JP2015099310A - Secrecy enhancement device, and secrecy enhancement data processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the performance of finite field multiplication processing, when secrecy enhancement data processing is executed.SOLUTION: The secrecy enhancement device generates an output y constituted by an output bit string of length m using an input x constituted by an input bit string of length n and a random number r constituted by a bit string of length k. The secrecy enhancement device includes a matrix calculation processing unit (14) that satisfies the condition of k=n-m and n=kt, performs calculation of y=x+rxon a finite field GF(2), generates the output y using y=(y,...,y), and outputs it as a bit string of length m=(t-1)k.

Description

  The present invention relates to an improvement in a data processing method called privacy amplification (PA), and in particular, the secrecy aimed at improving the performance of a finite field multiplication process by improving the calculation processing speed or reducing the random number consumption. The present invention relates to a security enhancement device and a confidentiality enhancement data processing method.

  Applications for increasing confidentiality include various fields such as quantum cryptography, artifact metrics, and biometric authentication. In the following, for convenience of explanation, the case of quantum cryptography will be mainly described. However, the technology relating to the confidentiality enhancing device and the confidentiality enhancing data processing method of the present invention can be applied to other fields.

  Quantum cryptography is an encryption method for sharing a secret key used for secret communication, and is also called quantum key distribution (quantum key distribution). Typical methods include the BB84 method, the SARG04 method, the B92 method, and the BBM92 method.

  Broadly speaking, quantum cryptography devices using these methods perform data processing on a quantum communication part that transmits and receives photons and a random number sequence (referred to as a sieving key, a sieve key, and a shifted key) output therefrom. It has two functions of the key distillation part.

  Further, the latter function of key distillation is further divided into error correction and confidentiality enhancement. The error correction is for removing noise generated in the communication path and the detector from the sieving key. The corrected sieve key is called a corrected key.

  On the other hand, confidentiality enhancement is performed in order to cancel information that may have been leaked to a third party (eavesdropper) by eavesdropping on the communication path from the correction key. The output is called a secret key or a final key.

  The contents of the secret key cannot be guessed at all by the eavesdropper, and the legitimate sender and receiver can use the secret key as it is as a secret communication key. However, as a price for this high confidentiality, the length of the secret key is usually shorter than the correction key. In other words, the weak secret of the correction key is shortly compressed to obtain the secret key.

  In research and implementation of quantum cryptography so far, a kind of function called universal hash functions has been used exclusively for enhancing confidentiality. As a typical universal hash function, one using a Toelitz matrix is known (for example, see Patent Document 1). Further, it is known that this method can be executed at high speed by using a fast Fourier transform (FFT) algorithm (see, for example, Patent Document 2).

JP 2007-86170 A JP 2012-49765 A

T. Tsurumaru and M. Hayashi “Dual universality of hash functions and its application to quantum key distribution,” IEEE Transactions on Information Theory, Volume 59, Issue 7, 4700-4717 (2013); arXiv: 1101.0064 [quant-ph]. M. Hayashi, “Large deviation analysis for classical and quantum security via approximate smoothing,” arXiv: 1202.0322 [quant-ph]. J. H. Silverman, “A Friendly Introduction to Number Theory, 3rd. Ed.” (Pearson Education, New Jersey, 2006); Japanese translation: “First Number Theory, 3rd Edition”, Pearson Kirihara, 2007. G. H. Golub and C. F. Van Loan, “Matrix Computations, 3rd. Ed.” (The John Hopkins University Press, Maryland, 1996).

However, the prior art has the following problems.
As described above, an algorithm that uses a Tapelitz matrix is widely known as a confidentiality enhancement algorithm. In this method, an input bit string (correction key) is regarded as a vector, and an output bit string (secret key) is obtained by multiplying it with a Topplitz matrix. Further, Patent Document 1 proposes a method that uses a matrix in which a unit matrix and a Tapelitz matrix are concatenated (hereinafter, this matrix is referred to as a modified Tapelitz matrix) instead of the Tapelitz matrix.

