JP2011128281A - Cipher system by public key encryption method using a plurality of knapsacks, key generating device, encrypting device, decrypting device, data exchange method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a knapsack encryption method achieving high security and high processing speed. <P>SOLUTION: A cipher system includes a key generating device, an encrypting device, and a decrypting device. The key generating device includes: a secret key generating means generating a plurality of secret key sequences which do not show a superincreasing property individually under the condition that the secret key sequences satisfy the superincreasing property when the elements of each sequence are combined as variables by a nonlinear function; and a public key generating means which further determines a modulus and a plurality of multipliers coprime to the modulus as a secret key, performs modular transformation of the elements of each of the plurality of secret key sequences, and generates a plurality of public key sequences. The encrypting device includes an encrypting means which obtains the inner product of each of the plurality of public key sequences and a plaintext to calculate a plurality of knapsacks, and calculates the plurality of calculated knapsacks in accordance with the non-linear function to generate a ciphertext. A decrypting device includes a decrypting means which performs inverse modular transformation of the received ciphertext by using the multiplicative inverse element of the multiplier by the modulus and the modulus, and decrypts the ciphertext uniquely into a plaintext by using a plurality of secret key sequences. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a public key cryptosystem based on the knapsack problem as a basis for security, and more specifically, a key generation device that performs key generation by a knapsack cryptosystem that realizes high security and high processing speed, and The present invention relates to an encryption system including an encryption device that performs encryption processing and a decryption device that performs decryption processing of ciphertext, the key generation device, the encryption device, the decryption device, a data exchange method, and a program.

  Along with the recent development of information communication technology and network broadbandization, encryption technology based on cryptography has become an increasingly important technology for ensuring the confidentiality and integrity of data transmitted over the network. Yes.

  Such an encryption method based on the cryptographic theory is based on mathematical problems such as a prime factorization problem, a discrete logarithm problem, a lattice problem, and a knapsack problem. The knapsack problem is one of the NP complete problems, and the knapsack cryptosystem is an application of this general knapsack problem to a cryptology by introducing a trapdoor such as a superincrement. The knapsack cryptosystem that introduces this super-increasing property can decrypt plaintext from ciphertext uniquely, but makes decryption easy. For this reason, many knapsack cryptosystems proposed so far, such as the Markle-Hellman knapsack cryptography (Non-Patent Document 1) and the Chor-Rivest knapsack cryptography, use attacks (non-patented) using the LLL algorithm (lattice base reduction algorithm). It is vulnerable to attacks by cryptanalysis methods such as Document 2) and the Shamir attack method (Non-Patent Document 3), and has not been put into practical use due to safety problems.

R. C. Merkle and M. E. Hellman, “Hiding Information and Signatures in Trapdoor Knapsacks”, IEEE Trans. Inf. Theory, IT-24 (5), 525-530, September, 1978. J. C. Lagarias and A. M. Odlyzko, “Solving Low-density Subset Sum Problem,” J. Assoc. Comp. Math., Vol.32, no.1, pp.229-246, Preliminary version in Proc. 24th IEEE, 1985. A. Shamir, “A Polynomial Time Algorithm for Breaking The Basic Merkle-Hellman Cryptosystems”, IEEE Trans. Inform. Theory, vol. IT-30, no.5, 699-704, 1982.

  The attack using the LLL algorithm is a method in which an appropriate lattice is formed from a given public key and ciphertext, and a plain vector is obtained by obtaining a basis vector simplified by the LLL algorithm. It is said that it can be solved. The above-mentioned Shamir attack method uses the feature of the super-increase of the introduced secret key. In order to realize an encryption method having high security, it is necessary to provide resistance to the conventional attack methods as described above.

  The present invention has been made in view of the above-mentioned conventional problems, and the present invention has resistance to attacks using a typical LLL algorithm as a decoding method and attacks by the Shamir attack method, and performs high-speed processing. A key generation device that performs key generation, an encryption device that performs encryption processing, and a decryption device that performs ciphertext decryption processing, using a novel knapsack encryption method based on the knapsack problem that can be performed And a key generation device, the encryption device, the decryption device, a data exchange method, and a program.

  The present invention has been made in view of the above prior art. In the present invention, the knapsack problem is based on security, and a key generation device, an encryption device, and a decryption device based on a public key cryptosystem using a plurality of knapsacks are provided. And a cryptographic system, a data exchange method, and a program including the same.

  The key generation apparatus according to the present invention first generates a plurality of secret key number sequences under the condition that when each element of the plurality of secret key number sequences is combined with a nonlinear function as a variable, the superincrement is satisfied. This generated secret key number sequence does not show super-increase individually. The key generation device further determines an appropriate method and a plurality of multipliers that are relatively prime to this method as a secret key, modularly converts each element of the plurality of secret key number sequences, and generates a plurality of public key number sequences. Generate.

