JP2020052215A - Public key encryption system, public key encryption method, and public key encryption program - Google Patents

Abstract

To provide a public key encryption system capable of reducing arithmetic costs.SOLUTION: A public key encryption system includes: a transmission device 100 for encrypting plain text with a public key and transmitting cypher text; and a reception device 200 for receiving the transmitted cypher text and decrypting it with a secret key corresponding to the public key to return it to the plain text. The transmission device 100 includes encryption means 102 that performs a Bernoulli shift mapping with the public key to convert plain text to cipher text, and the reception device 200 includes decryption means 202 that performs the Bernoulli shift mapping with the secret key to convert the cypher text to the plain text.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a public key encryption system, a public key encryption method, and a public key encryption program.

  Conventionally, RSA encryption has been known as a public key encryption method. The basics of the RSA cryptosystem are operations that take powers and take modulo. A method of multiplying the remainder to reduce the operation cost such as performing the remainder without increasing the operation accuracy width, It is known that the power method is used. That is, in the invention of Patent Document 1, in the RSA encryption of the idle time of the CPU, the remainder calculation is indispensable in the calculation that modulates, and the calculation cost is required to perform the division.

  Japanese Patent Application Laid-Open Publication No. HEI 10-163566 discloses an apparatus employing the above-described RSA (Rivest-Shamir-Adleman) encryption processing. Patent Document 1 points out that the RSA encryption has a large computational load, and a CPU of an embedded device having a low processing capability requires a long time to occupy the CPU. It is disclosed that the time is divided as unequally as possible so that the RSA encryption processing is completed in a short time.

  Further, the weak point of the RSA encryption is that if the plaintext is composed of only “Yes” or “No” as a definite plaintext, and if the same plaintext is continuously encrypted with the same public key, the ciphertext is limited, the plaintext is limited. There is a problem that can be found. In order to solve this, a method of adding a random number to the plaintext, apparently changing the encrypted text every time, and transmitting the encrypted text is adopted. However, in this method, there is a problem that the receiver needs to remove the random number part after decryption, and the size of the plain text increases due to the addition of the random number. Then, in such a form in which a random number is added, if the private key of the public key cryptosystem is known to a third party, there is a disadvantage that the plain text is specified by removing the random number part after decryption. .

  Patent Document 2 discloses an encryption method capable of safely sharing a shared key. In this Patent Document 2, the temporary key generation means 22 generates a temporary key ri which is a random number, and the encryption means 14 encrypts the temporary key ri using the first initial key ki1 to obtain a ciphertext ci1. The transmitting unit 20 transmits the ciphertext ci1 to the receiving device 50. The encryption means 14 encrypts the temporary key ri with the second initial key ki2 to obtain a shared key ks. On the other hand, the receiving device 50 receives the cipher text ci1 and supplies it to the decrypting means 56. The decrypting means 56 decrypts the cipher text ci1 to obtain the original temporary key ri. The encryption unit 54 encrypts the temporary key ri using the second initial key ki2, so that the shared key ks can be obtained on the receiving device 50 side as well as on the transmitting device 10 side. Thereafter, secret communication is performed using the shared key ks.

  Patent Document 3 discloses an encryption communication system suitable for encrypting and transmitting information. According to Patent Document 3, the transmitting device 131 and the receiving device 151 of the cryptographic communication system 101 generate a secret key and a public key, respectively, generate a random number based on the current time, and use the random number. A session key is created, and the session key is shared using RSA encryption technology. The shared session key is also used for encrypting the random number, and authenticates the session key by matching the original random number when the encrypted random number is decrypted. By encrypting the information to be transmitted with the authenticated session key using the vector stream encryption and transmitting the encrypted information, communication confidentiality can be maintained.

  Patent Literature 4 discloses that a new chaotic time series capable of high-speed operation is searched for, and a chaos generator or a chaos encryption device is realized using the chaotic time series. More specifically, this chaos generating device has a prime mi [i = 1 to L, L ≧ 1] for a function fi (n) [i = 1 to L, L ≧ 1] that rapidly increases as the variable n increases. ]; Initial value computing means for deriving a remainder ri (n0) [i = 1 to L, L ≧ 1] from fi (n0) with respect to an initial value n0 of a variable n by using a prime mi as a modulus; fi In the calculation of (n + 1), it is an iterative operation means for deriving a remainder ri (n + 1) derived modulo the prime number mi using the remainder ri (n), and while increasing the variable n sequentially from n0, the remainder ri (n) The chaotic signal output unit outputs a chaotic time series Xn having a unique value generated through [i = 1 to L, L ≧ 1].

  Further, Patent Literature 5 discloses that an initial value of random number generation is included / sent from an R / W in an encryption frame, and the random number seed is changed for each encryption frame, thereby ensuring the convenience of RFID while ensuring decryption. An encryption method that makes it difficult is disclosed. According to the invention of Patent Document 5, before the transmission of the downlink encrypted frame, the reader / writer uses the random number based on the value stored in the first additional data storage unit that stores the additional data included in the previously transmitted downlink encrypted frame. A seed is generated, and encryption / decryption is performed based on random number data generated by a first random number generation unit using the random number seed as an initial value. On the other hand, in the tag, before receiving the downlink encrypted frame, a random number seed is generated based on the value stored in the second additional data storage unit that stores the additional data included in the previously received downlink encrypted frame, and the random number seed is generated. The decryption / encryption is performed based on random number data generated by the second random number generation means as an initial value.

JP 2011-75611 A JP 2006-254417 A JP 2006-67412 A JP 2005-17612 A JP 2009-10597 A

  According to the above-described conventional encryption methods, many methods are used from the viewpoint of confidentiality, and do not lead to a reduction in processing having a high operation cost such as division included in the processing process. In the present embodiment, a public key encryption system, a public key encryption method, and a public key encryption program capable of reducing the operation cost are provided.

  A public key cryptosystem according to an embodiment includes a transmitting device that encrypts a plaintext using a public key and sends the ciphertext, receives the transmitted ciphertext, and decrypts the plaintext using a secret key corresponding to the public key. And a receiving device that returns to the public key cryptosystem, the transmitting device includes an encryption unit that performs a Bernoulli shift mapping using the public key to convert a plaintext into a ciphertext, and the receiving device includes: And decrypting means for executing a Bernoulli shift mapping using the secret key to convert a ciphertext into a plaintext.

FIG. 1 is a block diagram showing a configuration of a first embodiment of a public key cryptosystem according to the present invention. FIG. 2 is a block diagram showing a configuration of a second embodiment of the public key cryptosystem according to the present invention. FIG. 9 is a block diagram showing a configuration of a third embodiment of the public key cryptosystem according to the present invention. FIG. 11 is a block diagram showing a configuration of a fourth embodiment of the public key cryptosystem according to the present invention. FIG. 13 is a block diagram showing a configuration of a fifth embodiment of the public key cryptosystem according to the present invention. FIG. 3 is a diagram showing a map of Bernoulli shift mapping used in the embodiment of the public key cryptosystem according to the present invention. FIG. 9 is a diagram showing a time series of a result of Bernoulli shift mapping used in the embodiment of the public key cryptosystem according to the present invention. The figure which shows the time series of the Bernoulli shift mapping and joint arithmetic at the time of the inclination coefficient A = 2. The figure which shows the Bernoulli shift map of inclination coefficient A = 5. The figure which shows the time series of the Bernoulli shift mapping and joint arithmetic at the time of coefficient A = 5. The figure which shows the source code in C language of Bernoulli shift map and joint arithmetic. FIG. 8 is a diagram showing a calculation result by Bernoulli shift mapping and joint arithmetic in FIG. 7. The figure which shows the process which calculates | requires "x" and "y" used as the secret key SK by the integer solution of a one-dimensional indefinite equation. 4 is a flowchart showing the operation of the first embodiment of the public key cryptosystem according to the present invention. FIG. 9 is a diagram showing a result of three types of plaintext encryption by Bernoulli shift mapping) and a result of decryption. The figure which shows the encryption / decryption image of public key encryption by Bernoulli shift mapping. 9 is a flowchart showing an operation of the third embodiment of the public key cryptosystem according to the present invention. 13 is a flowchart showing the operation of the fourth embodiment of the public key cryptosystem according to the present invention. X _i when the initial value X ₀ of the Bernoulli shift map is changed 14 is a flowchart showing the operation of the fifth embodiment of the public key cryptosystem according to the present invention.

