This application is based upon and claims the benefit of priority from prior Japanese Patent Application No. 2008-010960, filed Jan. 21, 2008, the entire contents of which are incorporated herein by reference.
1. Field of the Invention
The present invention relates to an encryption apparatus, a decryption apparatus, a key generation apparatus, and a program used in a public key encryption system.
2. Description of the Related Art
In a network-based society, people communicate by transmitting many pieces of information, e.g., electronic mail, over the network. In such a network society, public key cryptography is widely used as a technology that protects the confidentiality and authenticity of information.
Typical public key cryptography systems are RSA cryptography and elliptic curve cryptosystems. Since no general decryption method is known for these public key cryptographies, no serious security problems exist, except for the later-explained decryption method using a quantum computer. Other public key cryptographies include knapsack encryption and multivariate encryption. However, since a decryption method exists for knapsack encryption, the security of this encryption has been called into question. To counter this, the key size in multivariate encryption is increased so that the prevailing attacking method can be avoided. However, this encryption has the problem that the key size becomes enormous.
On the other hand, if a quantum computer were to be used, it would be possible to decrypt RSA cryptography and the elliptic curve cryptosystem. Unlike current computers, the quantum computer is a computer that can utilize a physical phenomenon called entanglement in quantum theory to execute a huge number of parallel computations. The quantum computer is an ideal computer at an experimental level, and it has been studied and developed toward realization. In 1994, Shor demonstrated that a quantum computer can efficiently solve factorization into prime factors or the discrete logarithm problem. Therefore, if the quantum computer is realized, it will become possible to decrypt RSA cryptography, which is based on factorization into prime factors, or the elliptic curve cryptosystem, which is based on the discrete logarithm problem on an elliptic curve.
On the other hand, public key cryptography systems that are safe even if a quantum computer is realized have been studied. For example, there is quantum public key cryptography. In quantum public key cryptography, a quantum computer generates a key for a knapsack encryption that is secure in the sense that the key cannot be produced by a current computer. Therefore, in quantum public key cryptography, a secure knapsack encryption that cannot be broken by a quantum computer can be constituted. However, in quantum public key cryptography, a current computer cannot generate the key, and hence this cryptography cannot be utilized in the present day.
On the other hand, the multivariate encryption can be realized even in the present day, and even a quantum computer cannot decrypt this system. However, since the multivariate encryption requires a massive key size, as explained above, the realization of this encryption is questionable.
Further, as compared with a symmetric key cryptography, the public key cryptography has a larger circuit scale and a longer processing time. Therefore, there is a problem that the public key cryptography cannot be realized in a low-power environment, e.g., a mobile terminal, or a waiting time is long even if it is realized. Therefore, public key cryptography that can be realized even in a low-power environment has been demanded.
In general, public key cryptography is constructed so that decrypting an encrypted text without knowing the private key is equivalent to solving a problem that has been found in advance to be difficult to calculate, e.g., the prime factorization problem or the discrete logarithm problem.
However, even if a problem that is difficult to calculate is found, public key cryptography having this problem as its basis for security cannot be readily constituted. This is because, when a problem that is too difficult to calculate is used as the basis for security, generating a key also becomes problematic, and hence the key cannot be produced. On the other hand, when a problem allows easy generation of a key, decryption also becomes easy.
Therefore, in order to constitute public key cryptography, a problem that is difficult to calculate must be found, and the found problem must be remade into a problem having an adequate balance so that a key can be readily generated but cannot be easily decrypted. Such remake of a problem requires high creativity. Actually, remaking a problem is very difficult, and hence only a few public key cryptographies have been proposed.
Under such circumstances, as a public key cryptography system for which there is a possibility that even a quantum computer cannot efficiently perform decryption, and which can perform processing at high speed even in a low-power environment, public key cryptography using an algebraic curve has been proposed (see, e.g., JP-A 2005-331656 (KOKAI)).
The public key cryptography system that uses an algebraic curve is explained below. That is, a private key is determined as two sections corresponding to an algebraic curve X(x,y,t), and a public key is determined as the algebraic curve X(x,y,t). At this time, an encrypted text F=E(m,s,r,f,X) is generated from a plaintext polynomial m(t) by processing of embedding a plaintext m in the plaintext polynomial m(t), processing of randomly generating a one-variable irreducible polynomial f(t) having a degree L, processing of generating randomized polynomials s(x,y,t) and r(x,y,t) having three variables x, y, and t, and processing of calculating the respective polynomials s(x,y,t), r(x,y,t), and f(t) and the definitional equation X(x,y,t). According to this system, the later-explained section finding problem on an algebraic surface is the basis for security, and hence decryption is difficult.
However, in the above-explained public key cryptography using an algebraic surface, both the plaintext polynomial m(t) and the irreducible polynomial f(t) are one-variable polynomials. Therefore, decryption may possibly be performed by an attacker who aggressively utilizes the fact that the secret is hidden in one-variable polynomials, and there is a vulnerability in this sense.
In a first aspect of the present invention, there is provided an encryption apparatus comprising: a plaintext embedding device configured to embed a message m as a coefficient of a plaintext polynomial m(x,y,t) having three variables when encrypting the message m if a fibration X(x,y,t) of an algebraic surface X and k essential polynomials Gj(x,y,t) (where j=1, 2, . . . , k) are public keys and one or more sections corresponding to the fibration X(x,y,t) are private keys; an identification polynomial generation device configured to generate an identification polynomial f(x,y,t) having three variables in such a manner that a degree of a one-variable polynomial obtained when assigning the sections becomes higher than a degree of a one-variable polynomial obtained by assigning the sections to the plaintext polynomial; a polynomial generation device configured to randomly generate three-variable polynomials s1(x,y,t), s2(x,y,t), r1j(x,y,t), r2j(x,y,t), w1j(x,y,t), and w2j(x,y,t); a first encryption device configured to generate k first encrypted texts F1j=E(m,f,s1,Gj,w1j,r1j,X) (where j=1, 2, . . . , k) from the plaintext polynomial m(x,y,t) by processing of executing addition or subtraction using a multiplication result f(x,y,t)s1(x,y,t) of the identification polynomial f(x,y,t) and the polynomial s1(x,y,t), a multiplication result Gj(x,y,t)w1j(x,y,t) of the essential polynomial Gj(x,y,t) and the polynomial w1j(x,y,t), and a multiplication result X(x,y,t)r1j(x,y,t) of the fibration X(x,y,t) and the polynomial r1j(x,y,t); and a second encryption device configured to generate k second encrypted texts F2j=E(m,f,s2,Gj,w2j,r2j,X) from the plaintext polynomial m(x,y,t) by processing of executing addition or subtraction using a multiplication result f(x,y,t)s2(x,y,t) of the identification polynomial f(x,y,t) and the polynomial s2(x,y,t), a multiplication result Gj(x,y,t)w2j(x,y,t) of the essential polynomial Gj(x,y,t) and the polynomial w2j(x,y,t), and a multiplication result X(x,y,t)r2j(x,y,t) of the fibration X(x,y,t) and the polynomial r2j(x,y,t).
In a second aspect of the present invention, there is provided a decryption apparatus comprising: a first input device configured to input k first encrypted texts F1j(x,y,t)=E(m,f,s1,Gj,w1j,r1j,X) (where j=1, 2, . . . , k) generated by processing of executing addition or subtraction using a multiplication result f(x,y,t)s1(x,y,t) of a three-variable identification polynomial f(x,y,t) and a polynomial s1(x,y,t), a multiplication result Gj(x,y,t)w1j(x,y,t) of the essential polynomial Gj(x,y,t) and a polynomial w1j(x,y,t), and a multiplication result X(x,y,t)r1j(x,y,t) of a fibration X(x,y,t) and a polynomial r1j(x,y,t) with respect to a three-variable plaintext polynomial m(x,y,t) in which a message m is embedded as a coefficient thereof in a case of decrypting the message m from the first and second encrypted texts F1j(x,y,t) and F2j(x,y,t) generated by using public keys as the fibration X(x,y,t) and the k essential polynomials Gj(x,y,t) (where j=1, 2, . . . , k) based on a private key as one or more sections corresponding to the fibration X(x,y,t) of an algebraic surface X; a second input device configured to input the k second encrypted texts F2j(x,y,t)=E(m,f,s2,Gj,w2j,r2j,X) (where j=1, 2, . . . , k) generated by processing of executing addition or subtraction using a multiplication result f(x,y,t)s2(x,y,t) of the identification polynomial f(x,y,t) and a polynomial s2(x,y,t), a multiplication result Gj(x,y,t)w2j(x,y,t) of the essential polynomial Gj(x,y,t) and a polynomial w2j(x,y,t), and a multiplication result X(x,y,t)r2j(x,y,t) of the fibration X(x,y,t) and a polynomial r2j(x,y,t) with respect to the plaintext polynomial m(x,y,t); a section assignment device configured to assign the respective sections to the input respective encrypted texts F1j(x,y,t) and F2j(x,y,t) to generate 2k one-variable polynomials h1j(t) and h2j(t); a polynomial subtraction device configured to subtract the respective one-variable polynomials h1j(t) and h2j(t) to obtain a subtraction result {h1j(t)−h2j(t)}; a first residue arithmetic device configured to divide the subtraction result {h1j(t)−h2j(t)} by a one-variable polynomial Gj(ux(t),uy(t),t) obtained by assigning each section to each essential polynomial Gj(x,y,t) to obtain k residues gj(t)≡{h1j(t)−h2j(t)} mod Gj(ux(t),uy(t),t) (where j=1, 2, . . . , k); a second residue arithmetic device configured to calculate a residue g(t)≡{G1(ux(t),uy(t),t)g2(t) . . . gk(t)+G2(ux(t),uy(t),t)g1(t)g3(t) . . . gk(t)+ . . . +Gk(ux(t),uy(t),t)g1(t) . . . gk-1(t)} mod LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} that is acquired when a least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of the one-variable polynomial Gj(ux(t),uy(t),t) (where j=1, 2, . . . , k) is a divisor based on the three or more residues gj(t), the same number of one-variable polynomials Gj(ux(t),uy(t),t) as the residues gj(t), and a Chinese remainder theorem; a factorization device configured to factorize the residue g(t); a polynomial extraction device configured to extract all identification polynomial candidates f(ux(t),uy(t),t) each precisely having a degree deg f(ux(t),uy(t),t) by combining factors generated as a result of the factorization; a third residue arithmetic device configured to divide each one-variable polynomial hij(t) by each one-variable polynomial Gj(ux(t),uy(t),t) to obtain k residues h′ij(t)≡hij(t) mod Gj(ux(t),uy(t),t) (where i=1 or 2, j=1, 2, . . . , k); a fourth residue arithmetic device configured to calculate a residue hi(t)≡{G1(ux(t),uy(t),t)h′i2(t) . . . h′ik(t)+G2(ux(t),uy(t),t)h′i1(t)h′i3(t) . . . h′ik(t)+ . . . +Gk(ux(t),uy(t),t)h′i1(t) . . . h′ik-1(t)} mod LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} that is acquired when a least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of the one-variable polynomial Gj(ux(t),uy(t),t) (where j=1, 2, . . . , k) is a divisor based on the three or more residues h′ij(t), the same number of one-variable polynomials Gj(ux(t),uy(t),t) as the residues h′ij(t), and the Chinese remainder theorem; a fifth residue arithmetic device configured to further divide hi(t) by the identification polynomial candidate f(ux(t),uy(t),t) to obtain a plaintext polynomial candidate m(ux(t),uy(t),t); a plaintext candidate generation device configured to derive a linear simultaneous equation having a coefficient of the plaintext polynomial m(x,y,t) as a variable based on the plaintext polynomial candidate m(ux(t),uy(t),t) and a previously disclosed format of the plaintext polynomial m(x,y,t) and solve the linear simultaneous equation to generate a plaintext candidate M; a plaintext polynomial inspection device configured to inspect whether the polynomial candidate M is a true plaintext based on an error detection code included therein; and an output device configured to output the plaintext candidate M as a plaintext when the plaintext candidate M as the true plaintext is present as a result of the inspection.
In a third aspect of the present invention, there is provided a key generation apparatus comprising: a storage device configured to store a judgment value maxdegG′ of a maximum value maxdegG=deg LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of a section degree as a degree of a least common expression of one-variable polynomials Gj(ux(t),uy(t),t) (where j=1, 2, . . . , k) each having x and y of an essential polynomial Gj(x,y,t) being parameterized by t in the case of generating k essential polynomials Gj(x,y,t) as part of public keys in relation to public key cryptography based on the public keys as a fibration X(x,y,t) of an algebraic surface X and the k essential polynomials Gj(x,y,t) (where j=1, 2, . . . , k) and a private key as one or more sections corresponding to the fibration X(x,y,t); a polynomial generation device configured to randomly generate three-variable polynomials Gj(x,y,t) (where j=1, 2, . . . , k); a section assignment device configured to assign the sections to the generated polynomials Gj(x,y,t) to obtain k one-variable polynomials G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t); a least common expression arithmetic device configured to calculate a least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of the one-variable polynomials G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t); a degree judgment device configured to judge whether a degree of the least common expression calculated by the least common expression arithmetic device is equal to or below the judgment value maxdegG′ in the storage device; a device configured to annul the generated polynomials Gj(x,y,t) (where j=1, 2, . . . , k) and to re-execute the polynomial generation device, the section assignment device, the least common expression arithmetic device, and the degree judgment device when the degree of the least common expression is equal to or below the judgment value maxdegG′ as a result of the judgment; and an output device configured to output the generated polynomials Gj(x,y,t) as the k essential polynomials Gj(x,y,t) when the degree of the least common expression is not equal to or below the judgment value maxdegG′ as a result of the judgment made by the degree judgment device.
In the first and second aspects, unlike the conventional technology utilizing the plaintext polynomial m(t) and the irreducible polynomial f(t) each having one variable, the plaintext polynomial m(x,y,t), the identification polynomial f(x,y,t), the k essential polynomials Gj(x,y,t) (where j=1, 2, . . . , k), and the polynomials w1j(x,y,t) and w2j(x,y,t), each having three variables, are used.
Further, in the third aspect, unlike the conventional technology, three-variable essential polynomials Gj(x,y,t) (where j=1, 2, . . . , k) are used.
Therefore, according to the first to third aspects, in public key cryptography using an algebraic surface, the vulnerability due to a one-variable polynomial can be eliminated.
Each embodiment according to the present invention will now be described with reference to the accompanying drawings.
An algebraic surface in each embodiment is defined as a set of solutions of a simultaneous (algebraic) equation defined over a field K that has two degrees of freedom. For example, since the simultaneous equation over the field K represented as the following Expression (1) has three equations that constrain five variables, it has two degrees of freedom, and hence it is an algebraic surface.
In particular, as represented by Expression (2), a space defined as a set of solutions of an algebraic equation in the field K having three variables is also an algebraic surface in the field K.
f(x,y,z)=0 (2)
It is to be noted that the definitional equations of the algebraic surface represented by Expressions (1) and (2) are equations in an affine space. The definitional equation of an algebraic surface in a projective space (in the case of Expression (2)) is f(x,y,z,w)=0.
However, in each embodiment, the algebraic surface is not processed in the projective space, and hence a definitional equation of the algebraic surface is determined as Expression (1) or Expression (2). However, even if this definitional equation is expressed in the projective space, each embodiment can be achieved as it is.
On the other hand, an algebraic curve is a set of solutions of a simultaneous (algebraic) equation defined over the field K that has one degree of freedom. Therefore, an algebraic curve is defined by, e.g., the following expression.
g(x,y)=0
In this embodiment, since an algebraic surface that can be written in one expression like Expression (2) is used, Expression (2) is used like a definitional equation of the algebraic surface in the following explanation.
A field is a set in which addition, subtraction, multiplication, and division can be freely carried out. The real numbers, the rational numbers, and the complex numbers are fields. A set containing a non-zero element by which division is not possible, e.g., the set of integers or the set of matrices, is not a field. Among fields, a field constituted of a finite number of elements is called a finite field. For example, the residue class ring Z/pZ modulo a prime number p forms a field. Such a field is called a prime field, and is written as Fp or the like. As finite fields, there is also, e.g., a field Fq (q=p^r) whose number of elements is a power of a prime number. However, in this embodiment, a prime field Fp alone is mainly used for the sake of convenience. In general, p in the prime field Fp is called the characteristic of the prime field Fp.
On the other hand, even in the case of handling a general finite field, each embodiment can likewise be achieved by carrying out a self-evident modification. It is often the case that public key cryptography is constituted over a finite field because a message is embedded as digital data. In this embodiment, likewise, an algebraic surface defined over a finite field (in this embodiment, a prime field in particular) Fp is used.
As shown in
In general, the problem of finding a (non-trivial) divisor when a definitional equation of an algebraic surface is given is a difficult problem that is unsolved even in contemporary mathematics. Except for primitive methods, e.g., solving a system of multivariate equations as described later or an exhaustive search, no general solving method is known. In particular, for an algebraic surface defined over a finite field as used in this embodiment, there are far fewer clues than over an infinite field (a field constituted of an infinite number of elements), e.g., the rational number field, and it is known to be a very difficult problem.
In this embodiment, this problem is called a divisor finding problem on an algebraic surface, or simply a divisor finding problem, and a public key cryptography system having a divisor finding problem on an algebraic surface as a basis for security is constituted.
Next, on an algebraic surface X: f(x,y,z)=0 in a field K, an algebraic surface expressed in the following form, on which a curve obtained by parameterizing x and y with t exists, is called a fibration of the algebraic surface X and is expressed as Xt or the like:
h(x,y,t)=0
The curve represented by the following expression, obtained by parameterizing x and y with t, is called a section:
(x,y,t)=(ux(t),uy(t),t)
Here, a state where x is parameterized by t means that the variable x is represented by an algebraic expression which is defined over the field K and has t as a variable, like x=ux(t). It is to be noted that the term algebraic expression means a polynomial in this embodiment. Moreover, since the fibration is apparent in the following explanation, such an algebraic surface is simply represented as X.
Further, an algebraic surface obtained by assigning an element t0 of the field K to a parameter t is called a fiber, and is expressed as, e.g., Xt0. Both the fiber and the section are divisors of the algebraic surface Xt.
In general, when a fibration of an algebraic surface is given, a corresponding fiber can be immediately obtained (by assigning an element of a field to t). However, finding a corresponding section is very difficult. Therefore, it can be said that the fiber is a trivial divisor and the section is a non-trivial divisor.
The public key cryptography system in each embodiment takes as its basis for security, among the problems of finding divisors on an algebraic surface, the problem of obtaining a section when a fibration Xt of the algebraic surface X is given.
In order to obtain a section from a fibration, only a method based on the following procedure from (i) to (iv) is known even in contemporary mathematics.
(i) A section (ux(t),uy(t),t) is assumed to satisfy deg ux(t)<rx and deg uy(t)<ry, and ux(t) and uy(t) are then set as in the following expressions:
ux(t)=α0+α1t+ . . . +α_{rx−1}t^{rx−1}
uy(t)=β0+β1t+ . . . +β_{ry−1}t^{ry−1}
(ii) ux(t) and uy(t) are assigned to X(x,y,t)=0 to obtain the following expression:
(iii) The left-hand side of the above expression is expanded to express the coefficient of t^i by using a function c_i(α0, . . . , αr
(iv) The system of equations is solved.
Public key cryptography according to this embodiment based on a problem of finding sections on an algebraic surface will now be described specifically.
Public key cryptography according to this embodiment has the following two system parameters, p and d.
1. A size of a finite field: p
2. A maximum degree of a section (as a private key):
d=max{deg ux(t), deg uy(t)} (3)
Further, public keys are the following five items.
1. A fibration of an algebraic surface X on Fp:
2. Two essential polynomials on Fp:
3. A format of a plaintext polynomial:
4. A format of an identification polynomial:
Here, ΛA means the set of combinations of an index i of x and an index j of y each having a non-zero coefficient when A(x,y,t) is regarded as a polynomial of x and y. Moreover, these formats are constituted of the sets Λm and Λf and the degrees deg mij(t) and deg fij(t) of the coefficients of the respective terms.
5. Section degrees of essential polynomials
mindegG=max{deg G1(ux(t),uy(t),t), deg G2(ux(t),uy(t),t)}
maxdegG=deg LCM{G1(ux(t),uy(t),t), G2(ux(t),uy(t),t)} (4)
Here, min degG is a minimum value of section degrees of essential polynomials and represents a maximum value (max{ . . . }) of degrees of one-variable polynomials (degG1(ux(t),uy(t),t), degG2(ux(t),uy(t),t)) to which a section is assigned. max degG is a maximum value of section degrees of essential polynomials and represents a degree (deg LCM . . . ) of a least common expression (LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)}) of one-variable polynomials to which the section is assigned.
A private key is the following section D.
1. A section of an algebraic surface X on Fp:
D(x,y,t)=(ux(t),uy(t),t)
However, the algebraic surface X as a public key satisfies conditions (6).
deg_x X(x,y,t) < deg_x m(x,y,t)
deg_y X(x,y,t) < deg_y m(x,y,t)
deg_t X(x,y,t) < deg_t m(x,y,t) (6)
A plaintext polynomial and an identification polynomial satisfy conditions (7).
deg_x m(x,y,t) < deg_x f(x,y,t)
deg_y m(x,y,t) < deg_y f(x,y,t)
deg_t m(x,y,t) < deg_t f(x,y,t) (7)
Here, in each of m(x,y,t) and f(x,y,t), there is only one term that gives the degree on the right-hand side of the inequality, and these terms are equal to each other. That is, taking f(x,y,t) as an example, f(x,y,t) has only one term that is represented as follows.
c x^{deg_x f(x,y,t)} y^{deg_y f(x,y,t)} t^{deg_t f(x,y,t)}
Here, c is an element of the finite field Fp.
Further, an essential polynomial satisfies a condition (8).
mindegG < deg m(ux(t),uy(t),t) < deg f(ux(t),uy(t),t) << maxdegG (8)
Here, the sign << means that the right-hand side is sufficiently large insofar as the later-explained condition (9) concerning s1(x,y,t) and s2(x,y,t) is satisfied.
They can be readily obtained by a later-explained method (a key generation method).
An outline of encryption processing will now be explained. In encryption processing, a message that should be encrypted (which will be referred to as a plaintext hereinafter) is divided into blocks to provide m=m00∥m10∥ . . . ∥mij. It is to be noted that ∥ represents concatenation. Here, assuming that L=deg mij(t), the following expression holds.
|mij|≦(|p|−1)(L+1)
It is assumed that the coefficient mijk of t^k in mij(t) is obtained by dividing mij every |p|−1 bits. That is, the following expression holds.
mij=mij0∥mij1∥ . . . ∥mijL
Here, |p| represents a bit length of p. In this manner, a plaintext is embedded in a plaintext polynomial m(x,y,t) represented by the following expression.
It is to be noted that a message according to this embodiment includes an error detection code. The error detection code has the function of detecting that a message has been partially corrupted due to the influence of, e.g., noise produced in transmission. As the error detection code, a hash value based on a hash function may in particular be adopted.
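The embedding rule above (blocks of (|p|−1)(L+1) bits, each cut into L+1 chunks of |p|−1 bits that become the coefficients mijk), as an added example that is not code from the patent. It assumes a constructed toy p, a constructed toy format Λm listing which (i,j) terms carry plaintext in concatenation order, that every mij(t) has degree exactly L, and that the plaintext is already padded to the full block length.

```python
# Added example of the plaintext-embedding rule; not code from the patent.
# Constructed assumptions: the plaintext arrives as a bit string padded to exactly
# (|p|-1)(L+1) bits per block m_ij, LAMBDA_M is the public format Λm (which (i, j)
# terms of m(x,y,t) carry plaintext, in concatenation order), and deg m_ij(t) = L.
P = 1021                              # toy characteristic; |p| = 10 bits, chunks hold 9 bits
LAMBDA_M = [(0, 0), (1, 0), (0, 1)]   # toy Λm: terms x^0y^0, x^1y^0, x^0y^1 carry plaintext
L = 2                                 # deg m_ij(t)

def embed(bits):
    """m = m_00 || m_10 || ... is cut into blocks of (|p|-1)(L+1) bits; each block
    m_ij is cut into L+1 chunks of |p|-1 bits, m_ijk being the coefficient of t^k
    in m_ij(t). Returns {(i, j, k): m_ijk}, the coefficients of m(x,y,t)."""
    chunk = P.bit_length() - 1        # |p|-1 bits, so every chunk is < 2^(|p|-1) < p
    block = chunk * (L + 1)
    if len(bits) != block * len(LAMBDA_M) or set(bits) - {"0", "1"}:
        raise ValueError("plaintext must be exactly %d bits" % (block * len(LAMBDA_M)))
    coeffs = {}
    for n, (i, j) in enumerate(LAMBDA_M):
        blk = bits[n * block:(n + 1) * block]
        for k in range(L + 1):
            coeffs[(i, j, k)] = int(blk[k * chunk:(k + 1) * chunk], 2)
    return coeffs

def extract(coeffs):
    """Inverse of embed: write each m_ijk as a |p|-1-bit field and concatenate
    them in Λm order, then in order of k."""
    chunk = P.bit_length() - 1
    return "".join(format(coeffs[(i, j, k)], "0%db" % chunk)
                   for (i, j) in LAMBDA_M for k in range(L + 1))
```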
Subsequently, an identification polynomial f(x,y,t) on Fp is randomly generated in a determined format satisfying the conditions (7). Then, a polynomial si(x,y,t) (i=1, 2) is randomly generated insofar as a condition (9) is satisfied.
SecDeg(f(x,y,t))+SecDeg(si(x,y,t))<maxdegG (9)
Here, SecDeg(A(x,y,t)) with respect to a three-variable polynomial A(x,y,t) is defined as follows (by utilizing a maximum degree d of a section).
Furthermore, polynomials wij(x,y,t) and rij(x,y,t) are randomly generated. Finally, four encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) are calculated from expressions m(x,y,t), f(x,y,t), si(x,y,t), wij(x,y,t), and rij(x,y,t) and a fibration X(x,y,t) of the algebraic surface X as the public key.
F11(x,y,t)=m(x,y,t)+f(x,y,t)s1(x,y,t)+G1(x,y,t)w11(x,y,t)+X(x,y,t)r11(x,y,t),
F12(x,y,t)=m(x,y,t)+f(x,y,t)s1(x,y,t)+G2(x,y,t)w12(x,y,t)+X(x,y,t)r12(x,y,t),
F21(x,y,t)=m(x,y,t)+f(x,y,t)s2(x,y,t)+G1(x,y,t)w21(x,y,t)+X(x,y,t)r21(x,y,t),
F22(x,y,t)=m(x,y,t)+f(x,y,t)s2(x,y,t)+G2(x,y,t)w22(x,y,t)+X(x,y,t)r22(x,y,t) (10)
Since, for security, both the plaintext polynomial and the identification polynomial have three variables in each embodiment, four encrypted texts are required for the corresponding decryption processing.
A receiver who has received an encrypted text Fij(x,y,t)(i=1, 2, j=1, 2) utilizes his/her own private key D to perform decryption as follows. First, the section D is assigned to the encrypted text Fij(x,y,t). Here, the section D is assigned to an algebraic surface X(x,y,t).
Attention is paid to presence of a relationship represented by the following expression.
X(ux(t),uy(t),t)=0
Thus, it can be understood that four expressions hij(t) having the following relationship can be obtained.
Then, as to the expressions hij(t), h2j(t) is subtracted from h1j(t) to obtain the following expression.
h1j(t)−h2j(t)=f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)}+Gj(ux(t),uy(t),t){w1j(ux(t),uy(t),t)−w2j(ux(t),uy(t),t)}
Here, the receiver who knows the section D as the private key can calculate Gj(ux(t),uy(t),t), and hence he/she can acquire the following Expression (11) as a residue obtained by dividing the above-explained expression by Gj(ux(t),uy(t),t).
h1j(t)−h2j(t)≡f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)} (mod Gj(ux(t),uy(t),t)) (11)
Here, based on the conditions (7), (8), and (9), there is a relationship of a condition (12).
mindegG<SecDeg(m(x,y,t))<SecDeg(f(x,y,t))<SecDeg(f(x,y,t)si(x,y,t))<maxdegG (12)
Therefore, a correct f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)} cannot be extracted by using Expression (11) alone. Thus, the Chinese remainder theorem is applied to G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) to calculate Expression (13).
f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)}(mod LCM(G1(ux(t),uy(t),t),G2(ux(t),uy(t),t))) (13)
At this time, it can be understood that a correct f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)} can be likewise obtained based on the condition (12). Then, f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)} is factorized to obtain a factor f(ux(t),uy(t),t). However, since the factor f(ux(t),uy(t),t) is not necessarily an irreducible factor, a plurality of factors must be combined in such a manner that they precisely have a degree deg f(ux(t),uy(t),t). Here, although a format of the identification polynomial f(x,y,t) is known as a public key, what kind of identification polynomial a sender has actually generated and encrypted is unknown. Therefore, there is a possibility that a coefficient of a maximum degree becomes zero and an actual degree becomes lower than the above-explained degree deg f(ux(t),uy(t),t) depending on how f(x,y,t) is taken. However, such a situation does not occur as long as the conditions (7) are satisfied. The reason for this is as follows. That is, a section is first assigned to the following term.
c x^{deg_x f(x,y,t)} y^{deg_y f(x,y,t)} t^{deg_t f(x,y,t)}, c≠0
Then, the following expression can be obtained.
c ux(t)^{deg_x f(x,y,t)} uy(t)^{deg_y f(x,y,t)} t^{deg_t f(x,y,t)}
Since the degree of this term is strictly larger than the degrees of the other terms, the coefficient of the maximum degree does not become zero.
Further, a combination of factors precisely having a degree deg f(ux(t),uy(t),t) is not necessarily uniquely determined. Therefore, the following processing is executed with respect to all possible combinations of factors.
As means for obtaining factors that may possibly have the degree deg f(ux(t),uy(t),t), there can be considered a technique of sequentially obtaining all combinations of the factors output by the factorization and extracting only the combinations precisely having the degree deg f(ux(t),uy(t),t). However, when this technique is executed, if the number of factors is l, 2^l combinations are present. Thus, in addition to this technique, it is possible to adopt a method of preventing combinations whose degree already exceeds deg f(ux(t),uy(t),t) from being further combined with factors, thereby enabling extraction in a shorter processing time.
It is to be noted that factorization of f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)} can be performed within a sufficiently effective time since factorization of one-variable polynomials is easy.
Subsequently, h1j(t) is divided by Gj(ux(t),uy(t),t) to obtain a residue hj(t) as represented by the following expression.
hj(t)≡m(ux(t),uy(t),t)+f(ux(t),uy(t),t)s1(ux(t),uy(t),t) (mod Gj(ux(t),uy(t),t)) (13′)
Here, because of the relationship of Expression (12), a plaintext polynomial m(ux(t),uy(t),t) cannot be obtained from Expression (13′) alone. The Chinese remainder theorem is applied to G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) to calculate Expression (13″).
m(ux(t),uy(t),t)+f(ux(t),uy(t),t)s1(ux(t),uy(t),t)(mod LCM(G1(ux(t),uy(t),t),G2(ux(t),uy(t),t))) (13″)
Then, a plaintext polynomial candidate m(ux(t),uy(t),t) is obtained as a residue produced when divided by an identification polynomial candidate f(ux(t),uy(t),t). That is,
m(ux(t),uy(t),t)≡h1(t)(mod f(ux(t),uy(t),t))
Here, the following expression can be achieved because of the condition (12).
deg m(ux(t),uy(t),t) < deg f(ux(t),uy(t),t)si(ux(t),uy(t),t) < maxdegG
Therefore, it can be understood that a correct m(ux(t),uy(t),t) can be obtained on the premise that correct f(ux(t),uy(t),t) is acquired.
On the other hand, a coefficient mijk of the following expression of the plaintext polynomial m(x,y,t) is obtained by solving a linear simultaneous equation using the coefficient mijk as a variable.
Actually, mijk is used as a variable to provide the following expression.
Since the plaintext polynomial candidate m(ux(t),uy(t),t) is equal to Σ(i,j,k)∈Γm mijk ux(t)^i uy(t)^j t^k, the linear simultaneous equation using mijk as variables can be obtained by comparison of the coefficients of t^k. Here, ΓA means the set of combinations of an index i of x, an index j of y, and an index k of t having a non-zero coefficient when a polynomial A(x,y,t) is regarded as a polynomial of x, y, and t.
In fact, a variable other than mijk is t alone on both sides of the following expression.
m(ux(t),uy(t),t) = Σ(i,j,k)∈Γm mijk ux(t)^i uy(t)^j t^k
The following equation can be attained.
The following linear simultaneous equation can be obtained.
aτ( . . . , mijk, . . . ) = cτ (1≦τ≦K)
Solving this equation enables obtaining mijk. Here, mijk may not be uniquely determined depending on a relationship between the number of equations and the number of variables. Although this problem is solved by a method to determine a format of a plaintext polynomial as one of public keys, this will be explained in detail in the section on a key generation technique.
However, when there are a plurality of candidates for the identification polynomial f(ux(t),uy(t),t), a plaintext obtained here is not necessarily the correct plaintext. Thus, the plaintexts extracted from all identification polynomial candidates f(ux(t),uy(t),t) by the above-explained technique are checked by using error detection codes, and candidates which pass the check (i.e., for which the error detection codes detect no error) are determined as plaintexts.
When there is no candidate that is successful in this check, this is determined as a failure in decryption and corresponding processing is carried out. Although such a case is theoretically impossible, it may possibly occur due to reception of an incorrect encrypted text for any reason, e.g., miscalculation on a transmission side or falsification on a transmission path.
A key generation method in this embodiment will be explained next. The key generation method in this embodiment is classified into an algebraic surface generation method, an essential polynomial generation method, a plaintext polynomial format generation technique, and an identification polynomial format generation technique.
The algebraic surface generation technique will be first explained.
An algebraic surface is generated by randomly selecting the section D and calculating a corresponding fibration.
First, the section D=(ux(t),uy(t),t) is randomly determined so that max{deg ux(t), deg uy(t)}=d. Here, d is a system parameter which determines the difficulty of the problem of obtaining the section.
Then, a coefficient aij(t) except for a constant term a00(t) in the following fibration of the algebraic surface is randomly determined.
Incidentally, it is assumed that a basic format of X(x,y,t) is preset in this embodiment. Then, the constant term a00(t) is determined based on the following expression.
With the above calculation, the algebraic surface including D as the section can be generated.
The essential polynomial generation method will now be explained. Each of the essential polynomials G1(x,y,t) and G2(x,y,t) is generated by assigning the randomly determined section D to a randomly generated three-variable polynomial and judging whether the condition (8) is satisfied; generation is terminated when the condition is satisfied and repeated until it is met when the condition is not satisfied. Here, when the format of Gi(x,y,t) is formed in advance to suit the condition (8), generation terminates in practical time with a sufficiently high probability.
The plaintext polynomial format generation technique will now be explained. This generation technique is executed by determining a degree of each mij(t) with respect to the following basic format of the preset plaintext polynomial.
It is to be noted that this basic format in this example satisfies the following conditions (6), and the degree of each mij(t) is determined within this range. An important point in generation of the plaintext polynomial m(x,y,t) is that the linear simultaneous equation constituted by means of the section has a unique solution. Therefore, the following processing is carried out based on the section (x,y,t)=(ux(t),uy(t),t) of the generated algebraic surface. First, the section is assigned to the determined basic format to derive the following expression.
When this expression is organized with respect to t, the linear simultaneous equation is obtained based on coefficient comparison.
Here, c0, c1, . . . , cK are the coefficients of the variable tτ in the following expression generated by the decryption processing, and they are elements of the finite field Fp.
Moreover, when the variable mijk is represented as the Kth element of a variable vector (m000, m001, . . . , mijk, . . . ), the matrix A is the matrix whose (τ,K) component is the coefficient with which mijk appears as a non-zero element in the coefficient of tτ, and whose (τ,K) component is 0 when mijk does not appear there. That is, it is assumed that the following expression can be achieved with respect to a variable vector (m000, m001, m002, m010, m011, m012).
In this case, the following expression can be attained.
Meanwhile, a necessary and sufficient condition for this linear simultaneous equation to have a unique solution irrespective of the values of c0, c1, . . . , cK is, by the theory of linear algebra, that the dimension of the variable vector equals the rank of the matrix A.
Therefore, uniqueness is achieved by calculating the rank of the matrix A and, when the rank is lower than the dimension of the variable vector, gradually reducing the dimension of the variable vector by assigning a constant such as zero to the mijk corresponding to a higher degree of t. Here, since a plaintext cannot be embedded in a variable mijk set to zero, the maximum value of k for which mijk may be non-zero in each (i,j) is determined as the degree of mij(t). This determines the format of the plaintext polynomial. However, a higher-order term of each mij(t) must be set to a non-zero value to satisfy the conditions (6).
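The following Python program is an added example, not part of the patent text, covering both the coefficient-comparison step of the decryption processing above and the rank check of the key generation technique: it builds the matrix A from a format Γm and a section, drops variables mijk with the highest degree of t until rank(A) equals the number of variables, and then solves A·(mijk)=(cτ) over Fp. The prime, the section ux(t)=t+1, uy(t)=t²+t and the trial format are constructed assumptions.

```python
# Added example (not part of the patent text): the linear simultaneous equation
# that coefficient comparison in t yields once the section (ux(t),uy(t),t) is
# assigned to a plaintext polynomial of format Gamma_m. The same matrix A serves
# two purposes: at key generation, its rank is compared with the number of
# variables m_ijk and the format is shrunk until the system is uniquely solvable;
# at decryption, the system is solved for m_ijk. The prime, the section and the
# format below are constructed for the illustration. Polynomials in t are
# coefficient lists over F_p, lowest degree first.

P = 7  # constructed small prime

def poly_mul(a, b, p=P):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def poly_pow(a, n, p=P):
    out = [1]
    for _ in range(n):
        out = poly_mul(out, a, p)
    return out

def column_for(i, j, k, ux, uy, p=P):
    """Coefficients in t of ux(t)^i * uy(t)^j * t^k, i.e. the column of A for m_ijk."""
    return poly_mul(poly_mul(poly_pow(ux, i, p), poly_pow(uy, j, p), p), [0] * k + [1], p)

def build_matrix(fmt, ux, uy, p=P):
    """A[tau][n] = coefficient of t^tau contributed by the n-th variable of fmt."""
    cols = [column_for(i, j, k, ux, uy, p) for (i, j, k) in fmt]
    rows = max(len(c) for c in cols)
    return [[c[tau] if tau < len(c) else 0 for c in cols] for tau in range(rows)]

def row_reduce(M, p=P):
    """Gauss-Jordan elimination over F_p; returns (reduced copy, pivot columns)."""
    M = [row[:] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0])):
        if r == len(M):
            break
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], p - 2, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def rank_mod_p(M, p=P):
    return len(row_reduce(M, p)[1])

def shrink_format(fmt, ux, uy, p=P):
    """Key generation side: while rank(A) < number of variables, fix the m_ijk
    with the highest degree k of t to the constant 0 (i.e. drop it from Gamma_m)."""
    fmt = sorted(fmt)
    while fmt and rank_mod_p(build_matrix(fmt, ux, uy, p), p) < len(fmt):
        fmt.remove(max(fmt, key=lambda ijk: (ijk[2], ijk[0] + ijk[1], ijk)))
    return fmt

def solve_for_m(fmt, ux, uy, c, p=P):
    """Decryption side: solve A * (m_ijk) = (c_tau) for the coefficients of the
    candidate m(ux(t),uy(t),t) = c(t). Returns {(i,j,k): m_ijk}, or None when
    the system is inconsistent (wrong candidate) or not uniquely solvable."""
    A = build_matrix(fmt, ux, uy, p)
    if len(c) > len(A):
        return None  # candidate has a higher degree than any term of the format allows
    c = [x % p for x in c] + [0] * (len(A) - len(c))
    M, pivots = row_reduce([row + [c[tau]] for tau, row in enumerate(A)], p)
    if len(fmt) in pivots or len(pivots) < len(fmt):
        return None
    return {fmt[pc]: M[r][-1] for r, pc in enumerate(pivots)}

def assign_section(m_coeffs, ux, uy, p=P):
    """Constructed sender side: m(ux(t),uy(t),t) for a plaintext polynomial whose
    non-zero coefficients m_ijk are given in m_coeffs."""
    total = [0]
    for (i, j, k), v in m_coeffs.items():
        col = column_for(i, j, k, ux, uy, p)
        total += [0] * (len(col) - len(total))
        for tau, x in enumerate(col):
            total[tau] = (total[tau] + v * x) % p
    return total

# Constructed section of maximum degree d = 2 and a trial format Gamma_m with
# deg m_ij(t) <= 1 for (i,j) in {(0,0), (1,0), (0,1)}.
UX = [1, 1]      # ux(t) = t + 1
UY = [0, 1, 1]   # uy(t) = t^2 + t
FORMAT = [(0, 0, 0), (0, 0, 1), (1, 0, 0), (1, 0, 1), (0, 1, 0), (0, 1, 1)]

if __name__ == "__main__":
    print("rank", rank_mod_p(build_matrix(FORMAT, UX, UY)), "for", len(FORMAT), "variables")
    fmt = shrink_format(FORMAT, UX, UY)
    print("uniquely solvable format:", fmt)
    secret = dict(zip(fmt, [3, 5, 2]))        # constructed plaintext coefficients
    c = assign_section(secret, UX, UY)
    print("recovered:", solve_for_m(fmt, UX, UY, c) == secret)
```

With the constructed section, the six-variable trial format only has rank 4, so `shrink_format` removes the three coefficients of t^1 and the published format is reduced to m00, m10 and m01 as constants; any candidate m(ux(t),uy(t),t) of that format is then recovered uniquely by `solve_for_m`, and a candidate that is inconsistent with the format is rejected with `None`.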
As to generation of a format of the identification polynomial, it is good enough to determine a basic format of the identification polynomial so that the conditions (7) can be satisfied.
<Variations>
Several variations of this embodiment will be explained. It is to be noted that s(x,y,t) will be simply written when s1(x,y,t) and s2(x,y,t) do not have to be distinguished from each other, r(x,y,t) will be simply written when r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) do not have to be distinguished from each other, and w(x,y,t) will be simply written when w11(x,y,t), w12(x,y,t), w21(x,y,t), and w22(x,y,t) do not have to be distinguished from each other. The same applies to the essential polynomials G1(x,y,t) and G2(x,y,t) and the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t).
A first variation is a variation concerning a modification of Expression (6) that generates an encrypted text in the encryption processing. Encryption/decryption can be performed even if Expression (10) is modified as follows, for example.
Fij(x,y,t) = m(x,y,t) − f(x,y,t)si(x,y,t) − Gj(x,y,t)wij(x,y,t) + X(x,y,t)rij(x,y,t)
In this manner, the expression for encryption can be modified and decryption processing can be thereby changed without departing from the scope of the invention, and such a modification is included in the scope of the invention.
A second variation is a scheme that the identification polynomial f(x,y,t) is an irreducible polynomial in the encryption processing.
Although this embodiment does not restrict the identification polynomial to be irreducible, if an irreducible polynomial is adopted, f(ux(t),uy(t),t) may possibly be extracted as an irreducible factor by factorizing the following expression, which can be calculated from the two one-variable polynomials obtained by assigning the section to two encrypted texts.
f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)}
Also, the number of factors is probabilistically reduced, and extraction of f(ux(t),uy(t),t) can be facilitated.
A third variation is a scheme of embedding the plaintext m also in the identification polynomial f(x,y,t) in the encryption processing. Although the scheme of randomly generating the identification polynomial has been explained in the foregoing embodiment, the difficulty of acquiring f(x,y,t) without the private key is also one of the properties of the public key cryptography according to the present invention, and hence a scheme of embedding plaintext information likewise in the identification polynomial can be realized. When a plaintext is embedded in f(x,y,t) as in this variation, a plaintext of larger size can be encrypted at once. However, when this variation is executed together with the second variation, since the f(x,y,t) resulting from the embedding must be an irreducible polynomial, it is necessary to determine in advance specific coefficients in which random values are placed. Since a great many irreducible polynomials exist, even if plaintexts are embedded in some of the coefficients, an irreducible polynomial can be obtained in most cases.
A fourth variation is a scheme of generating random polynomials w(x,y,t) and r(x,y,t) in such a manner that a term G(x,y,t)w(x,y,t) and a term X(x,y,t)r(x,y,t) include the same like terms as polynomials of x and y and degrees of one-variable polynomials each including a variable t which is a coefficient in these like terms match each other in the encryption processing. According to this variation, security is increased since the term G(x,y,t)w(x,y,t) and the term X(x,y,t)r(x,y,t) cannot be discriminated from each other in an encrypted text.
A fifth variation copes with a case where two or more correct plaintexts are calculated in the decryption processing. In this embodiment,
f(ux(t),uy(t),t){s1(ux(t),uy(t),t)−s2(ux(t),uy(t),t)}
is factorized based on Expression (13), and factors are combined in such a manner that the degree precisely becomes deg f(ux(t),uy(t),t), thereby obtaining a candidate for the identification polynomial f(ux(t),uy(t),t). Then, a plaintext candidate M associated therewith is calculated, whether this plaintext candidate is correct is judged based on an error detection code included in the plaintext candidate M, and the processing is stopped to output the plaintext when it is determined that the candidate is correct. On the other hand, in this variation, plaintext candidates are calculated from all identification polynomial candidates, the above-explained examination is carried out, and only the plaintext candidates which have passed the examination (i.e., whose error detection code detects no error) are recorded.
At this time, when there are a plurality of candidates or there is no candidate at all at the end of the processing involved in all the identification polynomial candidates, this is regarded as a failure in decryption, and appropriate processing is performed. When such a configuration is adopted, it is possible to cope with an error in a case where two or more plaintexts are calculated due to a low capability of the error detection code or accidental coincidence.
A sixth variation is a scheme utilizing a plurality of sections in the decryption processing. Although only one section is used in this embodiment, utilizing a plurality of sections enables calculating the correct plaintext without using the error detection code. When a plurality of sections are utilized, the decryption processing according to this embodiment is performed for each section, and the plaintext common to the sets of output plaintext candidates can be output as the correct plaintext. On the other hand, depending on the section (with a probability that can be substantially ignored), the following expression may hold in the decryption operation, in which case a plaintext candidate cannot be obtained.
s1(ux(t),uy(t),t) − s2(ux(t),uy(t),t) = 0
In such a case, this variation is useful. It is to be noted that this variation can be carried out together with the fifth variation. Incidentally, in the essential polynomial G(x,y,t) generation method for this variation, the part in which the condition (8) is evaluated for one section D is carried out for each of the plurality of sections. This will be explained in an example using two sections for the sake of convenience. The following two sections are provided.
D1:(x,y,t)=(ux(t),uy(t),t),
D2:(x,y,t)=(vx(t),vy(t),t)
The above-explained calculation can be realized by selecting G(x,y,t) in such a manner that the following two expressions become sufficiently large.
mindegG = max{deg G1(ux(t),uy(t),t), deg G2(ux(t),uy(t),t), deg G1(vx(t),vy(t),t), deg G2(vx(t),vy(t),t)},
maxdegG = min{deg(LCM(G1(ux(t),uy(t),t),G2(ux(t),uy(t),t))), deg(LCM(G1(vx(t),vy(t),t),G2(vx(t),vy(t),t)))}
This can be likewise applied to three or more sections.
Here, to realize the sixth variation, a technique of generating an algebraic surface having a plurality of sections must be explained. A key generation technique of generating an algebraic surface having two sections D1 and D2 will now be described.
In this key generation, the sections D1 and D2 are randomly selected, and a fibration having these sections is calculated. However, the following ingenuity must be exercised so that the generated algebraic surface has both sections at the same time. The (fibration of the) algebraic surface is written as follows.
Here, the sections D1 and D2 are determined as follows.
D1:(x,y,t)=(ux(t),uy(t),t)
D2:(x,y,t)=(vx(t),vy(t),t)
They are assigned to the algebraic surface X to obtain the following expressions.
Σ(i,j) aij(t) ux(t)^i uy(t)^j = 0
Σ(i,j) aij(t) vx(t)^i vy(t)^j = 0
When these expressions are subjected to subtraction, a constant term a00(t) which is common to both the expressions is eliminated, and Expression (15) can be obtained.
Here, a10(t) serving as a polynomial is generated from the following relational expression.
ux(t)^i uy(t)^j − vx(t)^i vy(t)^j = (ux(t)^i − vx(t)^i) uy(t)^j + vx(t)^i (uy(t)^j − vy(t)^j) (16)
To realize this, setting the following expression can suffice.
(ux(t) − vx(t)) | (uy(t) − vy(t))
(It is to be noted that the notation A|B means that B is divisible by A, i.e., B is a multiple of A.) This is apparent from Expression (16) and the following expressions.
(ux(t) − vx(t)) | (ux(t)^i − vx(t)^i)
(uy(t) − vy(t)) | (uy(t)^j − vy(t)^j)
Utilizing the above-explained settings enables performing key generation based on the following algorithm. First, two polynomials that become λx(t)|λy(t) are randomly selected.
Specifically, to obtain such a pair of polynomials λx(t) and λy(t), when d is the maximum degree of a section, it suffices to, e.g., randomly choose λx(t) of degree d or lower and calculate λy(t)=c(t)λx(t) with a random polynomial c(t) whose degree is d−deg λx(t) or lower.
Here, the following expressions are determined.
λx(t)=ux(t)−vx(t), λy(t)=uy(t)−vy(t)
Subsequently, a polynomial vx(t) is randomly selected, and ux(t) is calculated based on the following expression.
ux(t) = λx(t) + vx(t)
Since degrees of λx(t) and vx(t) are equal to or below d, a degree of ux(t) also becomes d or below.
Likewise, a polynomial vy(t) is randomly selected, and uy(t) is calculated based on the following expression.
uy(t) = λy(t) + vy(t)
Likewise, since degrees of λy(t) and vy(t) are equal to or below d, a degree of uy(t) also becomes d or below.
Then, the coefficients aij(t) ((i,j)≠(0,0),(1,0)) other than a00(t) and a10(t) are randomly generated, and ux(t), vx(t), uy(t), and vy(t) calculated as explained above are utilized to calculate a10(t) based on Expression (15). Further, the polynomial a00(t) can be obtained by calculating the following expression.
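The following Python program is an added example, not part of the patent text, carrying out the two-section key generation just described: it selects λx(t)|λy(t), derives the sections D1 and D2, draws the remaining aij(t) at random, computes a10(t) by the exact division by ux(t)−vx(t) that Expression (16) guarantees, determines a00(t) from X(ux(t),uy(t),t)=0, and verifies that both sections lie on the surface. The prime p=7, the bound d=2, the basic format of X and the random seed are constructed assumptions; the single-section generation of the embodiment is the special case in which only a00(t) is computed.

```python
# Added example (not part of the patent text): generate an algebraic surface
# X(x,y,t) = sum_(i,j) a_ij(t) x^i y^j over F_p with two sections
# D1 = (ux(t),uy(t),t) and D2 = (vx(t),vy(t),t). Prime, degree bound d, the
# basic format of X and the PRNG seed are constructed for the illustration.
# Polynomials in t are coefficient lists over F_p, lowest degree first.
import random

P = 7  # constructed prime characteristic
D = 2  # maximum degree d of a section

def trim(a):
    a = [x % P for x in a]
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a
def deg(a):
    a = trim(a)
    return -1 if a == [0] else len(a) - 1
def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])
def neg(a):
    return trim([-x for x in a])
def sub(a, b):
    return add(a, neg(b))
def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)
def pw(a, n):
    out = [1]
    for _ in range(n):
        out = mul(out, a)
    return out

def divmod_poly(a, b):
    """Long division over F_p; returns (quotient, remainder)."""
    a, b = trim(a), trim(b)
    if b == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    q = [0] * max(1, len(a) - len(b) + 1)
    inv = pow(b[-1], P - 2, P)
    r = a
    while r != [0] and len(r) >= len(b):
        shift = len(r) - len(b)
        coef = (r[-1] * inv) % P
        q[shift] = coef
        r = sub(r, [0] * shift + [coef * x for x in b])  # leading term cancels
    return trim(q), r

def random_poly(rng, max_deg, nonzero=False):
    while True:
        a = trim([rng.randrange(P) for _ in range(max_deg + 1)])
        if a != [0] or not nonzero:
            return a

def two_sections(rng):
    """lambda_x of degree <= d, lambda_y = c * lambda_x with deg c <= d - deg lambda_x,
    then ux = lambda_x + vx and uy = lambda_y + vy for random vx, vy of degree <= d."""
    lam_x = random_poly(rng, D, nonzero=True)
    lam_y = mul(random_poly(rng, D - deg(lam_x)), lam_x)
    vx, vy = random_poly(rng, D), random_poly(rng, D)
    return (add(lam_x, vx), add(lam_y, vy)), (vx, vy)

def evaluate(a, sx, sy):
    """X(sx(t), sy(t), t) as a polynomial in t."""
    total = [0]
    for (i, j), aij in a.items():
        total = add(total, mul(aij, mul(pw(sx, i), pw(sy, j))))
    return total

# Constructed basic format of X: the (i, j) pairs whose a_ij(t) may be non-zero.
FORMAT = [(0, 0), (1, 0), (0, 1), (2, 0), (1, 1), (0, 2), (2, 1)]

def generate_surface(seed=0, fmt=FORMAT):
    rng = random.Random(seed)
    (ux, uy), (vx, vy) = two_sections(rng)
    a = {ij: random_poly(rng, D) for ij in fmt if ij not in ((0, 0), (1, 0))}
    # Subtracting X(vx,vy,t)=0 from X(ux,uy,t)=0 cancels a_00 and leaves
    #   a_10 (ux - vx) + sum_{(i,j) != (0,0),(1,0)} a_ij (ux^i uy^j - vx^i vy^j) = 0;
    # lambda_x | lambda_y makes ux - vx divide every bracket (Expression (16)).
    rest = [0]
    for (i, j), aij in a.items():
        rest = add(rest, mul(aij, sub(mul(pw(ux, i), pw(uy, j)), mul(pw(vx, i), pw(vy, j)))))
    a[(1, 0)], remainder = divmod_poly(neg(rest), sub(ux, vx))
    assert remainder == [0], "exact division must hold by construction"
    # a_00 makes the first section vanish; by the relation above the second then does too.
    a[(0, 0)] = neg(evaluate(a, ux, uy))
    return a, (ux, uy), (vx, vy)

if __name__ == "__main__":
    a, d1, d2 = generate_surface(seed=2024)
    for ij in sorted(a):
        print(f"a_{ij[0]}{ij[1]}(t) = {a[ij]}")
    print("X on D1:", evaluate(a, *d1), " X on D2:", evaluate(a, *d2))
```

The surface coefficients `a` are the public key and the two sections are the private key; `evaluate` returning the zero polynomial for both sections is the check a key generator should perform before publishing the surface.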
To obtain an algebraic surface having three or more sections, the following section is randomly determined.
Dn:(x,y,t)=(ux
Then, the following factors are generated from these polynomials.
(x−ux
Subsequently, one equation is formed in such a manner that factors associated with the same n are multiplied on both sides. For example, the following expression is an equation satisfying the conditions, and spreading this equation enables obtaining an algebraic surface as a public key.
(x−ux
On the other hand, in Expression (18), since the factors of x are provided on the right-hand side whilst the factors of y are provided on the left-hand side, obtaining sections by factorization is easy. Thus, for example, it is desirable to generate an algebraic surface serving as a public key by randomly distributing factors of x and factors of y over both sides, as in the following expression.
(x−ux
Generating the public key and the private key in this manner enables producing an algebraic surface generally having n or more sections.
A seventh variation selects the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t), produced when a section D:(x,y,t)=(ux(t),uy(t),t) (as a private key) is assigned to the essential polynomials G1(x,y,t) and G2(x,y,t), in such a manner that these one-variable polynomials are coprime to each other. When such a selection is made, the least common multiple of G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) becomes the product G1(ux(t),uy(t),t)G2(ux(t),uy(t),t) of these polynomials, thereby enabling a more efficient structure. To generate such essential polynomials, G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) are generated as explained above in this embodiment, and, in addition to the condition (8), it is confirmed whether the essential polynomials to which the section has been assigned are coprime to each other. The polynomials are output when these conditions are met, or the processing from generation of the polynomials is repeated when they are not met. The judgment as to whether the polynomials are coprime can be made efficiently by the Euclidean algorithm or by factorization.
An eighth variation is a method utilizing three or more essential polynomials Gj(x,y,t) (j=1, . . . , k). Although two essential polynomials are utilized in this embodiment, since a role of the essential polynomials is to satisfy Expression (8) as can be understood from the structure and the method according to this embodiment, there can be considered a scheme that modifies Expression (4) as follows to utilize three or more (k) essential polynomials Gj(x,y,t) (j=1, . . . , k).
mindegG=max{degG1(ux(t),uy(t),t), . . . , degGk(ux(t),uy(t),t)}
maxdegG=degLCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} (4)′
In this structure, an encrypted text becomes as follows.
Fij(x,y,t) = m(x,y,t) + f(x,y,t)si(x,y,t) + Gj(x,y,t)wij(x,y,t) + X(x,y,t)rij(x,y,t)
Here, i=1, 2 and j=1, . . . , k, and the corresponding random polynomials wij(x,y,t) and rij(x,y,t) are generated.
Adopting such a structure increases the number of kinds of encrypted texts as compared with this embodiment. However, whereas the degree of each essential polynomial must be increased to satisfy Expression (8) in this embodiment, this structure makes it possible to reduce the degree of each essential polynomial, which is useful.
It is to be noted that the essential polynomial generation method is the same as that in this embodiment, and this is also true in the sixth variation.
<Review of Security>
Security of public key cryptography according to the present invention constituted in this embodiment will now be considered hereinafter.
[1] Round-Robin Attack
Respective elements m(x,y,t), f(x,y,t), s(x,y,t), r(x,y,t), and w(x,y,t) constituting an encrypted text F(x,y,t) are provided as follows with mijk, fijk, sijk, rijk, and wijk being determined as variables.
There can be considered an attack which compares these elements with the encrypted text F(x,y,t) to generate a multi-degree multi-variable simultaneous equation system and solves this equation system. However, in this case, r(x,y,t) and w(x,y,t) are regarded as polynomials of x and y, a sufficient number of terms are included, and a degree of a polynomial serving as a coefficient of each term when regarded as a polynomial of x and y is sufficiently increased. As a result, the number of variables can be increased, and a solution cannot be readily obtained. For example, at present, it is very difficult to solve a multi-degree multi-variable simultaneous equation having approximately 100 variables by a current throughput of a computer and a processing technique. Thus, this attack can be avoided by increasing terms or the degree of the coefficient in such a manner that the number of variables exceeds 100.
[2] Reduction Attack
In the public key cryptography according to the present invention, the algebraic surface X(x,y,t) and the essential polynomials G1(x,y,t) and G2(x,y,t) are disclosed. Thus, whether m(x,y,t)+f(x,y,t)s(x,y,t) can be obtained as the residue when an encrypted text F(x,y,t) is divided by X(x,y,t) must be examined. However, in the case of division of three-variable polynomials, a residue cannot be uniquely obtained. This is because the division theorem does not generally hold for polynomials in two or more variables, as explained in the referenced document (D. Cox et al., “An Introduction to Commutative Algebraic Geometry and Commutative Algebra (Volume 1)”, Springer Verlag Tokyo, (2000), p. 94, Example 4). The same is true when an encrypted text F(x,y,t) is divided by Gi(x,y,t).
[3] Assignment Attack
[3-1] Attack of Assigning Algebraic Curve on Algebraic Surface
Algebraic curves (including sections) can be represented like Expression (19) with ω being used as a parameter.
(x,y,t)=(ux(ω),uy(ω),ut(ω)) (19)
If an algebraic curve included in the algebraic surface X(x,y,t) can be found among these curves, this curve can be assigned in place of the section, and the same technique as decryption using the section can be utilized to perform decryption. Here, finding such an algebraic curve is equivalent to finding the given section, or is computationally at least as difficult. Such curves are classified according to deg ut(ω).
When deg ut(ω)>2
In this case, the curve is a general factor, and no threat is posed because of the difficulty of the factor acquisition problem.
When deg ut(ω)=1
When this is obtained, a section is acquired by linear transformation, and hence obtaining such an algebraic curve also becomes difficult on the assumption that a section acquisition problem is difficult.
When deg ut(ω)=0
This is called a singular fiber, and it is present on almost all algebraic surfaces. However, this corresponds to a case where a general factor acquisition problem is special, and an efficient solving method is not known.
[3-2] Attack of Assigning Algebraic Curve Other than Algebraic Surface
An algebraic curve outside the algebraic surface can likewise be written as Expression (19), and X(ux(ω),uy(ω),ut(ω))≠0 holds. Therefore, the following expression can be obtained.
F(ux(ω),uy(ω),ut(ω)) = m(ux(ω),uy(ω),ut(ω)) + f(ux(ω),uy(ω),ut(ω))si(ux(ω),uy(ω),ut(ω)) + Gj(ux(ω),uy(ω),ut(ω))wij(ux(ω),uy(ω),ut(ω)) + X(ux(ω),uy(ω),ut(ω))rij(ux(ω),uy(ω),ut(ω))
However, since the expressions known here are X(ux(ω),uy(ω),ut(ω)) and Gj(ux(ω),uy(ω),ut(ω)), there can be considered an attack that reduces F(ux(ω),uy(ω),ut(ω)) by X(ux(ω),uy(ω),ut(ω)) or Gj(ux(ω),uy(ω),ut(ω)). This is possible since the number of variables is one, but obtaining an accurate residue is difficult since the degree of m(ux(ω),uy(ω),ut(ω))+f(ux(ω),uy(ω),ut(ω))s(ux(ω),uy(ω),ut(ω)) is higher than the degree of each of X(ux(ω),uy(ω),ut(ω)) and Gj(ux(ω),uy(ω),ut(ω)) because of the conditions (8) and (9).
[3-3] Attack of Assigning Rational Point on Algebraic Surface
There is an attack that assigns a rational point (a point where X(x,y,t)=0 is achieved) on an algebraic surface X(x,y,t). That is, mijk, fijk, sijk, and wijk are determined as unknown numbers, and the following expressions are provided.
Since it is known that a large number of K-rational points (xi,yi,ti) on an algebraic surface X(x,y,t)=0 (as a public key) can be obtained relatively easily (no matter what the algebraic surface is), a large number of the following relational expressions can be obtained by assigning these rational points to an encrypted text F(x,y,t).
F(xi,yi,ti)=m(xi,yi,ti)+f(xi,yi,ti)si(xi,yi,ti)+Gj(xi,yi,ti)wij(xi,yi,ti)
Here, K denotes Fp or an extension field thereof.
When these expressions are solved simultaneously, m(x,y,t) may possibly be obtained. However, f(x,y,t), s(x,y,t), and w(x,y,t) are random polynomials. When the degree of each coefficient in s(x,y,t) or w(x,y,t) is sufficiently increased, the number of unknowns also necessarily increases, so the simultaneous equations cannot be solved and the calculation is practically impossible. Therefore, such an attack is not a threat to the public key cryptography according to the present invention.
As explained above, the public key cryptography according to the present invention is resistant to the above-explained attacks. Conversely, each constituent element is set so that the public key cryptography according to the present invention is resistant to them.
(Specific Structure of One Embodiment)
An embodiment according to the present invention will now be specifically explained.
It is to be noted that each of an encryption apparatus 100, a decryption apparatus 200, and a key generation apparatus 300 explained below can be realized by using a hardware structure or a combined structure of a hardware resource and software in accordance with each apparatus 100, 200, or 300. As software in the combined structure, a program that is installed in a computer in a corresponding apparatus from a network or a storage medium 1, 2, or 3 in advance to realize a function of the corresponding apparatus is used.
Here, as shown in
The parameter storage unit 101 is a memory having information that can be read from the encrypting unit 105, and stores a characteristic p of a prime field as a system parameter.
The memory 102 is a storage device into or from which information can be read/written through the respective units 103 to 109.
The input unit 103 has a function of transmitting a format Λm, deg mij(t) of a plaintext polynomial and a plaintext m input from the outside to the plaintext embedding unit 104 and a function of transmitting public keys X(x,y,t), G1(x,y,t), G2(x,y,t), Λm, Λf, deg mij(t), and deg fij(t), mindegG, and maxdegG input from the outside to the encrypting unit 105.
The plaintext embedding unit 104 has a function of embedding the plaintext m in a coefficient of the plaintext polynomial m(x,y,t) based on the format of the plaintext polynomial and the plaintext m received from the input unit 103 and a function of transmitting the obtained plaintext polynomial m(x,y,t) to the encrypting unit 105.
The encrypting unit 105 has a function of controlling the respective units 102 and 106 to 109 based on the public keys accepted from the input unit 103 and the parameter p in the parameter storage unit 101 to execute operations denoted by ST5 to ST12 in
The identification polynomial generating unit 106 has a function of randomly generating an identification polynomial f(x,y,t) based on the format of the identification polynomial f(x,y,t) accepted from the encrypting unit 105 and the parameter p and a function of transmitting the obtained identification polynomial f(x,y,t) to the encrypting unit 105.
The polynomial generating unit 107 has a function of repeatedly requesting the random value generating unit 108 to output random values upon receiving an instruction for generating polynomials s1(x,y,t) and s2(x,y,t) from the encrypting unit 105, and utilizing the obtained random values to generate the two polynomials s1(x,y,t) and s2(x,y,t), and a function of transmitting the generated polynomials s1(x,y,t) and s2(x,y,t) to the encrypting unit 105.
Likewise, the polynomial generating unit 107 has a function of repeatedly requesting the random value generating unit 108 to output random values upon receiving an instruction for generating polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) from the encrypting unit 105, and utilizing the obtained random values to generate the eight polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t), and a function of transmitting the generated polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) to the encrypting unit 105.
The random value generating unit 108 has a function of generating a random value in response to the output request received from the polynomial generating unit 107 and transmitting this random value to the polynomial generating unit 107.
The polynomial arithmetic unit 109 has a function of executing a polynomial arithmetic operation based on the polynomials received from the encrypting unit 105 and an arithmetic operation instruction thereof and transmitting an arithmetic operation result to the encrypting unit 105.
The output unit 110 has a function of outputting encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) accepted from the encrypting unit 105.
In the decryption apparatus 200, as shown in
The parameter storage unit 201 is a memory in which information can be read by the decrypting unit 204, and stores a characteristic p of a prime field as a system parameter.
The memory 202 is a storage apparatus from/into which information can be read/written through the respective units 203 to 211.
The input unit 203 has a function of transmitting the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t), the public key X(x,y,t), and the section D input from the outside to the decrypting unit 204.
The decrypting unit 204 has a function of controlling the respective units 202 and 205 to 211 to execute operations denoted by ST23 to ST37 in
The section assigning unit 205 has a function of assigning the section D to a three-variable polynomial A(x,y,t) to obtain a one-variable polynomial A(t) upon receiving the arbitrary three-variable polynomial A(x,y,t) and the section D from the decrypting unit 204, and a function of transmitting the obtained one-variable polynomial A(t) to the decrypting unit 204. Here, as the three-variable polynomial A(x,y,t), there are, e.g., the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) or the essential polynomials G1(x,y,t) and G2(x,y,t). Further, as the obtained one-variable polynomial A(t), there are, e.g., the one-variable polynomials h11(t), h12(t), h21(t), and h22(t) or the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t).
The one-variable polynomial arithmetic unit 206 has a function of executing adding/subtracting/multiplying/dividing operations with respect to the one-variable polynomial received from the section assigning unit 205 or the decrypting unit 204, and a function of transmitting an arithmetic operation result to the section assigning unit 205 or the decrypting unit 204.
The one-variable polynomial factorizing unit 207 has a function of factorizing a one-variable polynomial, e.g., a residue g(t) received from the decrypting unit 204 and a function of transmitting a factorization result as an alignment in which factors are sequenced to the decrypting unit 204.
The one-variable polynomial residue arithmetic unit 208 has a function of executing a residue arithmetic operation with respect to one-variable polynomials as a dividend polynomial and a divisor polynomial received from the decrypting unit 204, and a function of transmitting a residue as an arithmetic operation result to the decrypting unit 204.
The linear simultaneous equation solving unit 209 has a function of solving a linear simultaneous equation received from the decrypting unit 204 based on a matrix operation, and a function of transmitting an obtained solution to the decrypting unit 204.
The plaintext inspecting unit 210 has a function of inspecting an error detection code in a plaintext candidate M received from the decrypting unit 204, and a function of transmitting an inspection result to the decrypting unit 204.
The output unit 211 has a function of outputting a plaintext m received from the decrypting unit 204.
In the key generation apparatus 300, as shown in
The fixed parameter storage unit 301 is a memory from which information can be read by the control unit 304, and stores a prime number p and a maximum degree d of a section as fixed parameters.
The memory 302 is a storage device from/into which information can be read/written through the respective units 303 to 312.
The input unit 303 has a function of temporarily storing a basic format of an algebraic surface X input from the outside, or a basic format of a plaintext polynomial, in the memory 302 and transmitting the basic format of the algebraic surface X or the basic format of the plaintext polynomial in the memory 302 to the control unit 304.
The control unit 304 has a function of controlling the respective units 302 and 305 to 314 to execute operations denoted by ST44 to ST47 depicted in
The section generating unit 305 has a function of generating a section D:(x,y,t)=(ux(t),uy(t),t) from two one-variable polynomials ux(t) and uy(t) generated by the one-variable polynomial generating unit 306 based on the fixed parameters p and d received from the control unit 304 and transmitting the generated section to the control unit 304.
The one-variable polynomial generating unit 306 has a function of generating one-variable polynomials ux(t) and uy(t) having a degree d on a prime field Fp based on the fixed parameters p and d received from the section generating unit 305 and transmitting these one-variable polynomials ux(t) and uy(t) to the section generating unit 305.
The algebraic surface generating unit 307 has a function of generating a term other than a constant term by randomly producing a coefficient of a term other than the constant term based on the section D, the basic format of the algebraic surface, and the prime number p received from the control unit 304, a function of using the polynomial arithmetic unit 308 to generate a constant term having a negative sign by assigning the section D to a term other than the constant term, and further generating an algebraic surface X as a fibration X(x,y,t) constituted of a term other than the constant term and the constant term, and a function of transmitting this algebraic surface X to the control unit 304.
The polynomial arithmetic unit 308 is controlled by the algebraic surface generating unit 307 and has a function of executing a polynomial arithmetic operation and transmitting an arithmetic operation result to the algebraic surface generating unit 307.
The plaintext polynomial generating unit 309 has a function of assigning a section with a coefficient mijk in a plaintext polynomial being used as a variable based on the basic format of the plaintext polynomial and data of the prime number p received from the control unit 304 and the section in the memory 302, a function of transmitting a polynomial having a variable vector (m000, m001, . . . , mijk, . . . ) obtained by sequencing mijk acquired as a result of assignment and t as variables to the matrix generating unit 310, a function of transmitting to the rank arithmetic unit 311 an instruction for calculating a rank of a coefficient matrix A accepted from the matrix generating unit 310, a function of comparing the rank received from the rank arithmetic unit 311 with a dimension number of the variable vector to judge whether the rank is equal to or below the dimension number of the variable vector, a function of using some of the variables mijk as constants and again issuing an instruction to the rank arithmetic unit 311 if the rank is not equal to or below the dimension number as a result of the judgment, and a function of transmitting a format of a plaintext polynomial to the control unit 304 if the rank is equal to or below the dimension number of the vector as a result of the judgment.
The matrix generating unit 310 has a function of organizing a plaintext polynomial m(ux(t),uy(t),t) in relation to a variable t upon receiving the variable vector (m000, m001, . . . , mijk, . . . ) and the plaintext polynomial m(ux(t),uy(t),t) from the plaintext polynomial generating unit 309 and generating a coefficient matrix A representing coefficients including the variables mijk by using a variable vector, and a function of transmitting the coefficient matrix A to the plaintext polynomial generating unit 309.
The rank arithmetic unit 311 has a function of calculating a rank of the coefficient matrix A and transmitting the calculated rank to the plaintext polynomial generating unit 309 based on an instruction of calculating the rank of the coefficient matrix A upon receiving this instruction from the plaintext polynomial generating unit 309.
The identification polynomial generating unit 312 is controlled by the control unit 304, and has a function of forming a format of an identification polynomial f(x,y,t) insofar as the conditions (7) can be satisfied and a function of transmitting the generated format of the identification polynomial f(x,y,t) to the control unit 304.
The essential polynomial generating unit 313 has a function of generating essential polynomials G1(x,y,t) and G2(x,y,t) insofar as the condition (8) can be satisfied upon receiving an instruction for generating essential polynomials from the control unit 304 and a function of transmitting the generated essential polynomials G1(x,y,t) and G2(x,y,t) and section degrees mindegG and maxdegG to the control unit 304.
The output unit 314 has a function of outputting data received from the control unit 304.
Operations of the encryption apparatus, the decryption apparatus, and the key generation apparatus having the above-described structures will now be explained with reference to flowcharts in
(Encryption Processing)
In the encryption apparatus 100, as shown in
The plaintext embedding unit 104 divides the plaintext m separately received from the input unit 103 into blocks, e.g., m=m00∥m10∥ . . . ∥mij based on the format of the plaintext polynomial received from the input unit 103. Here, assuming that L=deg mij(t), the following expression can be achieved.
|mij|≦(|p|−1)(L+1)
It is assumed that a coefficient mijk of tk of mij(t) is obtained by dividing mij every |p|−1 bits. That is, the following expression can be attained.
mij=mij0∥mij1∥ . . . ∥mijL
Here, |p| represents a bit length of p. In this manner, the plaintext m is embedded in the coefficient of the plaintext polynomial m(x,y,t) (ST4).
The plaintext embedding unit 104 transmits the plaintext polynomial m(x,y,t) to the encrypting unit 105. On the other hand, the input unit 103 transmits the public keys to the encrypting unit 105. The parameter storage unit 101 transmits the parameter p to the encrypting unit 105.
Upon receiving the plaintext polynomial m(x,y,t), the parameter p, and the public keys, the encrypting unit 105 writes them in the memory 102. Then, the encrypting unit 105 transmits a format of the identification polynomial f(x,y,t) and the parameter p in the memory 102 to the identification polynomial generating unit 106.
The identification polynomial generating unit 106 randomly generates the identification polynomial f(x,y,t) based on the format of the identification polynomial f(x,y,t) and the parameter p (ST5), and transmits the obtained identification polynomial f(x,y,t) to the encrypting unit 105.
The encrypting unit 105 stores this identification polynomial f(x,y,t) in the memory 102, and then transmits an instruction for generation of three-variable polynomials s1(x,y,t) and s2(x,y,t) to the polynomial generating unit 107.
The polynomial generating unit 107 repeatedly requests the random value generating unit 108 to output random values, and utilizes these random values as outputs from this unit to generate the two polynomials s1(x,y,t) and s2(x,y,t) (ST6). The generated polynomials s1(x,y,t) and s2(x,y,t) are transmitted to the encrypting unit 105 from the polynomial generating unit 107.
The encrypting unit 105 stores the received polynomials s1(x,y,t) and s2(x,y,t) in the memory 102, and then transmits an instruction for generating three-variable polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) to the polynomial generating unit 107.
The polynomial generating unit 107 repeatedly requests the random value generating unit 108 to output random values, and utilizes random values as outputs from this unit to generate the eight polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) (ST7). The generated polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) are transmitted to the encrypting unit 105 from the polynomial generating unit 107.
The encrypting unit 105 stores the received polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), w22(x,y,t), r11(x,y,t), r12(x,y,t), r21(x,y,t), and r22(x,y,t) in the memory 102, and then calculates a first encrypted text F11(x,y,t) based on the following expression while sequentially transmitting the polynomials and an arithmetic operation instruction to the polynomial arithmetic unit 109 (ST8).
F11(x,y,t)=m(x,y,t)+f(x,y,t)s1(x,y,t)+G1(x,y,t)w11(x,y,t)+X(x,y,t)r11(x,y,t)
The calculated first encrypted text F11(x,y,t) is stored in the memory 102 by the encrypting unit 105.
Likewise, the encrypting unit 105 calculates a second encrypted text F12(x,y,t) based on the following expression by using the polynomial arithmetic unit 109 (ST9), and stores the obtained second encrypted text F12(x,y,t) in the memory 102.
F12(x,y,t)=m(x,y,t)+f(x,y,t)s1(x,y,t)+G2(x,y,t)w12(x,y,t)+X(x,y,t)r12(x,y,t)
Likewise, the encrypting unit 105 calculates a third encrypted text F21(x,y,t) based on the following expression by using the polynomial arithmetic unit 109 (ST10), and stores the obtained third encrypted text F21(x,y,t) in the memory 102.
F21(x,y,t)=m(x,y,t)+f(x,y,t)s2(x,y,t)+G1(x,y,t)w21(x,y,t)+X(x,y,t)r21(x,y,t)
Likewise, the encrypting unit 105 calculates a fourth encrypted text F22(x,y,t) based on the following expression by using the polynomial arithmetic unit 109 (ST11), and stores the obtained fourth encrypted text F22(x,y,t) in the memory 102.
F22(x,y,t)=m(x,y,t)+f(x,y,t)s2(x,y,t)+G2(x,y,t)w22(x,y,t)+X(x,y,t)r22(x,y,t)
Then, the encrypting unit 105 transmits the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) in the memory 102 to the output unit 110. The output unit 110 (deforms the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) in accordance with a predetermined format as required) and outputs the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) (ST12).
Then, the encryption apparatus 100 terminates the encryption processing.
(Decryption Processing)
As shown in
The decrypting unit 204 transmits the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) and the section D in the memory 202 to the section assigning unit 205.
The section assigning unit 205 assigns the section D to the encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t), and utilizes the one-variable polynomial arithmetic unit 206 as required to obtain one-variable polynomials h11(t), h12(t), h21(t), and h22(t) (ST23). Here, the one-variable polynomial arithmetic unit 206 performs adding/subtracting/multiplying/dividing operations with respect to one-variable polynomials. The obtained one-variable polynomials h11(t), h12(t), h21(t), and h22(t) are transmitted to the decrypting unit 204 from the section assigning unit 205.
The decrypting unit 204 transmits h11(t), h21(t), h12(t), and h22(t) to the one-variable polynomial arithmetic unit 206 to be subtracted. The one-variable polynomial arithmetic unit 206 transmits subtraction results {h11(t)−h21(t)} and {h12(t)−h22(t)} to the decrypting unit 204.
The decrypting unit 204 supplies essential polynomials G1(x,y,t) and G2(x,y,t) and the section D in the memory 202 to the section assigning unit 205.
The section assigning unit 205 assigns the section D to each of the essential polynomials G1(x,y,t) and G2(x,y,t) and utilizes the one-variable polynomial arithmetic unit 206 as required to obtain one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t). The obtained one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) are transmitted to the decrypting unit 204 from the section assigning unit 205.
The decrypting unit 204 transmits the subtraction results {h11(t)−h21(t)} and {h12(t)−h22(t)} and the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) to the one-variable polynomial residue arithmetic unit 208. The one-variable polynomial residue arithmetic unit 208 divides each of the subtraction results {h11(t)−h21(t)} and {h12(t)−h22(t)} by each of the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) to obtain two residues g1(t)≡{h11(t)−h21(t)} mod G1(ux(t),uy(t),t) and g2(t)≡{h12(t)−h22(t)} mod G2(ux(t),uy(t),t) (ST24). The obtained g1(t) and g2(t) are supplied from the one-variable polynomial residue arithmetic unit 208 to the decrypting unit 204.
Based on the two residues g1(t) and g2(t), the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue g(t)≡{G2(ux(t),uy(t),t)g1(t)+G1(ux(t),uy(t),t)g2(t)} mod LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} that is acquired when a least common expression LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} of the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) is used as a divisor (ST25).
For example, the respective terms G2(ux(t),uy(t),t)g1(t) and G1(ux(t),uy(t),t)g2(t) and the least common expression LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue g(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
The decrypting unit 204 transmits the residue g(t) to the one-variable polynomial factorizing unit 207 to be factorized (ST26). The one-variable polynomial factorizing unit 207 transmits a result of factorization to the decrypting unit 204 as an alignment in which factors are sequenced.
The decrypting unit 204 extracts all combinations having a degree that is precisely deg f(ux(t),uy(t),t) as identification polynomial candidates from combinations of these factors (ST27). Specifically, the decrypting unit 204 can use a technique of sequentially obtaining all combinations from factors sequenced as the alignment in ascending order and extracting combinations having the degree that is precisely deg f(ux(t),uy(t),t) alone from the obtained combinations. However, in case of executing this technique, if the number of factors is l, there are 2^l combinations. Thus, in addition to this technique, there is adopted a method of preventing combinations whose degree exceeds deg f(ux(t),uy(t),t) from being further combined with factors, thereby extracting combinations of factors in a shorter processing time.
Then, the decrypting unit 204 sequentially extracts candidates for the identification polynomial f(ux(t),uy(t),t) (ST28), and sequentially transmits h11(t), h12(t), G1(ux(t),uy(t),t), and G2(ux(t),uy(t),t) to the one-variable polynomial residue arithmetic unit 208.
The one-variable polynomial residue arithmetic unit 208 divides each of h11(t) and h12(t) by each of the one-variable polynomials G1(ux(t),uy(t),t), and G2(ux(t),uy(t),t) to obtain two residues h′11(t)≡h11(t) mod G1(ux(t),uy(t),t) and h′12(t)≡h12(t) mod G2(ux(t),uy(t),t) (ST29). The obtained residues h′11(t) and h′12(t) are transmitted from the one-variable polynomial residue arithmetic unit 208 to the decrypting unit 204.
Based on the two residues h′11(t) and h′12(t), the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue h1(t)≡{G2(ux(t),uy(t),t)h′11(t)+G1(ux(t),uy(t),t)h′12(t)} mod LCM{G1(ux(t),uy(t),t), G2(ux(t),uy(t),t)} which is acquired when a least common expression LCM{G1(ux(t),uy(t),t), G2(ux(t),uy(t),t)} of the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) is used as a divisor (ST30).
For example, the respective terms G2(ux(t),uy(t),t)h′11(t) and G1(ux(t),uy(t),t)h′12(t) and the least common expression LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue h1(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
Subsequently, as represented by the following expression, h1(t) is further divided by a candidate for the identification polynomial f(ux(t),uy(t),t) to obtain a residue m(ux(t),uy(t),t) (ST31), and this residue is supplied to the decrypting unit 204.
m(ux(t),uy(t),t)≡h1(t)(mod f(ux(t),uy(t),t))
It is to be noted that this step ST31 is not restricted to the above expression and it may be executed in the form of a step ST31′ represented by the following expression and the following steps ST29′ to ST30′ as previous steps of the step ST31′.
m(ux(t),uy(t),t)≡h2(t)(mod f(ux(t),uy(t),t))
Here, h2(t) is obtained as follows. Each of h21(t) and h22(t) is divided by each of the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) to obtain two residues h′21(t)≡h21(t) mod G1(ux(t),uy(t),t) and h′22(t)≡h22(t) mod G2(ux(t),uy(t),t) (ST29′). The obtained residues h′21(t) and h′22(t) are transmitted from the one-variable polynomial residue arithmetic unit 208 to the decrypting unit 204.
Based on the two residues h′21(t) and h′22(t), the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue h2(t)≡{G2(ux(t),uy(t),t)h′21(t)+G1(ux(t),uy(t),t)h′22(t)} mod LCM{G1(ux(t), uy(t),t),G2(ux(t),uy(t),t)} which is acquired when a least common expression LCM{G1(ux(t),uy(t),t), G2(ux(t),uy(t),t)} of the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) is used as a divisor (ST30′).
For example, the respective terms G2(ux(t),uy(t),t)h′21(t) and G1(ux(t),uy(t),t)h′22(t) and the least common expression LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue h2(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
Here, since deg m(ux(t),uy(t),t)<deg f(ux(t),uy(t),t)si(ux(t),uy(t),t)<maxdegG holds because of the condition (12), it follows that the correct m(ux(t),uy(t),t) is obtained provided that the correct f(ux(t),uy(t),t) has been acquired.
Subsequently, the decrypting unit 204 determines a coefficient mijk in the following plaintext polynomial m(x,y,t) as a variable.
Further, the decrypting unit 204 generates a linear simultaneous equation having mijk as a variable by comparing coefficients of m(ux(t),uy(t),t) acquired at the step ST31 and of tk in mijkux(t)iuy(t)jtk, and transmits the generated equation to the linear simultaneous equation solving unit 209.
The linear simultaneous equation solving unit 209 solves this linear simultaneous equation based on a matrix operation and outputs a solution to the decrypting unit 204.
The decrypting unit 204 restores this solution into a form of a message to generate a plaintext candidate M (ST32). This restoration method is as explained above.
Then, the decrypting unit 204 transmits the plaintext candidate M to the plaintext inspecting unit 210. The plaintext inspecting unit 210 inspects an error detection code contained in the plaintext candidate M (ST33), and transmits an inspection result to the decrypting unit 204. When the inspection result obtained at the step ST33 indicates annulment, the decrypting unit 204 judges whether there is another identification polynomial candidate (ST34). If there is another candidate, the decrypting unit 204 determines the next identification polynomial candidate as f(ux(t),uy(t),t) (ST35) and repeats the steps ST29 to ST34. If there is no identification polynomial candidate as a result of the judgment at the step ST34, the decrypting unit 204 outputs an error (ST36) to terminate the processing.
On the other hand, when the inspection result at the step ST33 indicates acceptance, the decrypting unit 204 determines the plaintext candidate M as a correct plaintext m and outputs this plaintext from the output unit 211 (ST37).
After these operations, the decryption apparatus 200 terminates the decryption processing.
(Key Generation Processing)
Generation of an algebraic surface will be first explained, and then generation of a format of a plaintext polynomial will be described.
[Generation of Algebraic Surface]
As shown in
Input data is constituted of each element of ΛX and a degree of each coefficient aij(t) associated with the element of ΛX. The input unit 303 temporarily stores the basic format of the algebraic surface in the memory 302, and transmits the basic format of the algebraic surface in the memory 302 to the control unit 304.
Upon receiving the basic format of the algebraic surface, the control unit 304 reads a prime number p and a maximum degree d of a section as fixed parameters from the fixed parameter storage unit 301 (ST42, ST43), and transmits these fixed parameters p and d to the section generating unit 305.
The section generating unit 305 uses the one-variable polynomial generating unit 306 to generate one-variable polynomials ux(t) and uy(t) each having a degree d on a prime field Fp, and generates a section D:(x,y,t)=(ux(t),uy(t),t) from the two one-variable polynomials ux(t) and uy(t) to be transmitted to the control unit 304 (ST44).
The control unit 304 transmits this section D, and the basic format of the algebraic surface and the prime number p in the memory 302 to the algebraic surface generating unit 307.
Upon receiving the section D, the basic format of the algebraic surface, and the prime number p, the algebraic surface generating unit 307 randomly generates aij(t) other than constant terms (ST45). Further, the algebraic surface generating unit 307 assigns the section D:(x,y,t)=(ux(t),uy(t),t) to portions other than constant terms of the algebraic surface, and provides an assignment result with a negative sign to produce a constant term a00(t) (ST46), thereby producing an algebraic surface formed of portions other than the constant term and the constant term a00(t). It is to be noted that an instruction is supplied to the polynomial arithmetic unit 308 at the time of this calculation to perform adding/subtracting/multiplying operations. Moreover, the algebraic surface X generated in this example is a fibration X(x,y,t) in the algebraic surface X.
The produced algebraic surface X is transmitted to the control unit 304 from the algebraic surface generating unit 307. The control unit 304 outputs the algebraic surface X from the output unit 314 (ST47).
[Generation of Format of Plaintext Polynomial]
As shown in
Input data is constituted of elements of Λm and degrees of respective coefficients mij(t) associated with the elements of Λm. The input unit 303 temporarily stores a basic format of a plaintext polynomial and a section in the memory 302, and supplies the basic format of the plaintext polynomial in the memory 302 to the control unit 304.
Upon receiving the basic format of the plaintext polynomial, the control unit 304 reads a prime number p as a fixed parameter from the fixed parameter storage unit 301 (ST53). The control unit 304 transmits data of the basic format of the plaintext polynomial and the prime number p to the plaintext polynomial generating unit 309.
The plaintext polynomial generating unit 309 assigns a section (x,y,t)=(ux(t),uy(t),t) in the memory 302 to this basic format of the plaintext polynomial to calculate m(ux(t),uy(t),t) in the following expression (ST54).
Here, mijk is a variable. The plaintext polynomial generating unit 309 sequences the variables mijk to generate a variable vector (m000, m001, . . . , mijk, . . . ) (ST55), and transmits the variable vector (m000, m001, . . . , mijk, . . . ) and a one-variable polynomial m(ux(t),uy(t),t) to the matrix generating unit 310.
The matrix generating unit 310 organizes m(ux(t),uy(t),t) in regard to a variable t and generates a coefficient matrix A representing a coefficient mijkux(t)iuy(t)j containing the variable mijk by using the variable vector (m000, m001, . . . , mijk, . . . ) (ST56). Specifically, the matrix generating unit 310 extracts a polynomial in which t has a coefficient mijkux(t)iuy(t)j from the polynomial organized in relation to the variable t and generates the coefficient matrix in such a manner that a product obtained from the variable vector (m000, m001, . . . , mijk, . . . ) precisely becomes the coefficient mijkux(t)iuy(t)j of t. The generated coefficient matrix A is transmitted to the plaintext polynomial generating unit 309 from the matrix generating unit 310.
The plaintext polynomial generating unit 309 supplies an instruction for calculating a rank of this coefficient matrix A to the rank arithmetic unit 311. The rank arithmetic unit 311 calculates a rank of the coefficient matrix A in response to this instruction and supplies this rank to the plaintext polynomial generating unit 309 (ST57).
The plaintext polynomial generating unit 309 compares this rank with a dimension number of the variable vector to judge whether the rank is lower than the dimension number of the variable vector (ST58).
If the rank is lower than the dimension number as a result of this judgment, since a unique solution cannot be obtained, the plaintext polynomial generating unit 309 determines some of the variables mijk as constants (ST59) and again executes the processing from the calculation of the rank at the step ST57. Further, if the rank is equal to the dimension number of the vector as a result of the judgment at the step ST58, since a unique solution can be obtained, a format of the plaintext polynomial m(x,y,t) associated with the one-variable polynomial m(ux(t),uy(t),t) is output to the control unit 304. Incidentally, by the theory of linear algebra, the rank of a linear simultaneous equation that has a solution is guaranteed not to exceed the dimension number of its variable vector.
The control unit 304 writes the format of the plaintext polynomial m(x,y,t) in the memory 302 and outputs a format of the plaintext polynomial m(x,y,t) from the output unit 314 (ST60).
[Generation of Format of Identification Polynomial]
As shown in
Input data is constituted of elements of Λf and degrees of respective coefficients fij(t) associated with the elements of Λf. The input unit 303 temporarily stores the basic format of the identification polynomial in the memory 302, and transmits the basic format of the identification polynomial in the memory 302 to the control unit 304.
The control unit 304 transmits the basic format of the identification polynomial to the identification polynomial generating unit 312.
Upon receiving the basic format of the identification polynomial, the identification polynomial generating unit 312 reads a maximum degree d of a section from the fixed parameter storage unit 301 and also reads a format of a plaintext polynomial from the memory 302 (ST72).
The identification polynomial generating unit 312 calculates degrees degx m(x,y,t), degy m(x,y,t), and degt m(x,y,t) based on the maximum degree d of the section D and the format of the plaintext polynomial (ST73).
The identification polynomial generating unit 312 generates a format of a term having a maximum degree of an identification polynomial f(x,y,t) insofar as the conditions (7) are satisfied, and also produces a format of another term of the identification polynomial f(x,y,t) (ST74, ST75). Then, the identification polynomial generating unit 312 transmits the generated identification polynomial f(x,y,t) to the control unit 304.
The control unit 304 writes the generated format of the identification polynomial f(x,y,t) in the memory 302, and outputs the format of the identification polynomial f(x,y,t) from the output unit 314 (ST76).
[Generation of Essential Polynomials]
As shown in
The control unit 304 transmits the essential polynomial generation command to the essential polynomial generating unit 313.
Upon receiving an essential polynomial generation command, the essential polynomial generating unit 313 reads a maximum degree d of a section from a fixed parameter storage unit 301 and reads a format of a plaintext polynomial and a format of an identification polynomial from the memory 302 (ST81).
The essential polynomial generating unit 313 calculates a section degree SecDeg(m(x,y,t)) of a plaintext polynomial based on the maximum degree d of a section D and the format of the plaintext polynomial (ST82). Likewise, the essential polynomial generating unit 313 calculates degrees deg f(ux(t),uy(t),t) and deg m(ux(t),uy(t),t) based on the section D as a private key (ST83).
The essential polynomial generating unit 313 determines a judgment value maxdegG′ for a maximum value of the section degree of an essential polynomial insofar as the condition (8): mindegG<deg m(ux(t),uy(t),t)<deg f(ux(t),uy(t),t)<<maxdegG is satisfied (ST84), and writes the respective section degrees deg m(ux(t),uy(t),t) and deg f(ux(t),uy(t),t) and the judgment value maxdegG′ in the memory 302.
It is to be noted that the judgment value maxdegG′ is substantially equal to the maximum value maxdegG of the condition (8) but it is a value that is less than the maximum value maxdegG (maxdegG′≈maxdegG and maxdegG′<maxdegG). Actually, it is good enough to determine the judgment value maxdegG′ as a value of the arbitrary maximum value maxdegG satisfying the condition (8).
Then, the essential polynomial generating unit 313 randomly generates three-variable polynomials G1(x,y,t) and G2(x,y,t) (ST85). Then, the essential polynomial generating unit 313 assigns the section D in the memory 302 to the three-variable polynomials G1(x,y,t) and G2(x,y,t) to obtain two one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) (ST86).
Subsequently, the essential polynomial generating unit 313 judges whether the obtained two one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) satisfy the condition (8) (ST87 to ST89).
That is, the essential polynomial generating unit 313 takes the maximum value max{deg G1(ux(t),uy(t),t), deg G2(ux(t),uy(t),t)} of the degrees of these one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) as the minimum value mindegG of the section degree of the essential polynomials, and judges whether the condition mindegG<deg m(ux(t),uy(t),t) holds, i.e., whether the minimum value mindegG is smaller than the degree of the polynomial m(ux(t),uy(t),t) obtained by assigning the section to the plaintext polynomial m(x,y,t) (ST87).
When this condition is not achieved as a result of the judgment at the step ST87, the essential polynomial generating unit 313 advances to a step ST90 to annul the polynomials G1(x,y,t) and G2(x,y,t) (ST90), and re-executes the processing at the steps ST85 to ST87.
On the other hand, when mindegG<deg m(ux(t),uy(t),t) is achieved as a result of the judgment at the step ST87, the essential polynomial generating unit 313 calculates a least common expression LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} of the one-variable polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) (ST88).
Further, the essential polynomial generating unit 313 judges whether a degree of the calculated least common expression is equal to or below the judgment value maxdegG′ of the section degree in the memory 302 (ST89).
When the degree of the least common expression is equal to or below the judgment value maxdegG′ of the section degree as a result of the judgment at the step ST89, the essential polynomial generating unit 313 annuls the generated polynomials G1(x,y,t) and G2(x,y,t) (ST90) and re-executes the processing at the steps ST85 to ST89.
On the other hand, when the degree of the least common expression is not equal to or below the judgment value maxdegG′ of the section degree as a result of the judgment at the step ST89, the essential polynomial generating unit 313 transmits the generated polynomials G1(x,y,t) and G2(x,y,t) to the control unit 304 as essential polynomials G1(x,y,t) and G2(x,y,t). Further, the essential polynomial generating unit 313 also transmits section degrees mindegG and maxdegG of the essential polynomials G1(x,y,t) and G2(x,y,t) to the control unit 304.
It is to be noted that the maximum value maxdegG of the section degrees of the essential polynomials is the degree deg LCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)} of the least common expression used for the judgment at the step ST89 and it is not the judgment value maxdegG′ of the section degree. That is, since the polynomials are annulled when the degree is not greater than the judgment value maxdegG′ at the step ST89, the judgment value maxdegG′ and the maximum value maxdegG of the section degree have a relationship of maxdegG′<maxdegG. To sum up, they have a relationship of
maxdegG′<maxdegG=degLCM{G1(ux(t),uy(t),t),G2(ux(t),uy(t),t)}.
The control unit 304 writes the essential polynomials G1(x,y,t) and G2(x,y,t) supplied from the essential polynomial generating unit 313 and their section degrees mindegG and maxdegG in the memory 302, and outputs the essential polynomials G1(x,y,t) and G2(x,y,t) and the section degrees mindegG and maxdegG of the essential polynomials from the output unit 314 (ST91).
After the above-explained operations, the key generation apparatus 300 terminates the key generation processing.
As explained above, according to this embodiment, unlike the conventional example using a one-variable plaintext polynomial m(t) and an irreducible polynomial f(t), the structure adopting the three-variable plaintext polynomial m(x,y,t), the identification polynomial f(x,y,t), the essential polynomials G1(x,y,t) and G2(x,y,t), and the polynomials w11(x,y,t), w12(x,y,t), w21(x,y,t), and w22(x,y,t) eliminates the vulnerability produced by the one-variable polynomial in the public key cryptography using an algebraic surface.
A first variation can be realized by creating encrypted texts F11(x,y,t), F12(x,y,t), F21(x,y,t), and F22(x,y,t) based on, e.g., the following expressions in place of Expression (10) by the encrypting unit 107 at the steps ST8 and ST11.
F11(x,y,t)=m(x,y,t)−f(x,y,t)s1(x,y,t)−G1(x,y,t)w11(x,y,t)−X(x,y,t)r11(x,y,t),
F12(x,y,t)=m(x,y,t)−f(x,y,t)s1(x,y,t)−G2(x,y,t)w12(x,y,t)−X(x,y,t)r12(x,y,t),
F21(x,y,t)=m(x,y,t)−f(x,y,t)s2(x,y,t)−G1(x,y,t)w21(x,y,t)−X(x,y,t)r21(x,y,t),
F22(x,y,t)=m(x,y,t)−f(x,y,t)s2(x,y,t)−G2(x,y,t)w22(x,y,t)−X(x,y,t)r22(x,y,t)
On the other hand, decryption processing can likewise be realized by modifying it correspondingly, in accordance with the encryption arithmetic operation of this variation.
A second variation can be realized by adding an irreducibility judgment function of judging irreducibility to the identification polynomial generating unit 106 in the encryption apparatus 100, judging whether an identification polynomial f(x,y,t) generated at the step ST5 is an irreducible polynomial, and repeating the processing at the step ST5 when the identification polynomial is not an irreducible polynomial. As a judgment on irreducibility, it is good enough to judge whether an identification polynomial f(x,y,t) can be factorized, determine that the identification polynomial is not an irreducible polynomial to annul the identification polynomial if factorization is possible as a result of the judgment, and determine that the identification polynomial is an irreducible polynomial if factorization is impossible as a result of the judgment, for example.
A third variation can be realized when the plaintext embedding unit 104 executes processing of dividing a plaintext m to be embedded in a coefficient of a plaintext polynomial m(x,y,t) and a coefficient of an identification polynomial f(x,y,t) in place of processing of embedding the plaintext m in a plaintext polynomial m(x,y,t) at the step ST4 in the encryption processing. In this case, in decryption processing, a plaintext candidate M can be generated by solving a linear simultaneous equation that is produced when a coefficient of a plaintext polynomial m(ux(t),uy(t),t) is compared with that of a plaintext polynomial candidate M with a coefficient of the plaintext polynomial m(x,y,t) being determined as a variable, and the same processing as that performed to obtain the plaintext m can be executed with respect to the identification polynomial f(x,y,t). That is, in the decryption processing, like the decryption processing from a plaintext polynomial, a plaintext candidate M can be generated by solving a linear simultaneous equation produced when a coefficient of an identification polynomial f(ux(t),uy(t),t) is compared with that of an identification polynomial candidate M with a coefficient of the identification polynomial f(x,y,t) being determined as a variable, thereby obtaining a plaintext m. Moreover, in the case of also adopting the second variation, when embedding a plaintext m in each identification polynomial f(x,y,t), it is good enough to execute a method of embedding the plaintext m in coefficients in some of f(x,y,t) and adjusting to form an irreducible polynomial with remaining coefficients.
In regard to a fourth variation, when the polynomial generating unit 107 generates polynomials wij(x,y,t) and rij(x,y,t) (i=1, 2, j=1, 2) at the step ST7, it suffices to satisfy the conditions that X(x,y,t)rij(x,y,t) and Gj(x,y,t)wij(x,y,t) contain the same terms as polynomials in x and y, and that the degrees of the one-variable polynomials in t forming the coefficients of those terms in x and y match each other. The conditions can be satisfied by matching the format of one polynomial rij(x,y,t) with the format of the essential polynomial Gj(x,y,t) and matching the format of the other polynomial wij(x,y,t) with the format of the fibration X(x,y,t) when producing the polynomials rij(x,y,t) and wij(x,y,t). Specifically, it suffices to generate the polynomial rij(x,y,t) such that each term has the same degree in x and y as the corresponding term in the essential polynomial Gj(x,y,t), and to produce the polynomial wij(x,y,t) such that each term has the same degree in x and y as the corresponding term in the fibration X(x,y,t).
In regard to a fifth variation, between the steps ST27 and ST28 in the decryption processing, a value k of a non-illustrated counter is set to zero; the plaintext candidate M is stored in the memory 202 when the result of the inspection at the step ST33 is acceptable, the value k of the counter is incremented by "+1", and the same processing is performed from the step ST28 with respect to the next candidate f(ux(t),uy(t),t). When there is no next candidate f(ux(t),uy(t),t), an error is output when the value k of the counter is zero or two or more, and the plaintext candidate M in the memory 202 is output as the plaintext m when the value k of the counter is one. The fifth variation can be realized as explained above.
In regard to a sixth variation, the steps ST23 to ST35 (however, ST33 is omitted) in the decryption processing are repeated for the number of the sections D, a set Mn of plaintext candidates associated with the respective sections Dn is obtained, and the plaintext candidates included in this set Mn are stored in the memory 202. Thereafter, a plaintext candidate common to the plaintext candidate set Mn is output to the output unit 211 as the plaintext m.
Supplementarily, at the steps ST23 and ST24 in the sixth variation, the section assigning unit 205 assigns the respective sections Dn (where n=1, 2, . . . , n) to the four input encrypted texts Fij(x,y,t) (where i=1, 2, j=1, 2) to generate four one-variable polynomials {h11(n)(t),h12(n)(t),h21(n)(t),h22(n)(t)}. These one-variable polynomials hij(n)(t) are supplied to the decrypting unit 204 from the section assigning unit 205.
The decrypting unit 204 acquires the subtraction results {h11(n)(t)−h21(n)(t)} and {h12(n)(t)−h22(n)(t)} by transmitting the respective one-variable polynomials {h11(n)(t),h21(n)(t)} and {h12(n)(t),h22(n)(t)} to the one-variable polynomial arithmetic unit 206, where they are subjected to subtraction.
At the step ST24, the decrypting unit 204 transmits the essential polynomials G1(x,y,t) and G2(x,y,t) and the respective sections Dn in the memory 202 to the section assigning unit 205 to obtain one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t).
Furthermore, the decrypting unit 204 transmits the subtraction results {h11(n)(t)−h21(n)(t)} and {h12(n)(t)−h22(n)(t)} and the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t) to the one-variable polynomial residue arithmetic unit 208 to obtain two residues g1(n)(t)≡{h11(n)(t)−h21(n)(t)} mod G1(ux(n)(t),uy(n)(t),t) and g2(n)(t)≡{h12(n)(t)−h22(n)(t)} mod G2(ux(n)(t),uy(n)(t),t).
At the step ST25, based on the two residues g1(n)(t) and g2(n)(t), the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue
g(n)(t)≡{G2(ux(n)(t),uy(n)(t),t)g1(n)(t)+G1(ux(n)(t),uy(n)(t),t)g2(n)(t)} mod LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)}
that is acquired when a least common expression LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)} of the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t) is used as a divisor.
At the step ST26, the decrypting unit 204 transmits the residue g(n)(t) to the one-variable polynomial factorizing unit 207 where the residue is factorized.
The one-variable polynomial factorizing unit 207 transmits a result of factorization to the decrypting unit 204 as an alignment in which factors are sequenced.
At the step ST27, the decrypting unit 204 combines factors generated as a result of factorization to extract all identification polynomial candidates f(ux(n)(t),uy(n)(t),t) each precisely having deg f(ux(n)(t),uy(n)(t),t) as a degree.
At the step ST28, the decrypting unit 204 sequentially extracts the candidates for the identification polynomial f(ux(n)(t),uy(n)(t),t) and sequentially transmits them together with h11(n)(t) and h12(n)(t) and G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t) to the one-variable polynomial residue arithmetic unit 208.
At the step ST29, the one-variable polynomial residue arithmetic unit 208 divides h11(n)(t) and h12(n)(t) by the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t), respectively, to obtain two residues h′11(n)(t)≡h11(n)(t) mod G1(ux(n)(t),uy(n)(t),t) and h′12(n)(t)≡h12(n)(t) mod G2(ux(n)(t),uy(n)(t),t). The obtained residues h′11(n)(t) and h′12(n)(t) are supplied to the decrypting unit 204 from the one-variable polynomial residue arithmetic unit 208.
At the step ST30, based on the two residues h′11(n)(t) and h′12(n)(t), the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue
h1(n)(t)≡{G2(ux(n)(t),uy(n)(t),t)h′11(n)(t)+G1(ux(n)(t),uy(n)(t),t)h′12(n)(t)} mod LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)}
that is acquired when a least common expression LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)} of the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t) is used as a divisor.
For example, the respective terms G2(ux(n)(t),uy(n)(t),t)h′11(n)(t) and G1(ux(n)(t),uy(n)(t),t)h′12(n)(t) and the least common expression LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue h1(n)(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
At the step ST31, as represented by the following expression, h1(n)(t) is further divided by a candidate for the identification polynomial f(ux(n)(t),uy(n)(t),t) to obtain a residue, and the residue is supplied to the decrypting unit 204.
m(ux(n)(t),uy(n)(t),t)≡h1(n)(t) (mod f(ux(n)(t),uy(n)(t),t))
It is to be noted that this step is not restricted to the above expression and it may be executed as represented by the following expression.
m(ux(n)(t),uy(n)(t),t)≡h2(n)(t) (mod f(ux(n)(t),uy(n)(t),t))
Here, h2(n)(t) is obtained as follows. Each of h21(n)(t) and h22(n)(t) is divided by each of the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t) to obtain two residues h′21(n)(t)≡h21(n)(t) mod G1(ux(n)(t),uy(n)(t),t) and h′22(n)(t)≡h22(n)(t) mod G2(ux(n)(t),uy(n)(t),t). The obtained residues h′21(n)(t) and h′22(n)(t) are supplied to the decrypting unit 204 from the one-variable polynomial residue arithmetic unit 208.
Based on the two residues h′21(n)(t) and h′22(n)(t), the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue
h2(n)(t)≡{G2(ux(n)(t),uy(n)(t),t)h′21(n)(t)+G1(ux(n)(t),uy(n)(t),t)h′22(n)(t)} mod LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)}
that is acquired when a least common expression LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)} of the one-variable polynomials G1(ux(n)(t),uy(n)(t),t) and G2(ux(n)(t),uy(n)(t),t) is used as a divisor.
For example, the respective terms G2(ux(n)(t),uy(n)(t),t)h′21(n)(t) and G1(ux(n)(t),uy(n)(t),t)h′22(n)(t) and the least common expression LCM{G1(ux(n)(t),uy(n)(t),t),G2(ux(n)(t),uy(n)(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue h2(n)(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
As in the above explanation, the decrypting unit 204 derives a linear simultaneous equation having a coefficient of the plaintext polynomial m(x,y,t) as a variable based on the plaintext polynomial candidate m(ux(n)(t),uy(n)(t),t) and a previously disclosed format of the plaintext polynomial m(x,y,t).
At the step ST32, when the linear simultaneous equation solving unit 209 solves this linear simultaneous equation, the decrypting unit 204 generates each plaintext candidate M from this solution. This plaintext candidate M is transmitted to the plaintext inspecting unit 210 from the decrypting unit 204.
At the step ST33, the plaintext inspecting unit 210 judges whether there is a common plaintext candidate M among the n plaintext candidates M(n) obtained from the n plaintext polynomial candidates m(ux(n)(t),uy(n)(t),t), which were acquired by dividing each of the one-variable polynomials h1(n)(t).
At the step ST37, the decrypting unit 204 outputs the common plaintext candidate M(n) from the output unit 211 as a plaintext when there is a common plaintext candidate M(n) as a result of the judgment performed by the plaintext inspecting unit 210.
The sixth variation can be realized as explained above. It is to be noted that, when there are a plurality of plaintext candidates, an error may be output. In this case, however, when the fifth variation is also adopted and inspection of an error detection code is used to narrow down the plurality of plaintext candidates, the sixth variation can very probably be carried out without outputting an error.
In regard to a seventh variation, when the degree of the least common expression is not equal to or below the judgment value maxdegG′ of the section degree at the step ST89, the essential polynomial generating unit 313 further judges whether the polynomials G1(ux(t),uy(t),t) and G2(ux(t),uy(t),t) having the section D assigned thereto are coprime to each other; the processing can advance to the step ST91 when they are coprime, and return to the step ST85 via the step ST90 to repeat generation of the polynomials when they are not coprime. The judgment as to whether they are coprime can be made efficiently based on, e.g., the Euclidean algorithm or factorization.
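As an added example, not code from the patent itself, the following Python implements the one-variable polynomial arithmetic over GF(P) on which the essential polynomial judgment of steps ST87 to ST89 (mindegG from the maximum degree, maxdegG from the degree of the least common expression, annulment unless it exceeds maxdegG′) and the Chinese remainder recombination of two residues at steps ST25 and ST30 rely. P = 7 and the sample polynomials are constructed values; the recombination uses the Bezout form of the Chinese remainder theorem, which assumes G1 and G2 coprime as in the seventh variation, rather than the literal expression written on the page.

```python
# Added example: univariate polynomial arithmetic over GF(P) for the
# essential polynomial judgment (ST87 to ST89) and the CRT recombination
# of residues (ST25/ST30). Coefficients are stored lowest degree first;
# the empty list is the zero polynomial. P = 7 is a constructed sample.
P = 7


def trim(a):
    """Drop leading zero coefficients so deg() is well defined."""
    while a and a[-1] % P == 0:
        a.pop()
    return a


def deg(a):
    return len(a) - 1  # the zero polynomial gets degree -1


def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) +
                  (b[i] if i < len(b) else 0)) % P for i in range(n)])


def sub(a, b):
    return add(a, [(-c) % P for c in b])


def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)


def divmod_poly(a, b):
    """Long division over GF(P): (q, r) with a = q*b + r and deg r < deg b."""
    a, q = a[:], [0] * max(len(a) - len(b) + 1, 1)
    inv = pow(b[-1], P - 2, P)          # inverse of the leading coefficient
    while a and len(a) >= len(b):
        shift, c = len(a) - len(b), (a[-1] * inv) % P
        q[shift] = c
        for i, y in enumerate(b):
            a[i + shift] = (a[i + shift] - c * y) % P
        trim(a)
    return trim(q), a


def egcd(a, b):
    """Extended Euclid: [g, s, u] with s*a + u*b = g and g monic."""
    r0, r1, s0, s1, u0, u1 = a, b, [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1))
        u0, u1 = u1, sub(u0, mul(q, u1))
    inv = pow(r0[-1], P - 2, P)         # normalise the gcd to be monic
    return [trim([(c * inv) % P for c in v]) for v in (r0, s0, u0)]


def lcm(a, b):
    """The 'least common expression' of the text: a*b / gcd(a, b)."""
    return divmod_poly(mul(a, b), egcd(a, b)[0])[0]


def crt2(g1, G1, g2, G2):
    """Unique g with g = g1 (mod G1), g = g2 (mod G2), deg g < deg lcm(G1, G2).
    Uses the Bezout relation s*G1 + u*G2 = 1, so G1 and G2 must be coprime
    (the coprimality check of the seventh variation)."""
    d, s, u = egcd(G1, G2)
    if deg(d) != 0:
        raise ValueError("G1 and G2 share a factor; recombination is not unique")
    g = add(mul(mul(g1, u), G2), mul(mul(g2, s), G1))
    return divmod_poly(g, lcm(G1, G2))[1]


def essential_check(G1s, G2s, deg_m, maxdeg_judge):
    """Steps ST87 to ST89 on the section-assigned polynomials G1s and G2s.
    Returns (mindegG, maxdegG, accepted); maxdegG is None when ST87 fails."""
    mindeg = max(deg(G1s), deg(G2s))             # ST87: mindegG < deg m required
    if not mindeg < deg_m:
        return mindeg, None, False
    maxdeg = deg(lcm(G1s, G2s))                  # ST88: degree of the LCM
    return mindeg, maxdeg, maxdeg > maxdeg_judge  # ST89: annul unless > maxdegG'


if __name__ == "__main__":
    # Constructed sample: G1 = t + 1, G2 = t + 2 over GF(7), hidden g = t^2 + 3.
    G1, G2, g = [1, 1], [2, 1], [3, 0, 1]
    g1, g2 = divmod_poly(g, G1)[1], divmod_poly(g, G2)[1]
    print(crt2(g1, G1, g2, G2))               # [1, 4], i.e. g mod lcm = 4t + 1
    print(essential_check(G1, G2, 2, 1))      # (1, 2, True)
```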
As shown in
Fij(x,y,t)=m(x,y,t)+f(x,y,t)si(x,y,t)+Gj(x,y,t)wij(x,y,t)+X(x,y,t)rij(x,y,t)
The obtained result is output at ST12.
As shown in
gj(t)≡{h1j(t)−h2j(t)} mod Gj(ux(t),uy(t),t) (j=1, . . . , k)
At ST25, based on the three or more residues gj(t) (j=1, . . . , k), the one-variable polynomials Gj(ux(t),uy(t),t) (j=1, . . . , k), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue
g(t)≡{G1(ux(t),uy(t),t)g2(t) . . . gk(t)+G2(ux(t),uy(t),t)g1(t)g3(t) . . . gk(t)+ . . . +Gk(ux(t),uy(t),t)g1(t) . . . gk-1(t)} mod LCM{G1(ux(t),uy(t),t), . . . Gk(ux(t),uy(t),t)}
that is acquired when a least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of the one-variable polynomials Gj(ux(t),uy(t),t) (j=1, . . . , k) is used as a divisor.
At the step ST29, the decrypting unit 204 sequentially extracts candidates for the identification polynomial f(ux(t),uy(t),t) and sequentially supplies both h1j(t) (j=1, . . . , k) and Gj(ux(t),uy(t),t) (j=1, . . . , k) to the one-variable polynomial residue arithmetic unit 208. Additionally, the one-variable polynomial residue arithmetic unit 208 divides each h1j(t) by the corresponding one-variable polynomial Gj(ux(t),uy(t),t) to obtain k residues h′1j(t)≡h1j(t) mod Gj(ux(t),uy(t),t) (j=1, . . . , k). The obtained residues h′1j(t) (j=1, . . . , k) are supplied to the decrypting unit 204 from the one-variable polynomial residue arithmetic unit 208.
At the step ST30, based on the three or more residues h′1j(t), the same number of one-variable polynomials Gj(ux(t),uy(t),t) (j=1, . . . , k), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue h1(t)≡{G1(ux(t),uy(t),t)h′12(t) . . . h′1k(t)+ . . . +Gk(ux(t),uy(t),t)h′11(t) . . . h′1k-1(t)} mod LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} that is acquired when a least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of the one-variable polynomials Gj(ux(t),uy(t),t) (j=1, . . . , k) is used as a divisor.
For example, the respective terms G1(ux(t),uy(t),t)h′12(t) . . . h′1k(t), . . . , Gk(ux(t),uy(t),t)h′11(t) . . . h′1k-1(t) and the least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue h1(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
At the step ST31, as represented by the following expression, h1(t) is further divided by a candidate for the identification polynomial f(ux(t),uy(t),t) to obtain a residue, and the obtained residue is supplied to the decrypting unit 204.
m(ux(t),uy(t),t)≡h1(t)(mod f(ux(t),uy(t),t))
It is to be noted that this step is not restricted to the above expression and it may be executed as represented by the following expression.
m(ux(t),uy(t),t)≡h2(t)(mod f(ux(t),uy(t),t))
Here, h2(t) is obtained as follows. Each h2j(t) (j=1, . . . , k) is divided by the corresponding one-variable polynomial Gj(ux(t),uy(t),t) (j=1, . . . , k) to obtain k residues h′2j(t)≡h2j(t) mod Gj(ux(t),uy(t),t) (j=1, . . . , k). The obtained residues h′2j(t) (j=1, . . . , k) are supplied to the decrypting unit 204 from the one-variable polynomial residue arithmetic unit 208.
Based on the k residues h′2j(t), the one-variable polynomials Gj(ux(t),uy(t),t) (j=1, . . . , k), and the Chinese remainder theorem, the decrypting unit 204 utilizes the one-variable polynomial arithmetic unit 206 and the one-variable polynomial residue arithmetic unit 208 as required to obtain a residue h2(t)≡{G1(ux(t),uy(t),t)h′22(t) . . . h′2k(t)+ . . . +Gk(ux(t),uy(t),t)h′21(t) . . . h′2k-1(t)} mod LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} that is acquired when a least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} of the one-variable polynomials Gj(ux(t),uy(t),t) (j=1, . . . , k) is used as a divisor.
For example, the respective terms G1(ux(t),uy(t),t)h′22(t) . . . h′2k(t), . . . , Gk(ux(t),uy(t),t)h′21(t) . . . h′2k-1(t) and the least common expression LCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)} are calculated by utilizing the one-variable polynomial arithmetic unit 206. The residue h2(t) is calculated by utilizing the one-variable polynomial residue arithmetic unit 208.
In the key generation processing, as shown in
mindegG=max{degG1(ux(t),uy(t),t), . . . , degGk(ux(t),uy(t),t)}
Further, at ST88 it suffices to calculate the least common expression of the three or more polynomials having the section D assigned thereto. It is to be noted that the following expression is calculated at ST89.
maxdegG=degLCM{G1(ux(t),uy(t),t), . . . , Gk(ux(t),uy(t),t)}
It goes without saying that the k essential polynomials Gj(x,y,t) (j=1, . . . , k) are output at ST91, but this is mentioned here for completeness.
Further, the eighth variation is a configuration in which the two essential polynomials G1(x,y,t) and G2(x,y,t) are generalized to the k essential polynomials Gj(x,y,t) (j=1, 2, . . . , k), and the two essential polynomials G1(x,y,t) and G2(x,y,t) can be regarded as the special case of the eighth variation with Gj(x,y,t) (j=1, 2), i.e., k=2. Therefore, the respective apparatuses 100, 200, and 300 can be appropriately combined with the corresponding variations when executed. For example, the encryption apparatus 100 in the eighth variation can be appropriately combined with the first to fourth variations concerning the encryption processing. Likewise, the decryption apparatus 200 in the eighth variation can be appropriately combined with the fifth or sixth variation concerning the decryption processing. For example, when the eighth variation is combined with the sixth variation, the steps ST23 to ST35 (however, ST33 is omitted) in the decryption processing depicted in
Moreover, the key generation apparatus 300 in the eighth variation can be likewise appropriately combined with the seventh variation to be executed.
The technique described above for the embodiment can be stored as a program to be executed by a computer in memory mediums including magnetic disks (Floppy™ disks, hard disks, etc.), optical disks (CD-ROMs, DVDs, etc.), magneto-optical disks (MOs) and semiconductor memories for distribution.
Memory mediums that can be used for the purpose of the present invention are not limited to those listed above and memory mediums of any type can also be used for the purpose of the present invention so long as they are computer-readable ones.
Additionally, the operating system (OS) operating on a computer according to the instructions of a program installed in the computer from a memory medium, data base management software and/or middleware such as network software may take part in each of the processes for realizing the above embodiment.
Still additionally, memory mediums that can be used for the purpose of the present invention are not limited to those independent from computers but include memory mediums adapted to download a program transmitted by LANs and/or the Internet and permanently or temporarily store it.
It is not necessary that a single memory medium is used with the above described embodiment. In other words, a plurality of memory mediums may be used with the above-described embodiment to execute any of the above described various processes. Such memory mediums may have any configuration.
For the purpose of the present invention, a computer executes various processes according to one or more programs stored in the memory medium or mediums as described above for the preferred embodiment. More specifically, the computer may be a stand-alone computer or a system realized by connecting a plurality of computers by way of a network.
For the purpose of the present invention, computers include not only personal computers but also processors and microcomputers contained in information processing apparatus. In other words, computers generally refer to apparatus and appliances that can realize the functional features of the present invention by means of a computer program.
The present invention is by no means limited to the above described embodiment, which may be modified in various different ways without departing from the spirit and scope of the invention. Additionally, any of the components of the above described embodiment may be combined differently in various appropriate ways for the purpose of the present invention. For example, some of the components of the above described embodiment may be omitted. Alternatively, components of different embodiments may be combined appropriately in various different ways for the purpose of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
2008-010960 | Jan 2008 | JP | national |