1 / 25

三項暗号 KM(3)-PKC の提案 ~公開鍵サイズが非常に小さいチャレンジ問題提出~

三項暗号 KM(3)-PKC の提案 ~公開鍵サイズが非常に小さいチャレンジ問題提出~. 平成17年11月14日 大阪学院大学    笠原 正雄 大阪電気通信大学 村上 恭通. 内容. 積和型暗号について,より安全性の高い構成法として三項暗号を提案する. 公開鍵サイズが 347 ビット,暗号文サイズ 183 ビットの解読が容易と思われる挑戦問題を “ Very Simple Challenge” として提出する. “ Simple Challenges” として公開鍵サイズ 500, 700 ビット程度の比較的解読が容易と思われる問題を提出し,解読を求める.

colin-guerrero
Download Presentation

三項暗号 KM(3)-PKC の提案 ~公開鍵サイズが非常に小さいチャレンジ問題提出~

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 三項暗号KM(3)-PKCの提案~公開鍵サイズが非常に小さいチャレンジ問題提出~三項暗号KM(3)-PKCの提案~公開鍵サイズが非常に小さいチャレンジ問題提出~ 平成17年11月14日 大阪学院大学    笠原 正雄 大阪電気通信大学 村上 恭通

  2. 内容 • 積和型暗号について,より安全性の高い構成法として三項暗号を提案する. • 公開鍵サイズが 347 ビット,暗号文サイズ183 ビットの解読が容易と思われる挑戦問題を “Very Simple Challenge” として提出する. • “Simple Challenges” として公開鍵サイズ 500, 700 ビット程度の比較的解読が容易と思われる問題を提出し,解読を求める. • “Challenges” として公開鍵サイズ 1000 ビット程度の問題を提出し,解読を求める.

  3. Challenge Problems (e=2) Very Simple Challenge Simple Challenges Challenges 単位 [bit]

  4. Challenge Problems Very Simple Challenge Simple Challenges Challenges 単位 [bit]

  5. List of Symbols • | I | : size of integer I (in bits); • α, β, γ, σ: random positive integers; • N : modulus of a random positive integer; • e : public system prarameter; • d : inverse element of e (mod λ(γ)); • λ(γ) : Carmichael functin of γ; • Spk : size of public key;

  6. Generation of Secret Keys and Public Keys Algorithm I Step 1: Generate (k+1)-bit random integers, α, β and (l+1)-bit random integer γ, such that gcd(α,β)=gcd(β,γ)=gcd(γ,α)=1. Step 2: Generate a public key a3 for which the relation gcd(a3, N)=1 holds. Step 3: Given a3, σ and N, the following u is obtained: u = a3 σ-1 (mod N). Step 4: Given α,β,γ and N, the public keys a1, a2 are obtained as follows: a1 = uβγ (mod N), a2 = uαγ (mod N).

  7. Secret Keys and Public Keys • Secret Keys: α, β,γ, σ, N • Public Keys: a1, a2, a3

  8. Encryption • Letting the messages, m1 and m2 be k-bit positive integers and m3 be an l-bit positive integer. • The ciphertext C∈Z is obtained as follows: C = a1 m1 + a2 m2 + a3 m3e

  9. Decryption Algorithm II Let the intermediate message M be M = βγm1 + αγm2 + σ m3e. Step 1: The intermediate message M is obtained as follows: M = u-1 C (mod N). Step 2: The message m3 can be obtained as follows: m3 = (σ-1 M)d (mod γ), where d = e-1 (mod λ(γ)). Step 3: The messages m1 and m2 can be decoded as follows: M’ = (M-σm3e)/γ, m1 = β-1 M’ (mod α), m2 = α-1 M’ (mod β).

  10. Design Conditions • Condition 1 (Decryption) M < N • Condition 2 (Size of the terms of M) | βγm1 | = | αγm2 | = |σm3e | • Condition 3 (High density over 1) | C | < | m1 | + | m2 | + e | m3 | • Condition 4 (Size of the terms of C) | a1 m1 | = | a2 m2 | = | a3 m3e|

  11. Rate and Density • Rate R: size of message (in bits) R= size of ciphertext (in bits) • Density D: size of pertinently enlarged message (in bits) D= size of ciphertext (in bits)

  12. Parameter Settings From Condition 3, D > 1 must be required for being secure against LDA. From Eqs.(21) and (22), the following relation holds: k+4 2k e-1 e-1 From Eq.(23), we recommend the following l: 3k 2(e-1) We see that e is required to take on a small valuein order to obtain a large value of l. < l < l ≒

  13. Simple Challenge (Problem 1) • e=3, |m1|=|m2|=70bit, |m3|=60bit, • |C|=271bit, Spk=496bit. • Public Key: (a1, a2, a3) a1=4216248180031011146690575580257341486535115078654976400520752, a2=208869165457570245222440738684785581895155696351766440092890, a3=4951760157160646877071445121, • Ciphertext: C=2705115812533065994890435027746622671903663976554366975771320953354957495525975980, • Density: D=1.18, • Rate: R=0.738.

  14. Simple Challenge (Problem 2) • e=3, |m1|=|m2|=100bit, |m3|=80bit, • |C|=381bit, Spk=706bit. • Public Key: (a1, a2, a3) a1=4712050822084399355130400810152318447870501128630600393697566890496050275349179498455, a2=2392605233304211196064298393364530250559239840634533709773526463062616120178985993857, a3=5575186299632655790214576212283927176936387, • Ciphertext: C=3476253086803090347007542623850376181488350960561602929655103813597425611501866861363465356604826830330760227687509, • Density: D=1.15, • Rate: R=0.735.

