JP3883942B2 - Security device, security method, security program, and recording medium - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a security device using a cryptographic technique, a security method, a security program for causing a computer to execute the function, and a computer-readable recording medium storing the security program, and in particular, a security apparatus using a public key cryptographic technique. The present invention relates to a security method, a security program for causing a computer to execute the function, and a computer-readable recording medium storing the security program.
[0002]
[Prior art]
  Conventionally, a Diffile-Hellman key distribution method (for example, see Non-Patent Document 1) applying the discrete logarithm problem and public key cryptography and digital signature methods as its applications have been proposed.
  First, a key distribution procedure by this conventional Diffile-Hellman key distribution method will be described. It is assumed that Party A and Party B are connected by an insecure communication line.
  When delivering a key, First, the pseudorandom number generator is used to determine an integer a that is less than or equal to N, and this a is transmitted to the second party via a communication line. Next, after determining a certain integer s using a pseudo random number generator, the former uses b = a using an integer arithmetic unit.^sModN is calculated, and the calculated b is sent to B while keeping the integer s secret.
  On the other hand, after determining an integer t using a pseudo-random number generator, B uses c = a using an integer arithmetic unit.^tcompute modN, an integertSend the calculated c to Instep, keeping the secret. In addition, B uses an integer arithmetic unit, and from the key b transmitted from the former, the key k = b^tFind modN.
  On the other hand, using an integer arithmetic unit, the key k = c^sFind modN.
  Here, the key k obtained by B is k = b^tmodN = a^stmodN, the key that Kou asked for k = c^smodN = a^stMatches modN. As a result, the common key k is delivered between Party A and Party B.
[0003]
  Next, a public key cryptosystem applying the conventional Diffile-Hellman key distribution scheme will be described. In the following, it is assumed that ciphertext is transmitted from Party B to Party A, and the encrypted text sent by Party A is decrypted.
  In this case, First, the pseudonym generator is used to determine an integer a equal to or less than N, and this a is transmitted to the second party via the communication line. Next, after determining a certain integer s using a pseudo random number generator, the former uses b = a using an integer arithmetic unit.^sModN is calculated, and the calculated b is sent to B while keeping the integer s secret. This integer s functions as a secret key, and b functions as a public key.
  On the other hand, after determining an integer t using a pseudo-random number generator, B uses c = a using an integer arithmetic unit.^tcompute modN, an integertSend the calculated c to Instep, keeping the secret. In addition, B uses an integer arithmetic unit, and b = k = b^tAfter modN is obtained and plaintext M is encrypted with this k, this ciphertext and the calculated c are transmitted to Party A.
  After receiving this, the former uses an integer arithmetic unit, and from sent c to k = c^smodN is calculated, and the sent ciphertext is decrypted using this k.
[0004]
Next, the Schnorr signature scheme, which is a digital signature scheme that applies the difficulty of the conventional discrete logarithm problem, will be described. In the following, Party A and Party B are connected by an insecure communication line, and Party B digitally signs message M sent from Party A to Party B. The verified digital signature shall be verified. In addition, it is assumed that Party A and Party B have a device for calculating a common hash function H.
In this case, first, the first public discloses the set prime number p and the natural number a, holds the natural number t determined using the pseudo-random number generator as a secret key, and^tb is set by modp, and the set b is made public as a public key.
[0005]
When Party A actually generates a signature, Party A further generates a natural number u using a pseudo random number generator, and uses this natural number u to generate c = a^uModp is calculated, and using this calculation result, an integer pair S = (c, u + tH (M, c)) is generated, and the generated integer pair S is kept in a state where the natural number u is kept secret. Send to B.
Integer pair S = (S₁, S₂) Will receive V = a according to this S and published b.^s2b^{H (M, s1)}c^-1Perform modp operations. Here, for example, if the signature is valid, the received integer pair S is S₁= c, S₂= u + tH (M, c). In this case, the value of V is V = a^{(u + tH (M, c))}b^{H (M, c)}c^-1modp, and the definition of b and c (b = a^tmodp, c = a^uFrom modp), V = 1. On the other hand, as described above, u and t that make up u + tH (M, c) are the secret information of Party A, so those other than Party A cannot properly select u and t. , S₁= c, S₂= u + tH (M, c) As a result, V = 1 is not achieved. Accordingly, the second party can determine that the signature is valid when V = 1, and can determine that the signature is invalid when V = 1. It is known that the security of this Schnorr signature scheme is safe if H is an ideal random number function and the discrete logarithm problem cannot be solved (for example, see Non-Patent Document 2).
[0006]
[Non-Patent Document 1]
Industrial book "Contemporary cryptography" Tatsuaki Okamoto, Hiroshi Yamamoto P200-202.
[Non-Patent Document 2]
Pintcheval and Stern: Security Proofs for Signature Schemes, Proc. Of Eurocrypt'96, LNCS 1070, Springer-Verlag, pp.387-398 (1996)
[0007]
[Problems to be solved by the invention]
However, in the conventional Diffile-Hellman key distribution scheme, and public key cryptography and digital signature schemes as its application, the number of four arithmetic operations required for calculating b and c is the size of s and t, which are secret parameters. It will increase depending on. Therefore, if the secret parameters s and t are increased to improve security, the amount of calculation at the time of key distribution, encryption / decryption, and signature generation / verification increases, and there is a problem in practical convenience. There are challenges.
The present invention has been made in view of such a point, and an object thereof is to provide a security device capable of improving such practical convenience.
Another object of the present invention is to provide a security method capable of improving such practical convenience.
Furthermore, another object of the present invention is to provide a security program for causing a computer to execute such a security function with improved practical convenience.
Another object of the present invention is to provide a computer-readable recording medium in which a security program for causing a computer to execute such a security function with improved practical convenience is recorded. .
[0008]
[Means for Solving the Problems]
In the present invention, in order to solve the above-described problem, a first number of parameters configured by a set of a first integer parameter and a second integer parameter are set, and the first integer parameter is set for the set. S_mAnd the second integer parameter is q_mWhere Σ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), where r is the first number,_{m = 0} ^rq_m(1-δ)^smAnd the security function is realized using the calculation result.
In this case, Σ_{m = 0} ^rq_m(1-δ)^smThe number of four arithmetic operations to act on is the first integer parameter s_m, The second integer parameter q_mIt does not increase with the size of. As a result, it is possible to improve safety against attacks from third parties while maintaining convenience during use.
[0009]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, a first embodiment of the present invention will be described with reference to the drawings.
Here, the outline of this embodiment will be described first, and then the details of this embodiment will be described.
FIG. 1 is a diagram for explaining an outline of a security system 1 in the present embodiment.
As illustrated in FIG. 1, the security system 1 includes security devices 2 and 3, and distributes a common key between the security devices 2 and 3.
[0010]
In the case of this example, the security device 2 includes a first parameter setting means 2a configured by a set of a first integer parameter and a second integer parameter to set a first number of parameters, and a set. For the first integer parameter s_mAnd the second integer parameter is q_mWhere Σ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), where r is the first number,_{m = 0} ^rq_m(1-δ)^smSimilarly, the security device 3 has a second number of parameters composed of a combination of a third integer parameter and a fourth integer parameter. For the second parameter setting means 3a and set to be set, the third integer parameter is set to u_mAnd the fourth integer parameter is v_mΣ in the case where the second number is t and δ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x)._{m = 0} ^tv_m(1-δ)^umThe linear action calculating means 3b and 3c are provided.
[0011]
Although details will be described later, in this example, the linear action calculating means 2b sets the predetermined polynomial as a (x), the degree of the polynomial as deg a (x), and the first integer parameter as s_mAnd the second integer parameter is q_mAnd the first number is r, ∂ is the differential operator, and an ideal is the result of the operation of the polynomial obtained by adding an arbitrary integer value to the integer coefficient polynomial variable performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is a means to calculate, and this allows linear operator Σ_{m = 0} ^rq_m(1-δ)^smThe inverse problem of the action of the ring by is generated. The same applies to the linear action calculation means 2c, 3b, and 3c.
[0012]
In the description of this embodiment and the following embodiments, δ means an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), and from this definition ( 1-δ)^sMeans an operator that associates a polynomial g (x-s) with an arbitrary polynomial g (x).
The ideal set I is an ideal, and a set obtained by adding an arbitrary integer value to an integer coefficient polynomial performed on the ideal is the ideal again. Is an ideal set. For “ideal”, for example, a subset I of the commutative ring R₁Is ideal if any x, y∈I₁X + y∈I₁And any x∈R and y∈I₁About xy∈I₁As an example of such an ideal set, for example, an ideal of a ring formed by a polynomial of integer coefficients, where δ is a polynomial g (x) with respect to an arbitrary polynomial g (x) -g (x-1) is the corresponding operator, and deg f (x) is the order of f (x), {f (x), δf (x), δ²f (x), ..., δ^{deg f (x)}A set generated by f (x)}.
[0013]
When distributing the common key k (x) in the security system 1 according to this embodiment, for example, the security device 2 first generates a common polynomial a (x) that is a polynomial of integer coefficients, and generates the generated common polynomial a ( x) is transmitted to the security device 3.
Then, for example, next, the security device 2 determines r integer sets (s, q) in the parameter setting means 2a, and the linear operator Σ for the common polynomial a (x) in the linear action calculation means 2b._{m = 0} ^rq_m(1-δ)^smAct. Specifically, for example, in the parameter setting means 2a, s = (s₁, s₂,…, S_r) And q = (q₁, q₂,…, Q_r), And in the linear action calculation means 2b, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated. Note that when a vector space V, V ′ on a field K is given, an operator A: V → V ′ is a linear operator. A (x + y) for any x, y∈V = A (x) + A (y) holds, and A (kx) = kA (x) holds for any x∈V and k∈K.
[0014]
After that, the common polynomial a (x)_{m = 0} ^rq_m(1-δ)^smThat is, that is, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI operation result b (x) is, for example, stored in the security device 3 in a state in which r, s, q are kept secret on the security device 2 side where these integer parameters are set. Sent.
On the other hand, the security device 3 determines t integer sets (u, v) in the parameter setting means 3a, and the linear operator Σ for the common polynomial a (x) in the linear action calculation means 3b._{m = 0} ^tv_m(1-δ)^umAct. Specifically, for example, in the parameter setting means 3a, u = (u₁, u₂, ..., u_r) And v = (v₁, v₂, ..., v_r), And in the linear action calculation means 3b, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated.
[0015]
After that, the common polynomial a (x)_{m = 0} ^tv_m(1-δ)^umThat is, that is, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI calculation result c (x) is, for example, stored in the security device 2 in a state where t, u, v are kept secret on the security device 3 side where these integer parameters are set. Sent.
The security device 2 to which the polynomial c (x) is transmitted from the security device 3 is, for example, a linear operator Σ in the polynomial c (x) in the linear operation computing means 2c._{m = 0} ^rq_m(1-δ)^smTo generate a common key. Specifically, for example, in the linear action calculating means 2b, Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI is calculated, and the calculation result is set as a common key K (x).
[0016]
On the other hand, the security device 3 to which the polynomial b (x) is transmitted from the security device 2 is, for example, a linear operator Σ in the polynomial b (x) in the linear operation calculation means 3c._{m = 0} ^tv_m(1-δ)^umTo generate a common key. Specifically, for example, in the linear action calculating means 3b, Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated, and the calculation result is set as a common key K (x).
Here, the number of four arithmetic operations required for the polynomial operation performed in the linear action calculating means 2b, 2c, 3b, 3c described above is the secret parameter (r, s, k, t, It does not depend on the size of u, v). Therefore, even when the size of the secret parameter (r, s, k, t, u, v) is increased, the number of arithmetic operations performed by the security devices 2 and 3 at the time of key distribution does not increase. As a result, the convenience is greatly improved as compared with the conventional Diffile-Hellman key distribution method in which the amount of calculation increases depending on the size of the secret parameter.
[0017]
Next, details of this embodiment will be described.
FIG. 2 is a diagram illustrating the overall configuration of the security system 10 according to this embodiment.
As illustrated in FIG. 2, the security system 10 includes, for example, security devices 20 and 30 that distribute a common key to each other, and a network 40 that connects the security devices 20 and 30 so that they can communicate with each other. The security devices 20 and 30 are electrically connected or connectable by wire or wireless so that they can exchange information with each other via the network 40.
[0018]
The security devices 20 and 30 include, for example, data line terminators such as modems, DSUs (Digital Service Units), NCUs (Network Control Units), TAs (Terminal Adapters), or are configured by connected computers. . Predetermined mail software and a WWW browser are installed in the security devices 20 and 30. By using the mail software and WWW browser, the security device 20 is connected via a mail server or WWW server (not shown). , 30 can communicate with each other.
[0019]
The network 40 is, for example, the Internet, an intranet, an extranet, a LAN (Local Area Network), a WAN (Wide Area Network), a VAN (Value Added Network), or the like, and there is no particular limitation on the form thereof. The communication line may be any line such as a dedicated line or a switched line, and the network connection form is not particularly limited, such as a ring type, a mesh type, a star type, a bus type, or a tree type. Further, the line connection method is not particularly limited and may be any method such as a point-to-point method, a multipoint method, a line concentrating method, or the like.
[0020]
The network 40 is configured based on a predetermined protocol such as OSI (Open Systems Interconnection), TCP / IP (Transmission Control Protocol / Internet Protocol), IEEE 802.3, IEEE 802.4, IEEE 802.5, and the like. The security devices 20 and 30 exchange information via the network 40 according to this protocol.
In FIG. 2, the security system 10 is configured by the two security devices 20 and 30, but a configuration in which more security devices 20 and 30 are provided and a common key is distributed between the security devices. It is good.
[0021]
FIG. 3 is a block diagram illustrating a hardware configuration of the security device 20.
As illustrated in FIG. 3, the security device 20 includes, for example, a central processing unit (CPU) 20a, a main storage device 20b, an external storage device 20c, an input device 20d, a recording medium read / write device 20e, and an output device. 20f, a communication control device 20g, and a bus 20h. The communication control device 20g is connected so as to be communicable with the network 40, or is configured to be connectable.
[0022]
The CPU 20a is, for example, a central processing unit of a CISC (Complex Instruction Set Computer) system or a RISC (Reduced Instruction Set Computer) system having a control device and an arithmetic unit, and receives a clock signal supplied from a transmitter (not shown). Synchronously executes various programs such as operating system and application program stored in the main storage device 20b, controls peripheral devices, calls necessary data, calculates and processes the called data, and stores the data after the calculation and processing. Various processes such as storage in memory and output to peripheral devices are performed.
[0023]
The main storage device 20b is, for example, a storage device that allows the CPU 20a to directly read and write data. For example, an operating system, application programs, data, drivers for controlling peripheral devices, and the like are read into the main storage device 20b, and the CPU 20a executes a series of operations by executing the operating system and the like read into the main storage device 12. Perform the process. For example, a high-speed storage element such as a semiconductor memory is used as the main storage device 20b, and the physical address in the main storage device 20b is a virtual address of the external storage device 20c by a method such as a paging method or a segmentation method. Associated with space.