  An embodiment of a public key encryption system, a public key encryption method, and a public key encryption program according to the present invention will be described below with reference to the accompanying drawings.

  As an embodiment of the present invention, a public key is encrypted based on a public key, and a public key cryptography operation by Bernoulli shift mapping is performed by a receiving device having a secret key to perform decryption. We propose a cryptographic system. RSA encryption is known as one of the conventional representative public key encryption. The mathematics used in the RSA cryptography is based on Euler's theorem which extends Fermat's small theorem so that it can be applied to numerical values other than prime numbers.

  The inventor of the present application has found that a Bernoulli shift map known as a one-dimensional map is converted to an integer operation, and that when a slope is uniformly changed and a repeated value is tracked, it is synchronized with Fermat's small theorem known as a joint arithmetic theorem. . Focusing on this point, Euler's theorem also synchronizes with the repetition period of the Bernoulli shift mapping, so that the operation by the joint arithmetic of the RSA encryption can be applied as the public key encryption by the Bernoulli shift mapping.

  The RSA encryption is based on joint arithmetic, which is a modulo operation, and division is essential for this joint arithmetic. On the other hand, in the public key encryption algorithm based on the Bernoulli shift mapping according to the embodiment of the present invention, the division is not performed and the subtraction needs to be performed only once, so that the operation cost can be reduced as compared with the one using the joint arithmetic. Further, as a weak point of the RSA encryption, when a definite plain text is composed of only “Yes” or “No”, if the same plain text is encrypted with the same public key, the cipher text is limited. As mentioned above, there is a problem of being easily detected. In order to solve this, there is a method of adding a random number to the plaintext and transmitting it. However, it also mentioned that the work on the receiving side increases.

On the other hand, in the operation of the public key cryptography based on the Bernoulli shift mapping according to the present embodiment, the initial value X ₀ has a degree of freedom to be changed. In other words, by changing the initial value X ₀ as an initial vector, even if the same plaintext is encrypted with the same public key, the pattern of the ciphertext changes every time, so that the third party is not allowed to use the same plaintext. It can be expected that it will be difficult to realize.

Public key cryptography is used as a hybrid type cryptography that uses public key cryptography when passing a common key to a communication partner due to the problem of key distribution in common key cryptography, but when the same common key is repeatedly used Output the same ciphertext, which reduces security. The public key cryptosystem using the Bernoulli shift mapping according to the embodiment employs a configuration in which a different ciphertext can be generated each time by changing the initial value X ₀ with a random number every time. It can be expected that the safety will be improved because the people will not understand. For this reason, the key exchange method is also suitable for applications where the same passcode is reused. The security of the encryption according to the present embodiment is based on the fact that, as in the case of the RSA encryption, the composite number obtained by multiplying prime numbers of large digits requires an enormous amount of calculation for the factorization of the prime numbers.

  Next, an embodiment will be described with reference to the drawings. In the respective drawings, the same components are denoted by the same reference numerals, and redundant description will be omitted. As shown in FIG. 1, the public key encryption system according to the first embodiment includes a transmitting device 100 and a receiving device 200.

  The transmitting device 100 and the receiving device 200 are not particularly limited as long as they have a computer function and a communication function, and can be configured by a personal computer, a workstation, a smartphone, a PDA (personal digital assistant), or the like. The transmitting apparatus 100 encrypts a plaintext using a public key and transmits the encrypted text, and includes a transmitting unit 101 for transmission. The receiving apparatus 200 receives the transmitted ciphertext, decrypts the ciphertext using the secret key corresponding to the public key, and returns the plaintext to the plaintext. The receiving apparatus 200 includes a receiving unit 201 for reception.

  The transmitting device 100 and the receiving device 200 are connected by a wired or wireless transmission path 300. The transmission device 100 includes an encryption unit 102. The encrypting means 102 converts a plaintext into a ciphertext by executing Bernoulli shift mapping using the public key. The receiving device 200 includes a decoding unit 202. The decryption means 202 converts the ciphertext into plaintext by executing Bernoulli shift mapping using the secret key.

  The receiving device 200 includes a public key generation unit 203 for generating the public key and a secret key generation unit 204 for generating the secret key. Since the public key encryption system of the present embodiment having the configuration shown in FIG. 1 basically uses a Bernoulli shift mapping, the description starts with the Bernoulli shift mapping.

ベルヌーイシフト写像のマップを図２に示し、式（１）による横軸をｉ、縦軸をｘ_i+1とした時系列を図３に示す。 About Bernoulli shift mapping Bernoulli shift mapping is defined by the following equation (1).

FIG. 2 shows a map of Bernoulli shift mapping, and FIG. 3 shows a time series in which the horizontal axis according to equation (1) is i and the vertical axis is x _{i + 1} .

In FIG. 3, since the initial value x ₀ = 0.234 and “x ₀ <0.5”, the calculation “x ₁ = 2x ₀ ” is performed, and x ₁ = 0.468 is obtained. For x ₁ are the "x ₁ <0.5", performs an operation of _{"x 2 = 2x 1",} x 2 = 0.936 is obtained, since _{"x 3, x 4, ...} " and The open section (0, 1) is repeated to make a transition.

Next, the synchronization between the Bernoulli shift mapping and the joint arithmetic will be described. Fermat's little theorem is known as an important theorem in the joint arithmetic of elementary number theory. When P is a prime number and A is an integer that is not a multiple of P (A and P are mutually prime [the greatest common divisor is 1], that is, P is a prime number), it is known that the following equation holds. I have.

For example, in the case of 2 ¹¹ ≡2 (mod ¹¹ ), if 2 ¹¹ = 2048 is divided by a prime number 11 to perform an operation, it indicates that the remainder is 2, and the remainder obtained by taking the modulus of 11 is 2 It is an expression indicating that there is. When “P−1” is a multiplier (both sides are divided by A), the remainder is 1 as in the following equation (2).

Here, “1/11” is set as the initial value x ₀ of the equation (1), “ _i = 2” is set in the equation (2), and the value of the repeated x _i is set as a modulus P = 11 is set, and the remainder after the index P on the left side is changed from 0 to 11 is as shown in FIG. Here, the larger the exponent in equation (2), the greater the number of digits. Therefore, in the joint arithmetic, modulo is used to multiply the value Q by another value once more. Therefore, when the remainder is taken out, it has the property that it becomes equal to the remainder of the original multiplication (Q ³ ), and the calculation can be performed with a reduced number of digits. Therefore, the calculation is performed using this technique.

As shown in FIG. 4A, the Bernoulli shift map is calculated by a fraction, and the numerical value of the numerator of X _i in this calculation becomes the same as the surplus numerical value by the joint arithmetic in FIG. 4B. And that they are synchronized. This is because the indivisible number is a provisional fraction (2 ⁱ / 11), for example, when i = 6, 64/11 = 55/11 + 9/11 = 5 + 9/11. However, the value of the numerator “9” in the true fraction (9/11) is also indicated as the remainder of division by 11. From Figure 4 above, return to 1/11 and X ₀ at time x _10, Bernoulli shift map is seen to be repeated in the cycle length of 10.

Next, a Bernoulli shift mapping equation corresponding to a case where A in equation (2) is a numerical value other than 2 is considered. Considering the case where A = 5 as an example, the Bernoulli shift mapping synchronized with this is expressed by the following five equations (3). FIG. 5 shows the map of the equation (3).