  The encryption apparatus according to the present invention calculates an inner product of each of a plurality of public key sequences and plaintext to calculate a plurality of knapsacks, and calculates the calculated knapsacks corresponding to the nonlinear function to generate a ciphertext. . On the other hand, the decryption device of the present invention obtains the multiplication inverse element of the multiplier by the modulus from the modulus and multiplier of the secret key, and using this method and the multiplication inverse element, the received ciphertext is inversely modularly transformed, The plaintext is uniquely decrypted from the ciphertext using a plurality of secret key sequences.

Further, in the present invention, as a condition for satisfying the super-increase when combined by the above nonlinear function, a plurality of secret key sequence is Q ^j (j = 1,..., N), and each of the secret key sequence Q ^j is n. The i-th element among them is q _i ^j , the sum from element q ₁ ^j to element q _i−1 ^j is S _i ^j (j = 1,..., N), and element q _i ^j or the sum _S ^{i j} as f a non-linear function whose variable, each said secret key sequence ^{Q j} i = 2 ,. . . , N, a condition that each element q _i ^j (j = 1,..., N) satisfies a nonlinear inequality (1) described later can be employed.

Furthermore, in the present invention, the key generation device selects the above-mentioned modulus p that satisfies the expression (2) described later, sets a plurality of public key number sequences to O ^j (j = 1,..., N), and sets the public key number sequence O. The i-th element of n each of ^{j is} set to o _i ^j , and a plurality of multipliers are set to r _j (j = 1,..., N). Multiple public key sequences can be generated.

Furthermore, in the present invention, the encryption apparatus sets the i-th element of n plaintexts M to m _i (ε {0,1}), knapsack to C _j , and ciphertext C to formula (4) to be described later. ). In the present invention, furthermore, the decoding apparatus includes a multiplicative inverse r _j ^-1 multiplier r _j by law p, by using the modulo p, inversely modular converting the ciphertext C received, will be described later (5 ) was calculated remainder D (C) represented by, it is possible to determine the respective elements m _i of the plain text M according to later-described determination formula (6).

  According to the above configuration, by determining an appropriate plaintext size, the lattice dimension in the LLL algorithm is increased to a dimension that cannot be decrypted, and resistance to attacks by the LLL algorithm is provided, and the number of individual secret keys is extremely increased. Therefore, it can be resistant to attacks by the Shamir algorithm, which is regarded as a linear programming method that handles linear inequalities. In addition, the key size is larger than that of the conventional knapsack cryptosystem, but the amount of calculation is increased to the extent that operations (for example, multiplication) between knapsacks are added, and high-speed encryption processing and decryption processing are realized. The

The hardware block diagram of the computer apparatus in the secure communication system of embodiment of this invention. The functional block diagram implement | achieved on each computer apparatus in the secure communication system by embodiment of this invention. The flowchart which shows the process of the secret communication using three knapsacks performed in the secure communication system of this embodiment. The conceptual diagram which shows the encryption process by the public key cryptosystem using three knapsack by embodiment of this invention.

  The present invention will be described below with reference to specific embodiments shown in the drawings, but the present invention is not limited to the embodiments shown in the drawings. In the embodiment described below, a secure communication system including a plurality of computer devices that execute secret communication via a network will be described as an example of the encryption system of the present invention.

1. Hardware Configuration The secure communication system according to the present embodiment includes a plurality of computer apparatuses 10 and 50 that establish secret communication using a public key cryptosystem based on the knapsack problem as the basis of security. Hereinafter, the hardware configuration of the computer devices 10 and 50 will be described with reference to FIG.

  FIG. 1 shows a hardware configuration of computer apparatuses 10 and 50 in a secure communication system according to an embodiment of the present invention. The computer apparatuses 10 and 50 shown in FIG. 1 are generally configured as a personal computer or a workstation. 1 are a central processing unit (CPU) 12, a cache memory 14 having levels such as L1 and L2 that enable high-speed access of data used by the CPU 12, and processing of the CPU 12. And a system memory 16 formed from a solid-state memory device such as a RAM or a DRAM. The system memory 16 provides a work space for executing a key generation process, an encryption process, or a decryption process in the embodiment of the present invention.

  The CPU 12, cache memory 14, and system memory 16 are connected via a system bus 18 to other devices or drivers, such as a graphics driver 20 and a network interface card (NIC) 22. Yes. The graphics driver 20 is connected to the display 24 via the bus, and displays the processing result by the CPU 12 on the display screen. The NIC 22 also connects the computer devices 10 and 50 to a network using an appropriate communication protocol such as TCP / IP at the physical layer level and the link layer level, and provides an interface for communication between the computer devices 10 and 50. is doing.