[0024]
The external storage device 20c is, for example, a hard disk device that records data by rotating a thin disk deposited with a magnetic material at high speed and magnetizing the magnetic material with a magnetic head.
The input device 20d is an input / output device such as a keyboard and a mouse, for example. The recording medium read / write device 20e is, for example, a device that reads and writes information on a flexible disk and the like, and reads information from a compact disk and the like.
The output device 20f is, for example, a CRT (Cathode-ray Tube) display that displays an image by applying an electron beam to a fluorescent material on the screen surface, or a liquid crystal whose molecular arrangement changes when a voltage is applied. A liquid crystal display or the like that is used, and displays a predetermined video based on the supplied analog signal.
[0025]
The communication control device 20g is, for example, a general-purpose synchronous / asynchronous transmission / reception circuit such as USART (Universal Synchronous and Asynchronous Receiver-Transmitter), and performs serial conversion of data during data transmission / reception via the network 40. The bus 20d includes, for example, a data bus, an address bus, a control bus, and the like, and includes a CPU 20a, a main storage device 20b, an external storage device 20c, an input device 20d, a recording medium read / write device 20e, an output device 20f, and a communication control device 20g. Exchange data, address information, and control information between them.
[0026]
Although not described here, the security device 30 also has a hardware configuration similar to that of the security device 20, for example.
FIG. 4 exemplifies the processing function of the security device 20 constructed by specific means in which the hardware and software cooperate by executing a predetermined program (software) in the hardware illustrated in FIG. It is a functional block diagram.
As illustrated in FIG. 4, the security device 20 of this example uses a common polynomial generator 21 that generates a common polynomial of integer coefficients shared with a communication partner, and a common polynomial generated by the common polynomial generator 21 as a communication partner. Common polynomial disclosure means 22 to be disclosed, parameter setting means 23 for setting a first number of parameters configured by a set of a first integer parameter and a second integer parameter, an integer coefficient shared with a communication partner Let a (x) be the common polynomial of, let deg a (x) be the degree of the common polynomial, and let s be the first integer parameter_mAnd the second integer parameter is q_mAnd the first number is r, ∂ is the differential operator, and an ideal is the result of the operation of the polynomial obtained by adding an arbitrary integer value to the integer coefficient polynomial variable performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI calculation to generate a first calculation result, a linear action calculation means 24, and a calculation result disclosure means 25 for disclosing the generated first calculation result to the communication partner. , The calculation result acquisition means 26 for acquiring the second calculation result calculated by the communication partner, the second calculation result acquired by the calculation result acquisition means 26 as c (x), and the second calculation result c (x ) Is the degree deg c (x), and the first integer parameter is s_mAnd the second integer parameter is q_m, Where the first number is r, ∂ is the differential operator, and the ideal set is I_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) The linear function calculation means 27 for calculating modI, the control means 28 for controlling the entire security device 20, and the storage means 29 for storing various information are provided as processing functions.
[0027]
In this example, the common polynomial generator 21 uses a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1, and the like. Generating means 21a and a pseudo-random number generated by the pseudo-random number generating means 21a, generating a predetermined integer value, and having a polynomial generating means 21b for generating a common polynomial having the generated integer value as a coefficient, The parameter setting unit 23 uses a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1, and the like. It has an integer value calculation means 23b for generating a predetermined integer value using the pseudo random number generated by the generation means 23a. Further, in this example, the linear action computing means 24 includes an integer computing means 24 a that performs integer computation, a polynomial addition means 24 b that performs polynomial addition computation, and a polynomial differentiation means 24 c that performs polynomial differentiation computation. Includes an integer arithmetic means 27a for performing integer arithmetic, a polynomial addition means 27b for performing polynomial addition arithmetic, and a polynomial differentiating means 27c for performing polynomial differential arithmetic.
[0028]
Further, as illustrated in FIG. 4, the common polynomial generation unit 21, the common polynomial disclosure unit 22, the parameter setting unit 23, the linear action calculation unit 24, the calculation result disclosure unit 25, the calculation result acquisition unit 26, and the linear action calculation unit 27. The storage means 29 is configured to be capable of at least one of providing information to the control means 28 and obtaining information from the control means 28, and the common polynomial disclosure means 22 and the calculation result disclosure means 25 include: For providing information to the network 40, the calculation result acquisition means 26 is configured to be able to acquire information from the network 40, respectively.
[0029]
FIG. 5 illustrates the processing function of the security device 30 constructed by specific means in which the hardware and software cooperate by executing a predetermined program (software) in the hardware illustrated in FIG. 3. It is a functional block diagram.
As illustrated in FIG. 5, the security device 30 of this example includes a common polynomial acquisition unit 32 that receives a common polynomial of integer coefficients shared with a communication partner, a parameter setting unit 33, a linear action calculation unit 34, and calculation result disclosure. Means 35, calculation result acquisition means 36, linear action calculation means 37, control means 38 for controlling the entire security device 30, and storage means 29 are provided as processing functions.
[0030]
Further, in this example, the parameter setting means 33 uses a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1, and generates pseudo-random numbers. Means 33a and an integer value calculating means 33b for generating a predetermined integer value using the pseudo random number generated by the pseudo random number generating means 33a. Further, in this example, the linear action computing means 34 includes an integer computing means 34 a that performs integer computation, a polynomial addition means 34 b that performs polynomial addition computation, and a polynomial differentiation means 34 c that performs polynomial differentiation computation, and a linear action computation means 37. Includes an integer arithmetic unit 37a that performs integer arithmetic, a polynomial addition unit 37b that performs addition operation of polynomials, and a polynomial differentiation unit 37c that performs differential operation of polynomials.
[0031]
Further, as illustrated in FIG. 5, the common polynomial acquisition unit 32, the parameter setting unit 33, the linear action calculation unit 34, the calculation result disclosure unit 35, the calculation result acquisition unit 36, the linear action calculation unit 37, and the storage unit 39 include: It is configured so that at least one of provision of information to the control unit 38 and acquisition of information from the control unit 38 is possible, and the operation result disclosure unit 35 provides information to the network 40 by means of common polynomial acquisition unit. 32 and the calculation result acquisition means 36 are configured to be able to acquire information from the network 40, respectively.
[0032]
Next, processing operations of the security system 10 and the security devices 20 and 30 in this embodiment will be described.
FIG. 6 is a flowchart for explaining an example of processing operations of the security system 10 and the security devices 20 and 30 in this embodiment. The solid-line arrows in this flowchart exemplify a series of processing flow in the entire security system 10, and the broken-line arrows indicate a series of processing flow in the entire security system 10 and the security devices 20 and 30, respectively. FIG. 6 illustrates the processing flow of the security devices 20 and 30 alone with respect to portions where the processing flow differs. Here, for ease of explanation, the processing operation will be described along the processing flow as shown in FIG. 6 for the sake of convenience. However, the security devices 20 and 30 are each in an order different from the flow of this flowchart. Processing may be performed, and the security devices 20 and 30 may perform each processing simultaneously in parallel.
[0033]
Hereinafter, description will be given along this flowchart.
Step S1:
In this step, the security device 20 sets a common polynomial a (x) of integer coefficients.
The setting of the common polynomial a (x) is performed by, for example, the common polynomial generation unit 21 of the security device 20. Specifically, for example, first, pseudo-random number generation means 21a generates pseudo-random numbers using a pseudo-random number generation algorithm based on the computational complexity theory configured using a one-way hash function such as SHA-1. Next, in the polynomial generation means 21b, the pseudo random number is processed into a predetermined number of digits, and further, an integer coefficient of the polynomial is set by subtracting a predetermined value, etc., and this integer coefficient is used in common. Set the polynomial a (x).
The information for specifying the common polynomial a (x) set in this way is sent to the control means 28, for example, and the control means 28 sets the information for specifying the sent common polynomial a (x). To the common polynomial disclosure means 22 and the storage means 29. The information for specifying the common polynomial a (x) sent to the storage unit 29 is recorded in the storage unit 29 and used for specifying the common polynomial a (x) sent to the common polynomial disclosure unit 22, for example. The information is used for the next step S2.
[0034]
Step S2:
In this step, the security device 20 transmits the common polynomial a (x).
The transmission of the common polynomial a (x) is performed by, for example, the common polynomial disclosure unit 22 of the security device 20. Specifically, for example, information for identifying the common polynomial a (x) is presented to an e-mail addressed to the security device 30 from the security device 20 or a homepage on the Internet that can be browsed by the security device 30 And uploading information for specifying the common polynomial a (x).
When the transmission of the common polynomial a (x) is thus performed, the process proceeds to step S3.
[0035]
Step S3:
In this step, the security device 30 receives the common polynomial a (x).
The reception of the common polynomial a (x) is performed by, for example, the common polynomial acquisition unit 32 of the security device 30. Specifically, for example, the security device 30 accesses a mail server on the Internet and receives an e-mail addressed to the security device 30 sent from the security device 20, or specifies the common polynomial a (x) This is done by accessing a homepage on the Internet on which information for uploading is uploaded.
The information for specifying the common polynomial a (x) received in this way is sent to the control means 38, for example, and the control means 38 uses the information for specifying the sent common polynomial a (x). The data is sent to the storage means 39. Information for specifying the common polynomial a (x) sent to the storage means 39 is stored in the storage means 39, for example, and the process proceeds to the next step S4.
[0036]
Step S4:
In this step, the security device 20 sets r integer sets (s, q).
The setting of r integer sets (s, q) is performed by the parameter setting means 23 of the security device 20, for example. Specifically, for example, first, pseudo-random number generation means 23a generates pseudo-random numbers using a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1. Next, in the integer value calculation means 23b, this pseudo random number is processed into a predetermined number of digits, and further, a predetermined value is subtracted, etc., so that a predetermined r number of integer sets (s, q), that is, , S = (s₁, s₂,…, S_r) And q = (q₁, q₂,…, Q_r) And set.
The information for specifying the set r integer sets (s, q) is sent to the control means 28, for example, and the control means 28 specifies the sent r integer sets (s, q). Information to be sent is sent to the linear action calculation means 24 and the storage means 29. Information for specifying r integer sets (s, q) sent to the storage means 29 is stored in the storage means 29 and sent to the linear action calculation means 24, for example. , q) is used for the process of step S5.
[0037]
Step S5:
In this step, the security device 20 calculates a polynomial.
The calculation of the polynomial in this step is performed, for example, in the linear action calculation means 24 of the security device 20. When performing this polynomial calculation, for example, first, the control means 28 reads information for specifying the common polynomial a (x) stored in the storage means 29 in step S1, and uses the information as the linear action calculation means 24. Send to. The linear action computing means 24 to which this information has been sent calculates Σ to the common polynomial a (x) through a calculation using this information and the information sent in the process of step S4._{m = 0} ^rq_m(1-δ)^smPerform the process to act. In this example, this common polynomial a (x)_{m = 0} ^rq_m(1-δ)^smAs a specific calculation method for operating the linear action calculation means 24, an integer calculation means 24a, a polynomial addition means 24b and a polynomial differentiation means 24c are used, and b (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated. Here, the reason why the remainder operation is performed by such an ideal set I will be described later.
Information for specifying the polynomial b (x) indicating the result of such calculation is sent to the control means 28, for example, and the control means 28 uses information for specifying the sent polynomial b (x). And sent to the calculation result disclosure means 25. When this information is sent to the calculation result disclosing means 25, the process proceeds to step S6.
[0038]
Step S6:
In this step, the security device 20 transmits the polynomial b (x).
The transmission of the polynomial b (x) is performed by, for example, the calculation result disclosure means 25 of the security device 20, but at this time, the r integer sets (s, q) are not disclosed, and the r integer sets ( s, q) is kept secret on the security device 20 side. Specifically, for example, information for specifying this polynomial b (x) and information for specifying r integer sets (s, q) in an e-mail addressed to the security device 30 from the security device 20 The information for specifying the polynomial b (x) is specified on the Internet homepage that can be viewed by the security device 30 without disclosure, and r integer sets (s, q) are specified. For uploading without disclosing information.
When the polynomial b (x) is thus transmitted, the process proceeds to step S7.
[0039]
Step S7:
In this step, the security device 30 receives the polynomial b (x).
Reception of the polynomial b (x) is performed, for example, by the calculation result acquisition means 36 of the security device 30. Specifically, for example, the security device 30 accesses a mail server on the Internet and receives an e-mail addressed to the security device 30 sent from the security device 20, or specifies a polynomial b (x). For example, by accessing a homepage on the Internet on which information for uploading is uploaded.
The information for specifying the received polynomial b (x) is sent to the control means 38, for example, and the control means 38 stores the information for specifying the sent polynomial b (x). Send to 39. Information for specifying the polynomial b (x) sent to the storage means 39 is stored in the storage means 39, for example, and the process proceeds to the next step S8.
[0040]
Step S8:
In this step, the security device 30 sets t integer groups (u, v).
The setting of t integer sets (u, v) is performed by the parameter setting means 33 of the security device 30, for example. Specifically, for example, first, pseudo-random number generation means 33a generates pseudo-random numbers using a pseudo-random number generation algorithm based on the computational complexity theory that is configured using a one-way hash function such as SHA-1. Next, in the integer value calculation means 33b, this pseudo random number is processed into a predetermined number of digits, and further, a predetermined value is subtracted, etc., so that a predetermined t integer set (u, v), that is, , U = (u₁, u₂, ..., u_t) And v = (v₁, v₂, ..., v_t) And set.
The information for specifying the set t integer sets (u, v) is sent to the control means 38, for example, and the control means 38 specifies the sent t integer sets (u, v). Information to be sent is sent to the linear action calculation means 34 and the storage means 39. The information for specifying the t integer sets (u, v) sent to the storage means 39 is stored in the storage means 39 and sent to the linear action calculation means 34, for example. , v) is used for the process of step S9.
[0041]
Step S9:
In this step, the security device 30 calculates a polynomial.
The calculation of the polynomial in this step is performed, for example, in the linear action calculation means 34 of the security device 30. When performing this polynomial calculation, for example, first, the control means 38 reads information for specifying the common polynomial a (x) stored in the storage means 39 in step S3, and uses the information as the linear action calculation means 34. Send to. The linear action calculating means 34 to which this information is sent calculates Σ to the common polynomial a (x) by calculation using this information and the information sent in the process of step S8._{m = 0} ^tv_m(1-δ)^umPerform the process to act. In this example, this common polynomial a (x)_{m = 0} ^rv_m(1-δ)^umAs a specific calculation method for operating the linear action calculation means 34, an integer calculation means 34a, a polynomial addition means 34b and a polynomial differentiation means 34c are used, and c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated. Here, the reason why the remainder operation is performed by such an ideal set I will be described later.