Equation (3) is set to a value obtained by performing an iterative operation by giving an initial value X ₀ = 1/11, “A = 5” in Equation (2), and a prime number P = 11 as a modulus. The transition of the values is shown in FIG. Referring to FIG. 6, similarly to the case where A = 2, the numerator of X _i in the iterative operation of equation (3) shown in FIG. 6 (A) and the remainder value by the joint arithmetic shown in FIG. 6 (B) Have the same value and are synchronized. This is also because the numerator of the true fraction indicates the remainder of the joint arithmetic in the operation of the fraction, and any value of the slope A may have the same value as the remainder of the joint arithmetic with the numerator of the true fraction. I understand. Then, X ₅ = 1/11, and the cycle length is repeated at 5 to return to the initial value X ₀ . From these considerations, it can be seen that the numerator of the exact fraction of the repetition value of the Bernoulli shift map corresponds to the remainder of the joint arithmetic, and is synonymous with the remainder of the joint arithmetic. From the above, it was shown that the joint arithmetic using the power of the gradient A can be replaced with the Bernoulli shift map.

上記式（４）のＭ_kの下付き添え字ｋは、式（４）の各一次式（一次式の数はＡ個）を選択する範囲毎の変数を示し、ｋは０（Ｍ₀＝０）から傾きＡ（Ｍ_k+1＝Ａ）までを表している。例えば、Ｐ＝１（拡大無し）とすれば、傾きＡ＝２では式（１）、傾きＡ＝５では式（３）が得られる。 Up to this point, the Bernoulli shift mapping has dealt with the open interval (0, 1). However, by multiplying the interval by a prime number P so that the integer operation can be performed to make the open interval (0, P), The corresponding X _i can be obtained. The Bernoulli shift map obtained by enlarging the slope to “A” and expanding to the open interval (0, P) and converting it into an integer is a simple expression that summarizes a linear equation of each slope A and is expressed by the following equation (4). I do.

The subscript _k of M _{k in} the above equation (4) indicates a variable for each range for selecting each linear equation (the number of linear equations is A) of the equation (4), and k is 0 (M ₀ = 0) to the gradient A (M _{k + 1} = A). For example, if P = 1 (no enlargement), equation (1) is obtained when the slope A = 2, and equation (3) is obtained when the slope A = 5.

FIG. 7A shows a source code of a program in which the expression (4) of the Bernoulli shift mapping converted into an integer operation is described in C language, and FIG. 7B shows the expression of the joint arithmetic expression (2) in C language. Shows the source code of the described program. FIG. 8 shows a calculation result obtained by executing the program of FIG. FIG. 8 (A) shows the result of X _{i obtained} by repeating Bernoulli shift mapping equation (4) up to X ₁₀ with coefficient A = 5, maximum interval P = 11, and number of repetitions ret = 11. Indicates a value. FIG. 8B shows that the joint arithmetic equation (2) has a coefficient A = 5, a modulus P = 11, and the power P-1 on the left side is “0, 1, 2,..., 10” (r = 11). To the remainder of dividing each power of 5 by modulo 11. According to FIG. 8, the value X _i of the iteration i of the Bernoulli shift map shown in FIG. 8A and the value of the power (5 ⁱ (mod 11)) correspond to the same solution. Can be confirmed.

Note that in the program of the Bernoulli shift mapping equation (4) in FIG. 7A, the sections (0, P, M) are such that the boundaries “P × M _k / A” and “P × M _{k + 1} / A” of each section are divisible. ) Is further multiplied by A so that the maximum section (0, A × P) can be set and the boundary of each section can be handled only by integers. In a specific example, when the coefficient A = 5, the boundary value of the section is “0/5, 11/5, 22/5, 33/5, 44/5, 55/5” from equation (4). Since it is not divisible, the value of “0, 11, 22, 33, 44, 55” is obtained as a boundary value by multiplying by 5, and stored in a memory (array [A]). The value “P × M _k ” to be subtracted is selected by the search processing for the section corresponding to the value of X _i (in the program of FIG. 7, the search is performed in descending order and the search is completed when found). Therefore, the X _i is "printf" statement outputs the result to the monitor in the program output from the divided by A, the return value is also X _i of the function is a value obtained by dividing by A.

  The joint arithmetic operation of the joint arithmetic expression (2) is performed by multiplying the remainder of the modulus 11 by A = 5 to obtain the remainder of the modulus 11 as shown in the source code shown in FIG. A method of performing the remainder arithmetic by repeating A = 5 is used. On the other hand, in the formula (4) of the Bernoulli shift mapping, a process for searching the memory area for storing the boundary value of the section and the section occurs. However, the operation only requires one subtraction, and the remainder is left after performing the division. It can be expected that the operation cost is reduced as compared with the division remainder.

  Actually, the repetition part of the operation of the source code of FIG. 7 is repeated 1 million times (A = 5, P = 11, FIG. 7 (A): ret = 1000000, FIG. 7 (B): r = When "printf" is set to 1000000 and the "printf" part is commented out) and the processing time is examined using the command tool "time" provided by the operation system Linux (registered trademark), the operation by Bernoulli shift mapping is approximately the joint arithmetic. It was confirmed that the processing time was reduced to half. In the Bernoulli shift mapping of the equation (4), it is estimated that a large value of the slope A increases the number of divisions of the section and takes a long time to search, but the search processing of the section uses a bipartite search method or the like. It is more desirable to reduce search costs.

From the above considerations and the experimental results, it is estimated that the power of joint arithmetic and the number of iterations of the Bernoulli shift map are synchronized, and the relationship that the remainder of the power of joint arithmetic and X _{i of the} Bernoulli shift map have the same value is obtained. You. Therefore, it is estimated that Euler's theorem extended so that the Fermat's small theorem used in the RSA cryptography can be applied to numbers other than prime numbers is also synchronized with the Bernoulli shift mapping.

上記式（５）におけるφ（Ｎ）は、オイラーのトーシェント関数と呼ばれ、φ（Ｎ）はＮより小さい正の整数のうちＮと互いに素な数の個数を表す。例えばＮ＝１０のときを考えると１０と互いに素な１０より小さい数をピックアップすると｛１，３，７，９｝の４個となるため、φ（１０）＝４となる。 Euler's Theorem Euler's theorem is that when N is a positive integer and A is a positive integer which is relatively prime to N, the following equation (5) holds.

Φ (N) in the above formula (5) is called Euler's torsional function, and φ (N) represents the number of positive integers smaller than N and relatively prime to N. For example, considering N = 10, picking up a number smaller than 10 that is relatively prime to 10 results in four {1, 3, 7, 9}, so that φ (10) = 4.

  Also, when N is a prime number P, since the prime numbers relatively prime to P are {1, 2,..., P-2, P-1}, φ (P) = P−1, It can be seen that equation (5) becomes equation (2) of Fermat's little theorem. For this reason, Euler's theorem is an extended version of Fermat's little theorem that can be applied to other than prime numbers. In particular, it is known that when the prime numbers P and Q are prepared and “N = P × Q”, “φ (N) = (P−1) × (Q−1)” holds. In cryptography, N obtained by multiplying these two prime numbers is used as a part of a public key as a modulo value. Note that A does not use primes P or Q because A and N must be relatively prime integers.

Regarding RSA (Rivest-Shamir-Adleman) encryption RSA encryption is a public key cryptosystem based on Euler's theorem focusing on the periodicity of the remainder of the exponentiation by joint arithmetic. The public key cryptosystem is a cryptosystem in which encryption is performed using a public key that is disclosed to a third party, and only a person having a secret key can perform decryption, and separate keys are used for encryption and decryption. The common key cryptosystem in which the sender and the receiver share the same key is widely used for exchanging and authenticating the common key because of the problem of key distribution. The public key is PK (Public Key) and modulus N, and the secret key is SK (Secret Key) and modulus N. Since these keys can be used equally for the RSA encryption in the encryption and decryption operations by Bernoulli shift mapping, the present embodiment uses them, and a key generation method will be described below.