  An I / O bus bridge 26 is further connected to the system bus 18. A storage device 30 such as a hard disk is connected to the downstream side of the I / O bus bridge 26 via IDE, ATA, ATAPI, serial ATA, SCSI, USB, etc. via an I / O bus 28 such as PCI. Yes. In the embodiment of the present invention, the recording device 30 can be used to store a secret key or a public key used for encryption processing. An input device 32 such as a keyboard and a pointing device such as a mouse is connected to the I / O bus 28 via a bus such as a USB. Yes.

  The computer devices 10 and 50 operate on an operating system such as Windows 7 (registered trademark), Windows (registered trademark) Vista, UNIX (registered trademark), LINUX (registered trademark), FORTRAN, COBOL, PL / I, Stores and executes application programs written in programming languages such as C, C ++, Visual C ++, Visual Basic, Java (registered trademark), Perl, Ruby, etc., and functions each functional unit described later on the computer 10 or 50 I am letting.

2. Secret communication by public key cryptosystem using a plurality of knapsacks Hereinafter, secret communication according to an embodiment of the present invention will be described with reference to FIGS. In the following, for convenience of explanation, focusing on one-way communication between two computer devices, the device on the transmission side of the message to be transmitted will be referred to as the computer device 50 on the transmission side for convenience, and the device on the message reception side will be referred to. Reference is made to the receiving computer device 10.

  FIG. 2 shows functional blocks implemented on each computer device in the secure communication system according to the embodiment of the present invention. The secure communication system shown in FIG. 2 includes a receiving-side computer device 10 and a transmitting-side computer device 50, and a secret between the computer devices 10 and 50 using a public key cryptosystem based on the knapsack problem. Communication is realized.

  In the present embodiment, the receiving-side computer device 10 functions as both a key generation device that generates a public key and a secret key used in secret communication, and a decryption device that decrypts ciphertext using the generated secret key. Have On the other hand, the transmitting computer device 50 has a function as an encryption device that encrypts plaintext of a message to be transmitted exclusively using a public key. In another embodiment, the receiving-side computer device 10 securely acquires and holds the generated private key and the computer device exclusively having the function as the key generation device, and encrypts it using the private key. It may be configured separately from a computer device exclusively having a function as a decryption device for decrypting a sentence.

  The receiving-side computer apparatus 10 according to the present embodiment includes a key generation processing unit 110 that executes secret key and public key generation processing, and a decryption processing unit that performs decryption processing on the ciphertext C from the transmission side using the secret key. 120 and a plaintext output unit 130 that outputs plaintext M obtained by decryption. On the other hand, the transmission-side computer device 50 according to the present embodiment includes a plaintext input unit 150 to which the plaintext M of a message to be transmitted securely is input, and encryption that performs encryption processing on the plaintext M using a public key that has been made public. And a processing unit 160.

More specifically, the key generation processing unit 110 of the receiving-side computer apparatus 10 includes a secret key generation unit 112 and a public key generation unit 114. The secret key generation unit 112 generates N number of secret key sequences Q ^j (j = 1,..., N) under a certain condition. The secret key number sequence Q ^j is a number sequence composed of n elements q _i ^j (i = 1,..., N). The secret key generation unit 112 first randomly selects the value of the _first element q ₁ ^j of each secret key number sequence Q ^j under the condition of q ₁ ^j > 0 or q ₁ ^j ≧ 0, and thereafter I = 2,. . . , N, the element q _i ^j is randomly selected so that each element q _i ^j satisfies the following nonlinear inequality (1).

In the above equation (1), the function f is a variable of N elements q _i ^j or a sum S _i ^j (j = 1,..., N) from element q ₁ ^j to element q _i−1 ^j. Represents a nonlinear function. This non-linear function is expressed by operations such as sum and product of a plurality of variables. The nonlinear function is not particularly limited as long as it has an order of 2 or more, but an arithmetic expression including a product of at least two variables can be preferably employed. More specifically, when N = 2, the nonlinear function f is a two-variable quadratic expression based on the product of the first variable and the second variable, and when N = 3, the product of the first variable and the second variable is , A three-variable quadratic expression based on the sum with the third variable, or a three-variable cubic expression based on a product of the three variables, and when N = 4, the product of the first variable and the second variable, and the third variable and the fourth variable A quadratic quadratic equation based on the sum of the product and the product is preferably employed. The secret key number sequence Q ^j generated in this way does not show super-increasing property individually, but when the elements q _i ^j of the secret key number sequence Q ^j are combined as a variable by a nonlinear function, it shows super-increasing property. .