Information for specifying the polynomial c (x) indicating the result of such an operation is sent to the control means 38, for example, and the control means 38 uses the information for specifying the sent polynomial c (x). And sent to the calculation result disclosure means 35. When this information is sent to the calculation result disclosure means 35, the process proceeds to step S10.
[0042]
Step S10:
In this step, the security device 30 transmits the polynomial c (x).
The transmission of the polynomial c (x) is performed by, for example, the calculation result disclosure means 35 of the security device 30. At this time, the t integer sets (u, v) are not disclosed, and the t integer sets ( This is performed with u, v) kept secret on the security device 30 side. Specifically, for example, information for specifying this polynomial c (x) and information for specifying t integer sets (u, v) in an e-mail addressed to the security device 20 from the security device 30 Information for specifying the polynomial c (x) is specified on a homepage on the Internet that can be browsed by the security device 20 and t integer sets (u, v) are specified. For uploading without disclosing information.
When the polynomial c (x) is thus transmitted, the process proceeds to step S11.
[0043]
Step S11:
In this step, the security device 20 receives the polynomial c (x).
The reception of the polynomial c (x) is performed by, for example, the calculation result acquisition unit 26 of the security device 20. Specifically, for example, the security device 20 accesses a mail server on the Internet and receives an e-mail addressed to the security device 20 sent from the security device 30 or specifies the polynomial c (x). For example, by accessing a homepage on the Internet on which information for uploading is uploaded.
The information for specifying the received polynomial c (x) is sent to the control means 28, for example, and the control means 28 stores the information for specifying the sent polynomial c (x). 29. Information for specifying the polynomial c (x) sent to the storage means 29 is stored in, for example, the storage means 29, and the process proceeds to the next step S12.
[0044]
Step S12:
In this step, the security device 20 calculates the common key k (x). The calculation of the common key k (x) in this step is performed by, for example, the linear action computing unit 27 of the security device 20. When calculating the common key k (x), for example, first, the control unit 28 stores the r integer sets (s, q) stored in the storage unit 29 in step S4 and the storage unit 29 in step S11. Information for specifying the stored polynomial c (x) is read, and the information is sent to the linear action computing means 27. When this information is sent to the linear action calculator 27, for example, the linear action calculator 27 converts the polynomial c (x) to Σ_{m = 0} ^rq_m(1-δ)^smPerform the process to act. In the case of this example, the integer operation means 27a, the polynomial addition means 27b, and the polynomial differentiation means 27c of the linear action calculation means 27 are used, and Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI is calculated and the result is output as a common key k (x). Here, the reason why the remainder operation is performed by such an ideal set I will be described later.
[0045]
Step S13:
In this step, the security device 30 calculates the common key k (x). The calculation of the common key k (x) in this step is performed by, for example, the linear action computing unit 37 of the security device 30. When calculating the common key k (x), for example, first, the control unit 38 stores t integer sets (u, v) stored in the storage unit 39 in step S8 and the storage unit 39 in step S7. The stored information for specifying the polynomial b (x) is read, and the information is sent to the linear action computing means 37. When this information is sent to the linear action calculating means 37, for example, the linear action calculating means 37 converts the polynomial b (x) into Σ_{m = 0} ^tv_m(1-δ)^umPerform the process to act. In this example, the integer operation means 37a, the polynomial addition means 37b and the polynomial differentiation means 37c of the linear action calculation means 37 are used, and Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated and the result is output as a common key k (x).
[0046]
Through the above processing, the common key k (x) is distributed between the security devices 20 and 30. Next, the common key k (x) calculated by each of the security devices 20 and 30 is transmitted. The reason why the remainder operation is performed by the above-described ideal set I in the above-described steps S5, S9, S12, and S13 will be described.
As described above, the ideal set I is an ideal, and an operation result of the polynomial obtained by adding an arbitrary integer value to the polynomial variable of the integer coefficient performed on the ideal again becomes the ideal and Is a set. In this case, if the polynomial of this integer coefficient is g (x) and any integer value is k, then the relationship that g (x + k) ∈I is satisfied for this ideal set I if g (x) ∈I. Will be satisfied.
[0047]
Here, w (x) ≡r (x) modI. That is, suppose that g (x) ∈I and p (x) ∈Z [x] exist and w (x) = p (x) · g (x) + r (x) can be written. Here, Z [x] represents a whole set of integer coefficient polynomials. For both sides of this equation, replacing x with x + k gives w (x + k) = p (x + k) · g (x + k) + r (x + k). Since (x + k) ∈I is satisfied, the relationship w (x + k) ≡r (x + k) modI is also established. In other words, as long as the ideal set I is as described above, if the relationship w (x) ≡r (x) modI holds, the relationship w (x + k) ≡r (x + k) modI always holds Will do. This is a relationship that does not necessarily hold when a remainder operation is performed on a set that is not the ideal set I instead of the ideal set I.
[0048]
Furthermore, if it can be said that the relationship w (x + k) ≡r (x + k) modI always holds if the relationship w (x) ≡r (x) modI holds. For any integer k and any polynomial w (x), after performing a remainder operation with I, a polynomial with x replaced with x + k, and after replacing x with x + k, a remainder operation with I It can be said that it is the same as the polynomial performed.
And as mentioned above, (1-δ)^sMeans an operator that associates a polynomial g (xs) with an arbitrary polynomial g (x), so after performing a remainder operation on I for an arbitrary integer k and an arbitrary polynomial w (x), If it can be said that the polynomial in which x is replaced with x + k and the polynomial in which the remainder operation is performed on I after replacing x with x + k are the same, for example, in the security device 20, b (x ) To calculate k (x) in order to calculate k (x) in the security device 30 after performing a remainder operation on I to calculate (1)^u, I.e., a calculation result in which b (xu) is associated with b (x), and security device 30 calculates (1-δ) to a (x) in order to calculate c (x). )^uThat is, after making a (xu) correspond to a (x), the security device 20 is equal to the result of performing a remainder operation on I to calculate k (x). I can say that. The same applies to s. As a result, when the remainder operation is performed by the ideal set I as described above, the common key k (x) calculated by each of the security devices 20 and 30 is the same.
[0049]
As described above, in the example of the present embodiment, the parameter setting means 23, 33 has a first number set of parameters (r integer sets ( s, q), t integer sets (u, v)) are set, and the linear action computing means 24, 27, 34, 37 set (a (x), b (x), c (x)) Σ_{m = 0} ^rq_m(1-δ)^smOr Σ_{m = 0} ^tv_m(1-δ)^umBecause of the action, even if the size of the secret parameters (r, s, k, t, u, v) is increased, the number of arithmetic operations performed by the security devices 20 and 30 during key distribution increases. As a result, the convenience is greatly improved as compared with the conventional Diffile-Hellman key distribution method in which the amount of calculation increases depending on the size of the secret parameter.
[0050]
In the example of the present embodiment, the configuration is such that the common key is distributed using the calculation result obtained by operating the linear operator having many secret parameters (r, s, k, t, u, v). It becomes difficult for a person to decrypt the common key, and as a result, sufficient security for the common key can be secured.
Further, in the example of the present embodiment, b (x) = Σ in the linear action calculating means 24, 27, 34, 37._{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI, c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI, k (x) = Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI, k (x) = Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated, so that even when the size of the secret parameter (r, s, k, t, u, v) is increased, the security device 20 is used during key distribution. , 30 does not increase the number of arithmetic operations performed, and as a result, the convenience is greatly improved compared to the conventional Diffile-Hellman key distribution method in which the amount of calculation increases depending on the size of the secret parameter. .
[0051]
Further, in the linear action calculation means 24 and 34, b (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI, c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated, the calculation results are disclosed to the communication partner in the calculation result disclosing means 25 and 35, and the calculation calculated by the communication partner is calculated in the calculation result acquiring means 26 and 36. The result is obtained, and k (x) = Σ in the linear action calculation means 27 and 37._{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI, k (x) = Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated, so that even when the size of the secret parameter (r, s, k, t, u, v) is increased, the security device 20 is used during key distribution. , 30 does not increase the number of arithmetic operations performed, and as a result, the convenience is greatly improved compared to the conventional Diffile-Hellman key distribution method in which the amount of calculation increases depending on the size of the secret parameter. .
[0052]
Further, in the example of the present embodiment, as an ideal set, a ring ideal formed by a polynomial of integer coefficients, where δ is a polynomial g (x) -g (x-1) with respect to an arbitrary polynomial g (x) {F (x), δf (x), δ when degf (x) is the order of f (x)²f (x), ..., δ^{degf (x)}By using what is a set generated by f (x)}, as described above, the common key k (x) calculated by each of the security devices 20 and 30 is the same, and the key distribution in this embodiment is substantially Is possible.
In the example of this embodiment, r integer sets (s, q) are kept secret on the security device 20 side, and t integer sets (u, v) are kept secret on the security device 30 side. The key distribution between the security devices 20 and 30 is possible without the third party knowing the contents of the common key k (x).
[0053]
Furthermore, in the example of the present embodiment, r integer sets (s, q) are generated using the random numbers generated by the pseudo random number generation means 23a of the security device 20, and are generated by the pseudo random number generation means 33a of the security device 30. T integer sets (u, v) are generated using the random numbers generated, so the maintainability of r integer sets (s, q) and t integer sets (u, v) is improved. As a result, the security for the common key k (x) is improved.
The present invention is not limited to the embodiment described above. For example, in the present embodiment, the security devices 20 and 30 in the present embodiment are configured by causing a computer to execute a predetermined program. However, at least a part of these processing contents is implemented in hardware by an electronic circuit. It may be realized.
[0054]
Further, in this embodiment, in the linear action calculating means 24, 27, 34, 37, a linear operator Σ for a (x), b (x) or c (x)._{m = 0} ^rq_m(1-δ)^smOr Σ_{m = 0} ^tv_m(1-δ)^umIf the number of integer arithmetic operations required to calculate a linear operator is less than the order of the logarithmic polynomial of the degree of the polynomial, then other linear operators are used. It is good as well.
Next, a second embodiment of the present invention will be described.
Here, the outline of this embodiment will be described first, and then the details of this embodiment will be described.
[0055]
FIG. 7 is a diagram for explaining an outline of the security system 50 in the present embodiment.
As illustrated in FIG. 7, the security system 50 includes security devices 51 and 52, and generates a ciphertext in the security device 52 using a public key disclosed by the security device 51, Decryption is performed in the security device 51.
In the case of this example, the security device 51 includes a first parameter setting unit 51a configured to set a first number of parameters configured by a set of a first integer parameter and a second integer parameter, and a set. For the first integer parameter s_mAnd the second integer parameter is q_mWhere Σ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), where r is the first number,_{m = 0} ^rq_m(1-δ)^smSimilarly, the security device 52 has a second number set of parameters, each of which includes a third integer parameter and a fourth integer parameter. For the second parameter setting means 52a to be set and the set, the third integer parameter is set to u_mAnd the fourth integer parameter is v_mΣ in the case where the second number is t and δ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x)._{m = 0} ^tv_m(1-δ)^umThe linear action calculating means 52b and 52c are provided.
[0056]
Similarly to the first embodiment, in this example, the linear action calculating means 51b sets the predetermined polynomial as a (x), the degree of the polynomial as deg a (x), and the first integer parameter. S_mAnd the second integer parameter is q_mAnd the first number is r, ∂ is the differential operator, and an ideal is the result of the operation of the polynomial obtained by adding an arbitrary integer value to the integer coefficient polynomial variable performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is a means for calculating. The same applies to the linear action calculation means 51c, 52b, and 52c.
[0057]
In the security system 50 according to the present embodiment, when encryption is performed by the public key cryptosystem in the security device 51 and decryption is performed in the security device 52, for example, the security device 51 first has a common polynomial a which is a polynomial of integer coefficients. (x) is generated, and the generated common polynomial a (x) is transmitted to the security device 52.
Then, for example, next, the security device 51 determines r integer sets (s, q) in the parameter setting means 51a, and the linear operator Σ for the common polynomial a (x) in the linear action calculating means 51b._{m = 0} ^rq_m(1-δ)^smAct. Specifically, for example, s = (s₁, s₂,…, S_r) And q = (q₁, q₂,…, Q_r), And in the linear action calculation means 51b, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated.
[0058]
After that, the common polynomial a (x)_{m = 0} ^rq_m(1-δ)^smThat is, that is, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI calculation result b (x) is, for example, in a state where r, s, q (secret key) are kept secret on the security device 2 side where these integer parameters are set. It is transmitted to the security device 52 as a public key.
On the other hand, the plaintext M to be encrypted is M∈ {0,1}^lThe security device 52 determines t integer sets (u, v) in the parameter setting means 52a, and adds a linear operator Σ to b (x) transmitted from the security device 51._{m = 0} ^tv_m(1-δ)^umAct. Specifically, for example, in the parameter setting means 52a, u = (u₁, u₂, ..., u_r) And v = (v₁, v₂, ..., v_r), And in the linear action calculation means 52b, Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated to generate a common key k (x). Thereafter, for this common key k (x), a hash function H having a value in a polynomial (preferably a set having a sufficiently large range of operation results is obtained.⁸⁰H (k (x)) ∈ {0,1}^lGet. Then, the exclusive OR (H (k (x)) (+) M) of H (k (x)) and plaintext M is calculated as a ciphertext. In FIG. 7 and the description of this embodiment, “a (+) b” means an exclusive OR of a and b.
[0059]
In addition, the security device 52 uses the linear operator Σ for the common polynomial a (x) in the linear action calculation means 52b._{m = 0} ^tv_m(1-δ)^umAct. Specifically, for example, in the linear action calculating means 52b, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated and the calculation result c (x) is generated. And (H (k (x)) (+) M) and c (x) generated in this way are ciphertext C = (c (x), H (k (x)) (+) M ) Is transmitted to the security device 51.
The security device 51 to which the ciphertext C = (c (x), H (k (x)) (+) M) is transmitted is transmitted to the linear operator with respect to the transmitted c (x) by the linear operation computing means 51c. Σ_{m = 0} ^rq_m(1-δ)^smAct. Specifically, for example, in the linear action calculating means 51c, Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI is calculated to generate k (x). Then, the same hash function H as that used in the security device 52 is applied to the operation result k (x), so that H (k (x)) ∈ {0,1}^lAfter that, the exclusive OR of H (k (x)) obtained in this way and H (k (x)) (+) M of ciphertext C is calculated.
(H (k (x)) (+) (H (k (x)) (+) M)). Here, as in the case of the first embodiment described above, k (x) generated by the security device 51 and k (x) generated by the security device 52 are the same. Therefore, the operation result of this H (k (x)) (+) (H (k (x)) (+) M) is M, and thus the plaintext M is decrypted.