暗号文Ｃから復号鍵となる秘密鍵ＳＫを用意し、以下の合同算術の式（７）で復号を行い平文に復元する。

ここで式（６）に式（７）を代入し暗号文Ｃを消去すると、

と復号を行うことができる。 In the RSA encryption, assuming that the plaintext is PL (Plain) and the public key PK and the public key N are, the ciphertext C (Cipher) is obtained by the following joint arithmetic expression (6) using two public keys.

A secret key SK serving as a decryption key is prepared from the ciphertext C, and decrypted by the following joint arithmetic expression (7) to restore the plaintext.

Here, when equation (7) is substituted into equation (6) and ciphertext C is deleted,

And decryption can be performed.

In the RSA encryption, a ciphertext C of Expression (6) is generated using a public key PK and a public key N, and only a person having a decryption key (secret key) SK and a decryption key N can obtain a correct plaintext PL from the ciphertext C. It is structured as a public key cryptosystem by finding PK and SK that satisfy Expression (8). Considering that equation (8) is satisfied, Euler's theorem of equation (5) can be used. Substituting the plaintext PL into A in equation (5), introducing a positive integer “y”, and raising it to the power of y yields the following equation (8A).

In the above equation (8A), “1” is repeated with a period length φ (N), which is a value obtained by multiplying the exponentiation φ (N) by an integer with y, and taking the modulus. As described above, when “N = P × Q”, “φ (N) = (P−1) × (Q−1)” holds, and N is a value obtained by multiplying a prime number P and a prime number Q (prime numbers Is used as the basis for the security of the RSA encryption). Further, when both sides of the equation (8A) are multiplied by “PL”, the following equation (9) is obtained.

が成り立つようなＰＫとＳＫを見つけることで、式（８）は成り立つため暗号文Ｃは復号できる。ここで、上記式（９Ａ）の右辺の“φ（Ｎ）・ｙ”を左辺に移項すると以下の式（１０）が得られる。

式（１０）からベズーの等式としても知られる一次不定方程式の整数解を利用することで、ＰＫとＳＫが導出できる。以下に、一次不定方程式の解法により具体的な例を提示しＰＫとＳＫの導出例を示す。 Comparing the exponents of equation (8) and equation (9),

By finding PK and SK such that holds, the equation (8) holds and the ciphertext C can be decrypted. Here, when “φ (N) · y” on the right side of the above equation (9A) is transposed to the left side, the following equation (10) is obtained.

PK and SK can be derived from equation (10) by using an integer solution of a linear indeterminate equation, also known as a Bézout equation. In the following, a specific example is presented by solving a linear indefinite equation, and an example of deriving PK and SK is shown.

式（１０）と式（１１）を見比べると、ａ＝ＰＫ，ｘ＝ＳＫ，φ（Ｎ）＝ｂに相当することが判る。“ｙ”は“−ｙ”に置き換える。
前述から、“φ（Ｎ）＝（Ｐ−１）×（Ｑ−１）”のため、例として素数Ｐ＝１１と素数Ｑ＝１３を用意してＮとφ（Ｎ）を求めると、
Ｎ＝１１×１３＝１４３，φ（Ｎ）＝１０×１２＝１２０
となる。次にＰＫを導出するが式（１１）は定理より、“ａ”と“ｂ”を互いに素（最大公約数が１）な整数とするため、φ（Ｎ）＝１２０と素な整数を公開鍵ＰＫ（＝ａ）としてランダムに選択できる。 <Theorem> Integer solutions of linear indefinite equations When “a” and “b” are relatively prime integers, there are integer solutions “x” and “y” that satisfy the following binary linear equation.

Comparing Equation (10) and Equation (11), it can be seen that a = PK, x = SK, and φ (N) = b. “Y” is replaced with “−y”.
From the above, since “φ (N) = (P−1) × (Q−1)”, for example, when prime numbers P = 11 and Q = 13 are prepared and N and φ (N) are obtained,
N = 11 × 13 = 143, φ (N) = 10 × 12 = 120
Becomes Next, PK is derived. Equation (11) discloses a prime integer of φ (N) = 120 in order to make “a” and “b” mutually prime integers (the greatest common divisor is 1) from the theorem. The key PK (= a) can be randomly selected.

が成り立つ。上記から１０と１２で共に割り切れる最小の値（最小公倍数）は６０となるため、“ＬＣＭ（１０，１２）＝６０”であり、上記の式の素数Ｐか素数Ｑ以外の適当な整数Ａの指数に“６０”を当て嵌めると“６０，１２０，１８０，…”と６０刻みに周期的に“Ｐ×Ｑ”で法をとった値は１になる。 In Equation (5), since φ (N) also holds as the least common multiple LCM (Least Common Multiple) of “P−1” and “Q−1”, the function that takes the least common multiple is LCM (P−1, Q-1) is replaced with “φ (N)”, and since “N = P × Q”, this is also replaced.

Holds. From the above, since the minimum value (least common multiple) divisible by 10 and 12 is 60, “LCM (10, 12) = 60”, and an appropriate integer A other than the prime number P or the prime number Q in the above equation When “60” is applied to the exponent, a value obtained by modulating “P × Q” periodically by 60 such as “60, 120, 180,...” Becomes 1.

一次不定方程式の整数解「拡張されたユークリッドの互除法」によって秘密鍵ＳＫとなる“ｘ”と“ｙ”を求める。“ｘ”と“ｙ”を求める例を図９に示す。

The public key PK (= a) is selected by applying the least common multiple that satisfies φ (N) = LCM (P−1, Q−1) according to the literature, and a smaller prime value “0 <PK <LCM (P -1, Q-1) ”is introduced, but the least common multiple“ φ (N) = 60 ”is used here.
For example, the public key PK (= a) is appropriately assigned a prime number 7 (a prime value equal to 60).
Thus, “a” and “b” in equation (11) are determined as follows.

"X" and "y" to be secret keys SK are obtained by an integer solution of a linear indefinite equation "extended Euclidean algorithm". FIG. 9 shows an example of obtaining “x” and “y”.

式（１２）の“ａ×ｂ”の部分は差し引きで消去できるため式（１１）と等しい。
求めた値は“ｘ＝−１７，ｂ＝６０”、また“ｙ＝２，ａ＝７”であるため、これを式（１２）に代入すると、

と“ｘ＝４３，ｙ＝−５”になり、式（１０）の形式が得られこれで残りの秘密鍵ＳＫ＝４３が得られた。
以上、ＲＳＡ暗号は平文を底の数値として、公開鍵ＰＫで冪乗を行い“Ｎ＝素数Ｐ×素数Ｑ”で法をとり暗号文を生成し、暗号文を底の数値として秘密鍵ＳＫで冪乗を行い、“Ｎ＝素数Ｐ×素数Ｑ”で法をとり、復号を行い平文に戻すことを示した。 Although “x = −17, y = 2” is obtained as in the above equation, “x” is minus and “y” is plus. When compared with equation (10), “y” is minus. To make “y = −y”, the following technique is used so that “x” becomes positive. Equation (11) is transformed into the following equation (12).

Since the portion of “a × b” in the equation (12) can be deleted by subtraction, it is equal to the equation (11).
Since the obtained values are “x = −17, b = 60” and “y = 2, a = 7”, when these values are substituted into Expression (12),

And "x = 43, y = -5", and the form of Expression (10) is obtained, and the remaining secret key SK = 43 is obtained.
As described above, the RSA cryptosystem generates a ciphertext by raising the plaintext to the base number, raising the power to the public key PK, performing a modulus by “N = prime number P × prime number Q”, and setting the ciphertext to the base number as the secret key SK. It has been shown that the power is raised, the modulus is calculated by “N = prime number P × prime number Q”, and the decryption is performed to return to the plain text.

