _Pn , and the secret key (K, ν, g, d, p ₁ , p ₂ ,. It is not an exaggeration to say that there is no possibility of guessing _pn ). Therefore, in the case of the second embodiment, the safety is higher than that of the first embodiment.

<About the above devices in general>
Each of the above devices according to the present invention is not limited to the above-described embodiment, and can be appropriately changed without departing from the spirit of the present invention. In addition, the processing described in each of the above devices may be executed not only in time series according to the order of description but also in parallel or individually as required by the processing capability of the device that executes the processing. .

  Further, when the processing functions in the above devices are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, the processing functions in the above-described devices are realized on the computer.

  In addition, each of the above devices may be configured independently as a different computer, for example, in one computer, a program in which processing contents of functions that the key generation device should have and a decryption device should exist. By having a program in which the processing content of the function is described, the computer can be made to function in a complex manner so that one computer functions as both a key generation device and a decryption device.

  The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory. Specifically, for example, as a magnetic recording device, a hard disk device, a flexible disk, a magnetic tape or the like, and as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only). Memory), CD-R (Recordable) / RW (ReWritable), etc., magneto-optical recording medium, MO (Magneto-Optical disc), etc., semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. Can be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage device. When executing the process, the computer reads the program stored in its own recording medium and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from the portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, each of the above devices is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  Since the present invention is a public key cryptosystem that is practical in the current computer environment but difficult to decipher even if the quantum computer is realized, it is considered that it will continue to be the center of the social infrastructure even after the realization of the quantum computer (quantum communication). It can be used as a public key encryption in a communication network such as the Internet (classical compared to the road).

The block diagram which illustrated the hardware constitutions of the key generation apparatus (1). The functional block diagram which shows the processing function of the key (public key, secret key) generation in a key generation apparatus (1). The key generation processing flow in the key generation device (1). The block diagram which illustrated the hardware constitutions of the encryption apparatus (2). The functional block diagram which shows the processing function of the ciphertext production | generation in an encryption apparatus (2). The processing flow of ciphertext generation in an encryption apparatus (2). The block diagram which illustrated the hardware constitutions of the decoding apparatus (3). The functional block diagram which shows the processing function of the plaintext decoding in a decoding apparatus (3). Processing flow of plaintext decryption in the decryption device (3). The figure which illustrates the system configuration | structure of a multiplicative knapsack encryption system (1000). The processing flow of the multiplicative knapsack encryption method in a multiplicative knapsack encryption system (1000). The figure which illustrates the system configuration | structure of a multiplicative knapsack encryption system (1001). The processing flow of the multiplicative knapsack encryption method in a multiplicative knapsack encryption system (1001). The functional block diagram which shows the processing function of the key (public key, secret key) generation in a key generation apparatus (1s). The key generation processing flow in the key generation device (1s). The functional block diagram which shows the processing function of the plaintext decoding in a decoding apparatus (3s). Processing flow of plaintext decryption in the decryption device (3s).

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Key generation apparatus 1s Key generation apparatus 2 Encryption apparatus 3 Decryption apparatus 3 'Key generation and decryption apparatus 3s Decryption apparatus 4 Public key registration server apparatus 5 Network 140 Control part 140s Control part 141 Composite number calculation part 142 Generation | occurrence | production Element calculation unit 142s Generation source calculation unit 143 Secret key set calculation unit 143s Secret key set calculation unit 144 Knapsack generation factor calculation unit 144s Knapsack generation factor calculation unit 145 Random number generation unit 145s Random number generation unit 146 Knapsack generation unit 146s Knapsack generation unit 241 Code Transform unit 242 Encryption unit 341 Exponent calculation unit 341s Exponent calculation unit 342 Power residue remainder operation unit 342s Power residue remainder operation unit 343 Code reproduction unit 343s Code reproduction unit 344 Decoding unit 344s Decoding unit 1000 Multiplicative knapsack cryptosystem 1001 Multiplication method Type knapsack cryptosystem System