Regardless of which algorithm is used, in order to guarantee unconditional security of quantum cryptography, it is necessary to increase the size of the Tapelitz matrix or the modified Tapelitz matrix (in general, the number of columns is about 10 ^6. Need to be more). This is a request from the theory of security proof of quantum cryptography, and is caused by the so-called finite length effect.

  As described above, when the size of the Toeplitz matrix or the modified Toelitz matrix is large, the multiplication takes time, and there is a problem that the key generation speed as the whole quantum cryptography apparatus is slowed down. In addition, since the Tapelitz matrix or the modified Tapelitz matrix needs to be newly selected every time the confidentiality is increased, the random number consumption (that is, the mounting cost of the random number generator) at that time also increases similarly. Problems also arise.

  The present invention has been made in order to solve the above-described problems, and in executing the confidentiality enhancement data processing, the confidentiality enhancement provided with the confidentiality enhancement algorithm capable of improving the performance of the finite field multiplication processing. An object is to obtain a device and a confidentiality enhancement data processing method.

The confidentiality enhancing apparatus according to the present invention includes an output bit string having a length m using an input x including an input bit string having a length n and a random number r including a bit string having a length k. When generating the output y, a confidentiality enhancing apparatus including a matrix operation processing unit that performs multiplication processing and addition processing on a finite field GF (2 ^k ), each of which is a positive integer length n , Length k, length m
k = nm
n = kt However, t satisfies the condition of an integer of 3 or more, and the matrix operation processing unit regards the bit string r of length k as the element of GF (2 ^k ) when performing the finite field multiplication. Also, x is divided into k-bit blocks and x = (x ₁ ,..., X _t )
And each x _i is identified with an element of GF (2 ^k ). Furthermore, when performing the finite field multiplication, the matrix calculation processing unit performs i = 1,..., T−1 on the finite field GF (2 ^k ).
y _i = x _i + r ⁱ x _t
And the output y is
y = (y ₁ ,..., y _t−1 )
And output as a bit string of length m = (t−1) k.
The superscript r ⁱ of r indicates r to the power of i on the finite field GF (2 ^k ).

Further, the confidentiality enhancing apparatus according to the present invention includes an output bit string having a length m using an input x including an input bit string having a length n and a random number r including a bit string having a length u. A confidentiality enhancing device including a matrix operation processing unit that performs multiplication processing on a finite field GF (2 ^k ) when generating the output y to be performed, and u and m are integer multiples of k Satisfying the conditions, the matrix processing unit performs a finite field multiplication,
An element a of GF (2 ^k ) when length k, k + 1 is an odd prime, and a further condition that 2 is a generator in the multiplicative group GF (k + 1) ^× of the finite field GF (k + 1) , B a = (a ₀ ,..., A _k−1 )
b = (b ₀ ,..., b _k−1 )
And the parity of a and b is expressed as a _k = a ₀ +... + A _k−1 mod 2
b _k = b ₀ +... + b _k−1 mod 2
And a vector in which a _k and b _k are connected to a and b is A = (a ₀ ,..., A _k−1 , a _k )
B = (b ₀ ,..., B _k−1 , b _k )
Then, a k × k cyclic matrix having the bit string X as the first row is multiplied by the matrix M (A) and the vector B as a matrix M (A) represented by the equation (1) described later, and k + 1 bits. Vector C
C = (c ₀ , c ₁ ,..., C _k ) = BM (A)
And the last component c _k of the vector C is deleted c = (c ₀ ,..., C _k−1 )
Is calculated as a multiplication result, and the output is y.

In addition, the confidentiality enhancing data processing method according to the present invention uses an input x composed of an input bit string of length n and a random number r composed of a bit string of length k to output an output bit string of length m. Is a confidentiality enhancing data processing method executed by a confidentiality enhancing device including a matrix operation processing unit that generates an output y composed of: a length n, a length k, and a length that are all positive integers. M
k = nm
n = kt However, t satisfies the condition of an integer of 3 or more, and the matrix operation processing unit regards the bit string r of length k as the element of GF (2 ^k ) when performing the finite field multiplication. Also, x is divided into k-bit blocks and x = (x ₁ ,..., X _t )
And each x _i is identified with an element of GF (2 ^k ). Furthermore, when performing the finite field multiplication, the matrix calculation processing unit performs i = 1,..., T−1 on the finite field GF (2 ^k ).
y _i = x _i + r ⁱ x _t
And the output y is
y = (y ₁ ,..., y _t−1 )
And a step of outputting as a bit string of length m = (t−1) k.
The superscript r ⁱ of r indicates r to the power of i on the finite field GF (2 ^k ).