  As shown in FIG. 1, the public key generation means 203 of the receiving device 200 generates a public key, and the secret key generation means 204 generates a secret key. The generated public keys PK and N are disclosed to the user of the transmission device 100 as a third party. If PK and φ (N) are applied to equation (10) by prime factorization of N to obtain prime numbers P and Q, the secret key SK can be easily found, but the prime numbers of large digits are multiplied. The prime factorization of a composite number requires an enormous amount of calculation and is based on the fact that the prime numbers P and Q cannot be determined. In January 2011, the National Institute of Standards and Technology (NIST) of the United States Department of Commerce (NIST SP800-131) announced that the law N used for RSA encryption should be 2048 bits or more.

が成り立つ”ＳＫ”を見つけることであると、紹介されている。しかしながら、これは被除数ＰＫ×ＳＫを除数φ（Ｎ）で割った商ｙの剰余が１ということであり、以下の式が成り立つ。

この式は、式（１０）と同じであり、本実施形態では一次不定方程式の整数解により秘密鍵ＳＫを導出することとした。 In addition, regarding the method of deriving the secret key SK, according to the literature,

Is to find “SK” that holds. However, this means that the remainder of the quotient y obtained by dividing the dividend PK × SK by the divisor φ (N) is 1, and the following equation is established.

This expression is the same as Expression (10), and in the present embodiment, the secret key SK is derived by an integer solution of a linear indeterminate equation.

<First embodiment>
Using the public key and secret key obtained as described above, the public key cryptosystem according to the first embodiment shown in FIG. 1 performs an operation based on the flowchart shown in FIG. Perform encryption and decryption. In FIG. 10, it is assumed that the public key PK, the secret key SK, and the modulus N have already been generated in the receiving device 200 from the prime numbers P and Q, and the public key PK and the modulus N have been passed to the transmitting device 100.

  That is, the transmitting apparatus 100 obtains the public key PK and the public key N (law N) (S11), obtains the plaintext (S12), sets the public key PK to the number of repetitions of the Bernoulli shift mapping, and sets the public key N Is set to the maximum section of the Bernoulli shift mapping, the plain text is set to the inclination coefficient of the Bernoulli shift mapping (S13), and the preparation is completed.

Next, encryption is performed by Bernoulli shift mapping (S14). The process of step S14 is a process by executing the program shown in FIG. The process of step S14 is performed, and a value X _PK resulting from the repetition _PK is generated as a cipher text (S15). This ciphertext _XPK is transmitted to receiving apparatus 200 via transmission path 300.

  On the other hand, the receiving device 200 obtains the secret key SK and the secret key N (law N) (S21), and receives the ciphertext (S22). Next, the secret key SK is set to the number of iterations of the Bernoulli shift mapping, the secret key N is set to the maximum section of the Bernoulli shift mapping, and the ciphertext is set to the inclination coefficient of the Bernoulli shift mapping (S23), and the preparation is completed. Becomes

Next, decoding is performed by Bernoulli shift mapping (S24). The process of step S24 is a process by executing the program shown in FIG. The process in step S24 is performed, and a value _XSK resulting from the repetition of the number of repetitions _SK is generated as a decrypted text (plaintext) (S25).

The processing of the public key cryptosystem will be described with a specific example. As an example, it provides three plaintext (A = 5, A = 19 , A = 101), shown in Figure 11 the value of each iteration X _i when the decoding by encryption and a secret key by the public key. As described above, the plaintext A does not include the same value as the prime number P = 11 or the prime number Q = 13. For this reason, in practical use, the plaintext is restricted to a value equal to or less than the prime number P and the prime number Q. In each plaintext, “X ₇ ” shown in the row of “i = 7” in FIG. 11A obtained by repeatedly performing the operation of the value of the public key seven times by the equation (4) is a ciphertext. In the row of “i = 43” in FIG. 11B, X ₄₃ obtained by performing a repetitive operation on the cipher text for 43 times as the value of the secret key using equation (4) is decrypted into the original plain text. You can check. Note that the initial value X ₀ is set to “1” for both encryption and decryption.

FIG. 12 shows an image of this encryption and decryption as a map of Bernoulli shift mapping. According to FIG. 12, when the plain text is set to 5, the slope in the equation (4) becomes A = 5, and the encryption is performed by repeating the decryption key (PK = 7) times and encrypting the encrypted text X ₇ = 47 is obtained. At the time of decryption, the plaintext 5 of X ₄₃ = 5 is restored by setting X ₇ = 47 to the gradient A = 47 in equation (4) and performing repetitive mapping for the number of times of the secret key (SK = 43). .

Consider the computational load. As shown in the source code of FIG. 7, since the number of divisions of the section is determined by the value of the slope A, for example, when the sender transmits 64-bit data such as a password of 8 characters, the plaintext (tilt A) is divided into 8 bits. ) Is reduced and encrypted, and transmitted eight times. As a result, the maximum number of divisions (up to 255) of a section in one (8-bit) encryption process is reduced, and the number of times of section search can be reduced. Since the cipher text X _{i to be} transmitted (slope A used for decryption) becomes larger depending on the value of the modulus N, the transmitting side performs encryption with a portable terminal having low processing capability, and the receiving side performs processing with a server having high processing capability. This is suitable for a form such as passcode authentication in which decryption is performed by using.

  In the calculation by the conventional joint arithmetic, the number of steps “r” in the source code of FIG. 7B corresponds to the value of the public key or the secret key. It is no longer a target. For this reason, a technique is used in which the amount of calculation is reduced by using the “power method”.

指数部分の秘密鍵ＳＫ＝４３から図７では４３ステップの計算が必要となる。冪乗法ではこの計算に補助項

を計算する。この手法はその前の項の２乗

から得られるため計算ステップは５回となる。

となり、計算ステップが３回となるため、合計８回のステップで計算が可能となり演算負荷を軽減できる。 As an example, when the ciphertext 47 in FIG. 11 is returned to the decryption text 5, the following joint arithmetic expression is established from Expression (7).

In FIG. 7, 43 steps of calculation are required from the secret key SK = 43 in the exponent part. In the power method, an auxiliary term is used for this calculation.

Is calculated. This method is the square of the previous term

, The number of calculation steps is five.

Thus, the number of calculation steps is three, so that calculation can be performed in a total of eight steps, and the calculation load can be reduced.

の箇所ついて“５３×２７＝１４３１”となるが、２７を２進展開すると
“２⁴＋２³＋２¹＋２⁰”となり、補助項を求めると、

となり、

となり、足し算の計算は

となり、ここまでのすべての途中の計算は最大桁を、“１４３×２＝２８６”以下にできている。 In the calculations so far, since the modulus N = 143, the maximum digit may be handled up to “143 ² = 20449”. However, there is a method of reducing the maximum digit to “143 × 2 = 286”. For example,

Is obtained as "53 × 27 = 1431", but when 27 is binary-expanded, it becomes "2 ⁴ +2 ³ +2 ¹ +2 ⁰ ".

Becomes

And the calculation of addition is

, And the maximum digit in all the intermediate calculations up to this point can be set to “143 × 2 = 286” or less.

であるが、同様に４７を２進展開すると“２⁵＋２³＋２²＋２¹＋２⁰”となり、補助項を求めると

となり、

が最終的に導かれ、足し算部分は上記のように一回の足し算の余りの結果を次の値と足し算して余りを順に求めて行く。 Also,

However, similarly, when 47 is binary-expanded, it becomes “2 ⁵ +2 ³ +2 ² +2 ¹ +2 ⁰ ”.

Becomes

Is finally derived, and in the addition part, the remainder of one addition is added to the next value to obtain the remainder in order, as described above.

  Compared with Expression (13), the number of calculation steps is increased, but the maximum number of digits in all intermediate calculations can be reduced to “143 × 2 = 286” or less, and the number of digits can be reduced. By adopting a technique of reducing the maximum digit required for such an operation and replacing the joint arithmetic part with the operation of Bernoulli shift mapping as shown in FIG. 7, the number of digits of the slope A is reduced, and the number of searches for the section is reduced. Therefore, it is expected that the calculation load can be reduced.