[0060]
Here, the number of four arithmetic operations necessary for the polynomial operation performed in the linear action calculating means 51b, 51c, 52b, 52c described above is the secret parameter (r, s, k, t, It does not depend on the size of u, v). Therefore, even when the size of the secret parameter (r, s, k, t, u, v) is increased, the number of arithmetic operations performed by the security devices 51 and 52 at the time of encryption or decryption increases. As a result, the convenience is greatly improved as compared with the public key cryptosystem applying the conventional Diffile-Hellman key distribution scheme in which the amount of calculation increases depending on the size of the secret parameter.
[0061]
Next, details of this embodiment will be described.
FIG. 8 is a diagram illustrating the overall configuration of the security system 60 in the present embodiment.
As illustrated in FIG. 8, the security system 60 connects the security devices 70 and 80 that perform encryption and decryption of plaintext and the security devices 70 and 80 so that they can communicate with each other by, for example, public key cryptography. The network includes a network 90, and the security devices 70 and 80 are electrically connected to or connected to each other via a network 90 so that information can be exchanged between them. Yes. The details of the overall configuration are the same as those described in the first embodiment, for example, and the hardware configuration of the security devices 70 and 80 is, for example, the security in the first embodiment. The hardware configuration of the devices 20 and 30 (FIG. 3) is the same.
[0062]
FIG. 9 illustrates the processing function of the security device 70 constructed by specific means in which the hardware and software cooperate by causing a predetermined program (software) to be executed in the hardware illustrated in FIG. 3. It is a functional block diagram.
As illustrated in FIG. 9, the security device 70 of this example uses a common polynomial generation unit 71 that generates a common polynomial of integer coefficients shared with a communication partner, and a common polynomial generated by the common polynomial generation unit 71 as a communication partner. Common polynomial disclosure means 72 to be disclosed, parameter setting means 73 for setting a first number of parameters, which is constituted by a set of a first integer parameter and a second integer parameter, an integer coefficient shared with a communication partner Let a (x) be the common polynomial of, let deg a (x) be the degree of the common polynomial, and let s be the first integer parameter_mAnd the second integer parameter is q_mAnd the first number is r, ∂ is the differential operator, and an ideal is the result of the operation of the polynomial obtained by adding an arbitrary integer value to the integer coefficient polynomial variable performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI operation to generate a first operation result, linear action operation means 74, and public key release means 75 for making the generated first operation result public as a public key. The ciphertext acquisition means 76 for acquiring the second calculation result calculated by the communication partner and the ciphertext, the decryption means 77 for decryption, the control means 78 for controlling the entire security device 70, and various information A storage means 79 for storing is provided as a processing function.
[0063]
In this example, the common polynomial generator 71 uses a pseudo-random number generation algorithm based on the computational complexity theory, which is configured by using a one-way hash function such as SHA-1, and generates pseudo-random numbers. Generating means 71a and a pseudorandom number generated by the pseudorandom number generating means 71a, generating a predetermined integer value, and having a polynomial generating means 71b for generating a common polynomial having the generated integer value as a coefficient, The parameter setting means 73 is a pseudo-random number generating means 73a that generates a pseudo-random number using a pseudo-random number generation algorithm based on the computational complexity theory, etc., which is configured using a one-way hash function such as SHA-1, and a pseudo-random number. It has an integer value calculation means 73b that generates a predetermined integer value using the pseudo random number generated by the generation means 73a. In this example, the linear action calculation means 74 includes an integer calculation means 74a that performs integer calculation, a polynomial addition means 74b that performs polynomial addition calculation, and a polynomial differentiation means 74c that performs polynomial differentiation. The means 77 sets the second calculation result acquired by the ciphertext acquisition means 76 to c (x), sets the order of the second calculation result to deg c (x), and sets the first integer parameter to s_mAnd the second integer parameter is q_m, Where the first number is r, ∂ is the differential operator, and the ideal set is I_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI operation to generate a third operation result, a linear action operation unit 77a, a hash function operation unit 77b to perform a hash function H operation in common with the security device 80, and An exclusive OR operation means 77c for calculating the exclusive OR of the generated third operation result and the ciphertext is provided. Further, the linear action calculating unit 77a in this example includes an integer calculating unit 77aa that performs integer calculation, a polynomial addition unit 77ab that performs addition operation of polynomials, and a polynomial differentiation unit 77ac that performs differential operation of polynomials.
[0064]
In the example in the second embodiment, the hash function H having a value in the polynomial is, for example, Z (x) / I₁→ {0,1}^lThis function performs the operation of Where Z (x) / I₁Is an integer coefficient polynomial ring Z (x) and its ideal I₁And p-q∈I for p, q∈Z (x)₁If p and q are considered to be the same class, the elements of Z (x) are classified, and the set created when each of the classified classes is newly regarded as an element (Z (x) (Remainder ring by I). Further, as described above, the hash function H is desirably a set having a sufficiently large value range of the operation result, but such a configuration of the hash function H uses, for example, a book burger algorithm or the like, Z ( x) Ideal I₁Determines one Gröbner basis for Z (x) / I₁In each class, a polynomial representing the class is determined. Here, the ideal I of Z [x]₁The Gröbner basis of I₁A finite set G = {f₁(x), f₂(x), ..., f_n(x)} for any f (x) ∈Z (x)₁Take the remainder of dividing by (x), then the remainder is f₂Take the remainder divided by (x), repeat the same in the following, and finally f_nThe result of taking the remainder divided by (x) is f₁(x), f₂(x), ..., f_nIt has the property that does not depend on the order of (x).
[0065]
Further, as illustrated in FIG. 9, a common polynomial generation unit 71, a common polynomial disclosure unit 72, a parameter setting unit 73, a linear action calculation unit 74, a public key disclosure unit 75, a ciphertext acquisition unit 76, a decryption unit 77, and The storage unit 79 is configured to be capable of at least one of providing information to the control unit 78 and acquiring information from the control unit 78, and the common polynomial disclosure unit 72 and the public key disclosure unit 75 include the network 90. The ciphertext acquisition unit 76 is configured to be able to acquire information from the network 90.
[0066]
FIG. 10 illustrates the processing function of the security device 80 constructed by specific means in which the hardware and software cooperate by executing a predetermined program (software) in the hardware illustrated in FIG. It is a functional block diagram.
As illustrated in FIG. 10, the security device 80 of this example includes a common polynomial acquisition unit 82 that receives a common polynomial of integer coefficients shared with a communication partner, and a set of a third integer parameter and a fourth integer parameter. A parameter setting unit 83 for setting a second number of parameters, a public key acquisition unit 84 for acquiring a first calculation result disclosed by a communication partner as a public key, and generating a ciphertext. The ciphertext generation means 85, the common polynomial of the integer coefficient shared with the communication partner is a (x), the degree of the common polynomial is deg a (x), and the first integer parameter is u_mAnd the second integer parameter is v_m, Where the first number is t, ∂ is the differential operator, and the ideal set is I_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI operation to generate a third operation result, a linear action operation means 86, a ciphertext calculated by the exclusive OR operation means 85c described below, and a linear action The ciphertext disclosure means 87 for disclosing the third calculation result generated by the calculation means 85a, the control means 88 for controlling the entire security device 80, and the storage means 89 for storing various information are provided as processing functions. Yes.
[0067]
In this example, the parameter setting unit 83 uses a pseudo random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1, to generate pseudo random numbers. Means 83a and an integer value calculating means 83b for generating a predetermined integer value using the pseudo random number generated by the pseudo random number generating means 83a are provided. Further, in this example, the ciphertext generation unit 85 sets the first calculation result acquired by the public key acquisition unit 84 as b (x), sets the degree of the first calculation result as deg b (x), An integer parameter of 1_mAnd the second integer parameter is v_mAnd the first number is t, ∂ is the differential operator, and the result of the operation of the polynomial, which is an ideal and is obtained by adding an arbitrary integer value to the integer coefficient polynomial variable, is performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI operation to generate a second operation result, a linear action operation unit 85a, a hash function operation unit 85b to perform a hash function H operation in common with the security device 70, and It has an exclusive OR operation means 85c for calculating the exclusive OR of the generated second operation result and the plaintext as communication contents as a ciphertext, and the linear action operation means 85a is an integer. An integer operation means 85aa for performing an operation, a polynomial addition means 85ab for performing an addition operation of a polynomial, a polynomial differentiation means 85ac for performing a differentiation operation of a polynomial, a linear action operation means 86, an integer operation means 86a, a polynomial addition means 86b, and a polynomial differentiation. Each has a means 86c.
[0068]
Further, as illustrated in FIG. 10, the common polynomial acquisition unit 82, parameter setting unit 83, public key acquisition unit 84, ciphertext generation unit 85, linear action calculation unit 86, ciphertext disclosure unit 87, and storage unit 89 include The ciphertext disclosure unit 87 is configured to provide information to the network 90 and to acquire information from the control unit 88 and to acquire information from the control unit 88. The means 82 and the public key acquisition means 84 are configured to be able to acquire information from the network 90, respectively.
[0069]
Next, processing operations of the security system 60 and the security devices 70 and 80 in this embodiment will be described.
FIG. 11 is a flowchart for explaining an example of processing operations of the security system 60 and the security devices 70 and 80 in this embodiment. The solid-line arrows in this flowchart exemplify a series of processing flows in the entire security system 60, and the broken-line arrows indicate a series of processing flows in the entire security system 60 and the security devices 70 and 80, respectively. FIG. 6 illustrates the processing flow of the security devices 70 and 80 alone with respect to the different processing flow. Here, for ease of explanation, the processing operation will be described along the processing flow as shown in FIG. 11 for the sake of convenience. However, the security devices 70 and 80 are in a different order from the flow of this flowchart. Processing may be performed, or the security devices 70 and 80 may perform each processing simultaneously in parallel.
[0070]
Hereinafter, description will be given along this flowchart.
Step S20:
In this step, the security device 70 sets the common polynomial a (x).
The setting of the common polynomial a (x) is performed in, for example, the common polynomial generation unit 71 of the security device 70. Specifically, for example, first, pseudo-random number generation means 71a generates pseudo-random numbers using a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1. Next, in the polynomial generating means 71b, this pseudo random number is processed into a predetermined number of digits, and further, an integer coefficient of the polynomial is set by subtracting a predetermined value, etc. Set the polynomial a (x).
The information for specifying the common polynomial a (x) set in this way is sent to the control means 78, for example, and the control means 78 sets the information for specifying the sent common polynomial a (x). To the common polynomial disclosure means 72 and the storage means 79. Information for specifying the common polynomial a (x) sent to the storage unit 79 is recorded in the storage unit 79 and used to specify the common polynomial a (x) sent to the common polynomial disclosure unit 72, for example. The information is used for the next step S21.
[0071]
Step S21:
In this step, the security device 70 transmits the common polynomial a (x).
The transmission of the common polynomial a (x) is performed by the common polynomial disclosure means 72 of the security device 70, for example. Specifically, for example, information for specifying the common polynomial a (x) is presented in an e-mail addressed to the security device 80 from the security device 70, or a homepage on the Internet that can be browsed by the security device 80 And uploading information for specifying the common polynomial a (x).
When the transmission of the common polynomial a (x) is thus performed, the process proceeds to step S22.
[0072]
Step S22:
In this step, the security device 80 receives the common polynomial a (x).
The reception of the common polynomial a (x) is performed by, for example, the common polynomial acquisition unit 82 of the security device 80. Specifically, for example, the security device 80 accesses a mail server on the Internet and receives an e-mail addressed to the security device 80 sent from the security device 70 or specifies a common polynomial a (x) This is done by accessing a homepage on the Internet on which information for uploading is uploaded.
The information for specifying the common polynomial a (x) received in this way is sent to the control means 88, for example, and the control means 88 uses the information for specifying the sent common polynomial a (x). The data is sent to the storage means 89. Information for specifying the common polynomial a (x) sent to the storage unit 89 is stored in the storage unit 89, for example, and the process proceeds to the next step S23.
[0073]
Step S23:
In this step, the security device 70 sets r integer groups (s, q).
The setting of r integer sets (s, q) is performed by the parameter setting means 73 of the security device 70, for example. Specifically, for example, first, pseudo-random numbers are generated in the pseudo-random number generating means 73a using a pseudo-random number generation algorithm based on the computational complexity theory configured using a one-way hash function such as SHA-1. Next, in the integer value calculation means 73b, the pseudo-random number is processed into a predetermined number of digits, and further, a predetermined value is subtracted, etc., so that a predetermined r number of integer sets (s, q), that is, , S = (s₁, s₂,…, S_r) And q = (q₁, q₂,…, Q_r) And set.
Information for specifying the set r integer sets (s, q) is sent to, for example, the control means 78, and the control means 78 specifies the sent r integer sets (s, q). Information to be sent to the linear action calculation means 74 and the storage means 79. The information for specifying r integer sets (s, q) sent to the storage means 79 is stored in the storage means 79 and sent to the linear action calculation means 74, for example. , q) is used for the process of step S24.
[0074]
Step S24:
In this step, the security device 70 calculates a polynomial.
The calculation of the polynomial in this step is performed, for example, in the linear action calculation means 74 of the security device 70. When performing this polynomial operation, for example, first, the control means 78 reads information for specifying the common polynomial a (x) stored in the storage means 79 in step S20, and uses this information as the linear action calculation means 74. Send to. The linear action calculating means 74 to which this information has been sent calculates Σ to the common polynomial a (x) by calculation using this information and the information sent in the process of step S23._{m = 0} ^rq_m(1-δ)^smPerform the process to act. In this example, this common polynomial a (x)_{m = 0} ^rq_m(1-δ)^smAs a specific calculation method for operating the linear action calculation means 74, an integer calculation means 74a, a polynomial addition means 74b and a polynomial differentiation means 74c are used, and b (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated.
Information for specifying the polynomial b (x) indicating the result of such calculation is sent to the control means 78, for example, and the control means 78 uses information for specifying the sent polynomial b (x). To the public key disclosing means 75. When this information is sent to the public key disclosure means 75, the process proceeds to step S25.
[0075]
Step S25:
In this step, the security device 70 transmits the polynomial b (x) as a public key.
The transmission of the polynomial b (x) is performed by, for example, the public key disclosure unit 75 of the security device 70. At this time, the r integer sets (s, q) are not disclosed, and the r integer sets ( s, q) is kept secret on the security device 70 side. Specifically, for example, information for identifying this polynomial b (x) and information for identifying r integer sets (s, q) in an email addressed to the security device 80 from the security device 70 The information for specifying the polynomial b (x) is specified on the home page on the Internet that can be browsed by the security device 80 without disclosure, and r integer sets (s, q) are specified. For uploading without disclosing information.
When the polynomial b (x) is thus transmitted, the process proceeds to step S26.
[0076]
Step S26:
In this step, the security device 80 receives the polynomial b (x).
The reception of the polynomial b (x) is performed by, for example, the calculation result acquisition unit 86 of the security device 80. Specifically, for example, the security device 80 accesses a mail server on the Internet and receives an e-mail addressed to the security device 80 sent from the security device 70, or the calculation result of the polynomial b (x) This is performed by accessing a homepage on the Internet on which information for specifying the URL is uploaded.