  15. KM(3)-PKC • In KM(3)-PKC, the system parameter takes on the special value of e=2. • The difference of KM(3)-PKC from the KM(3)-PKC is as follows: • The d, inverse element of e, does not exist; • It is required that γ be a prime number; • It is required that m3 be an (l-1)bit integer; ~

  16. Encryption • Letting the messages, m1 and m2 be k-bit positive integers and m3 be an (l-1)-bit positive integer. • In KM(3)-PKC, m3 must be converted into l-bit positive integer m3, in one of the following manner: (A) m3 = m3, (B) m3 = 2m3 + 1. • The ciphertext, C∈Z is obtained as follows: C = a1 m1 + a2 m2 + a3 m32 ~ ~ ~ ~ ~

  17. Decryption Algorithm III Let the intermediate message M be M = βγm1 + αγm2 + σ m32. Step 1: The intermediate message M is obtained as follows: M = u-1 C (mod N). Step 2: The message m3 can be obtained as follows: (A) m3 = √σ-1 M (mod γ), where m3 < γ/2. (B) m3 = √σ-1 M (mod γ), where m3 is odd. Step 3: The messages m1 and m2 can be decoded as follows: M’ = (M-σm32)/γ, m1 = β-1 M’ (mod α), m2 = α-1 M’ (mod β). ~ ~ ~ ~ ~ ~

  18. Small Example ~ • γ= 67, m3(5bit) ⇒ m3(6bit) (A) m3 = 25 ⇒ m3 = 25 m3 = 11001(2) ⇒ m3 = 011001(2) m32 = 252 = 22 (mod 67) √22 = 25, 42 From 25 < 32, ⇒ m3 = 25 (B) m3 = 25 ⇒ m3 = 2×25+1 = 51 m3 = 11001(2) ⇒ m3 = 110011(2) m32 = 512 = 55 (mod 67) √55 = 16, 51 From 51 is odd, ⇒ m3=51 ⇒ m3=(51-1)/2 =25 ~ ~ ~ ~ ~ ~ ~

  19. Very Simple Challenge (Problem 3) • e=2, |m1|=|m2|=40bit, |m3|=60bit, • |C|=183bit, Spk=347bit. • Public Key: (a1, a2, a3) a1=6543367536282185388250417633736870201483064, a2=2783954299710691305821534577358205710303709, a3=2305843051400315201, • Ciphertext: C=8879117557211732475632383408224638143725814677467344967, • Density: D=1.10, • Rate: R=0.765.

  20. Simple Challenge (Problem 4) • e=2, |m1|=|m2|=60bit, |m3|=90bit, • |C|=273bit, Spk=517bit. • Public Key: (a1, a2, a3) a1=11434125464152598144892457980791960589094734026729571667432317794, a2=7461681489880664813018893960308318511511063634976867115019150633, a3=2475880078581799978444855949, • Ciphertext: C=12274744908858402791000689644486737188312305593990493582056355616755673365289877034, • Density: D=1.11, • Rate: R=0.769.

  21. Security(1) against LDA Letting (m1, m2, m3e) be (x1, x2, x3), we see that the deciphering KM(3)-PKC is equivalent to the solving of the following linear Diophantine equation: C = a1 x1 + a2 x2 + a3 x3.

  22. Security(2) against Exhaustive Search In KM(3)-PKC, the ciphertext C is given by C = a1 m1 + a2 m2 + a3 m3e. Let the estimated value of m3 be denoted by m3. When m3=m3 holds, we obtain the following ciphertext C which is equivalent to two terms public key cryptosystem: C = a1 m1 + a2 m2 It is easy to see that the ciphertext C can be easily deciphered. Thus, in order to make the proposed scheme invulnerable to the exhaustive search on m3, it is recommended that m3 satisfy the following: | m3 | ≧ 60 (in bits). ^ ^

  23. Challenge (Problem 5) • e=3, |m1|=|m2|=145bit, |m3|=108bit, • |C|=544bit, Spk=1021bit. • Public Key: (a1, a2, a3) a1=1837803766451096790650403246410048966520001915670181945732593044189042533219306827122369110561745698647344768138499333132, a2=1641803148109663217799616945778349382618740009975895323655024165395685302638728905242673707686094190861074314211467612458, a3=3369993333393829974333376886529224507936261198312988134821046452501, • Ciphertext: C=29047235149895965572516161776677199753861737579591706050968803894286116602583687594295309696256305404475762113188527058446634331524729676753767760446069838803208337

  24. Challenge (Problem 6) • e=2, |m1|=|m2|=118bit, |m3|=176bit, • |C|=533bit, Spk=1011bit. • Public Key: (a1, a2, a3) a1=82605653800244341526226517325091434162878822961361419645470365947594165743936450342502652888378093446883047471041947017303219, a2=19793565240596431573716995072900079298961058068739089615021837665711402995805209520410079245556596544010565108767377976865302, a3=3064991081731777716716830940439406147138775777549308003, • Ciphertext: C=19192110111388738363394577407898165560182991562517650065199708087410270479472218527418970309796408019975605623115869743172503119529435179359158544847722430740294.

  25. むすび • 積和型暗号について,より安全性の高い構成法として三項暗号を提案した. • 公開鍵サイズが 347 ビット,暗号文サイズ183 ビットの挑戦問題を “Very Simple Challenge” として提出した. • “Simple Challenges” として公開鍵サイズ 500, 700 ビット程度の挑戦問題を提出した. • “Challenges” として公開鍵サイズ 1000 ビット程度の問題を提出した. • これらの問題に対して,エレガントな解読を求む.

More Related