Masao KASAHARA. Graduate School of Osaka Gakuin University

Transcription

1 Abstract Construction of New Classes of Knapsack Type Public Key Cryptosystem Using Uniform Secret Sequence, K(II)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Graduate School of Osaka Gakuin University In this paper, we present a new class of knapsack type PKC referred to as K(II)ΣΠPKC In K(II)ΣΠPKC, Bob romly constructs a very small subset of Alice s set of public key whose order is very large, under the condition that the coding rate ρ satisfies 001 < ρ < 05 In K(II)ΣΠPKC, no secret sequence such as super-increasing sequence or shifted-odd sequence but the sequence whose component is constructed by a product of the same number of many prime numbers of the same size, is used We show that K(II)ΣΠPKC is secure against the attacks such as LLL algorithm, Shamir s attack etc, because a subset of Alice s public keys is chosen entirely in a probabilistic manner at the sending end We also show that K(II)ΣΠPKC can be used as a member of the class of common key cryptosystems because the list of the subset romly chosen by Bob can be used as a common key between Bob Alice, provided that the conditions given in this paper are strictly observed, without notifying Alice of his secret key through a particular secret channel Key words Public-key cryptosystem(pkc), Knapsack-type PKC, Product-sum type PKC, LLL algorithm, PQC 1 Introduction Various studies have been made of the Public-Key Cryptosystem (PKC) The security of the PKC s proposed so far, in most cases, depends on the difficulty of discrete logarithm problem or factoring problem For this reason, it is desired to investigate another classes of PKC s that do not rely on the difficulty of these two problems One of the promising cidates among the classes of PKC are the code-based PKC the product-sum type PKC [1] [3] In this paper, we present a new class of knapsack type PKC referred to as K(II)ΣΠPKC In K(II)ΣΠPKC, Bob romly constructs a very small subset of Alice s set of public key whose order is very large, under the condition that the coding rate ρ satisfies 001 < ρ < 05 In K(II)ΣΠPKC, no secret sequence such as super-increasing sequence or shifted-odd sequence but the sequence whose components are constructed by the products of the same number of many prime numbers of the same size, is used It should be noted that the components of the secret sequence such as super-increasing sequence or shifted-sequence have different entropies On the other h the components of the secret sequence used in K(II)ΣΠPKC take on the same entropy We show that K(II)ΣΠPKC is secure against the attacks such as LLL algorithm, Shamir s attack etc, because a subset of Alice s public keys is chosen entirely in a probabilistic manner at the sending end We also show that K(II)ΣΠPKC can be used as a member of the class of common key cryptosystems because the list of the subset romly chosen by Bob can be used as a common key between Bob Alice, provided that the conditions given in this paper are strictly observed, without notifying Alice of his secret key through a particular secret channel K(II)ΣΠPKC for two messages 1 Preliminaries Let us define several symbols : m i : Message symbol over Z; i = 1,,, λ Γ : Intermediate message p i : Prime number ; i = 1,,, n p : (p 1, p,, p n ), prime number vector s : (s 1, s,, s n ), secret sequence 1

2 A : Size of A in bit #S : Order of set S The conventional knapsack type PKC s are constructed using the following sequences: (i) : super-increasing sequence[5] (ii) : shifted-odd sequence[13 15] (iii) : J-step uniform sequence[19,0] In these sequences, entropies of the components are not necessarily same On the other hs, the entropies of the components of the secret sequence used in K(II)ΣΠPKC are exactly same Entropy s n s s 1 Entropy s n s 1 s s n s s 1 Entropy (a)super-increasing (b)shifted-odd (c)k(ii)σπpkc Fig 1 Entropys of secret sequences We shall refer to such secret sequence as uniform sequence In the following sections, when the variable x i takes on an actual value x i, we shall denote the corresponding vector, x = (x 1, x,, x n), as x = ( x 1, x,, x n ) (1) The C M et al will be defined in a similar manner Summary of idea of K(II)ΣΠPKC In this sub-section let us summarize the idea of a secret system using K(II)ΣΠPKC for two messages Let the Alice s set of public key, be denoted {k i } A For the message m = (m A, m B ), Bob romly chooses two keys, k A k B, from the set of Alice s public key {k i } A Bob encrypts the message m into m C = m A k A + m B k B () Alice decrypts the ciphertext C into C m = (m A, m B ) (3) 3 Problem 1 Let us suppose that two public keys are chosen in accordance with this rom choice two secret keys q A q B are chosen from the set {q i } The intermediate message Γ is Γ = m A q A + m B q B (4) Problem 1 : Construct the set of secret keys {q i} so that Γ may be decoded as Γ m = (m A, m B), (5) under the conditions that : (i) q A q B are romly chosen from {q i } whose order is very large, (ii) coding rate ρ satisfies 001 < ρ < 05, (iii) completely uniform sequence is used In the next sub-sections we shall present a scheme for constructing {q i } based on the maximum length code [4],as one of the solutions for Problem 1 4 Maximum length code In this sub-section, we assume that n is given by n = g 1 (6) The maximum length code {F M (x)} is a cyclic code that satisfies F M (x) 0 mod xn 1 G F (x), (7) where G F (x) over F is a primitive polynomial of degree g In the followings {F M (x)} will also be denoted simply by {F M } Let the two code words of {F M }, M α M β over F, be denoted by M α = (α 1, α,, α n ) (8) M β = (β 1, β,, β n) (9) Let the sets S 1, S, S 3 be defined as follows : S 1 : Set of pairs (α i, β i ) s such that α i = 1, β i = 1 ; i = 1,,, n S : Set of pairs (α i, β i ) s such that α i = 0, β i = 0 ; i = 1,,, n S 3 : Set of pairs (α i, β i ) s such that α i = 0, β i = 1 ; i = 1,,, n S 4 : Set of pairs (α i, β i) s such that α i = 1, β i = 0 ; i = 1,,, n Theorem 1 : The orders #S 1, #S, #S 3 #S 4 are given by #S 1 = n + 1, (10) 4 #S = n 3, (11) 4 #S 3 = #S 4 = n + 1 (1)