The information for specifying the polynomial b (x) received in this way is sent to the control means 88, for example, and the control means 88 stores the information for specifying the sent polynomial b (x). Send to 89. Information for specifying the polynomial b (x) sent to the storage unit 89 is stored in the storage unit 89, for example, and the process proceeds to the next step S27.
[0077]
Step S27:
In this step, the security device 80 sets t integer groups (u, v).
The setting of t integer sets (u, v) is performed by the parameter setting means 83 of the security device 80, for example. Specifically, for example, first, the pseudo-random number generator 83a generates pseudo-random numbers using a pseudo-random number generation algorithm based on the computational complexity theory configured using a one-way hash function such as SHA-1. Next, in the integer value calculation means 83b, this pseudo random number is processed into a predetermined number of digits, and further, a predetermined value is subtracted, etc., so that a predetermined t integer set (u, v), that is, , U = (u₁, u₂, ..., u_t) And v = (v₁, v₂, ..., v_t) And set.
The information for specifying the set t integer sets (u, v) is sent to, for example, the control means 88, and the control means 88 specifies the sent t integer sets (u, v). Information to be sent to the linear action calculation means 84 and the storage means 89. The information for specifying the t integer sets (u, v) sent to the storage means 89 is stored in the storage means 89 and sent to the linear action calculation means 84, for example. , v) is used for the process of step S28.
[0078]
Step S28:
In this step, the security device 80 calculates a polynomial.
The calculation of the polynomial in this step is performed, for example, in the linear action calculation means 86 of the security device 80. When performing this polynomial calculation, for example, first, the control means 88 reads information for specifying the common polynomial a (x) stored in the storage means 89 in step S3, and uses the information as the linear action calculation means 86. Send to. The linear action calculating means 86 to which this information is sent calculates Σ to the common polynomial a (x) by calculation using this information and the information sent in step S27._{m = 0} ^tv_m(1-δ)^umPerform the process to act. In this example, this common polynomial a (x)_{m = 0} ^rv_m(1-δ)^umAs a specific calculation method for operating the linear action calculation means 86, an integer calculation means 86a, a polynomial addition means 86b and a polynomial differentiation means 86c are used, and c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated.
Information for specifying the polynomial c (x) indicating the result of such calculation is sent to the control means 88, for example, and the control means 88 uses information for specifying the sent polynomial c (x). To the storage means 89. Information for specifying the polynomial c (x) sent to the storage unit 89 is stored in the storage unit 89, for example, and the process proceeds to the next step S29.
[0079]
Step S29:
In this step, the security device 80 generates a ciphertext C by calculation.
The calculation of the ciphertext C is performed, for example, in the ciphertext generation unit 85 of the security device 80. Here, plaintext M∈ {0,1}^lAn example of encrypting the password will be described.
When performing the operation on the ciphertext C, the security device 80 first stores, for example, information for specifying the polynomial b (x) stored in the storage unit 89 in step S26 by the control unit 88 and in step S26. Information for specifying t integer sets (u, v) stored in the means 89 is read, and these pieces of information are sent to the ciphertext generating means 85. The ciphertext generation means 85 to which these pieces of information are sent, for example, in the linear action calculation means 85a, converts the polynomial b (x) to Σ_{m = 0} ^tv_m(1-δ)^umPerform the process to act. In this example, this polynomial b (x)_{m = 0} ^rv_m(1-δ)^umAs a specific calculation method for operating the linear action calculation means 85a, the integer calculation means 85aa, the polynomial addition means 85ab, and the polynomial differentiation means 85ac are used, and k (x) = Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated.
[0080]
Next, for example, the hash function H is applied to the calculation result k (x) by the hash function calculation means 85b (H (k (x)) ∈ {0,1}.^l), The exclusive OR operation means 85c calculates the exclusive OR (H (k (x)) (+) M) of the operation result H (k (x)) and the plaintext M as a ciphertext. Thereafter, the ciphertext generation means 85 uses the ciphertext C = (c) using (H (k (x)) (+) M) calculated in this way and c (x) calculated in step S28. (x), H (k (x)) (+) M) are generated. The generated ciphertext C is sent to the control means 88, for example, and the control means 88 sends the sent ciphertext C to the ciphertext disclosure means 87. When the ciphertext C is sent to the ciphertext disclosure means 87, the process proceeds to step S30.
[0081]
Step S30:
In this step, the security device 80 transmits the ciphertext C.
The ciphertext C is transmitted by, for example, the ciphertext disclosure means 87 of the security device 80. At this time, the t integer sets (u, v) are not disclosed, and the t integer sets (u, v) are not disclosed. v) is performed with the security device 80 kept secret. Specifically, for example, information for specifying this ciphertext C and information for specifying t integer pairs (u, v) are disclosed in an email addressed to the security device 70 from the security device 80 Information for specifying this ciphertext C and information for specifying t integer sets (u, v) on a homepage on the Internet that can be presented without security or browsed by the security device 70 This is done by uploading without disclosure.
When the ciphertext C is thus transmitted, the process proceeds to step S31.
[0082]
Step S31:
In this step, the security device 70 receives the ciphertext C.
The ciphertext C is received by, for example, the ciphertext acquisition unit 76 of the security device 70. Specifically, for example, the security device 70 accesses a mail server on the Internet and receives an e-mail addressed to the security device 70 sent from the security device 80, or for specifying the ciphertext C This is done by accessing a website on the Internet where information is uploaded.
The information for specifying the ciphertext C received in this way is sent to the control means 78, for example, and the control means 78 sends the information for specifying the sent ciphertext C to the decryption means 77, The process proceeds to the next step S32.
[0083]
Step S32:
In this step, the security device 70 decrypts the ciphertext C.
The decryption of the ciphertext C is performed by, for example, the decryption unit 77 of the security device 70. Specifically, for example, first, in the linear action calculation unit 77a of the decryption unit 77, a polynomial constituting the ciphertext C = (c (x), H (k (x)) (+) M) received in step S31. c (x) is Σ_{m = 0} ^rq_m(1-δ)^smPerform the process to act. In this example, this polynomial c (x)_{m = 0} ^rq_m(1-δ)^smAs a specific calculation method for operating the linear action calculation means 77a, the integer calculation means 77aa, the polynomial addition means 77ab and the polynomial differentiation means 77ac are used, and k (x) = Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI is calculated.
When this calculation is performed, for example, the same hash function H as that used in the security device 80 is then applied to the calculation result k (x) by the hash function calculation means 77b, and H (k (x) ) ∈ {0,1}^lGet. Thereafter, for example, in the exclusive OR operation means 77c, H (k (x)) thus obtained and the ciphertext C = (c (x), H (k (x)) ( Calculates an exclusive OR with H (k (x)) (+) M that constitutes (+) M) (H (k (x)) (+) H (k (x)) (+) M) . As a result, the plaintext M is decrypted as described above.
[0084]
As described above, in the example of the present embodiment, the parameter setting means 73 and 83 use the first number of parameters (r integer sets ( s, q), t integer sets (u, v)) are set, and in the linear action computing means 74, 77a, 85a, 86, the set (a (x), b (x), c (x)) Σ_{m = 0} ^rq_m(1-δ)^smOr Σ_{m = 0} ^tv_m(1-δ)^umEven when the size of the secret parameters (r, s, k, t, u, v) is increased, the public key is generated, the plaintext is encrypted, and the ciphertext is decrypted. The public key cryptography applying the conventional Diffile-Hellman key distribution method in which the number of arithmetic operations performed by the security devices 70 and 80 does not increase, and as a result, the calculation amount increases depending on the size of the secret parameter. Compared with the method, the convenience is greatly improved.
[0085]
In the example of this embodiment, by generating a linear operator having many secret parameters (r, s, k, t, u, v), public key generation, plaintext encryption, and ciphertext decryption are performed. As a result, it is very difficult for a third party to decrypt the ciphertext C, and as a result, sufficient security for the common key can be secured.
Further, in the example of the present embodiment, b (x) = Σ in the linear action calculating means 74, 77, 85a, 86._{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI, c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI, k (x) = Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI, k (x) = Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated, so even when the size of the secret parameters (r, s, k, t, u, v) is increased, the plaintext is generated when the public key is generated. The number of arithmetic operations performed by the security devices 70 and 80 during encryption and decryption of ciphertext does not increase, and as a result, the amount of calculation increases depending on the size of the secret parameter. Compared with the public key cryptosystem that applies the key distribution method, the convenience is greatly improved.
[0086]
Further, in the security device 70 in the example of the present embodiment, the linear action calculation means 74 performs the Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is performed to generate a polynomial b (x) as the first calculation result, and the public key public means 75 discloses the polynomial b (x) as a public key. The ciphertext acquisition means 76 acquires the polynomial c (x), which is the second calculation result calculated by the security device 80, and the ciphertext (H (k (x)) (+) M)), In the linear action calculating means 77a, Σ_{n = 0} ^{deg c (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿc (x) / n!) modI is calculated to generate a polynomial k (x) as the third calculation result. In the exclusive OR operation means 77c, k (x) and H (k (x)) (+) M) and the exclusive OR of them, so even if the size of the secret parameters (r, s, k, t, u, v) is increased, The number of arithmetic operations performed by the security devices 70 and 80 does not increase at the time of public key generation, plaintext encryption, and ciphertext decryption. As a result, the amount of calculation depends on the size of the secret parameter. Compared with the public key cryptosystem that applies the conventional Diffile-Hellman key distribution scheme, the convenience is greatly improved.
[0087]
Further, in the security device 80 in the example of the present embodiment, the public key acquisition unit 84 acquires the polynomial b (x) that is the first calculation result disclosed by the security device 70 as the public key, and the linear action calculation unit 85a. Σ_{n = 0} ^{deg b (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿb (x) / n!) modI is calculated to generate a polynomial k (x) that is the second calculation result. In the exclusive OR operation means 85c, the polynomial k (x) and communication contents are used. An exclusive OR with a certain plaintext M is calculated as a ciphertext (H (k (x)) (+) M), and the linear action calculation means 86_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated to generate a polynomial c (x) which is the third calculation result, and the ciphertext disclosure unit 87 calculates the result by the exclusive OR calculation unit 85c. Since the ciphertext (H (k (x)) (+) M) and the polynomial c (x) generated by the linear action calculation means 86 are disclosed, the secret parameters (r, s, k, t, Even when the size of u, v) is increased, the number of arithmetic operations performed by the security devices 70 and 80 is increased at the time of public key generation, plaintext encryption, and ciphertext decryption. As a result, the convenience is greatly improved as compared with the public key cryptosystem applying the conventional Diffile-Hellman key distribution scheme, which increases the calculation amount depending on the size of the secret parameter.
[0088]
In the example of the present embodiment, as an ideal set, an ideal of a ring formed by a polynomial of integer coefficients, where δ is a polynomial g (x) -g (x-1) with respect to an arbitrary polynomial g (x) {F (x), δf (x), δ when degf (x) is the order of f (x)²f (x), ..., δ^{degf (x)}By using what is a set generated by f (x)}, as in the case of the first embodiment described above, the polynomial k (x) calculated by each of the security devices 70 and 80 is the same. Since H (k (x)), which is the result of applying the same hash function to the same, is also the same, decryption in this embodiment is substantially possible.
[0089]
Furthermore, in the example of this embodiment, r integer sets (s, q) are kept secret on the security device 70 side, and t integer sets (u, v) are kept secret on the security device 80 side. The decryption between the security devices 70 and 80 is possible without the third party knowing the content of the parameters for decryption.
In the example of the present embodiment, r integer sets (s, q) are generated using the random numbers generated by the pseudo random number generation means 73a of the security device 70, and are generated by the pseudo random number generation means 83a of the security device 80. T integer sets (u, v) are generated using the random numbers generated, so the maintainability of r integer sets (s, q) and t integer sets (u, v) is improved. As a result, the security against encryption is improved.
[0090]
The present invention is not limited to the embodiment described above. For example, in this embodiment, the security devices 70 and 80 in this embodiment are configured by causing a computer to execute a predetermined program. However, at least a part of these processing contents is implemented in hardware by an electronic circuit. It may be realized.
Further, in this embodiment, in the linear operator computing means 74, 77a, 85a, 86, a linear operator Σ_{m = 0} ^rq_m(1-δ)^smOr Σ_{m = 0} ^tv_m(1-δ)^umIf the number of integer arithmetic operations required to calculate a linear operator is less than the order of the logarithmic polynomial of the degree of the polynomial, then other linear operators are used. It is good as well.
[0091]
Next, a third embodiment of the present invention will be described.
Here, the outline of this embodiment will be described first, and then the details of this embodiment will be described.
FIG. 12 is a diagram for explaining the outline of the security system 100 according to the present embodiment.
As illustrated in FIG. 12, the security system 100 includes security devices 101 and 102, and the digital signature generated by the security device 101 is verified by the security device 102.
[0092]
In the case of this example, the security device 101 includes a first parameter setting unit 101a that sets a first number of parameters configured by a set of a first integer parameter and a second integer parameter, a third parameter A second parameter setting means 101b for setting a second number of parameters configured by a set of an integer parameter and a fourth integer parameter, and a first integer parameter s_mAnd the second integer parameter is q_mWhere Σ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), where r is the first number,_{m = 0} ^rq_m(1-δ)^smLinear action calculation means 101c and 101d for causing
[0093]
Further, as in the first embodiment, in this example, the linear action computing means 101c sets the predetermined polynomial as a (x), the degree of the polynomial as deg a (x), and the first integer parameter. S_mAnd the second integer parameter is q_mAnd the first number is r, ∂ is the differential operator, and an ideal is the result of the operation of the polynomial obtained by adding an arbitrary integer value to the integer coefficient polynomial variable performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is a means for calculating. This also applies to the linear action computing unit 101d.
[0094]
In the security system 100 according to the present embodiment, when a digital signature and verification thereof are performed, for example, the security device 101 first has a common polynomial a (x) that is a polynomial of integer coefficients common to the security device 102 and the security device 102. G (x) is generated, and the parameter setting means 101a generates r integer sets (s, q), specifically s = (s₁, s₂,…, S_r) And q = (q₁, q₂,…, Q_r) Is set.
Thereafter, for example, in the linear action computing means 101c, the linear operator Σ is applied to the common polynomial a (x)._{m = 0} ^rq_m(1-δ)^smSpecifically, for example, in the linear action calculating means 51b, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated. This common polynomial a (x) has a linear operator Σ_{m = 0} ^rq_m(1-δ)^smThat is, that is, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI calculation result b (x) is, for example, in a state where r, s, q (secret key) are kept secret on the security device 101 side where these integer parameters are set. It is transmitted to the security device 102 as a public key.