Further, the confidentiality enhancing data processing method according to the present invention uses an input x configured with an input bit sequence of length n and a random number r configured with a bit sequence of length u, and an output bit sequence of length m. Is a confidentiality enhancing device including a matrix operation processing unit that performs multiplication processing on a finite field GF (2 ^k ) when generating an output y configured by: u and m are integer multiples of k Satisfying the condition that there is, the matrix operation processing unit, in performing the finite field multiplication,
An element a of GF (2 ^k ) when length k, k + 1 is an odd prime, and a further condition that 2 is a generator in the multiplicative group GF (k + 1) ^× of the finite field GF (k + 1) , B a = (a ₀ ,..., A _k−1 )
b = (b ₀ ,..., b _k−1 )
And the parity of a and b is expressed as a _k = a ₀ +... + A _k−1 mod 2
b _k = b ₀ +... + b _k−1 mod 2
A first step of _calculating, a k, a _{b k} a, the vector obtained by connecting the b A ₌ as _{(a 0, ···, a k} -1, a k)
B = (b ₀ ,..., B _k−1 , b _k )
Then, a k × k cyclic matrix having the bit string X as the first row is multiplied by the matrix M (A) and the vector B as a matrix M (A) represented by the equation (1) described later, and k + 1 bits. Vector C
C = (c ₀ , c ₁ ,..., C _k ) = BM (A)
And the last component c _k of the vector C is deleted c = (c ₀ ,..., C _k−1 )
Is calculated as a multiplication result, and the output y is provided as a third step.

  According to the present invention, an output y composed of an output bit string of length m is generated using an input x composed of an input bit string of length n and a random number r composed of a bit string of length k. When executing the confidentiality enhancement data processing by giving specific restrictions to the respective lengths n, k, and m, a confidentiality enhancement algorithm that can improve the performance of the finite field multiplication processing is provided. A confidentiality enhancing device and a confidentiality enhancing data processing method can be obtained.

It is the figure which showed the structural example at the time of applying the high-speed multiplication algorithm in Embodiment 4 of this invention to the receiver of the quantum cryptography apparatus using the secrecy enhancement algorithm.

  Hereinafter, preferred embodiments of a confidentiality enhancing device and a confidentiality enhancing data processing method of the present invention will be described with reference to the drawings.

First, the concept of the present invention will be described.
The following two points can be cited as points of the present invention for realizing the performance improvement of the finite field multiplication processing.
(Point 1) The consumption of random numbers is reduced due to the nature of the dual universal hash function.
(Point 2) A finite field multiplication is converted into a circulant matrix multiplication to reduce the amount of calculation.

  The background of the establishment of the method of the present invention is the concept of ε-almost “dual” universal hash functions (ε-almost dual universal hash functions) proposed in 2011 (see, for example, Non-Patent Document 1). . This ε-general “dual” universal hash function shows how to extend a conventional ε-general universal hash function without compromising security. And if this concept is followed, unconditional safety can be achieved, using the function which was not assumed by the conventional system.

  In fact, the function described below is an ε-general dual universal hash function, but does not belong to the conventional ε-general universal hash function. And while unconditional safety is guaranteed, the mounting performance surpasses the conventional method.

  In the following, the application to quantum cryptography will be mainly described, but this method can be applied to various security fields such as artifact metrics and biometric authentication (see Non-Patent Document 2, for example). .

In the present invention, the components of the matrix and vector are all assumed to be the original finite field F _2. Therefore, all values are 0 or 1, and multiplication and addition are performed by modulo 2.

  Based on the above concept, a specific configuration of the present invention will be described in detail below as first to fifth embodiments. Note that variables i, j, k, l, m, n, s, t, and u used in the following description mean integers of 0 or more.

