三項暗号 KM(3)-PKC の提案...

三項暗号 KM(3)-PKC の提案～公開鍵サイズが非常に小さいチャレンジ問題提出～

平成１７年１１月１４日

大阪学院大学　　　　笠原正雄大阪電気通信大学　村上恭通

内容

積和型暗号について，より安全性の高い構成法として三項暗号を提案する．

公開鍵サイズが 347 ビット，暗号文サイズ183 ビットの解読が容易と思われる挑戦問題を “ Very Simple Challenge” として提出する．

“Simple Challenges” として公開鍵サイズ 500, 700 ビット程度の比較的解読が容易と思われる問題を提出し，解読を求める．

“Challenges” として公開鍵サイズ 1000 ビット程度の問題を提出し，解読を求める．

Challenge Problems (e=2)

Class ProblemMessage

SizeCiphertext

SizePublic-key

Size

I Problem3 140 183 347

II Problem4 210 273 517

III Problem6 412 533 1011

単位 [bit]

Very Simple Challenge

Simple Challenges

Challenges

Challenge Problems

e Message Size Ciphertext Size Public-key Size

Problem 3 2 140 183 347

Problem 1 3 200 271 496

Problem 2 3 280 381 706

Problem 4 2 210 273 517

Problem 5 3 398 544 1021

Problem 6 2 412 533 1011単位 [bit]

Very Simple Challenge

Simple Challenges

Challenges

List of Symbols

| I | : size of integer I (in bits);α, β, γ, σ: random positive integers;N : modulus of a random positive integer;e : public system prarameter;d : inverse element of e (mod λ(γ));λ(γ) : Carmichael functin of γ;Spk : size of public key;

Generation of Secret Keys and Public Keys

Algorithm I

Step 1: Generate (k+1)-bit random integers, α, β

and (l+1)-bit random integer γ,

such that gcd(α,β)=gcd(β,γ)=gcd(γ,α)=1.

Step 2: Generate a public key a3

for which the relation gcd(a3, N)=1 holds.

Step 3: Given a3, σ and N, the following u is obtained:

u = a3 σ-1 (mod N).

Step 4: Given α,β,γ and N,

the public keys a1, a2 are obtained as follows:

a1 = uβγ (mod N),

a2 = uαγ (mod N).

Secret Keys and Public Keys

Secret Keys:α, β,γ, σ, N

Public Keys:a1, a2, a3

Encryption

Letting the messages,

m1 and m2 be k-bit positive integers and

m3 be an l-bit positive integer.

The ciphertext C Z is obtained as follows:∈

C = a1 m1 + a2 m2 + a3 m3e

Decryption

Algorithm II

Let the intermediate message M be

M = βγm1 + αγm2 + σ m3e.

Step 1: The intermediate message M is obtained as follows:

M = u-1 C (mod N).

Step 2: The message m3 can be obtained as follows:

m3 = (σ-1 M)d (mod γ), where d = e-1 (mod λ(γ)).

Step 3: The messages m1 and m2 can be decoded as follows:

M’ = (M-σm3e) ／ γ,

m1 = β-1 M’ (mod α),

m2 = α-1 M’ (mod β).

Design Conditions

Condition 1 (Decryption)M < N

Condition 2 (Size of the terms of M)

| βγm1 | = | αγm2 | = |σm3e |

Condition 3 (High density over 1)

| C | < | m1 | + | m2 | + e | m3 |Condition 4 (Size of the terms of C)

| a1 m1 | = | a2 m2 | = | a3 m3e|

Rate and Density

Rate R:

size of message (in bits) R=

size of ciphertext (in bits)

Density D:

size of pertinently enlarged message (in bits) D=

size of ciphertext (in bits)

Parameter Settings

From Condition 3, D > 1 must be required for being secure against LDA.

From Eqs.(21) and (22), the following relation holds:k+4 2k

e-1 e-1From Eq.(23), we recommend the following l:

3k2(e-1)

We see that e is required to take on a small valuein order to obtain a large value of l.

< l <

l ≒

Simple Challenge (Problem 1)

e=3, |m1|=|m2|=70bit, |m3|=60bit, |C|=271bit, Spk=496bit. Public Key: (a1, a2, a3)

a1=4216248180031011146690575580257341486535115078654976400520752,

a2=208869165457570245222440738684785581895155696351766440092890,

a3=4951760157160646877071445121, Ciphertext:

C=2705115812533065994890435027746622671903663976554366975771320953354957495525975980,

Density: D=1.18, Rate: R=0.738.



a1=4712050822084399355130400810152318447870501128630600393697566890496050275349179498455,

a2=2392605233304211196064298393364530250559239840634533709773526463062616120178985993857,

a3=5575186299632655790214576212283927176936387, Ciphertext:

C=3476253086803090347007542623850376181488350960561602929655103813597425611501866861363465356604826830330760227687509,


KM(3)-PKC

In KM(3)-PKC, the system parameter takes on the special value of e=2.