[0095]
Next, for example, the security device 101 uses the parameter setting unit 101b to set t integer sets (u, v), specifically u = (u₁, u₂, ..., u_t) And v = (v₁, v₂, ..., v_t) And the linear operator Σ for the common polynomial a (x)_{m = 0} ^tv_m(1-δ)^umAct. In the case of this example, specifically, for example, in the linear action calculation unit 101d, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated, and the calculation result c (x) is calculated. Further, the security device 101 uses the set r integer sets (s, q), t integer sets (u, v), and the polynomial c (x), and Σ_{m = 0} ^tv_mx^um+ Σ_{m = 0} ^rq_mx^smThe calculation of H (M, c (x)) is performed, and the calculation result d (x) is calculated. Here, M means a message to be signed, and H means a hash function having a value in a polynomial commonly used in the security devices 101 and 102. The polynomials c (x) and d (x) generated in this way are transmitted to the security device 102 as a polynomial pair (c (x), d (x)), which functions as a signature. At this time, r integer sets (s, q) and t integer sets (u, v) are kept secret on the security device 101 side, and these parameters r, s, q, u, v are It is not open to the public.
[0096]
On the other hand, the polynomial pair (S₁, S₂) Is transmitted to the security device 102 as to whether or not this signature is valid, that is, S₁= c (x) and S₂Verify whether = d (x) is satisfied. In order to perform this verification, the security device 102 generates a common polynomial a (x) that is a polynomial of integer coefficients common to the security device 102, and g (x) that is a polynomial common to the security device 102, and V ( x) = S₂(1-δ) a (x) -H (M, S₁(x)) (1-δ) b (x) -S₁(x) Calculate modI. If this signature is valid, S₁= c (x) and S₂= d (x), V (x) = d (x) (1-δ) a (x) -H (M, c (x)) (1-δ) b (x)- c (x) = (Σ_{m = 0} ^tv_mx^um+ Σ_{m = 0} ^rq_mx^smH (M, c (x))) (1-δ) a (x) -H (M, c (x)) (1-δ) b (x) -c (x) = (Σ_{m = 0} ^tv_m(1-δ)^um+ Σ_{m = 0} ^rq_m(1-δ)^smH (M, c (x)) (1-δ)) a (x) -H (M, c (x)) (1-δ) b (x) -c (x) From the definition of b (x) and c (x), V (x) = Σ_{m = 0} ^tv_m(1-δ)^uma (x) + Σ_{m = 0} ^rq_m(1-δ)^smH (M, c (x)) (1-δ) a (x) -H (M, c (x)) (1-δ) Σ_{m = 0} ^rq_m(1-δ)^sma (x) -Σ_{m = 0} ^tv_m(1-δ)^uma (x) = 0 holds. Therefore, it can be determined from the calculation result that V (x) = 0 that the signature is valid. In this case, the security device 102 outputs that the signature is valid. On the other hand, as described above, d (x) = Σ_{m = 0} ^tv_mx^um+ Σ_{m = 0} ^rq_mx^smSince the parameters r, s, q, u, v constituting H (M, c (x)) are kept secret on the security device 101 side, these parameters r, s, q, u, v cannot be selected properly, the result is S₂= d (x) and V (x) = 0. Therefore, based on the calculation result that V (x) = 0 does not hold, the security device 102 can determine that the verified signature is invalid. In this case, the security device 102 indicates that the signature is invalid. Output.
[0097]
Here, the number of four arithmetic operations required for the polynomial operation performed in the linear action calculating means 101c and 101d described above is the secret parameter (r, s, k, t, u, v) as indicated by the above-described arithmetic expression. It does not depend on the size of Therefore, even when the size of the secret parameter (r, s, k, t, u, v) is increased, the number of arithmetic operations performed by the security device 101 at the time of public key generation and signature generation is As a result, the convenience is greatly improved as compared with the digital signature scheme that applies the difficulty of the conventional discrete logarithm problem, in which the amount of calculation increases depending on the size of the secret parameter.
[0098]
Next, details of this embodiment will be described.
FIG. 13 is a diagram illustrating the overall configuration of the security system 110 according to this embodiment.
As illustrated in FIG. 13, the security system 110 includes, for example, a security device 120 that performs a digital signature, a security device 130 that verifies the digital signature, and a network 140 that connects the security devices 120 and 130 so that they can communicate with each other. The security devices 120 and 130 are electrically connected by wire or wireless so that they can exchange information with each other via the network 140, or are in a connectable state. The details of the overall configuration are the same as those described in the first embodiment, for example, and the hardware configuration of the security devices 120 and 130 is, for example, the security in the first embodiment. The hardware configuration of the devices 20 and 30 (FIG. 3) is the same.
[0099]
FIG. 14 exemplifies the processing function of the security device 120 constructed by specific means in which the hardware and software cooperate by executing a predetermined program (software) in the hardware illustrated in FIG. 3. It is a functional block diagram.
As illustrated in FIG. 14, the security device 120 of this example sets a first number set of parameters configured by a set of a first integer parameter and a second integer parameter, and sets a third integer. A parameter setting means 121 for setting a second number of parameters configured by a set of a parameter and a fourth integer parameter, and a common polynomial of integer coefficients shared with a communication partner is a (x), and a common polynomial Deg a (x) and the first integer parameter is s_mAnd the second integer parameter is q_mAnd the first number is r, ∂ is the differential operator, and an ideal is the result of the operation of the polynomial obtained by adding an arbitrary integer value to the integer coefficient polynomial variable performed on the ideal. Again, when the ideal set that is the set that is the ideal is I, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI operation to generate the first operation result, and the first operation result generated by the linear operation operation unit 122 is disclosed as a public key. Public key public means 123, signature generation means 124 for generating a signature, polynomial pair transmission means 125 for transmitting the generated polynomial pair to a communication partner, and a common polynomial generation for generating a common polynomial of integer coefficients shared with the security device 130 Means 126, information storage means 127 for storing various information, and control means 128 for controlling the entire security device 120 are provided as processing functions.
[0100]
In this example, the parameter setting unit 121 uses a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1, to generate pseudo-random numbers. Means 121a and pseudo random numbers generated by the pseudo random number generator 121a have integer value arithmetic means 121b that generates a predetermined integer value. The linear action arithmetic means 122 performs integer arithmetic to perform integer arithmetic. Means 122a, polynomial addition means 122b for performing addition of polynomials, and polynomial differentiation means 122c for performing differentiation of polynomials. The signature generation means 124 sets the common polynomial to a (x), sets the degree of the common polynomial to deg a (x), and sets the third integer parameter to u._mAnd the fourth integer parameter is v_m, Where the second number is t, ∂ is the differential operator, and the ideal set is I._{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI operation to generate a second operation result, a linear action operation unit 124a, a hash function operation unit 124b to perform a hash function H operation in common with the security device 130, and S the first integer parameter_mAnd the second integer parameter is q_m, The first number is r, and the third integer parameter is u_mAnd the fourth integer parameter is v_mΣ in the case where t is the second number, H is the hash function shared with the communication partner, M is the plaintext, and c (x) is the second operation result._{m = 0} ^tv_mx^um+ Σ_{m = 0} ^rq_mx^smIt has a polynomial pair generation means 124c that performs an operation of H (M, c (x)) and generates a polynomial pair (c (x), d (x)) when the operation result is d (x). ing. In the example of the third embodiment, the hash function H calculated by the hash function calculating unit 124b is, for example, {0, 1}^*× Z (x) / I₁→ This function performs Z (x) calculation. Further, the linear action calculation unit 124a includes an integer calculation unit 124aa that performs integer calculation, a polynomial addition unit 124ab that performs addition operation of polynomials, and a polynomial differentiation unit 124ac that performs differential operation of polynomials.
[0101]
Further, as illustrated in FIG. 14, the parameter setting unit 121, the linear action calculation unit 122, the public key disclosure unit 123, the signature generation unit 124, the polynomial pair transmission unit 125, the common polynomial generation unit 126, and the information storage unit 127 are The public key disclosure unit 123 and the polynomial pair transmission unit 125 are configured to provide information to the network 140. The public key disclosure unit 123 and the polynomial pair transmission unit 125 are configured to be capable of providing information to the control unit 128 and acquiring information from the control unit 128. Is configured to be possible.
FIG. 15 illustrates the processing function of the security device 130 constructed by specific means in which the hardware and software cooperate by causing a predetermined program (software) to be executed in the hardware illustrated in FIG. 3. It is a functional block diagram.
[0102]
As illustrated in FIG. 15, the security device 130 of this example receives a public key acquisition unit 131 that receives a public key disclosed by a communication partner, and a polynomial pair that includes a first polynomial and a second polynomial. The polynomial pair acquisition means 132 for performing the processing, the common polynomial of the integer coefficients shared with the communication partner is a (x), the public key is b (x), and the first polynomial is S₁And the second polynomial in the previous term is S₂H is a hash function having a value in a polynomial shared with the communication partner, H is a plaintext, and δ is a polynomial g (x) -g (x-1) for any polynomial g (x) An ideal set that is an ideal that is obtained by adding an arbitrary integer value to a variable of an integer coefficient polynomial performed on the ideal. Where S is I₂(1-δ) a (x) -H (M, S₁(x)) (1-δ) b (x) -S₁(x) modI operation is performed, and when the operation result is 0, the signature is output to be valid, and when the operation result is not 0, the signature is invalid A signature verification unit 133 that outputs a message, a common polynomial generation unit 134 that generates a common polynomial shared with the security device 120, a storage unit 135 that stores various types of information, and a control unit 136 that controls the entire security device 130. It has a processing function. In this example, the signature verification means 133 is a hash common to the integer arithmetic means 133 a that performs integer arithmetic, the polynomial addition means 133 b that performs polynomial addition arithmetic, the polynomial differentiation means 133 c that performs polynomial differential arithmetic, and the security device 120. A hash function calculation unit 133d for calculating the function H and a polynomial comparison unit 133e for comparing polynomials are provided.
[0103]
Also, as illustrated in FIG. 15, the public key acquisition unit 131, the polynomial pair acquisition unit 132, the signature verification unit 133, the common polynomial generation unit 134, and the storage unit 135 provide information to the control unit 136 and control unit The public key acquisition unit 131 and the polynomial pair acquisition unit 132 are configured to be able to acquire information from the network 140.
Next, processing operations of the security system 110 and the security devices 120 and 130 in this embodiment will be described.
[0104]
FIG. 16 is a flowchart for explaining an example of processing operations of the security system 110 and the security devices 120 and 130 in this embodiment. The solid-line arrows in this flowchart exemplify a series of processing flows in the entire security system 110, and the broken-line arrows indicate a series of processing flows in the entire security system 110 and the security devices 120 and 130, respectively. FIG. 9 illustrates an example of the flow of processing in the security devices 120 and 130 alone with respect to portions where the processing flow differs. Here, for ease of explanation, the processing operation will be described along the processing flow as shown in FIG. 16 for the sake of convenience. However, the security devices 120 and 130 are each in an order different from the flow of this flowchart. Processing may be performed, or the security devices 120 and 130 may perform each processing simultaneously in parallel.
[0105]
Hereinafter, description will be given along this flowchart.
Step S40:
In this step, the security device 120 sets common polynomials a (x) and g (x) of integer coefficients.
The common polynomials a (x) and g (x) are set by, for example, the common polynomial generation unit 126 of the security device 120. The common polynomials a (x) and g (x) are set so that the set common polynomials a (x) and g (x) are the same as the common polynomial set by the security device 130. Is called. Specifically, for example, a common polynomial a (x) shared by the security devices 120 and 130 by performing a predetermined hash operation using a hash function commonly held by the security devices 120 and 130, Generate g (x).
Information for specifying the common polynomials a (x) and g (x) set in this way is sent to the control means 128, for example, and the control means 128 sends the common polynomials a (x) and g Information for specifying (x) is sent to the storage means 127. Information for specifying the common polynomials a (x) and g (x) sent to the storage unit 127 is recorded in the storage unit 127, for example.
[0106]
Step S41:
In this step, the security apparatus 130 sets common polynomials a (x) and g (x) of integer coefficients.
The setting of the common polynomials a (x) and g (x) is performed by, for example, the common polynomial generation unit 134 of the security device 130. The common polynomials a (x) and g (x) are set so that the set common polynomials a (x) and g (x) are the same as the common polynomial set in the security device 120. Is called. Specifically, for example, a common polynomial a (x) shared by the security devices 120 and 130 by performing a predetermined hash operation using a hash function commonly held by the security devices 120 and 130, Generate g (x).
Information for specifying the common polynomials a (x) and g (x) set in this way is sent to the control means 136, for example, and the control means 136 sends the common polynomials a (x) and g sent thereto. Information for specifying (x) is sent to the storage means 135. Information for specifying the common polynomials a (x) and g (x) sent to the storage unit 135 is recorded in the storage unit 135, for example.
[0107]
Step S42:
In this step, the security device 120 sets r integer sets (s, q).
The setting of r integer sets (s, q) is performed by the parameter setting means 121 of the security device 120, for example. Specifically, for example, first, pseudo-random number generation means 121a generates pseudo-random numbers using a pseudo-random number generation algorithm based on the computational complexity theory configured using a one-way hash function such as SHA-1. Next, in the integer value calculation means 121b, this pseudo random number is processed into a predetermined number of digits, and further, a predetermined value is subtracted, etc., so that a predetermined r number of integer sets (s, q), that is, , S = (s₁, s₂,…, S_r) And q = (q₁, q₂,…, Q_r) And set.
The information for specifying the set r integer sets (s, q) is sent to the control means 128, for example, and the control means 128 specifies the sent r integer sets (s, q). Information to be sent to the linear action calculation means 122 and the storage means 127. Information for specifying r integer sets (s, q) sent to the storage means 127 is stored in the storage means 127 and sent to the linear action calculation means 122, for example. , q) is used for the process of step S43.
[0108]
Step S43:
In this step, the security device 120 calculates a polynomial.
The calculation of the polynomial in this step is performed, for example, in the linear action calculation means 122 of the security device 120. When performing this polynomial operation, for example, first, the control unit 128 reads information for specifying the common polynomials a (x) and g (x) stored in the storage unit 127 in step S40, and stores the information. This is sent to the linear action calculation means 122. The linear action computing means 122 to which this information has been sent calculates Σ to the common polynomial a (x) by computing using this information and the information sent in the process of step S42._{m = 0} ^rq_m(1-δ)^sm(Note that, as described above, δ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x)). In this example, this common polynomial a (x)_{m = 0} ^rq_m(1-δ)^smAs a specific calculation method for operating the linear action calculation means 122, the integer calculation means 122a, the polynomial addition means 122b, and the polynomial differentiation means 122c are used, and b (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated. Information for specifying the polynomial b (x) indicating the result of such calculation is sent to, for example, the control means 128, and the control means 128 uses information for specifying the sent polynomial b (x). To the public key disclosing means 123. When this information is sent to the public key disclosing means 123, the process proceeds to step S44.
[0109]
Step S44:
In this step, the security device 120 discloses the calculation result polynomial b (x) as a public key.