Embodiment 1 FIG. (Dual universal hash function by finite field multiplication)
In various ciphers including quantum cryptography, data processing called enhancement of confidentiality is important. Conventionally, the universal hash function has been widely used for enhancing confidentiality. On the other hand, as described above, the inventor of the present application proposed a wider class of hash functions called “dual” universal hash functions in Non-Patent Document 1 in 2011. Furthermore, it was shown that this dual universal hash function can guarantee the same safety as the conventional universal hash function.

  Therefore, in the first embodiment, a specific example of a new dual universal hash function using finite field multiplication will be described. By using this method, the amount of random numbers consumed for enhancing confidentiality is reduced compared to the conventional method.

  The “dual” universal hash function of the first embodiment is a truly new hash function that does not satisfy the conditions of the conventional universal hash function and is out of the framework of the conventional universal hash function.

(Description of method)
First, the input is a bit string x having a length n, and the output is a bit string y having a length m. Here, it is assumed that n is divisible by k = n−m, n = tk, and t> 2. Further, the hash function of the method in the first embodiment is specified by a bit string r having a length k. Therefore, when this hash function is applied to the confidentiality enhancement, the random number r having a length k is consumed each time the confidentiality enhancement is performed.

(Step 1: Formatting the input bit string)
The bit string x obtained in this way is divided into bit strings of length k,
x = (x ₁ ,..., x _t )
x _i = (x _i1 ,..., x _ik )
And Here, x _i is a bit string of length k, and x _ij is a bit value.

(Step 2: Multiplication over a finite field)
Bit sequence _x 1 length k, ···, _{x t,} and r, finite GF ^{(2 k)} of the original regarded none, i = 1, ···, for ^{t-1, GF (2 k} ) above Where y _i = x _i + r ⁱ x _t
To obtain elements y ₁ ,..., Y _t−1 of GF (2 ^k ). Here, r ⁱ represents r to the power of i.

(Step 3: Output)
Again, y ₁ ,..., Y _t-1 is a bit string of length k, and a bit string of length m = (t−1) k obtained by concatenating the bit strings y = (y ₁ ,. y _t-1 )
Is the output of the hash function.

(Effect of Embodiment 1)
When this hash function is used to increase confidentiality, the bit length of the random number to be consumed is nm, that is, the difference between the input length and the output length m. On the other hand, a conventionally used method (using a Toeplitz matrix or finite field multiplication) requires a random number having a length of about m. Therefore, when the compression ratio m / n of the hash function is sufficiently larger than 1/2, the consumption amount of random numbers is dramatically reduced.

Embodiment 2. FIG. (Finite field multiplication algorithm using cyclic matrix)
Finite field multiplication is widely used in various cryptographic algorithms including universal hash functions. Therefore, in the second embodiment, a new algorithm for executing this finite field multiplication at high speed will be described.

The multiplication of the finite field GF (2 ^k ) takes O (k ² ) in the normal method. On the other hand, when this method is used, it is possible to perform finite field multiplication in O (k log k) time. However, the size k is not arbitrary and needs to satisfy the following conditions.

(Conditions for finite fields)
In this method, among the finite field GF (2 ^k ), the integer k has the following properties.
K + 1 is an odd prime number, and 2 is a generator in the multiplicative group GF (k + 1) ^× of the finite field GF (k + 1).
According to the Artin conjecture, there are an infinite number of such k (see, for example, Chapter 21 of Non-Patent Document 3).
Also, the search by the computer can also be easily performed, if ^{10 50} or less of the original, using Mathematica on typical personal computers, can be produced in less than 1 second. For example, when the smallest elements that do not fall below 10 ⁱ (i = 1,..., 12) among such integers k are obtained, k = 10,
100,
10 ³ + 18,
10 ⁴ + 36,
10 ⁵ + 2,
10 ⁶ + 2,
10 ⁷ + 138,
10 ⁸ + 36,
10 ⁹ + 20,
10 ¹⁰ + 18,
10 ¹¹ + 2,
10 ¹² + 90
It can be seen that it is.

(Description of algorithm)
The elements a and b of GF (2 ^k ) are input and the product c = ab is output.