  FIG. 1A shows a public key encryption system according to the second embodiment. In the public key encryption system according to the second embodiment according to the second embodiment, the transmission device 100A includes a transmission-side initial value change control unit 105 that changes the initial value of the Bernoulli shift mapping every time encryption is performed. Each time the receiving device 200A decrypts the ciphertext, the receiving-side initial value change control unit 205 changes the initial value of the Bernoulli shift mapping to the same value as the initial value changed by the transmitting-side initial value change control unit 105. And an inverse element calculating means 206 for calculating an inverse element of the ciphertext using the initial value changed by the receiving-side initial value changing control means 205. The encryption means 102 performs Bernoulli shift mapping using the initial value changed by the transmission-side initial value change control means 105 to perform encryption. The decryption means 202 performs Bernoulli shift mapping on the inverse ciphertext obtained using the initial value changed by the reception-side initial value change control means 205 to perform decryption. This inverse element will be described in detail in the next third embodiment. According to the present embodiment, the initial value is changed each time the ciphertext is encrypted. Therefore, when the plaintext is composed of only “Yes” or “No”, the same plaintext is encrypted with the same public key. If the encryption is continued, the risk that the plaintext can be detected is reduced because the ciphertext is limited.

  FIG. 1B shows a public key cryptosystem according to the third embodiment. This embodiment includes a random number seed generating unit 400 that generates a random number seed that is an initial value when executing the Bernoulli shift mapping. The random number seed generation means 400 is provided in a device other than the transmitting device 100B and the receiving device 200B, and the generated random number seed is provided to the transmitting device 100B and the receiving device 200B in a secret state. Here, in the case of distribution using the transmission path 300, the data can be encrypted and transmitted, and can be decrypted and used by the transmitting device 100B and the receiving device 200B. Of course, the random number seed generation means 400 may be provided in at least one of the transmitting device 100B and the receiving device 200B.

  The encryption unit 102B sets a random number seed generated by the random number seed generation unit 400 and given via the transmission-side initial value change control unit 105 as an initial value, and uses this initial value and the public key to perform a Bernoulli shift mapping. To convert the plaintext into ciphertext. In addition, the receiving apparatus 200B calculates the inverse of the ciphertext by using the random number seed generated by the random number seed generation unit 400 and given through the receiving-side initial value change control unit 205. Source calculation means 206 is provided. The decryption means 202B performs decryption using the Bernoulli shift map on the inverse ciphertext calculated by the inverse element calculation means 206, and converts the encrypted text into plaintext.

FIG. 13 shows a flowchart of the process according to the third embodiment. The processing in this flowchart is a modification of the processing in FIG. 10, and the transmitting device 100B and the receiving device 200B additionally include a random number seed acquisition step (S16, S26). Then, on the transmitting side, in step S17, the public key PK is set to the number of iterations of the Bernoulli shift mapping, the public key N is set to the maximum section of the Bernoulli shift mapping, and the plain text is set to the slope coefficient of the Bernoulli shift mapping, set the random number seed to the initial value X ₀ (S17), preparation is completed. After receiving the ciphertext, the receiving device 200B performs a process of obtaining an inverse using a random number seed (S27), and sets the ciphertext calculated by the inverse as a ciphertext to be decrypted (S28). Other processes are the same as the processes according to the first embodiment.

The processing of the public key cryptosystem will be described with a specific example. The flowchart of encryption by the transmitting device 100B in FIG. 13, in addition to when the plain text and 5 of the initial value X ₀ = 1, the two initial value X ₀ of X ₀ = 3 and X ₀ = 67 as an example Prepared. FIG. 14 is a table showing “X _i ” obtained by setting these two X ₀ = 3 and X ₀ = 67 to initial values and repeatedly calculating the number of times of the decryption key (PK = 7). When the initial value X ₀ is set to 3, the cipher text is expressed as C _3, and C ₃ = 141 is obtained. With the initial value X ₀ = 1, assuming that the cipher text is C ₁ , the cipher text C ₁ = 47, whereas by changing the initial value X ₀ = 3, a different cipher text can be obtained. Here, the first X ₀ from the initial value X _0, X _1, X _2, paying attention to the value of the X _i that changes ..., becomes _{X 0 = 3, X 1 =} 15, X 2 = 75 Oil. When these are divided by X ₀ = 3, X ₀ = 1, X ₁ = 5, and X ₂ = 25, which are the same values as when the initial value X ₀ = 1 is set. As described above, since the ciphertext obtained when the initial value is changed differs from the ciphertext when the initial value X ₀ = 1, the initial value changed from the ciphertext obtained by changing the initial value. Is used to calculate the cipher text when the initial value X ₀ = 1. Then, the inverse calculation means executes the “process of calculating the inverse”.

が成り立つ暗号文Ｃ₁を求めればよいため、“１４１／３”を計算した結果のＣ₁＝４７が該当することが判る。ただし、注意点がある。初期値Ｘ₀＝１の場合と同等になる暗号文Ｃ₁は乱数で決めた初期値Ｘ₀で逆数をとることで求められるが、合同算術において乗法逆元は上記合同式を満たすＣ₁＝４７のみでなく複数の解が得られることである。 For each value of ciphertext when starting from the initial value X ₀ = 3 until ciphertext C ₃ = 141, Taking the reciprocal of the modular arithmetic at 3, each time the initial value X ₀ = 1 " X _i ″ can be obtained, and the ciphertext C ₁ = 47 that is X ₇ can be obtained. In this case,

Because may be obtained ciphertext C ₁ to holds, "141/3" is C ₁ = 47 of the calculated results it can be seen that appropriate. However, there is a caveat. The ciphertext C ₁ equivalent to the case of the initial value X ₀ = 1 can be obtained by taking the reciprocal with the initial value X ₀ determined by the random number. In the joint arithmetic, the multiplicative inverse is C ₁ = That is, not only 47 but also a plurality of solutions can be obtained.

変形すると

となり、“ｙ＝０，３，６，…”とすることで、“Ｃ₁＝４７，１９０，３３３，…”と際限なく複数の解が得られて元の暗号文が１つに識別できなくなる。そこで、「初期値Ｘ₀とする乱数種と平文の数値は、法Ｎ以下の値とする」と言うルールを設けることで１つに絞る。この例では、Ｃ₁＝４７のみが取得されることになる。 In the above equation, the remainder of the quotient y obtained by dividing the dividend 3 × C ₁ by the divisor 143 is 141, and the following equation is established.

When deformed

By setting “y = 0, 3, 6,...”, “C ₁ = 47, 190, 333,. Disappears. Therefore, the rule of “the random number seed and the plaintext numerical value to be set to the initial value X ₀ is a value equal to or smaller than the modulus N” is provided, and the rule is reduced to one. In this example, only C ₁ = 47 will be obtained.

が成り立つ暗号文Ｃ₁を求めればよい。以下の式の解が整数になるＣ₁を求めると、

“ｙ＝２２，８９，１５６，…”とすることで、“Ｃ₁＝４７，１９０，３３３，…”と複数の解が得られる。そこで、前述のルールに従って法Ｎ（ここでは１４３）以下の値とするためＣ₁＝４７のみを取得することができる。 Next, when the setting is changed to the initial value X ₀ = 67, (X ₇ =) C ₆₇ = 3 is obtained with the cipher text as C ₆₇ , and a cipher text different from that when the initial value X ₀ = 1 is obtained. It can be confirmed that it is done.
in this case

It may be obtained ciphertext C _1, which is true. When obtaining the C ₁ the solution of the following formulas is an integer,

By setting “y = 22, 89, 156,...”, A plurality of solutions are obtained as “C ₁ = 47, 190, 333,. Therefore, only C ₁ = 47 can be obtained in order to make the value equal to or less than the modulus N (here, 143) according to the above-described rule.

From the ciphertext C _x0 which is generated when setting the random seed to the initial value X ₀ from the above, when returning to the ciphertext C ₁ that is generated when setting the initial value X ₀ = 1, the following equation (14 ) may be determined to a C ₁ to hold.