The disclosure of the polynomial b (x) is performed by, for example, the public key disclosure unit 123 of the security device 120. At this time, the r integer sets (s, q) are not disclosed, and the r integer sets ( s, q) is kept secret on the security device 120 side. Specifically, for example, information for specifying this polynomial b (x) and information for specifying r integer sets (s, q) in an email addressed to the security device 130 from the security device 120 The information for specifying this polynomial b (x) is specified on the Internet homepage that can be viewed by the security device 130 without disclosure, and r integer sets (s, q) are specified. For uploading without disclosing information.
When the polynomial b (x) is disclosed in this manner, the process proceeds to step S45.
[0110]
Step S45:
In this step, the security apparatus 130 receives the polynomial b (x). The reception of the polynomial b (x) is performed by, for example, the public key acquisition unit 131 of the security device 130. Specifically, for example, the security device 130 accesses a mail server on the Internet and receives an e-mail addressed to the security device 130 sent from the security device 120 or specifies the polynomial b (x). For example, by accessing a homepage on the Internet on which information for uploading is uploaded.
The information for specifying the polynomial b (x) received in this way is sent to the control means 136, for example, and the control means 136 stores the information for specifying the sent polynomial b (x). Send to 135. Information for specifying the polynomial b (x) sent to the storage unit 135 is stored in the storage unit 135, for example.
[0111]
Step S46:
In this step, the security device 120 sets t integer groups (u, v).
The setting of t integer sets (u, v) is performed, for example, by the parameter setting means 121 of the security device 120 in the same manner as in step S42, whereby predetermined t integer sets (u, v) are set. ), That is, u = (u₁, u₂, ..., u_t) And v = (v₁, v₂, ..., v_t) And set.
The information for specifying the set t integer sets (u, v) is sent to the control means 128, for example, and the control means 128 specifies the sent t integer sets (u, v). Information to be sent is sent to the signature generation means 124 and the storage means 127. The information for specifying t integer sets (u, v) sent to the storage means 127 is stored in the storage means 127 and sent to the signature generation means 124, for example, t integer sets (u, v). The information for specifying v) is used for the process of step S47.
[0112]
Step S47:
In this step, the security device 120 calculates a polynomial.
The calculation of the polynomial in this step is performed, for example, in the linear action calculation unit 124a of the signature generation unit 124. When performing this polynomial operation, for example, first, the control unit 128 reads information for specifying the common polynomials a (x) and g (x) stored in the storage unit 127 in step S40, and stores the information. It is sent to the linear action calculation means 124a of the signature generation means 124. The linear action computing means 124a to which this information has been sent calculates Σ to the common polynomial a (x) by computing using this information and the information sent in the process of step S46._{m = 0} ^tv_m(1-δ)^umPerform the process to act. In this example, this common polynomial a (x)_{m = 0} ^rv_m(1-δ)^umAs a specific calculation method for operating the linear action calculation means 124a, the integer calculation means 124aa, the polynomial addition means 124ab, and the polynomial differentiation means 124ac are used, and c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated.
Information for specifying the polynomial c (x) indicating the result of such calculation is sent to the control means 128, for example, and the control means 128 uses the information for specifying the sent polynomial c (x). And stored in the storage means 127. When this information is stored in the storage means 127, the process proceeds to step S48.
[0113]
Step S48:
In this step, the security device 120 generates a polynomial pair. The generation of the polynomial pair in this step is performed in, for example, the hash function calculation unit 124b and the polynomial pair generation unit 124c of the signature generation unit 124. When generating this polynomial pair, for example, first, the control unit 128 extracts information for specifying the polynomial c (x) from the storage unit 127, and sends the extracted information to the signature generation unit 124. When information for specifying the polynomial c (x) is sent to the signature generation means 124, for example, the hash function calculation means 124b then has a value in the polynomial for the message M and the polynomial c (x) for signing. The hash function H is applied (H (M, c (x)). After that, for example, r integer sets (s, q) and t pieces stored in the storage means 127 in the processing of steps S42 and S46. The integer pair (u, v) is extracted by the control means 128 and sent to the polynomial pair generation means of the signature generation means 124. The polynomial pair generation means 124c to which these pieces of information have been sent includes these information, the hash Using the calculation result (H (M, c (x))) of the function calculation means 124b, Σ_{m = 0} ^tv_mx^um+ Σ_{m = 0} ^rq_mx^smThe calculation of H (M, c (x)) is performed, and the calculation result d (x) is calculated.
The polynomials c (x) and d (x) generated as described above are sent to the control means 128 as polynomial pairs (c (x), d (x)), and the control means 128 sends the polynomial pairs ( c (x), d (x)) are sent to the polynomial pair transmission means 125. When the polynomial pair (c (x), d (x)) is sent to the polynomial pair transmission means 125, the process proceeds to step S49.
[0114]
Step S49:
In this step, the security device 120 transmits the polynomial pair (c (x), d (x)).
Transmission of the polynomial pair (c (x), d (x)) in this step is performed, for example, by the polynomial pair transmission means 125. At this time, r integer sets (s, q) and t integers are transmitted. The set (u, v) is kept secret on the security device 101 side, and these parameters r, s, q, u, v are not disclosed. Specifically, for example, information for identifying this polynomial pair (c (x), d (x)) is sent from the security device 120 to the email addressed to the security device 130 using parameters r, s, q, u , v for specifying the polynomial pair (c (x), d (x)) on the homepage on the Internet that can be presented without disclosing information for specifying the security device 130 This is done by uploading information without disclosing information for specifying parameters r, s, q, u, v. When transmission of the polynomial pair (c (x), d (x)) is performed in this way, the process proceeds to step S50.
[0115]
Step S50:
In this step, the security device 130 receives the polynomial pair (c (x), d (x)).
The reception of the polynomial pair (c (x), d (x)) is performed by the polynomial pair acquisition unit 132 of the security device 130, for example. Specifically, for example, the security device 130 accesses a mail server on the Internet and receives an email addressed to the security device 130 sent from the security device 120, or a polynomial pair (c (x), This is done by accessing a homepage on the Internet where information for specifying d (x)) is uploaded.
The polynomial pair (c (x), d (x)) received by the polynomial pair acquisition unit 132 is sent to the signature verification unit 133, for example, and used for the next step S51.
[0116]
Step S51:
In this step, the security device 130 verifies the signature.
The signature verification in this step is performed by, for example, the signature verification apparatus 133. For example, the signature is a polynomial pair (S₁, S₂) Is transmitted to the security device 130, first, the control means 136 causes the common polynomials a (x), g (x) and polynomial b (x) stored in the storage means 135 by the processing of steps S41 and S45. And the extracted information is sent to the signature verification means 133. The signature verification means 133 to which these pieces of information are sent next uses, for example, an integer calculation means 133a, a polynomial addition means 133b, a polynomial differentiation means and a hash function calculation means 133d, and V (x) = S₂(1-δ) a (x) -H (M, S₁(x)) (1-δ) b (x) -S₁(x) modI is calculated and the calculation result is sent to the polynomial comparison means 133e. As described above, the polynomial comparison means 133e to which the calculation result is sent determines that the signature is valid when the calculation result is V (x) = 0, and indicates that the signature is valid. If the calculation result is not V (x) = 0, it is determined that the signature is invalid, and output indicating that the signature is invalid.
[0117]
As described above, in the example of the present embodiment, the parameter setting unit 121 includes a first number of parameters (r integer groups (s, q), t integer sets (u, v)) are set, and in the linear action computing means 122, 124a, for the set (a (x)), Σ_{m = 0} ^rq_m(1-δ)^smOr Σ_{m = 0} ^tv_m(1-δ)^umEven if the size of the secret parameters (r, s, k, t, u, v) is increased, the four rules performed by the security device 120 at the time of public key generation and signature generation The number of operations does not increase, and as a result, the convenience is greatly improved compared to the digital signature method that applies the difficulty of the conventional discrete logarithm problem, which increases the amount of calculation depending on the size of the secret parameter. .
[0118]
In the example of the present embodiment, the generation of the public key and the generation of the signature are performed by operating a linear operator having many secret parameters (r, s, k, t, u, v). Sufficient security against signatures by the three parties can be secured.
Furthermore, in the example of the present embodiment, b (x) = Σ in the linear action calculation means 122 and 124a._{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI, c (x) = Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated, so even when the size of the secret parameters (r, s, k, t, u, v) is increased, the signature is At the time of generation, the number of four arithmetic operations performed by the security device 120 does not increase, and as a result, a digital signature that applies the difficulty of the conventional discrete logarithm problem in which the amount of calculation increases depending on the size of the secret parameter Compared with the method, the convenience is greatly improved.
[0119]
Further, in the security device 120 in the example of the present embodiment, the linear action calculation unit 122 performs Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^r(q_ms_m ⁿ∂ⁿa (x) / n!) modI is calculated to generate a first calculation result b (x). In the public key disclosure unit 123, the calculation result b (x generated by the linear action calculation unit 122 is generated. ) As a public key, and in the linear action calculation means 124a, Σ_{n = 0} ^{deg a (x)}Σ_{m = 0} ^t(v_mu_m ⁿ∂ⁿa (x) / n!) modI is calculated to generate a second calculation result c (x). In the polynomial pair generation unit 124c, Σ_{m = 0} ^tv_mx^um+ Σ_{m = 0} ^rq_mx^smH (M, c (x)) is calculated to generate a polynomial pair (c (x), d (x)), and the polynomial pair transmission unit 125 transmits the generated polynomial pair to the security device 130. Therefore, even when the size of the secret parameters (r, s, k, t, u, v) is increased, the four arithmetic operations performed by the security device 120 at the time of public key generation and signature generation The number of times does not increase, and as a result, the convenience is greatly improved as compared with the digital signature scheme that applies the difficulty of the conventional discrete logarithm problem in which the calculation amount increases depending on the size of the secret parameter.
[0120]
Further, in the security device 130 according to the present embodiment, the public key acquisition unit 131 receives the polynomial b (x) that is the public key released by the security device 120, and the polynomial pair acquisition unit 132 receives the first polynomial and the first polynomial. A polynomial pair consisting of two polynomials (S₁, S₂) And the signature verification means 133 receives S₂(1-δ) a (x) -H (M, S₁(x)) (1-δ) b (x) -S₁(x) modI operation is performed, and if the operation result is 0, the signature is output to be valid, and if the operation result is not 0, the signature is invalid In the security device 120, even when the size of the secret parameter (r, s, k, t, u, v) is increased, the public key is generated and the signature is generated. The number of four arithmetic operations performed by the security device 120 does not increase, and as a result, compared with a digital signature method that applies the difficulty of the conventional discrete logarithm problem in which the amount of calculation increases depending on the size of the secret parameter. , Greatly improve convenience.
[0121]
Further, in the example of this embodiment, r integer sets (s, q) and t integer sets (u, v) are kept secret on the security device 120 side, so that the security of the signature is ensured. .
Further, in the example of the present embodiment, r integer sets (s, q) and t integer sets (u, v) are generated using the random numbers generated by the pseudo-random number generator 121a of the security device 120. Therefore, the maintainability of r integer sets (s, q) and t integer sets (u, v) is improved, and as a result, the security for the signature is improved.
The present invention is not limited to the embodiment described above. For example, in the present embodiment, the security devices 120 and 130 in the present embodiment are configured by causing a computer to execute a predetermined program. However, at least a part of these processing contents is implemented in hardware by an electronic circuit. It may be realized.
[0122]
Further, in this embodiment, the linear operator Σ for the a (x), b (x) or c (x) in the linear operator calculation means 122, 124a._{m = 0} ^rq_m(1-δ)^smOr Σ_{m = 0} ^tv_m(1-δ)^umIf the number of integer arithmetic operations required to calculate a linear operator is less than the order of the logarithmic polynomial of the degree of the polynomial, then other linear operators are used. It is good as well.
Furthermore, as described above, the processing functions in the first embodiment, the second embodiment, and the third embodiment can be realized by a computer. In this case, the processing contents of the functions that the security devices 1, 2, 20, 30, 51, 52, 70, 80, 101, 102, 120, and 130 should have are described by a program (security program). By executing the above, the above processing functions can be realized on a computer.
[0123]
The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory. Specifically, for example, the magnetic recording device may be a hard disk device or a flexible Discs, magnetic tapes, etc. as optical discs, DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), etc. An MO (Magneto-Optical disc) or the like can be used as the magneto-optical recording medium.
[0124]
The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage device. When executing the process, the computer reads the program stored in its own recording medium and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good.
[0125]
【The invention's effect】
As described above, in the present invention, a first number of parameters configured by a set of a first integer parameter and a second integer parameter are set, and the first integer parameter is set to s for the set._mAnd the second integer parameter is q_mWhere Σ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), where r is the first number,_{m = 0} ^rq_m(1-δ)^smFor example, even when the secret parameter value is increased, the amount of calculation at the time of key distribution, encryption / decryption, signature generation / verification does not increase, and the conventional discrete logarithm problem Compared with the digital signature method that applies the above difficulties, the convenience is greatly improved.
[Brief description of the drawings]
FIG. 1 is a diagram for explaining an outline of a security system.
FIG. 2 is a diagram illustrating the overall configuration of a security system.
FIG. 3 is a block diagram illustrating a hardware configuration of a security device.
FIG. 4 is a functional block diagram illustrating processing functions of the security device.
FIG. 5 is a functional block diagram illustrating processing functions of the security device.
FIG. 6 is a flowchart for explaining an example of processing operations of the security system and the security device.
FIG. 7 is a diagram for explaining the outline of a security system.
FIG. 8 is a diagram illustrating the overall configuration of a security system.
FIG. 9 is a functional block diagram illustrating processing functions of the security device.
FIG. 10 is a functional block diagram illustrating processing functions of the security device.
FIG. 11 is a flowchart for explaining an example of processing operations of the security system and the security device.
FIG. 12 is a diagram for explaining the outline of a security system.
FIG. 13 is a diagram illustrating the overall configuration of a security system.
FIG. 14 is a functional block diagram illustrating processing functions of the security device.
FIG. 15 is a functional block diagram illustrating processing functions of the security device.