On the other hand, the public key generation unit 114 generates a plurality of corresponding public key number sequences O ^j (j = 1,..., N) from the plurality of secret key number sequences Q ^j generated by the secret key generation unit 112. The public key number sequence O ^{j is} also a number sequence composed of n elements o _i ^j (i = 1,..., N). First, the public key generation unit 114 randomly selects a modulus p satisfying the following equation (2), and further performs a modular transformation to a plurality of multipliers r _j (j = 1,. ., N) are further selected.

Here, the modulus p and the multiplier r _j satisfy gcd (r _j , p) = 1. Subsequently, the public key generation unit 114 modularly transforms each element q _i ^j of the secret key number sequence Q ^j using the modulus p and the multiplier r _j according to the following equation (3), and each element o of the public key number sequence O ^j _i ^j is calculated.

The private key sequence Q ^j , modulus p and multiplier r _j each having n elements constitute a secret key in this public key cryptosystem, while the public key sequence O ^j is composed of a total of n × N elements. Configure the public key to be configured. The transmitting-side computer device 50 acquires the public key number sequence O ^j , performs encryption using the public key number sequence O ^j , and transmits a message to the receiving-side computer device 10. On the other hand, the secret key number sequence Q ^j , modulus p, and multiplier r _j are securely stored in the storage device 30 of the computer device 10 so that the decryption processing unit 120 can refer to the ciphertext using the public key. Is done.

The encryption processing unit 160 of the transmission-side computer device 50 receives the plaintext M of the message to be transmitted from the plaintext input unit 150, encrypts the plaintext M using the public key number sequence ^Oj, and C is transmitted to the receiving computer apparatus 10. The plaintext M of the message to be transmitted is an array composed of n elements m _i (ε {0, 1}). The encryption processing unit 160 calculates the knapsack C _j (j = 1,..., N) by calculating the inner product of each of the public key number sequences O ^j and the plaintext M according to the following equation (4), The knapsack C _j is calculated corresponding to the above-described nonlinear function f to generate the ciphertext C.

Here, the receiving-side computer apparatus 10 is referred to again. Decoding processing unit 120 of the receiving computer system 10, modulus p is the private key, the multiplier _r a _j and a secret key sequence ^{Q j} read from such memory device 30, first multiplicative inverse in modulo p of the multiplier _{r j r j} ^{- 1} is calculated. Subsequently, the decryption processing unit 120 performs inverse modular transformation on the product of the received ciphertext C and the multiplicative inverse element r _j ⁻¹ to calculate a remainder D (C) in the modulus p. Here, the multiplicative inverse r _j ⁻¹ satisfies r _j × r _j ⁻¹ ≡1 (mod p), and when gcd (r _j , p) = 1, the modulus p of r _j The inverse element r _j ⁻¹ always exists. This remainder D (C) is congruent to the result of calculating the knapsack, which is the inner product of each of the secret key number sequence Q ^j and the plaintext M, corresponding to the nonlinear function f as shown in the following equation (5).

Decoding processing unit 120 is further for each element m _i of the plaintext M, by going back to the first from the n-th, the calculated remainder D (C), and the elements of the encryption key sequence Q ^j, appropriate determination already according to the following determination expression using the element of the plaintext M (6), determines the value of the element m _i of the plaintext M, uniquely decode the plaintext M of the message.

3. Secret Communication by Public Key Cryptography Using Three Knapsacks Hereinafter, the case of N = 3 will be described more specifically with reference to FIG. 3 and FIG. For N = 3, the secret key sequence is Q ¹ = (q ₁ ¹ , q ₂ ¹ ,..., Q _n ¹ ), Q ² = (q ₁ ² , q ₂ ² ,..., Q _n ² ), Q ³ = (q ₁ ³ , q ₂ ³ ,..., Q _n ³ ), and the public key sequence is O ¹ = (o ₁ ¹ , o ₂ ¹ ,..., O _n ¹ ) _{^{, O 2 = (o 1 2}} , o 2 2, ..., o n 2), Q 3 = (o 1 3, o 2 3, ..., o n 3) it becomes. In this case, as the nonlinear function f, for example, a three-variable quadratic expression (X × Y + Z) based on the sum of the product of the first variable and the second variable and the third variable can be adopted. In such a case, the multipliers are r ₁ , r ₂ , r ₃ (= r ₁ × r ₂ ).

  FIG. 3 is a flowchart showing the secret communication process when N = 3, which is executed in the secure communication system of the present embodiment. Note that the process on the left side in FIG. 3 indicates a process executed by the reception-side computer apparatus 10, and the process on the right side indicates a process executed by the transmission-side computer apparatus 50. In the process shown in FIG. 3, the process of the transmitting computer apparatus 50 is started in step S200. The transmitting computer apparatus 50 receives the input of the plaintext M of the transmission message to be transmitted in step S201, and the transmission is performed in step S202. The receiving side computer apparatus 10 which is a message destination is requested to start secret communication. Note that this secret communication request may include, for example, negotiation of security parameters such as the number of bits n of plaintext M.