The initial value X ₀ of the random number seed needs to be kept secret between the transmitting device (sender) and the receiving device (receiver). FIG. 1C shows a public key cryptosystem according to the fourth embodiment having the configuration for this purpose. The random number seed generation means 400 is provided in the transmitting device 100C. The encrypting means 102C provided in the transmitting apparatus 100C encrypts the random number seed generated by the random number seed generating means 400 by executing Bernoulli shift mapping in the encrypting means 102C using the public key. Further, the encrypted random number seed is sent to the receiving device 200C via the sending means 101. In the receiving apparatus 200C, the decrypted means 202C executes the Bernoulli shift mapping to decrypt the received encrypted random number seed and uses it. In the fourth embodiment, similarly to the third embodiment, the inverse calculation unit 206 calculates the inverse using the changed initial value (random number seed).

  FIG. 13A is a flowchart illustrating a process of random number seed, a process of encrypting and transmitting a plaintext, and a process of decrypting an encrypted ciphertext in the fourth embodiment. The receiving device 200C generates a prime number P and a prime number Q, creates a public key N = PxQ and a public key PK from P and Q (S41), and sends the public key PK and the public key N to the sender (S42). ). Further, a secret key SK is generated from the public key N and the public key PK (S43). The transmitting apparatus 100C generates a random number seed and encrypts the random number seed by Bernoulli shift mapping using the public key received from the receiving apparatus 200C as described above (S31). Next, the encrypted random number seed is sent to the receiving device 200C (S32). On the other hand, the receiving device 200C decrypts the received encrypted random number seed by Bernoulli shift mapping using the secret key to restore the random number seed (S44). As described above, the same random number seed is updated in the transmitting apparatus 100C and the receiving apparatus 200C every time a ciphertext is generated and decrypted.

The transmitter and 100C, performs encryption of the plaintext by Bernoulli shift map which sets the random number seed to the initial value X ₀ using a public key (S33), and transmits the ciphertext to the receiver 200C (S34). The receiving device 200C receives the cipher text from the transmitting device 100C, and calculates the inverse of the received cipher text using the random number seed as the reciprocal (S45). As a result, the encrypted text encrypted with the random number seed as the initial value is converted into the encrypted text whose initial value is 1 (an inverse encrypted text is obtained). The receiving apparatus 200C decrypts the inverse ciphertext into a plaintext by Bernoulli shift mapping using a secret key (S46). Thus, the plaintext before being encrypted in transmitting apparatus 100C is safely restored in receiving apparatus 200C.

  FIG. 1D shows a configuration of a public key cryptosystem according to the fifth embodiment. In the present embodiment, the random number seed generation means 400D provided in the transmission device 100D generates one elementary random number seed that is a source of the random number seed when generating the ciphertext. This original random number seed is provided to the receiving device 200D via the transmitting means 101. The random number seed generation means 400D generates a random number seed by a predetermined algorithm based on the original random number seed every time the plaintext is encrypted, and supplies the random number seed to the encryption means 102D via the transmission-side initial value change control means 105 to perform encryption. Let it be used as an initial value.

  In the receiving device 200D, the encrypted original random number seed received by the receiving unit 201D is sent to the decrypting unit 202D and decrypted to be the original random number seed. The receiving device 200D includes a receiving-side random number seed generation unit 208. The receiving-side random number generation means 208 generates a random number seed by the same algorithm as the random number seed generation means 400D based on the original random number seed every time the encrypted text is decrypted. The receiving device 200D performs decoding using the random number seed generated by the receiving-side random number seed generation means 208. That is, the random number seed generated above is provided to the inverse element calculating means 206, and the inverse element of the ciphertext is calculated using the random number seed as an initial value. The ciphertext for which the inverse element has been calculated is decrypted by the decryption means 202D in the same manner as in the other embodiments, and a plaintext is obtained.

Point of the fifth embodiment is to the initial value X ₀ sent from the transmitting device (the sender) to a receiving apparatus (receiver) and confidentiality. In the third embodiment shown in FIG. 1B, each time the transmitting device sends the ciphertext to the receiving device, a random number seed (initial value X ₀ ) is generated, and the seed is encrypted with a public key and transmitted. The side performs decryption using a secret key and obtains a random number seed (initial value X ₀ ) to share secret information with each other. However, according to this embodiment, there is a problem that it takes a relatively long time to generate a random number for each communication and perform encryption and decryption using a public key cryptosystem.

For this reason, in the fifth embodiment, an original random number seed, which is a random number to be kept secret from each other only in the first time, is transmitted and received, and in the second and subsequent times, the secret random number (original random number seed) is used as a seed to generate secret information. By generating a certain initial value X ₀ , it is possible to reduce the time and effort required for the transmitting apparatus to encrypt and transmit the random number seed each time and for the receiving apparatus to receive and decrypt the encrypted random number seed.

  FIG. 15 shows a flowchart of the present embodiment. The receiving device 200D generates a prime number P and a prime number Q, creates a public key N = PxQ and a public key PK from P and Q (S41), and sends the public key PK and the public key N to the sender (S42). ). Further, a secret key SK is generated from the public key N and the public key PK (S43). The transmitting device 100D generates an original random number seed (S31D) and transmits it to the receiving device 200D (S32D). The transmitting device 100D and the receiving device 200D share a secret random seed (one) in advance. There is no limitation on the method of sharing the information confidentially. For example, the method may be transmitted to the receiving device 200D in the same manner as the method of the fourth embodiment in FIG. 1C in which the random number seed for each encryption is shared. it can. The transmitting device 100D and the receiving device 200D generate random numbers using the same algorithm. The secret random number seed and the random number seed generated each time by the transmitting device 100D are converted (generated) by the same random number generation algorithm shared by the receiving device 200D and the transmitting device 100D (S35, S47).

The converted random number seed is set to the initial value X ₀ of the Bernoulli shift mapping, and the transmitting device 100D performs encryption by the encryption means 102D of FIG. 1D (S33), and transmits the ciphertext to the receiving device 200D (S34). . In the receiving device 200D, the receiving-side random number seed generation means 208 converts the random number seed based on the original random number seed received from the transmitting device 100D (S47), and calculates the inverse with the random number seed obtained by converting the received cipher text (S47). S45). The ciphertext obtained as a result of the inverse operation is decrypted using the secret key SK to obtain a plaintext (S46). By adopting such a configuration, it is possible to omit the calculation of the public key cryptography, which has a relatively high calculation cost, such as encrypting the random number seed generated at every communication by the transmitting device 100D and decoding by the receiving device 200D.

The random number generation algorithm shared by the receiving device 200D and the transmitting device 100D uses, for example, Bernoulli shift mapping. In this case, the random number seed generated by the transmitting device 100D with the secret random number as the slope value is set to the initial value X ₀ , and a predetermined number of times (preferably the random number seed concealed by the receiving device 200D and the transmitting device 100D) is used. It is conceivable to obtain a random number seed converted by an iterative operation.

  In recent years, a service that uses a password card when accessing (logging in) a bank account from the Internet has been provided. Here, the random number generated by the server and the random number generated by the password card possessed by the user are generated from the same random number generation conversion algorithm using time as a seed. Then, the random number of the password card held by the server and the random number of the password card held by the user are always held as random numbers to be kept secret so that they can be synchronized. Such a random number seed may be used.

According to the second to fifth embodiments, the plaintext is encrypted by the Bernoulli shift mapping by changing the initial value X ₀ as the initial vector every time of transmission (every time ciphertext is generated). Even plaintext (passcode) is a different ciphertext in communication, so it is difficult to determine that a third party (attacker) is communicating the same plaintext, and an improvement in security can be expected.

  As described above, if the mutually confidential random seeds are captured as the common key of the common key cryptosystem, it is possible to provide security strength in which the common key cryptosystem is added to the public key cryptosystem. The key length of the public key modulus N tends to increase year by year for the purpose of ensuring security along with the improvement of computer processing performance. However, as the key length of the public key increases, the operation cost also increases. By giving a secret random number seed as a common key to secure the security, a configuration can be made to trade off the strength of the security and the calculation cost.