Step 1: Formatting of input bit string A and b are expressed as bit strings a = (a ₀ ,..., A _k−1 )
b = (b ₀ ,..., b _k−1 )
And These parities a _k = a ₀ +... + A _k−1 mod 2
b _k = b ₀ +... + b _k−1 mod 2
Is calculated.

_Then, a k, a material obtained by concatenating _{b k} a, the _{b A = (a 0, ···} , a k-1, a k)
B = (b ₀ ,..., B _k−1 , b _k )
far.
Hereinafter, such a bit string is identified with a horizontal vector.

Step 2: Matrix-Vector Multiplication First, a k × k cyclic matrix having the bit string X as the first row is set as M (A). The specific component of M (A) is as follows.

The matrix M (A) and the vector B are multiplied to obtain a k + 1 bit vector C.
C = (c ₀ , c ₁ ,..., C _k ) = BM (A)
Note that the multiplication of the circulant matrix and the vector can be executed at high speed with a calculation time of (O (k log k)) using fast Fourier transform (see, for example, Non-Patent Document 4).

Step 3: Formatting of output bit string The last component c _k of bit string C is deleted c = (c ₀ ,..., C _k−1 )
Is output as the result of multiplication.

(Operating principle)
The reason why the multiplication of GF (2 ^k ) can be executed by the method described above will be described below.
Polynomial over GF (2 ^k ) F (X) = X ^{k + 1} +1
Is always F (X) = (X + 1) (X ^k + X ^k−1 +... + X + 1)
= (X + 1) G (X)
Can be disassembled.

When the integer k satisfies the condition of this method, it can be shown that the second factor G (X) of F (X) is an irreducible polynomial. Applying the Chinese remainder theorem to this, it can be seen that executing a modulo F (X) polynomial is equivalent to simultaneously executing a modulo X + 1 multiplication and a modulo G (X) multiplication. .
That is, a polynomial of order k or less A (X) = Σ _{i = 0} ^k a _i X ⁱ , B (X) = Σ _{i = 0} ^k b _i X ⁱ
Multiplied by A (X) B (X) ≡C (X) modulo F (X)
To perform the multiplication
A (X) B (X) ≡C (X) modulo X + 1
A (X) B (X) ≡C (X) modulo G (X)
This is equivalent to executing two types of multiplications.

Modulo F (X) multiplication is equivalent to cyclic matrix multiplication. Since G (X) is a k-th irreducible polynomial, the multiplication of modulo G (X) is equivalent to the multiplication on GF (2 ^k ).
On the other hand, modulo X + 1 multiplication always gives the obvious result of 0 × 0≡0. Because the coefficients a _i and b _i of the polynomials A (X) and B (X) are generated by the method of paragraphs 0040 to 0041, their Hamming weights are always even,
A (X) ≡B (X) ≡0 modulo X + 1
And the product C (X) is also C (X) ≡0 modulo X + 1
It is because it always satisfies.
Therefore, by performing multiplication of the circulant matrix, multiplication of GF (2 ^k ) can be performed. This is the operating principle of this method.

(Effect of Embodiment 2) Speeding up of finite field multiplication Multiplication of GF (2 ^k ) usually takes time of O (k ² ), but if this method is used, O (k log k) It is possible to execute finite field multiplication in time. This makes it possible to speed up the processing of various cryptographic algorithms including the universal hash function.

Embodiment 3 FIG. (High-speed implementation of dual universal hash function)
In the third embodiment, a method for reducing both the amount of random number used and the calculation time by combining the methods of the first and second embodiments will be described.

Specifically, the output length m and the input length n in the first embodiment are appropriately selected so that k = mn satisfies the following condition specified in the third embodiment. That is, the condition that “m and n are odd prime numbers and m and n are selected so that 2 is a generation source in the multiplicative group GF (m−n + 1) ^× of the finite field GF (m−n + 1)” is satisfied. Suppose that it meets.

Then, the fast algorithm of the second embodiment is used for the multiplication on GF (2 ^k ) included in the first embodiment. Further, in order to perform addition, exclusive OR is performed on the elements of GF (2 ^k ) represented by a bit string.