The processing of the receiving side computer device 10 is started in step S100, and in step S101, a request for starting secret communication from the transmitting side computer device 50 is received, and key generation processing is started. In step S102, the secret key generation unit 112 of the receiving-side computer apparatus 10 firstly sets each secret key number sequence Q ¹ , Q ² , Q under the conditions of q ₁ ¹ > 0, q ₁ ² > 0 and q ₁ ³ ≧ 0. ³ first elements q ₁ ¹ , q ₁ ² , q ₁ ³ are selected, and then i = 2,. . . , The elements _q ^{i j} of n, randomly selects the element _q ^{i j} to satisfy the following inequality (7).

In step S103, the public key generation unit 114 of the reception-side computer apparatus 10 first selects a modulus p that satisfies the following equation (8), and further selects a plurality of multipliers r ₁ and r ₂ that are relatively prime to the modulus p. Subsequently, each element of each secret key number sequence Q ¹ , Q ² , Q ³ is modularly transformed according to the following formula (3 ′) using the modulus p and the multipliers r ₁ and r ₂ , and the public key number sequence O ¹ , O ² and O ³ are calculated.

In step S104, the generated public key number sequences O ¹ , O ² , and O ³ are transmitted to the transmission side computer device 50 that is the request source of the secret communication, and in response to this, the transmission side computer device 50 in step S203. The public key number sequences O ¹ , O ² , and O ³ are received and stored in a memory or the like. In step S204, the encryption processing unit 160 of the transmission-side computer device 50 obtains the inner product of the public key number sequence O ¹ , O ² , O ³ and the plaintext M according to the following equation (9), and the knapsack C ₁ , C ₂ , C ₃ to generate a ciphertext C.

FIG. 4 is a diagram conceptually showing an encryption process by a public key cryptosystem using three knapsacks according to the embodiment of the present invention. Figure 4 As shown in, computation of the knapsack _{C 1,} C 2, _{C 3,} respectively knapsack _{C 1} element _q ^{i j} secret key number sequence values in the plaintext M corresponds to the element _{m i} is 1 , C ₂ , and C ₃ . The final ciphertext C is calculated as the sum of the weight product of the knapsacks C ₁ and C _{2 and} the weight of the knapsack C ₃ .

Referring to FIG. 3 again, in step S205, the transmission-side computer device 50 transmits the generated ciphertext C to the destination reception-side computer device 10 and ends the process. Correspondingly, the receiving side computer apparatus 10 receives the ciphertext C in step S105. In step S106, the decryption processing unit 120 of the receiving-side computer apparatus 10 reads the secret key modulus p, the multipliers r ₁ and r ₂ and the secret key number sequences Q ¹ , Q ² , and Q ^3. First, the multipliers r ₁ , r multiplicative inverse multiplier _r ¹ -1 in modulo _{two p,} calculates ^{r 2 -1,} according to the following formula (10), the ciphertext C and the multiplicative inverse _r ¹ _-1, the product of the ^{r 2 -1} inverse Modular transformation is performed to calculate the remainder D (C) in the modulus p.

In step S107~ step S109, for each element _{m i} of the plaintext M, by going back to the first from the n-th, to determine the value of the element _{m i} of the plaintext M, uniquely decode the plaintext M of the message. In step S108, the decoding processing unit 120, the i th element _{m i,} the a remainder D (C), an encryption key sequence ^{Q j} elements _{I i} calculated by the elements and elements of the appropriate decision already plaintext M of according to the following determination formula (11) using a preparative, it determines the value of the element m _i.

  More specifically, the determination formula (11) is as follows.

  Subsequently, in step S110, the plaintext output unit 130 outputs the plaintext M of the uniquely restored message to an output device such as the storage device 30 or the display 24, and the reception-side computer device 10 ends the processing.

4. Secret Communication by Public Key Cryptography Using Two Knapsacks So far, the embodiment in the case of N = 3 has been described. From the viewpoint of achieving both the key size of the public key and the high speed of calculation, a value of about N = 3 is suitable, but there is no particular limitation as long as N ≧ 2. In other embodiments, even if N = 2, it can be similarly applied to a public key cryptosystem using a plurality of knapsacks according to an embodiment of the present invention. When N = 2, the secret key sequence is Q ¹ = (q ₁ ¹ , q ₂ ¹ ,..., Q _n ¹ ), Q ² = (q ₁ ² , q ₂ ² ,..., Q _n ^2), and public key sequence _{^{is, O 1 = (o 1 1}} , o 2 1, ..., o n 1), O 2 = (o 1 2, o 2 2, ..., o n 2) It becomes. In this case, the nonlinear function f can employ, for example, a two-variable quadratic expression (X × Y) based on the product of the first variable and the second variable.