Claims (13)

storage means for storing s prime numbers 冪 q _j [1 ≦ j ≦ s], positive rational integers n and k;
a composite number calculating means for calculating a composite number N by calculating a product of s prime numbers 冪 q _j [1 ≦ j ≦ s];
Generator calculating means for calculating a rational integer g that is a generator of each irreducible residue class group (Z / q _j Z) ^× [1 ≦ j ≦ s];
Any two integers that are relatively prime p _i [1 ≦ i ≦ n; where each rational integer p _i is relatively prime with the composite number N. A secret key set calculating means for calculating
And Knapsack generation factor calculation means for calculating a rational integer _{a i} satisfying ^{g ai ≡p} _i (mod N) for each i [1 ≦ i ≦ n],
Random number generating means for generating a random number d and outputting it,
Knapsack generating means for generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n],
The public key is at least a positive rational integer k, a rational integer b _i [1 ≦ i ≦ n],
A secret key is a composite number N, a positive rational integer k, a rational integer g, a random number d, and a rational integer p _i [1 ≦ i ≦ n]. Storage means for storing a public key (at least a positive rational integer k, a rational integer b _i [1 ≦ i ≦ n]) and plaintext M generated by the key generation device according to claim 1;
Convert plaintext into code sequence (code conversion) by converting the code sequence into plaintext (inverse code conversion) can a code conversion scheme, the length of the plaintext M n, weight k code sequence m = {m _i } [1 ≦ i ≦ n; where Σ _{i = 1} ⁿ m _i = k. Code conversion means for converting to
Encrypting apparatus comprising the encryption means for generating a code string _{m i} and the ciphertext from the public key ^{_{b i c = Σ i = 1}} n m i b i. Storage means for storing a secret key (combined number N, rational integer g, random number d, rational integer p _i [1 ≦ i ≦ n]) and ciphertext c generated by the key generation device according to claim 1;
Exponent calculation means for calculating an exponent r by subtracting the product of the secret key k and the secret key d from the ciphertext c;
A power residue calculating means for calculating a power residue operation result u obtained by calculating u≡g ^r (mod N) from the index r, the secret key g, and N;
The power-residue calculation result u is divided by each secret key p _i [1 ≦ i ≦ n] to give different code values w _i when divided and not divided, and a code string w = {w _i } Code reproducing means for calculating [1 ≦ i ≦ n];
3. A decoding apparatus comprising: a decoding means for converting the code string w into plain text by the code conversion method used in the code conversion means in the encryption apparatus according to claim 2 and outputting the plain text. . A key generation device, an encryption device, and a decryption device are connected so as to be able to transmit data, respectively.
The key generator is
storage means for storing s prime numbers 冪 q _j [1 ≦ j ≦ s], positive rational integers n and k;
a composite number calculating means for calculating a composite number N by calculating a product of s prime numbers 冪 q _j [1 ≦ j ≦ s];
Generator calculating means for calculating a rational integer g that is a generator of each irreducible residue class group (Z / q _j Z) ^× [1 ≦ j ≦ s];
Any two integers that are relatively prime p _i [1 ≦ i ≦ n; where each rational integer p _i is relatively prime with the composite number N. A secret key set calculating means for calculating
And Knapsack generation factor calculation means for calculating a rational integer _{a i} satisfying ^{g ai ≡p} _i (mod N) for each i [1 ≦ i ≦ n],
Random number generating means for generating a random number d and outputting it,
Knapsack generating means for generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n];
The public key is at least a positive rational integer k, a rational integer b _i [1 ≦ i ≦ n], the secret key is a composite number N, a positive rational integer k, a rational integer g, a random number d, a rational integer p _i [1 ≦ i ≦ n],
An encryption device transmitting means capable of transmitting the public key to the encryption device;
A pair decryption device transmitting means capable of transmitting a secret key to the decryption device,
The encryption device
A key generation device receiving means capable of receiving a public key from the key generation device;
Storage means for storing the public key (at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n]) and plaintext M received by the pair-key generating device receiving means of the encryption device;
Convert plaintext into code sequence (code conversion) by converting the code sequence into plaintext (inverse code conversion) can a code conversion scheme, the length of the plaintext M n, weight k code sequence m = {m _i } [1 ≦ i ≦ n; where Σ _{i = 1} ⁿ m _i = k. Code conversion means for converting to
Encryption means for generating ciphertext c = Σ _{i = 1} ⁿ m _i b _i from code string _mi and public key b _i ;
A pair decryption device transmitting means capable of transmitting the ciphertext c to the decryption device;
The decryption device
A key generation device receiving means capable of receiving a secret key from the key generation device;
An encryption device receiving means capable of receiving the ciphertext c from the encryption device;