Embodiment 4 FIG. (High-speed implementation of conventional universal hash function 1)
In the fourth embodiment, a case where the fast multiplication algorithm of the second embodiment is applied to a conventional universal hash function using finite field multiplication will be described.

(Description of method)
The input is a bit string x of length n, which is regarded as an element of a finite field, and is operated using a random number r composed of a bit string of length u to obtain a bit string y of length m. Here, it is assumed that the number m of output bits satisfies the same condition as k in the second embodiment. That is, it is assumed that the condition that “m + 1 is an odd prime number and 2 is a generation source in the multiplicative group GF (m + 1) ^× of the finite field GF (m + 1)” is satisfied. Also, the input length n is assumed to satisfy n> m, and s is the smallest integer equal to or greater than n / m. Also, let u be an integer multiple of m.

  At this time, the hash function of the method according to the fourth embodiment is specified by a bit string r of length (s−1) m. Therefore, when the hash function is applied to the confidentiality enhancement, the random number sequence r having a length (s−1) m is consumed every time the confidentiality enhancement is performed.

(Step 1: Formatting the input bit string)
When the length n of the input bit x is not a multiple of m, 0 is concatenated to x until it becomes a multiple of m. X obtained in this way is divided into bit strings of length m,
x = (x ₀ ,..., x _s−1 )
x _i = (x _i1 ,..., x _im )
And Here, x _i is a bit string having a length m, and x _ij is a single bit.

Similarly, the random number r is divided into bit strings of length m,
r = (r ₁ ,..., r _s−1 )
r _i = (r _i1 ,..., r _im )
And

(Step 2: Multiplication over a finite field)
The bit string x ₁ ,..., X _{s of} length m and the bit string r ₁ ,..., R _s−1 of random numbers are regarded as elements of the finite field GF (2 ^m ), and the following calculation is performed. , Obtain the element y of GF (2 ^m ).
y = x ₀ + Σ _{i = 1} ^s−1 r _i x _i
= X ₀ + r ₁ x _l + r ₂ x ₂ +... + R _s−1 x _s−1

In this multiplication, the algorithm of the second embodiment is used. Further, in order to perform addition, exclusive OR is performed on the elements of GF (2 ^m ) represented by a bit string.

(Step 3: Output)
y is output as a bit string of length m.

(Effect of Embodiment 4) Improvement in processing speed for enhancing confidentiality In the conventional universal hash using multiplication of a finite field, it was assumed that it took O (m ² ) time for multiplication. On the other hand, in this method, the computational complexity is reduced to O (m log m) by using a high-speed multiplication algorithm.

  Next, a specific application example of the fast multiplication algorithm described in the fourth embodiment will be described with reference to the drawings. FIG. 1 is a diagram illustrating a configuration example when the fast multiplication algorithm according to Embodiment 4 of the present invention is applied to a receiver of a quantum cryptography device using a confidentiality enhancement algorithm. The quantum cryptography apparatus 10 shown in FIG. 1 is connected to a sender via a quantum communication path 20 made of an optical fiber or the like.

  The quantum cryptography device 10 includes a quantum communication device 11, an error correction device 12, a random number generator 13, and a matrix operation processing unit 14. Here, the fast multiplication algorithm described in the fourth embodiment is used in the matrix operation processing unit 14.

  The quantum communication device 11 is a device composed of a photon modulator and a photon detector, modulates an optical signal transmitted from the quantum communication path 20, detects it, and outputs a sieve key as a bit string.

The error correction device 12 is a computer for correcting an error generated in the sieve key due to noise of the quantum communication channel 20 or the quantum communication device 11 using an error correction code, and is a personal computer (PC) or FPGA. Consists of. Then, the error correction device 12 outputs the correction key k _rec as a bit string as a result of error correction. The bit string of the correction key k _rec corresponds to the input bit x having the length n described above.

The random number generator 13 is for outputting a random number bit string for designating the cyclic matrix M (R _i ) (R _i is an m-bit random number string r _i and m + 1 bits by the operation of paragraph 0040). A physical random number generator, or a pseudo-random number generator mounted on a PC or FPGA. Here, the random number generator 13 may generate the above-described random number bit string r ₁ ,..., R _s−1 .