The difference of KM(3)-PKC from the KM(3)-PKC is as follows:The d, inverse element of e, does not exist; It is required that γ be a prime number; It is required that m3 be an (l-1)bit integer;

～

～

Encryption

Letting the messages, m1 and m2 be k-bit positive integers and m3 be an (l-1)-bit positive integer.

In KM(3)-PKC, m3 must be converted into l-bit positive integer m3, in one of the following manner:(A) m3 = m3,

(B) m3 = 2m3 + 1. The ciphertext, C Z is obtained as follows:∈

C = a1 m1 + a2 m2 + a3 m32

～～

～～

～

Decryption

Algorithm III

Let the intermediate message M be

M = βγm1 + αγm2 + σ m32.

Step 1: The intermediate message M is obtained as follows:

M = u-1 C (mod N).

Step 2: The message m3 can be obtained as follows:

(A) m3 = √σ-1 M (mod γ), where m3 < γ ／ 2.

(B) m3 = √σ-1 M (mod γ), where m3 is odd.

Step 3: The messages m1 and m2 can be decoded as follows:

M’ = (M-σm32) ／ γ,

m1 = β-1 M’ (mod α),

m2 = α-1 M’ (mod β).

～

～～～

～

～

Small Example

γ= 67, m3(5bit) m⇒ 3(6bit)(A) m3 = 25 m⇒ 3 = 25 m3 = 11001(2) m⇒ 3 = 011001(2)

m32 = 252 = 22 (mod 67)

√22 = 25, 42 From 25 < 32, m⇒ 3 = 25(B) m3 = 25 m⇒ 3 = 2×25+1 = 51 m3 = 11001(2) m⇒ 3 = 110011(2)

m32 = 512 = 55 (mod 67)

√55 = 16, 51 From 51 is odd, m⇒ 3=51 m⇒ 3=(51-1)/2 =25

～～

～

～～

～

～

～

Very Simple Challenge (Problem 3)


a1=6543367536282185388250417633736870201483064,

a2=2783954299710691305821534577358205710303709,

a3=2305843051400315201, Ciphertext:

C=8879117557211732475632383408224638143725814677467344967,




a1=11434125464152598144892457980791960589094734026729571667432317794,

a2=7461681489880664813018893960308318511511063634976867115019150633,

a3=2475880078581799978444855949, Ciphertext:

C=12274744908858402791000689644486737188312305593990493582056355616755673365289877034,


Security(1) against LDA

Letting (m1, m2, m3e) be (x1, x2, x3),

we see that the deciphering KM(3)-PKC is

equivalent to the solving of the following

linear Diophantine equation:

C = a1 x1 + a2 x2 + a3 x3.

Security(2) against Exhaustive Search

In KM(3)-PKC, the ciphertext C is given byC = a1 m1 + a2 m2 + a3 m3

e.Let the estimated value of m3 be denoted by m3.When m3=m3 holds, we obtain the following ciphertext C w

hich is equivalent to two terms public key cryptosystem:C = a1 m1 + a2 m2

It is easy to see that the ciphertext C can be easily deciphered.

Thus, in order to make the proposed scheme invulnerable to the exhaustive search on m3, it is recommended that m3 satisfy the following:

| m3 | 60 (in bits).≧

^^

Challenge (Problem 5)


a1=1837803766451096790650403246410048966520001915670181945732593044189042533219306827122369110561745698647344768138499333132,

a2=1641803148109663217799616945778349382618740009975895323655024165395685302638728905242673707686094190861074314211467612458,

a3=3369993333393829974333376886529224507936261198312988134821046452501,

Ciphertext: C=290472351498959655725161617766771997538617375795917060

50968803894286116602583687594295309696256305404475762113188527058446634331524729676753767760446069838803208337

Challenge (Problem 6)


a1=82605653800244341526226517325091434162878822961361419645470365947594165743936450342502652888378093446883047471041947017303219,

a2=19793565240596431573716995072900079298961058068739089615021837665711402995805209520410079245556596544010565108767377976865302,

a3=3064991081731777716716830940439406147138775777549308003, Ciphertext:

C=19192110111388738363394577407898165560182991562517650065199708087410270479472218527418970309796408019975605623115869743172503119529435179359158544847722430740294.

むすび

積和型暗号について，より安全性の高い構成法として三項暗号を提案した．

公開鍵サイズが 347 ビット，暗号文サイズ183 ビットの挑戦問題を “ Very Simple Challenge” として提出した．

“Simple Challenges” として公開鍵サイズ 500, 700 ビット程度の挑戦問題を提出した．

“Challenges” として公開鍵サイズ 1000 ビット程度の問題を提出した．

これらの問題に対して，エレガントな解読を求む．

三項暗号 KM(3)-PKC の提案...

Documents

Transcript of 三項暗号 KM(3)-PKC の提案...