Secret key (combined number N, rational integer g, random number d, rational integer p _i [1 ≦ i ≦ n]) received by the pair key generation device reception unit of the decryption device and the pair encryption device reception unit of the decryption device Storage means for storing the ciphertext c received by
Exponent calculation means for calculating an exponent r by subtracting the product of the secret key k and the secret key d from the ciphertext c;
A power residue calculating means for calculating a power residue operation result u obtained by calculating u≡g ^r (mod N) from the index r, the secret key g, and N;
The power-residue calculation result u is divided by each secret key p _i [1 ≦ i ≦ n] to give different code values w _i when divided and not divided, and a code string w = {w _i } Code reproducing means for calculating [1 ≦ i ≦ n];
A multiplicative knapsack encryption system comprising: a decoding means for converting a code string w into plain text by the code conversion method used in the code conversion means in the encryption apparatus and outputting the plain text. A key generation device, an encryption device, and a decryption device are connected so as to be able to transmit data, respectively.
The storage means of the key generation device stores s prime numbers 冪 q _j [1 ≦ j ≦ s], positive rational integers n and k,
The plaintext M is stored in the storage means of the encryption device,
A composite number calculating step in which a composite number calculating means of the key generation device calculates a composite number N by calculating a product of s prime numbers 合成 q _j [1 ≦ j ≦ s];
A generation source calculation step in which a generation source calculation unit of the key generation device calculates a rational integer g that is a generation source of each irreducible residue class group (Z / q _j Z) ^× [1 ≦ j ≦ s];
The secret key set calculation means of the key generation device is a rational integer p _i [1 ≦ i ≦ n; any two are relatively prime; where each rational integer p _i is relatively prime with the composite number N. A secret key set calculating step for calculating
Knapsack generation factor calculation means of the key generation device, a knapsack generation factor calculation step of calculating a rational integer _{a i} satisfying ^{g ai ≡p} _i (mod N) for each i [1 ≦ i ≦ n],
A random number generating means of the key generation device generates a random number d and outputs the random number d;
A knapsack generating step of generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n];
The public key is at least a positive rational integer k, a rational integer b _i [1 ≦ i ≦ n], the secret key is a composite number N, a positive rational integer k, a rational integer g, a random number d, a rational integer p _i [1 ≦ i ≦ n],
The encryption device transmission means of the key generation device is capable of transmitting the public key to the encryption device.
A pair decryption device transmitting means of the key generation device, wherein the pair decryption device transmission step is capable of transmitting the secret key to the decryption device;
A key generation device reception step in which the key generation device reception means of the encryption device receives a public key from the key generation device; and
The code conversion means of the encryption device converts the plaintext into a code string (code conversion) and converts the code string into a plaintext (reverse code conversion), and the plaintext M has a length n and a weight. Code sequence m of k = {m _i } [1 ≦ i ≦ n; where Σ _{i = 1} ⁿ m _i = k. A code conversion step for converting to
An encryption means for generating an encrypted text c = Σ _{i = 1} ⁿ m _i b _i from a code string m _i and a public key b _i ;
A pair decryption device transmission unit in which the pair decryption device transmission means of the encryption device transmits the ciphertext c to the decryption device;
A key generation device receiving means for receiving a secret key from the key generation device by the key generation device reception means of the decryption device; and
A receiving device for encrypting device of the decrypting device receives the ciphertext c from the encrypting device;
An exponent calculation step in which the exponent calculation means of the decryption device subtracts the product of the secret key k and the secret key d from the ciphertext c to calculate the exponent r;
A power-residue calculating step in which a power-residue calculating unit of the decryption device calculates a power-residue calculating result u obtained by calculating u≡g ^r (mod N) from the exponent r, the secret key g, and N;
The code reproduction means of the decryption device divides the power residue calculation result u by each secret key p _i [1 ≦ i ≦ n], and gives different code values w _i depending on whether the result is divisible or not divisible. A code reproduction step of calculating a code string w = {w _i } [1 ≦ i ≦ n];
The multiplicative knapsack cryptography characterized in that the decoding means of the decoding apparatus has a decoding step of converting the code string w into plain text by the code conversion method used in the code conversion step and outputting the plain text Decryption method. Storage means for storing positive rational integers n and k;
Base setting means for setting an ideal ν of an integer ring Z _K of at least an algebraic field K;
Each irreducible residue class group (Z _K / τ _j ) ^× [1 ≦ j ≦ s; τ _j is a disjoint prime ideal for any two norms constituting the ideal ν. A generating element calculation means for calculating the integer g of the ring of integers Z _K as a generator of]