  In the public key cryptosystem using the two knapsacks, the nonlinear inequality (1), the equation (2), the equation (4), the equation (5), and the determination equation (6) have a more specific form. Are expressed by the following nonlinear inequalities (12), (13), (14), (15) and (16).

5). Calculation Example Hereinafter, description will be given with reference to a calculation example using a specific number sequence. The following calculation example illustrates the case of N = 3. First, the secret key generation unit 112 has a secret key number sequence Q ¹ = (1,2,3,6) and Q ² = (2,1,3,7) under the condition satisfying the expression (7). And Q ³ = (1, 2, 4, ³ ). These secret key sequences do not necessarily satisfy the super increase property by themselves. The public key generation unit 114 further defines a modulus p = 167 (> 12 × 13 + 10), a multiplier r ₁ = 90, and a multiplier r ₂ = 13 as secret keys, and according to the above equation (3 ′), the public key The sequence O ¹ = (90, 13, 103, 39), O ² = (33, 100, 133, 32), and O ³ = (149, 131, 95, 113) are calculated.

  Here, assuming that the plaintext is M = (0, 1, 0, 1), the cryptographic processing unit 160 converts the plaintext M to the ciphertext C = (13 + 39) × (100 + 32) + (131 + 113) according to the above equation (9). = 7108 is calculated.

The decoding processing unit 120 corresponds to the modulus p = 167, the multiplier r ₁ = 90, the multiplier r ₂ = 13, the multiplier inverse element r ₁ ⁻¹ = 13, and the multiplier inverse element r ₂ ⁻¹ = 162. And D (C) ≡13 × 162 × 7108 (mod 167) ≡69 is calculated according to the above equation (10). Furthermore, the decoding processing unit 120 performs size determination from the fourth element to the first element according to the determination formula (11). Through this size determination, m ₄ = 1 is determined from q ₄ ¹ × q ₄ ² + q ₄ ³ = 6 × 7 + 3 = 45 <D (C), and (q ₄ ¹ + q ₃ ¹ ) × (q ₄ ² + q ₃ ² ) + (q ₄ ³ + q ₃ ³ ) = (6 + 3) × (7 + 3) + (3 + 4) = 97> D (C), m ₃ = 0 is determined, and (q ₄ ¹ + q ₂ ¹ ) × From (q ₄ ² + q ₂ ² ) + (q ₄ ³ + q ₂ ³ ) = (6 + 2) × (7 + 1) + (3 + 2) = 69 = D (C), m ₂ = 1 is determined, and (q ₄ ¹ + Q ₂ ¹ + q ₁ ¹ ) × (q ₄ ² + q ₂ ² + q ₁ ² ) + (q ₄ ³ + q ₂ ³ + q ₁ ³ ) = (6 + 2 + 1) × (7 + 1 + 2) + (3 + 2 + 1) = 96> D (C) Therefore, m ₁ = 0 is determined. As a result, the plain text (0, 1, 0, 1) is restored.

6). Examination of safety and processing speed of public key cryptosystem using a plurality of knapsacks The security of the public key cryptosystem using a plurality of knapsacks as described above will be examined below. In order to provide resistance to brute force attacks, if the number of bits n of plaintext M is set to 100 or more, the number of elements in each public key number sequence is 100 or more. Therefore, even when N = 2, the elements are combined. The total number is at least 10,000. Considering an attack using the LLL algorithm, since the lattice dimension is 10,000 or more, it is considered that the attack using the LLL algorithm does not substantially work.

  Consider resistance to attacks by the Shamir algorithm. As described above, the Shamir attack method uses the feature of the super increase property of the introduced secret key. In this public key cryptosystem, the inequality in the algorithm does not hold because each private key number sequence does not have a superincrement. This can be seen as a kind of linear programming that treats linear inequalities, but the Shamir algorithm deals with nonlinear inequalities that represent higher-order superintensity obtained by combining multiple public key elements. This is because they cannot. Therefore, it is difficult to obtain a key that can be decrypted even if the Shamir algorithm is applied to the public key, and it is considered that the key is resistant to attacks by the Shamir algorithm.

More specifically, when the public key cryptosystem using the three knapsacks described above is examined, a numerical sequence element q _i ¹ × q _i ² + q _i ³ having a super-increasing property by applying the Shamir algorithm is Even if it is obtained, it is necessary to separate it into at least q _i ¹ × q _i ² and q _i ³ in order to decipher, but this sum decomposition is usually difficult. Therefore, it is considered that the public key cryptosystem based on the product and sum of the three knapsacks is more resistant to attacks by the Shamir algorithm than the scheme based on the two knapsack products.