  The RSA cryptosystem is based on the operation based on joint arithmetic, but in the present embodiment, the operation is performed by Bernoulli shift mapping, so that the division remainder becomes unnecessary and the operation can be performed by one subtraction, so that the operation cost can be reduced. Further, the number of divisions of the section is determined by the value of the slope A in Expression (4). Therefore, in the present embodiment, in the encryption process, the transmitting device may reduce the value of the plaintext (slope A) by dividing the plaintext into small parts, thereby reducing the calculation cost of the number of search times of the section. For this reason, it is suitable for a form such as passcode authentication in which the transmitting side performs encryption with a portable terminal having low processing capability and the receiving side performs decryption with a server having high processing capability.

This embodiment employs a configuration in which the initial value X ₀ of the Bernoulli shift mapping is changed by a random number seed as an initial vector. For this reason, if the same plaintext is encrypted with the same public key, a different ciphertext can be output every time according to the random number seed. The effect that the property becomes high can be expected. Further, when the present embodiment regards the mutually confidential random number seeds having the initial value X ₀ as those using the common key of the common key cryptosystem, the security strength obtained by adding the common key cryptosystem to the public key cryptosystem is added. Can be expected to have an effect.

  The key length of the public key modulus N tends to increase year by year for the purpose of improving security as well as improving computer processing performance. Since the operation cost increases as the key length of the public key increases, the present embodiment assumes that the length of the public key is reduced and the secret random number seed is adopted as the common key. And a configuration that trades off operation cost.

100, 100A, 100B, 100C, 100D Transmission device 101 Transmission means 102, 102B, 102C, 102D Encryption means 105 Transmission-side initial value change control means 200, 200A, 200B, 200C, 200D Receiving device 201 Receiving means 202, 202B 202C, 202D Decryption means 203 Public key generation means 204 Private key generation means 205 Reception-side initial value change control means 206 Inverse element calculation means 208 Reception-side random number seed generation means 300 Transmission path 400, 400D Random number seed generation means

Claims (17)

A public key cryptosystem comprising: a transmitting device that encrypts a plaintext using a public key and sends the ciphertext; and a receiving device that receives the transmitted ciphertext, decrypts the encrypted text using a secret key corresponding to the public key, and returns the plaintext. In the system,
The transmitting device includes an encryption unit that performs a Bernoulli shift mapping using the public key and converts a plaintext into a ciphertext.
The public key cryptosystem according to claim 1, wherein the receiving device includes a decryption unit that performs a Bernoulli shift mapping using the secret key to convert a ciphertext into a plaintext. The transmission device, comprises a transmission-side initial value change control means to change the initial value of the Bernoulli shift mapping for each encryption,
The receiving apparatus, the receiving-side initial value change control unit that changes the initial value of the Bernoulli shift mapping to the same value as the initial value changed by the transmitting-side initial value change control unit every time the ciphertext is decrypted, 2. The public key cryptosystem according to claim 1, further comprising: an inverse element calculating means for calculating an inverse element of the cipher text using an initial value changed by a receiving-side initial value change control means. . Having a random number seed generating means for generating a random number seed to be the initial value,
The encryption unit converts a plaintext into a ciphertext by executing a Bernoulli shift mapping using the random number seed generated by the random number seed generation unit and the public key,
The receiving device includes inverse element calculating means for calculating the inverse of the cipher text using the random number seed generated by the random number seed generating means for the cipher text,
3. The public key cryptosystem according to claim 2, wherein the decryption unit converts the ciphertext into a plaintext by executing Bernoulli shift mapping on the inverse calculated by the inverse calculation unit.   4. The method according to claim 3, wherein the random number seed generation means generates a new random number seed every time a ciphertext is generated, and supplies the random number seed to the transmission-side initial value change control means and the reception-side initial value change control means. Public key cryptosystem. The random number seed generating means is provided in the transmitting device, and the transmitting device encrypts the generated random number seed by executing Bernoulli shift mapping in the encrypting means using the public key, and encrypts the random number seed. Send to the receiving device,
5. The public key cryptosystem according to claim 4, wherein the receiving device decrypts and uses the received encrypted random number seed by the decryption unit. The random number seed generation means generates one original random number seed that is a source of the random number seed when generating the ciphertext, generates a new random number seed based on the original random seed every time the ciphertext is generated, and While giving to the initial value change control means, the receiving device performs a process of giving the original random seed,
The receiving device includes a receiving-side random number seed generation unit that generates a random number seed synchronized with the new random number seed generated by the random number seed generation unit based on the original random number seed every time a ciphertext is decrypted. 4. The public key cryptosystem according to claim 3, wherein the random number seed generated by the receiving random number seed generation means is given to the inverse element calculation means to calculate an inverse element.   The public key cryptosystem according to any one of claims 1 to 6, wherein a public key generating means for generating the public key is provided in the receiving device.   The public key cryptosystem according to any one of claims 1 to 7, wherein a secret key generating means for generating the secret key is provided in the receiving device. A public key cryptosystem comprising: a transmitting device that encrypts a plaintext using a public key and sends the ciphertext; and a receiving device that receives the transmitted ciphertext, decrypts the encrypted text using a secret key corresponding to the public key, and returns the plaintext. In the public key encryption method performed by the system,
The transmitting device includes an encryption step of performing a Bernoulli shift mapping using the public key to convert a plaintext to a ciphertext,
A public key encryption method, comprising: a decryption step of performing a Bernoulli shift mapping using the secret key to convert a ciphertext into a plaintext. The transmission device includes a transmission-side initial value change control step of changing the initial value of the Bernoulli shift mapping for each encryption,
The receiving device, the initial value of the Bernoulli shift mapping each time a ciphertext is decrypted, a receiving-side initial value change control step of changing to the same value as the initial value changed by the transmitting-side initial value change control unit, The public key cryptosystem according to claim 9, further comprising: an inverse element calculating step of calculating an inverse element of the cipher text using an initial value changed by the receiving side initial value change control step. Method. Having a random number seed generation step of generating a random number seed to be the initial value,
In the encrypting step, by using the random number seed generated in the random number seed generating step and the public key, performs a Bernoulli shift mapping to convert a plaintext into a ciphertext,
The receiving device includes an inverse element calculating step of calculating the inverse of the cipher text using the random number seed generated by the random number seed generating step for the cipher text,
The public key encryption method according to claim 10, wherein the decryption step performs a Bernoulli shift mapping on the inverse calculated by the inverse calculation step to convert a ciphertext into a plaintext.   The method according to claim 11, wherein in the random number seed generation step, a new random number seed is generated every time a ciphertext is generated, and is provided to the transmission-side initial value change control step and the reception-side initial value change control step. Public key cryptography. The random number seed generating step is provided in the transmitting device, and the transmitting device encrypts the generated random number seed by executing Bernoulli shift mapping in the encryption unit using the public key, and encrypts the random number seed. Sending to a receiving device,
The public key encryption method according to claim 12, wherein the receiving device decrypts and uses the received encrypted random number seed in the decrypting step. The random number seed generation step includes generating one elemental random number seed that is a source of the random number seed when generating the ciphertext, generating a new random number seed based on the original random number seed for each generation of the ciphertext, and While giving to the initial value change control step, the receiving device performs a process of giving the original random seed,
The receiving apparatus includes a receiving-side random number seed generation step of generating a random number seed synchronized with the new random number seed generated by the random number seed generation step based on the original random number seed every time a ciphertext is decrypted. The public key encryption method according to claim 11, wherein the random number seed generated in the receiving-side random number seed generation step is given to the inverse element calculation step to calculate the inverse element.   The public key encryption method according to claim 9, wherein the public key generation step of generating the public key is provided in the receiving device.   The public key encryption method according to any one of claims 9 to 15, wherein a secret key generation step of generating the secret key is provided in the receiving device.   A public key encryption program for causing a computer of a public key encryption system to function as each of the means of claim 1.

Images