An integer p _i [1 ≦ i ≦ n] of the integer ring Z _K in which any two norms are relatively prime, where the norm of each rational integer p _i is relatively prime with the norm of the ideal ν. A secret key set calculating means for calculating
And Knapsack generation factor calculation means for calculating a rational integer _{a i} satisfying ^{g ai ≡p} _i (mod ^ν) for each i [1 ≦ i ≦ n],
Random number generating means for generating a random number d and outputting it,
Knapsack generating means for generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n],
The public key is at least a positive rational integer k, a rational integer b _i [1 ≦ i ≦ n],
The private key is least ideal [nu, positive rational integer k, an integer g integer ring Z _K, the random number d, the key generation device, characterized in that an integer p _i [1 ≦ i ≦ n] integer ring Z _K. Storage means for storing a public key (at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n]) and plaintext M generated by the key generation device according to claim 6;
Convert plaintext into code sequence (code conversion) by converting the code sequence into plaintext (inverse code conversion) can a code conversion scheme, the length of the plaintext M n, weight k code sequence m = {m _i } [1 ≦ i ≦ n; where Σ _{i = 1} ⁿ m _i = k. Code conversion means for converting to
Encrypting apparatus comprising the encryption means for generating a code string _{m i} and the ciphertext from the public key ^{_{b i c = Σ i = 1}} n m i b i. A secret key (at least an ideal ν, a positive rational integer k, an integer g of an integer ring Z _K , a random number d, an integer p _i of an integer ring Z _K [1 ≦ i ≦ n]) and the ciphertext c,
Exponent calculation means for calculating an exponent r by subtracting the product of the secret key k and the secret key d from the ciphertext c;
A power residue calculating means for calculating a power residue operation result u obtained by calculating u≡g ^r (mod v) from the index r, the secret key g, and ν;
The power-residue calculation result u is divided by each secret key p _i [1 ≦ i ≦ n] to give different code values w _i when divided and not divided, and a code string w = {w _i } Code reproducing means for calculating [1 ≦ i ≦ n];
8. A decoding apparatus comprising: a decoding means for converting the code string w into plain text and outputting the plain text by the code conversion method used in the code conversion means in the encryption apparatus according to claim 7. . A key generation device, an encryption device, and a decryption device are connected so as to be able to transmit data, respectively.
The key generator is
Storage means for storing positive rational integers n and k;
Base setting means for setting an ideal ν of an integer ring Z _K of at least an algebraic field K;
Each irreducible residue class group (Z _K / τ _j ) ^× [1 ≦ j ≦ s; τ _j is a disjoint prime ideal for any two norms constituting the ideal ν. A generating element calculation means for calculating the integer g of the ring of integers Z _K as a generator of]
Integer p _i of integer ring Z _K in which any two norms are relatively prime [1 ≦ i ≦ n; provided that the norm of each integer p _i is relatively prime with the norm of ideal ν. A secret key set calculating means for calculating
And Knapsack generation factor calculation means for calculating a rational integer _{a i} satisfying ^{g ai ≡p} _i (mod ^ν) for each i [1 ≦ i ≦ n],
Random number generating means for generating a random number d and outputting it,
Knapsack generating means for generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n];
Public key is at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n], secret key is at least ideal ν, positive rational integer k, integer g of integer ring Z _K , random number d, integer ring Z _K As an integer p _i [1 ≦ i ≦ n],
An encryption device transmitting means capable of transmitting the public key to the encryption device;
A pair decryption device transmitting means capable of transmitting a secret key to the decryption device,
The encryption device
A key generation device receiving means capable of receiving a public key from the key generation device;
Storage means for storing the public key (at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n]) and plaintext M received by the pair-key generating device receiving means of the encryption device;
Convert plaintext into code sequence (code conversion) by converting the code sequence into plaintext (inverse code conversion) can a code conversion scheme, the length of the plaintext M n, weight k code sequence m = {m _i } [1 ≦ i ≦ n; where Σ _{i = 1} ⁿ m _i = k. Code conversion means for converting to
Encryption means for generating ciphertext c = Σ _{i = 1} ⁿ m _i b _i from code string _mi and public key b _i ;
A pair decryption device transmitting means capable of transmitting the ciphertext c to the decryption device;
The decryption device
A key generation device receiving means capable of receiving a secret key from the key generation device;
An encryption device receiving means capable of receiving the ciphertext c from the encryption device;
The secret key (at least ideal ν, positive rational integer k, integer g of integer ring Z _K , random number d, integer p _i of integer ring Z _K [1 ≦ i ≦) received by the pair key generation device receiving means of the decryption device n]) and storage means for storing the ciphertext c received by the encryption apparatus reception means of the decryption apparatus;