The matrix calculation processing unit 14 regards the random number bit string r ₁ ,..., R _s−1 generated by the random number generator 13 as an element of the finite field GF (2 ^m ), and performs the above-described calculation. Get the element y of GF (2 ^m ). Then, the matrix calculation processing unit 14 outputs the bit string y having the length m as the secret key k _sec . In this way, it is possible to improve the processing speed for enhancing confidentiality.

Embodiment 5 FIG. (High-speed implementation of conventional universal hash function 2)
In the fifth embodiment, as in the fourth embodiment, another specific example in the case where the fast multiplication algorithm of the second embodiment is applied to the conventional universal hash function using the finite field multiplication. An example will be described.

(Description of method)
The conditions for the input length n and the output length m, and the definition of s are the same as in the fourth embodiment.

On the other hand, the hash function of the method in the fifth embodiment is specified by only one bit string r having a length m. In the fifth embodiment, instead of r _i (i = 1,..., S-1, each r _i was m bits) in the fourth embodiment, r ⁱ ( r to the power of i). Therefore, when such a hash function is applied to the confidentiality enhancement, only the random number sequence r of length m is consumed each time the confidentiality enhancement is performed.

(Step 1: Formatting the input bit string)
The operation for the input bit x is the same as in the fourth embodiment. That is, when the length n of the input bit x is not a multiple of m, 0 is concatenated to x until it becomes a multiple of m. X obtained in this way is divided into bit strings of length m,
x = (x ₀ ,..., x _s−1 )
x _i = (x _i1 ,..., x _im )
And Here, x _i is a bit string having a length m, and x _ij is a single bit.

On the other hand, the random number r in the fifth embodiment is a bit string having a length m.
r = (r ₁ ,..., r _m )

(Step 2: Multiplication over a finite field)
The bit string x ₁ ,..., X _s and the random number r of length m are regarded as elements of the finite field GF (2 ^m ), and the following calculation is performed to obtain an element y of GF (2 ^m ).
y = Σ _{i = 0} ^s−1 r ⁱ x _i
= X ₀ + rx ₁ + r ² x ₂ +... + R ^s−1 x _s−1
Here, r ⁱ represents r to the power of i.

In this multiplication, the algorithm of the second embodiment is used. Further, in order to perform addition, exclusive OR is performed on the elements of GF (2 ^m ) represented by a bit string.

(Step 3: Output)
y is output as a bit string of length m.

(Effect of Embodiment 5) Improvement of processing speed for enhancing confidentiality In the conventional universal hash using multiplication of a finite field, it was assumed that it took O (m ² ) time for multiplication. On the other hand, in this method, the computational complexity is reduced to O (m log m) by using a high-speed multiplication algorithm.

In the above description, a characteristic 2 finite field, that is, a method on GF (2 ^k ) has been described, but the present invention is not limited to this. It is also possible to apply the present invention by changing the characteristic 2 to a system on a finite field GF (p ^k ) of a general characteristic p (where p is a prime number).

  DESCRIPTION OF SYMBOLS 10 Quantum cryptography apparatus, 11 Quantum communication apparatus, 12 Error correction apparatus, 13 Random number generator, 14 Matrix calculation process part, 20 Quantum communication path.

Claims (6)