  Furthermore, in the present public key cryptosystem, even if one key number sequence can be derived from a plurality of public key number sequences, for decryption, a key number sequence corresponding to N secret key number sequences is obtained from N public key number sequences. Therefore, there is an advantage that decoding becomes difficult. Furthermore, in this public key cryptosystem, the key size is larger than that of a normal knapsack cryptosystem, but the amount of computation is increased to the extent that operations between knapsack (for example, multiplication) are added. And the decoding process is realized.

  As described above, according to the embodiment of the present invention, a novel knapsack that is resistant to attacks using the typical LLL algorithm as a cryptanalysis method and attacks using the Shamir attack method and capable of high-speed processing. Cryptographic system based on knapsack cryptosystem based on security problem, key generation device for executing key generation, encryption device for executing encryption processing, decryption device for executing decryption processing of ciphertext, data exchange method and program Can be provided.

  In the above-described embodiments, the secure communication system including a plurality of computer apparatuses that execute secret communication via a network has been described as an example of the encryption system. However, in addition to the communication system, authentication, signature, The present invention can be applied to any system to which an encryption method can be applied conventionally such as information storage. In the above-described embodiment, a computer device has been described as an example of a key generation device, an encryption device, and a decryption device. However, the public key encryption method using a plurality of knapsacks described above is hardware or software and hardware. It can be configured as any device that can be implemented in cooperation with each other.

  Although the present invention has been described in order to facilitate understanding of the invention, each function unit and the process of each function unit have been described. However, the present invention is not limited to the above-described specific function unit executing a specific process. A function for executing the above-described processing can be assigned to any functional unit in consideration of efficiency such as programming for implementation and implementation.

  The above functions of the present invention include object-oriented programming languages such as C ++, Fortran, Pascal, Java (registered trademark), Java (registered trademark) Beans, Java (registered trademark) Applet, JavaScript (registered trademark) Script, Perl, and Ruby. It can be realized by a device-executable program described in the above, and can be stored in a device-readable recording medium and distributed or transmitted and distributed.

  Although the present invention has been described with specific embodiments, the present invention is not limited to the embodiments, and other embodiments, additions, changes, deletions, and the like can be conceived by those skilled in the art. It can be changed within the range, and any embodiment is included in the scope of the present invention as long as the effects and effects of the present invention are exhibited.

DESCRIPTION OF SYMBOLS 10 ... Computer apparatus, 12 ... CPU, 14 ... Cache memory, 16 ... System memory, 18 ... System bus, 20 ... Graphics driver, 22 ... NIC, 24 ... Display, 26 ... I / O bus bridge 28 ... I / O bus, 30 ... storage device, 32 ... input device, 50 ... computer device, 110 ... key generation processing unit, 112 ... secret key generation unit, 114 ... public key generation unit, 120 ... decryption processing unit, 130 ... plaintext output unit, 150 ... plaintext input unit, 160 ... encryption processing unit

Claims (14)