FIG. 16 is a flowchart for explaining an example of processing operations of the security system and the security device;
[Explanation of symbols]
1, 10, 50, 60, 100, 110 Security system
2, 3, 20, 30, 51, 52, 70, 80, 101, 102, 120, 130 Security device

Claims (14)

In a security device that shares a common key k (x) with a communication partner ,
First parameter setting means configured to set a first number of parameters, each of which is constituted by a set of a first integer parameter and a second integer parameter;
Common polynomial of integer coefficients that are shared with the communication partner and a (x), the order of the common polynomial with deg a (x), the first integer parameter and s _m, the second integer parameter q _m , the first number is r, ∂ is a differential operator, and an ideal is an arithmetic operation of the polynomial obtained by adding a variable of an integer coefficient polynomial to the ideal by an arbitrary integer value. The result is again that Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^r (q _m s _m ⁿ ∂ ⁿ a (x) / n! ) first linear action calculation means for generating a first calculation result by performing a calculation of modI;
Calculation result disclosure means for transmitting the generated first calculation result to the communication partner;
Calculation result acquisition means for receiving a second calculation result calculated by the communication partner;
Said second operation result received by the calculation result acquisition means as c (x), the order of the second operation result c (x) and deg c (x), the first integer parameter s _m , the second integer parameter is q _m , the first number is r, ∂ is a differential operator, and the ideal set is I. Σ _{n = 0} ^{deg c (x)} Σ _{m ^{= 0 r (q m s m}} n ∂ n c (x) / n!) have line calculation of MODI, and a second linear acting operating means for outputting the operation result the common key k (x),
Security device further comprising a. First parameter setting means configured to set a first number of parameters, each of which is constituted by a set of a first integer parameter and a second integer parameter;
Common polynomial of integer coefficients that are shared with the communication partner and a (x), the order of the common polynomial with deg a (x), the first integer parameter and s _m, the second integer parameter q _m , the first number is r, ∂ is a differential operator, and an ideal is an arithmetic operation of the polynomial obtained by adding a variable of an integer coefficient polynomial to the ideal by an arbitrary integer value. The result is again that Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^r (q _m s _m ⁿ ∂ ⁿ a (x) / n! ) first linear action calculation means for generating a first calculation result by performing a calculation of modI;
Public key disclosure means for transmitting the generated first calculation result as a public key;
Ciphertext acquisition means for receiving the second calculation result calculated by the communication partner and the ciphertext;
Said second operation result received by the ciphertext acquisition unit and c (x), the order of the second operation results and deg c (x), the first integer parameter and s _m, the When a second integer parameter is q _m , the first number is r, ∂ is a differential operator, and the ideal set is I, Σ _{n = 0} ^{deg c (x)} Σ _{m = 0} ^r ( q _m s _m ⁿ ∂ ⁿ c (x) / n!) modI to perform a second linear action operation means for generating a third operation result;
An exclusive OR operation means for calculating an exclusive OR of the generated third operation result and the ciphertext;
Security device further comprising a. First parameter setting means configured to set a first number of parameters, each of which is constituted by a set of a first integer parameter and a second integer parameter;
Public key acquisition means for receiving, as a public key, a first calculation result disclosed by a communication partner;
The first calculation result received by the public key acquisition means is b (x), the degree of the first calculation result is deg b (x), the first integer parameter is u _m , The second integer parameter is v _m , the first number is t, ∂ is a differential operator, and an ideal is a variable of an integer coefficient polynomial performed on the ideal with an arbitrary integer value. When the ideal set that is the set that becomes the ideal is again I, the calculation result of the polynomial summed only by Σ _{n = 0} ^{deg b (x)} Σ _{m = 0} ^t (v _m u _m ⁿ ∂ ⁿ b (x) / n!) modI, a first linear action calculation means for generating a second calculation result,
An exclusive OR operation means for calculating, as ciphertext, an exclusive OR of the generated second operation result and plaintext as communication content;
The common polynomial of integer coefficients shared with the communication partner is a (x), the degree of the common polynomial is deg a (x), the first integer parameter is u _m, and the second integer parameter is v Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^t (v _m u _m ⁿ ∂ ^{n where} _m is the first number, t is the differential operator, and the ideal set is I a (x) / n!) modI, a second linear action calculation means for generating a third calculation result by performing a calculation of modI;
Ciphertext disclosing means for disclosing the ciphertext calculated by the exclusive OR operation means and the third operation result generated by the second linear action operation means;
Security device further comprising a. First parameter setting means configured to set a first number of parameters, each of which is constituted by a set of a first integer parameter and a second integer parameter;
Common polynomial of integer coefficients that are shared with the communication partner and a (x), the order of the common polynomial with deg a (x), the first integer parameter and s _m, the second integer parameter q _m , the first number is r, ∂ is a differential operator, and an ideal is an arithmetic operation of the polynomial obtained by adding a variable of an integer coefficient polynomial to the ideal by an arbitrary integer value. The result is again that Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^r (q _m s _m ⁿ ∂ ⁿ a (x) / n! ) first linear action calculation means for generating a first calculation result by performing a calculation of modI;
Public key disclosure means for transmitting the first calculation result generated by the first linear action calculation means as a public key;
A second parameter setting means configured to set a second number of parameters configured by a set of a third integer parameter and a fourth integer parameter;
The common polynomial is a (x), the degree of the common polynomial is deg a (x), the third integer parameter is u _m , the fourth integer parameter is v _m, and the second number T _{n = 0} ^{deg a (x)} Σ _{m = 0} ^t (v _m u _m ⁿ ∂ ⁿ a (x) / n!) a second linear action calculation means for generating a second calculation result by performing a modI calculation;
And the first integer parameter and s _m, the second integer parameter and q _m, the first number and r, the third integer parameter of the u _m, the fourth integer parameters v _m , the second number is t, the hash function having a value in the polynomial shared with the communication partner is H, the plaintext is M, and the second operation result is c (x) Σ _{m = 0} ^t v _m x ^um + Σ _{m = 0} ^r q _m x ^sm H (M, c (x)) is calculated and the result of the calculation is d (x) (c ( x), d (x)) generating polynomial pair,
A polynomial pair transmission means for transmitting the polynomial pair generated by the polynomial pair generation means to the communication partner;
Security device further comprising a. In security devices that verify digital signatures,
A public key acquisition means for receiving a public key disclosed by a communication partner;
A polynomial pair acquisition means for receiving a polynomial pair composed of a first polynomial and a second polynomial;
The common polynomial of integer coefficients shared with the communication partner is a (x), the public key is b (x), the first polynomial is S ₁ , the second polynomial is S ₂ , An operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), where H is a hash function having a value in a polynomial shared with the communication partner, M is a plaintext An ideal set, which is an ideal, and is obtained by adding the integer coefficient polynomial variable added to the ideal by an arbitrary integer value, is the ideal. S ₂ (1-δ) a (x) -H (M, S ₁ (x)) (1-δ) b (x) -S ₁ (x) modI A signature verification means for outputting that the signature is valid if the result is 0, and outputting that the signature is invalid if the calculation result is not 0;
A security device comprising: The ideal set is
An ideal of a ring formed by a polynomial of integer coefficients, where δ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), and degf (x) is f ( x) is a set generated by {f (x), δf (x), δ ² f (x), ..., δ ^{degf (x)} f (x)}
Security device according to claim 1, wherein the 5. The first integer parameter, the second integer parameter, the third integer parameter, and the fourth integer parameter are secret information that is kept secret on the security device side that sets the integer parameter. The security device according to any one of claims 1 to 6 , wherein In a security method for sharing a common key k (x) between a first security device and a second security device using cryptographic technology,
A first parameter setting step in which the first parameter setting means of the first security device sets a first number of parameters configured by a set of a first integer parameter and a second integer parameter. When,
In the first linear operation of the first security device, a common polynomial of integer coefficients shared with the second security device is a (x), the degree of the common polynomial is deg a (x), and The first integer parameter is s _m , the second integer parameter is q _m , the first number is r, ∂ is a differential operator, and an ideal is performed on the ideal, Σ _{n = 0} ^{deg a (x)} Σ _m when the result of the calculation of the polynomial obtained by adding the integer coefficient polynomial variable to the integer is again the ideal set that is the ideal set. _{= 0} ^r (q _m s _m ⁿ ∂ ⁿ a (x) / n!) Mod I, a first linear action calculation step for generating a first calculation result;
A first calculation result that the first calculation result disclosure means of the first security device transmits the first calculation result generated by the first linear action calculation step to the second security device. A disclosure step;
A first calculation result acquisition step in which the first calculation result acquisition means of the first security device receives the second calculation result calculated by the second security device;
Said second linear effect computing unit of the first security device, the second operation result received by said first calculation result acquisition step and c (x), the second operation result c (x the order of) the deg c (x), the first integer parameter and s _m, the second integer parameter and q _m, the first number and r, and differential operator of ∂, the ideal in the case of a set was ^{_{I, Σ n = 0 deg c}} (x) Σ m = 0 r (q m s m n ∂ n c (x) / n!) have line calculation of MODI, the result of the operation A second linear action calculating step for outputting as a common key k (x) ;
A second parameter setting step in which the second parameter setting means of the second security device sets a second number of sets of parameters configured by a set of a third integer parameter and a fourth integer parameter; When,
A third linear action computing means of the second security device, wherein the common polynomial is a (x), the degree of the common polynomial is deg a (x), the third integer parameter is u _m , Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^{t when} the fourth integer parameter is v _m , the second number is t, ∂ is a differential operator, and the ideal set is I (v _m u _m ⁿ ∂ ⁿ a (x) / n!) A third linear action calculation step for generating the second calculation result by calculating modI;
The second operation result disclosure means the second security device, the generated second operation result, a second operation result disclosed sending to the first security device,
A second calculation result acquisition step in which the second calculation result acquisition means of the second security device receives the first calculation result calculated by the first security device;
Said fourth linear effect computing unit of the second security device, said received by the second calculation result acquisition step the first operation result and b (x), the second operation result b (x ) Is deg b (x), the third integer parameter is u _m , the fourth integer parameter is v _m , the second number is t, ∂ is a differential operator, and the ideal in the case of a set was ^{_{I, Σ n = 0 deg b}} (x) Σ m = 0 t (v m u m n ∂ n b (x) / n!) have line calculation of MODI, the result of the operation A fourth linear action calculation step to output as a common key k (x) ;
A security method characterized by comprising: In security methods using cryptography,
In the first security device,
Setting a first number of parameters configured by a set of a first integer parameter and a second integer parameter;
Common polynomial integer coefficients shared with the second security system and a (x), the order of the common polynomial with deg a (x), the first integer parameter and s _m, the second integer The parameter is q _m , the first number is r, ∂ is a differential operator, and an ideal is obtained by adding an integer value to an integer coefficient polynomial variable performed on the ideal. Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^r (q _m s _m ⁿ ∂ ⁿ a (x) where I is the ideal set that is the ideal set again / n!) modI operation generates the first operation result,
Transmitting the generated first calculation result as a public key;
In the second security device,
Setting a second number of parameters configured by a set of a third integer parameter and a fourth integer parameter;
Receiving the first calculation result transmitted by the first security device as a public key;
The received first calculation result is b (x), the order of the first calculation result is deg b (x), the third integer parameter is u _m, and the fourth integer parameter is v Σ _{n = 0} ^{deg b (x)} Σ _{m = 0} ^t (v _m u _m ⁿ ∂ ^{n, where} _m is the second number, t is the differential operator, and the ideal set is I b (x) / n!) The second operation result is generated by performing modI operation.
An exclusive OR of the second calculation result and plaintext as communication contents is calculated as ciphertext,
The common polynomial of integer coefficients shared with the first security device is a (x), the degree of the common polynomial is deg a (x), the third integer parameter is u _m, and the fourth Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^t (v _m u in the case where the integer parameter is v _m , the second number is t, ∂ is a differential operator, and the ideal set is I _m ⁿ ∂ ⁿ a (x) / n!) modI operation generates the third operation result,
Sending the computed ciphertext and the third computation result;
In the first security device,
Receiving the ciphertext computed by the first security device and the third computation result;
Received the third operation results as c (x), the order of the second operation results and deg c (x), the first integer parameter and s _m, the second integer parameter q _m , where the first number is r, ∂ is a differential operator, and the ideal set is I, Σ _{n = 0} ^{deg c (x)} Σ _{m = 0} ^r (q _m s _m ⁿ ∂ ⁿ c (x) / n!) modI operation generates the fourth operation result,
Calculating an exclusive OR of the fourth operation result and the ciphertext;
A security method characterized by the above. In a security method for generating and verifying a digital signature,
In the first security device,
Setting a first number of parameters configured by a set of a first integer parameter and a second integer parameter;
Common polynomial integer coefficients shared with the second security system and a (x), the order of the common polynomial with deg a (x), the first integer parameter and s _m, the second integer The parameter is q _m , the first number is r, ∂ is a differential operator, and an ideal is obtained by adding an integer value to an integer coefficient polynomial variable performed on the ideal. Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^r (q _m s _m ⁿ ∂ ⁿ a (x) where I is the ideal set that is the ideal set again / n!) modI operation generates the first operation result,
Transmitting the generated first calculation result as a public key;
Setting a second number of parameters configured by a set of a third integer parameter and a fourth integer parameter;
The common polynomial is a (x), the degree of the common polynomial is deg a (x), the third integer parameter is u _m , the fourth integer parameter is v _m, and the second number Σ _{n = 0} ^{deg a (x)} Σ _{m = 0} ^t (v _m u _m ⁿ ∂ ⁿ a (x) / n!), Where t is t, ∂ is a differential operator, and the ideal set is I By performing a modI operation, a second operation result is generated,
And the first integer parameter and s _m, the second integer parameter and q _m, the first number and r, the third integer parameter of the u _m, the fourth integer parameters v _m , the second number as t, a hash function having a value in a polynomial shared with the second security device as H, plaintext as M, and the second operation result as c (x) Σ _{m = 0} ^t v _m x ^um + Σ _{m = 0} ^r q _m x ^sm H (M, c (x)) is calculated and the result of the calculation is d (x). (C (x), d (x))
Sending the generated polynomial pair to the second security device;
In the second security device,
Receiving the public key published by the first security device;
Receiving a polynomial pair composed of a first polynomial and a second polynomial;
The common polynomial of integer coefficients shared with the first security device is a (x), the public key is b (x), the first polynomial is S _1, and the second polynomial is S _2. H is a hash function having a value in a polynomial shared with the communication partner, H is a plaintext, and δ is a polynomial g (x) -g (x-1) for an arbitrary polynomial g (x) S ₂ (1-δ) a (x) -H (M, S ₁ (x)) (1-δ) b (x) -S ₁ (where the ideal set is I and the corresponding operator is I x) When modI operation is performed and the operation result is 0, an output indicating that the signature is valid is output. When the operation result is not 0, the signature is invalid. Output,
A digital signature verification apparatus characterized by the above. The ideal set is
An ideal of a ring formed by a polynomial of integer coefficients, where δ is an operator that associates a polynomial g (x) -g (x-1) with an arbitrary polynomial g (x), and degf (x) is f ( x) is a set generated by {f (x), δf (x), δ ² f (x), ..., δ ^{degf (x)} f (x)}
Security method according to claims 8 to any one of 10, wherein. The first number, the first integer parameter, the second integer parameter, the second number, the third integer parameter, and the fourth integer parameter are the security device side on which the integer parameter is set. security method according to any one of claims 8, characterized in that the secret information to be kept secret 11 in. Security program for causing a computer to function as a security device according to any of claims 1 to 7. A computer-readable recording medium on which the program according to claim 13 is recorded.

Images