When generating an output y consisting of an output bit string of length m using an input x consisting of an input bit string of length n and a random number r consisting of a bit string of length k, a finite field A confidentiality enhancing apparatus including a matrix operation processing unit that performs multiplication processing on GF (2 ^k ),
The length n, the length k, and the length m, all of which are positive integers,
k = nm
n = kt where t satisfies an integer condition of 3 or more,
In performing the finite field multiplication, the matrix calculation processing unit performs i = 1,..., T−1 on the finite field GF (2 ^k ).
y _i = x _i + r ⁱ x _t
And the output y is
y = (y ₁ ,..., y _t−1 )
The confidentiality enhancing device that generates and outputs a bit string of length m = (t−1) k. When generating an output y consisting of an output bit string of length m using an input x consisting of an input bit string of length n and a random number r consisting of a bit string of length u, a finite field A confidentiality enhancing apparatus including a matrix operation processing unit that performs multiplication processing on GF (2 ^k ),
The length n, the length u, and the length m are all positive integers and satisfy the condition that u and m are integer multiples of k.
In performing the finite field multiplication, the matrix calculation processing unit,
An element a of GF (2 ^k ) when length k, k + 1 is an odd prime, and a further condition that 2 is a generator in the multiplicative group GF (k + 1) ^× of the finite field GF (k + 1) , B a = (a ₀ ,..., A _k−1 )
b = (b ₀ ,..., b _k−1 )
And the parity of a and b is expressed as a _k = a ₀ +... + A _k−1 mod 2
b _k = b ₀ +... + b _k−1 mod 2
As
a _k and b _k are vectors connected to a and b, respectively. A = (a ₀ ,..., a _k−1 , a _k )
B = (b ₀ ,..., B _k−1 , b _k )
And a k × k cyclic matrix having the bit string X as the first row is represented by a matrix M (A) represented by the following equation:

The matrix M (A) and the vector B are multiplied to obtain a k + 1 bit vector C
C = (c ₀ , c ₁ ,..., C _k ) = BM (A)
And the last component c _k of the vector C is deleted c = (c ₀ ,..., C _k−1 )
As a result of multiplication and set as the output y. The confidentiality enhancing device according to claim 1,
The matrix operation processing unit
When m−n + 1 is an odd prime number and the further condition that m and n are selected so that 2 is a generator in the multiplicative group GF (mn + 1) ^× of the finite field GF (m−n + 1) ,
A confidentiality enhancing device that employs the finite field multiplication method according to claim 2 in generating the output y. In the confidentiality enhancing device according to claim 2,
The matrix calculation processing unit adopts the finite field multiplication method according to claim 2 in generating the output y in the confidentiality enhancing device using a conventional universal hash function using finite field multiplication. apparatus. A matrix operation processing unit that generates an output y composed of an output bit string of length m using an input x composed of an input bit string of length n and a random number r composed of a bit string of length k. A confidentiality enhancing data processing method executed by the confidentiality enhancing device provided,
The length n, the length k, and the length m, all of which are positive integers,
k = nm
n = kt where t satisfies an integer condition of 3 or more,
In performing the finite field multiplication in the matrix calculation processing unit,
On the finite field GF (2 ^k ), for i = 1,..., T−1,
y _i = x _i + r ⁱ x _t
And the output y is
y = (y ₁ ,..., y _t−1 )
And a confidentiality enhancing data processing method comprising: a step of generating a bit string of length m = (t−1) k. A matrix operation processing unit that generates an output y composed of an output bit string of length m using an input x composed of an input bit string of length n and a random number r composed of a bit string of length u. A confidentiality enhancing data processing method executed by the confidentiality enhancing device provided,
The length n, the length u, and the length m are all positive integers and satisfy the condition that u and m are integer multiples of k.
In performing the finite field multiplication in the matrix calculation processing unit,
An element a of GF (2 ^k ) when length k, k + 1 is an odd prime, and a further condition that 2 is a generator in the multiplicative group GF (k + 1) ^× of the finite field GF (k + 1) , B a = (a ₀ ,..., A _k−1 )
b = (b ₀ ,..., b _k−1 )
And the parity of a and b is expressed as a _k = a ₀ +... + A _k−1 mod 2
b _k = b ₀ +... + b _k−1 mod 2
A first step of calculating as
a _k and b _k are vectors connected to a and b, respectively. A = (a ₀ ,..., a _k−1 , a _k )
B = (b ₀ ,..., B _k−1 , b _k )
And a k × k cyclic matrix having the bit string X as the first row is represented by a matrix M (A) represented by the following equation:

The matrix M (A) and the vector B are multiplied to obtain a k + 1 bit vector C
C = (c ₀ , c ₁ ,..., C _k ) = BM (A)
A second step of generating
The last component c _k of the vector C is deleted c = (c ₀ ,..., C _k−1 )
As a result of multiplication, and a third step of setting the output y as the output y.

Images