Exponent calculation means for calculating an exponent r by subtracting the product of the secret key k and the secret key d from the ciphertext c;
A power residue calculating means for calculating a power residue operation result u obtained by calculating u≡g ^r (mod v) from the index r, the secret key g, and ν;
The power-residue calculation result u is divided by each secret key p _i [1 ≦ i ≦ n] to give different code values w _i when divided and not divided, and a code string w = {w _i } Code reproducing means for calculating [1 ≦ i ≦ n];
A multiplicative knapsack encryption system comprising: a decoding means for converting a code string w into plain text by the code conversion method used in the code conversion means in the encryption apparatus and outputting the plain text. A key generation device, an encryption device, and a decryption device are connected so as to be able to transmit data, respectively.
The storage means of the key generation device stores positive rational integers n and k,
The plaintext M is stored in the storage means of the encryption device,
A basis setting step in which the basis setting means of the key generation device sets at least the ideal ν of the integer ring Z _K of the algebraic field K;
The generation source calculation means of the key generation apparatus has each irreducible residue class group (Z _K / τ _j ) ^× [1 ≦ j ≦ s; τ _j is a prime ideal in which any two norms constituting the ideal ν are different. A generating element calculation step of calculating the integer g of the ring of integers Z _K as a generator of]
Private key set calculating unit of the key generation device, the integer p _i [1 ≦ i ≦ n any two norms is also relatively prime integers ring Z _K; however, the norm of each integer p _i is the norm of an ideal ν mutually It is prime. A secret key set calculating step for calculating
Knapsack generation factor calculation means of the key generation device, a knapsack generation factor calculation step of calculating a rational integer a _i satisfying g ^ai ≡p i _(mod ν) for each i [1 ≦ i ≦ n],
A random number generating means of the key generation device generates a random number d and outputs the random number d;
A knapsack generating step of generating a rational integer b _i [1 ≦ i ≦ n] by adding a random number d to each rational integer a _i [1 ≦ i ≦ n];
Public key is at least positive rational integer k, rational integer b _i [1 ≦ i ≦ n], secret key is at least ideal ν, positive rational integer k, integer g of integer ring Z _K , random number d, integer ring Z _K As an integer p _i [1 ≦ i ≦ n],
The encryption device transmission means of the key generation device is capable of transmitting the public key to the encryption device.
A pair decryption device transmitting means of the key generation device, wherein the pair decryption device transmission step is capable of transmitting the secret key to the decryption device;
A key generation device reception step in which the key generation device reception means of the encryption device receives a public key from the key generation device; and
The code conversion means of the encryption device converts the plaintext into a code string (code conversion) and converts the code string into a plaintext (reverse code conversion), and the plaintext M has a length n and a weight. Code sequence m of k = {m _i } [1 ≦ i ≦ n; where Σ _{i = 1} ⁿ m _i = k. A code conversion step for converting to
An encryption means for generating an encrypted text c = Σ _{i = 1} ⁿ m _i b _i from a code string m _i and a public key b _i ;
A pair decryption device transmission unit in which the pair decryption device transmission means of the encryption device transmits the ciphertext c to the decryption device;
A key generation device receiving means for receiving a secret key from the key generation device by the key generation device reception means of the decryption device; and
A receiving device for encrypting device of the decrypting device receives the ciphertext c from the encrypting device;
An exponent calculation step in which the exponent calculation means of the decryption device subtracts the product of the secret key k and the secret key d from the ciphertext c to calculate the exponent r;
A power-residue calculating step in which a power-residue calculating unit of the decryption apparatus calculates a power-residue calculating result u obtained by calculating u≡g ^r (mod ν) from the exponent r, the secret key g, and ν;
The code reproduction means of the decryption device divides the power residue calculation result u by each secret key p _i [1 ≦ i ≦ n], and gives different code values w _i depending on whether the result is divisible or not divisible. A code reproduction step of calculating a code string w = {w _i } [1 ≦ i ≦ n];
The multiplicative knapsack cryptography characterized in that the decoding means of the decoding apparatus has a decoding step of converting the code string w into plain text by the code conversion method used in the code conversion step and outputting the plain text Decryption method.       A key generation program for causing a computer to function as the key generation device according to claim 1.       An encryption program for causing a computer to function as the encryption device according to claim 2.       A decoding program for causing a computer to function as the decoding apparatus according to claim 3 or 8.

Images