An encryption system including a key generation device, an encryption device, and a decryption device by a public key cryptosystem based on a knapsack problem as a safety ground, wherein the key generation device includes:
A secret key generating means for generating a plurality of secret key sequences that do not exhibit super-increasing properties under the condition that the super-increasing properties are satisfied when the elements of each of the plurality of secret key sequences are combined as a variable by a nonlinear function; ,
And a public key generating means for generating a plurality of public key sequences by modularly transforming each element of the plurality of secret key sequences by further defining a modulus and a plurality of multipliers that are relatively prime to the modulus The encryption device is:
Calculating a plurality of knapsacks by calculating an inner product of each of the plurality of public key sequences and plaintext, calculating the plurality of knapsacks corresponding to the nonlinear function, and including encryption means for generating a ciphertext, The decoding device
Decryption means for performing inverse modular transformation on the received ciphertext using the multiplication inverse element of the multiplier according to the method and the method, and uniquely decrypting the plaintext from the ciphertext using the plurality of secret key sequences Including,
Crypto system. The condition that the super-increasing property is satisfied when combined by the nonlinear function is that the plurality of secret key sequences are Q ^j (j = 1,..., N), and there are n each of the secret key sequences Q ^j. The i-th element is q _i ^j , the sum from element q ₁ ^j to element q _i−1 ^j is S _i ^j (j = 1,..., N), and element q _i ^j or sum _S ^{i j} of the non-linear function whose variable as f, the secret key sequence ^{Q j} of each i = 2,. . . , N for each element q _i ^j (j = 1,..., N) is represented by the following inequality (1)
The cryptographic system according to claim 1, wherein the cryptographic system is a condition satisfying: The method p is represented by the following formula (2)
The modular transformation for generating the plurality of public key sequences is set to O ^j (j = 1,..., N), and the public key sequence O is selected. The i-th element out of n of each ^{j is} set to o _i ^j , and the plurality of multipliers are set to r _j (j = 1,..., N).
The cryptographic system according to claim 2, represented by: Of the n plaintext M, the i-th element is m _i (∈ {0,1}), the knapsack is C _j , and the ciphertext C is expressed by the following formula (4).
The cryptographic system according to claim 3, wherein the cryptographic system is calculated by: Said decoding means, said multiplicative inverse r _j ^-1 of the multiplier r _j by the method p, by using the above method p, inverse modular converting the ciphertext C received by the following formula (5)
The remainder D (C) represented by is calculated and the following judgment formula (6)
Accordingly determines element m _i of the plaintext M, according to claim 4 cryptosystem. N = 3, the multiplier r ₃ is equal to r ₁ × r _2, and the nonlinear function f is a sum of a product of two variables and a variable, and the inequalities (1), (2), and Formula (4), Formula (5), and Judgment Formula (6) are the following Inequality (7), Formula (8), Formula (9), Formula (10), and Formula (11) below.
The cryptographic system according to claim 5 represented by: N = 2, the nonlinear function f is a product of two variables, and the inequality (1), the expression (2), the expression (4), the expression (5), and the determination expression (6) are The following inequality (12), the following formula (13), the following formula (14), the following formula (15), and the following judgment formula (16)
The cryptographic system according to claim 5 represented by: A key generation device that performs key generation by a public key cryptosystem based on a knapsack problem as a basis of security, wherein the key generation device includes:
A secret key generating means for generating a plurality of secret key sequences that do not exhibit super-increasing properties under the condition that the super-increasing properties are satisfied when the elements of each of the plurality of secret key sequences are combined as a variable by a nonlinear function; ,
A public key generating means for generating a plurality of public key sequences by modularly transforming each element of the plurality of secret key sequences by further defining a modulus and a plurality of multipliers that are relatively prime to the modulus , Key generation device. An encryption device that performs an encryption process using a plurality of public key sequences by a public key cryptosystem based on a knapsack problem as a basis of security, wherein the encryption device includes:
Encryption means for calculating a plurality of knapsacks by calculating an inner product of each of the plurality of public key sequences and plaintext, calculating the plurality of knapsacks corresponding to a nonlinear function used for generating a secret key, and generating a ciphertext And the plurality of public key sequences are:
Each is a plurality of secret key sequences that do not exhibit super-increasing properties, and from the plurality of secret key sequences that are generated under the condition that they are super-increasing when combined by the nonlinear function with each element as a variable, An encryption apparatus, which is generated by modularly transforming each element of a plurality of secret key sequences using a modulus and a plurality of multipliers that are relatively prime to the modulus as secret keys. A decryption device that executes a decryption process by a public key cryptosystem based on a knapsack problem as a safety ground, the decryption device,
Each is a plurality of secret key sequences that do not exhibit super-increasing properties, and the plurality of secret key sequences that are generated under conditions that exhibit super-increasing properties when the respective elements are combined as a variable by a nonlinear function, and the secret key Using the modulus as a secret key used when generating a plurality of public key sequences from a sequence and a plurality of multipliers that are relatively prime to each other, the multiplication inverse element of the multiplier according to the modulus is calculated and received A decryption device comprising decryption means for performing inverse modular transformation on a ciphertext and uniquely decrypting a plaintext from the ciphertext using the plurality of secret key sequences. A data exchange method using a public key cryptosystem based on the knapsack problem as a security ground,
Generating a plurality of secret key sequences, each of which does not exhibit super-increasing properties, under the condition that the super-increasing properties are satisfied when the elements of each of the plurality of secret key sequences are combined using a nonlinear function as a variable;
A modulus, a plurality of multipliers that are relatively prime to the modulus, and further defining a secret key, modularly transforming each element of the plurality of secret key sequences, and generating a plurality of public key sequences;
Holding the plurality of secret key sequence, the modulus, and the plurality of multipliers in a data receiving device, and holding the plurality of public key sequence in a data delivery device;
The device on the data delivery side calculates a plurality of knapsacks by calculating the inner product of each of the plurality of public key sequences and plaintext, calculates the plurality of knapsacks corresponding to the nonlinear function, and obtains a ciphertext. Generating step;
The device on the data receiving side performs inverse modular transformation on the received ciphertext using the multiplication inverse element of the multiplier according to the modulo and the modulo, and the plaintext is converted from the ciphertext using the plurality of secret key sequences. And a method of exchanging data uniquely.   An apparatus-executable program for causing a computer to function as each means according to claim 8.   An apparatus-executable program for causing a computer to function as each means according to claim 9.   An apparatus-executable program for causing a computer to function as each means according to claim 10.