3 Proof : The Hamming weight of any code word of the maximum length code {F M } is n+1 As the maximum length code {F M } is a member of the class of linear codes, M C = M A + M B ; M A = M B (13) is also a code word of {F M } Namely the weight of M C also n+1, which implies that the following relations hold: (#S 3 ) + (#S 4 ) = n + 1, (14) (#S 1 ) + (#S ) = n n + 1 Eqs(14) (15) imply that = n 1 (15) (#S 3 ) = (#S 4 ), (16) (#S 1 ) = (#S ) + 1 (17) From Eqs(15) (17), #S is given by #S = ( n 1 is 1)/ = n 3 n+1, which implies that #S1 = Construction of the set of composite number {q i } Let A be a code word of {F M } p, a prime number vector whose components are romly chosen prime numbers Let A p be denoted by A = (a 1, a,, a n) (18) p = (p 1, p,, p n), (19) where we assume that p i has the same size ; i = 1,, n Let w A be defined by w A = (a 1 p 1, a p,, a n p n ) (0) Let the composite number q (A) be defined by the products of non-zero components of w A Namely q (A) can be represented by q (A) = n a ip i, (1) i=1 where we let a ip i be a i p i for a i p i = p i 1, for a i p i = 0 Let another code word B be denoted B = (b 1, b,, b n) () The following composite number q (B) can be obtained from w B = (b 1p 1, b p,, b np n) in a similar manner as q (A) : q (B) = n b ip i (3) i=1 p : p p p p p p p : M M : M 3 : M 4 : M 5 : M 6 : : M 7 Fig Maximum length code generated by (x + 1)(x 3 + x + 1) We have the following straightforward theorem Theorem : Letting the largest common divisor (q (A), q (B) ) be denoted d A,B, it is d A,B = n i=1 4 p (A,B) i, (4) where p (A,B) i denotes the i-th prime number of p for which (a i, b i ) S 1 holds Example 1 : Maximum length code of length n = 3 1 Let G F (x) be G F (x) = x 3 + x + 1 (5) All the code words generated by (x 7 + 1)/G F (x) = (x + 1)(x 3 + x + 1) are listed in Fig Let us assume that the two code words M M 5 in Fig have been romly chosen from {F M } Let the prime number vector be represented by p = (p 1, p,, p 7) (6) From Fig, w w 5 are w = (p 1, 0, 0, p 4, 0, p 6, p 7 ) (7) w 5 = (0, p, p 3, p 4, 0, 0, p 7 ) (8) The q (M ) q (M 5) are q (M ) = p 1 p 4 p 6 p 7 (9) q (M 5) = p p 3p 4p 7 (30) From Eqs(9) (30), we see that the largest common divisor (q (M), q (M5) ), d M,M 5 is given by d M,M 5 = p 4p 7 (31) Let the largest common divisor (q (M i), q (M j ) ) be simply denoted by d i,j instead of d Mi,M j In Fig3 we show the correspondence between p ip j two code words M i, M j

4 decoded (See Fig3) M i, M j M 1,M M 1,M 3 M 1,M 4 M 1,M 5 di, j p 6 p 7 p 5 p 7 p 3 p 6 p 3 p 7 M i, M j M 3,M 4 M 3,M 5 M 3,M 6 M 3,M 7 di, j p 1 p p p 7 p 1 p 5 p p 5 Proof : The column vectors shown in Fig are proved the { } code words of F M, whose generator polynomial G F (x) is x 3 (x 3 + x 1 + 1) = x 3 + x + 1, which is obtained as x 3 G F (x 1 ) From Theorem 1, #S 1 =, yielding the proof that Let w W be relatively prime positive integers such M 1,M 6 p 3 p 5 M 4,M 5 p p 3 w < W, (37) M 1,M 7 M,M 3 M,M 4 p 5 p 6 p 1 p 7 p 1 p 6 M 4,M 6 M 4,M 7 M 5,M 6 p 1 p 3 p p 6 p 3 p 4 (w, W ) = 1 (38) The set of public keys, {k i }, is given by wq i k i mod W ; i = 1,, n (39) M,M 5 p 4 p 7 M 5,M 7 p p 4 Public key : {k i } M,M 6 p 1 p 4 p 4 p 5 M 6,M 7 ーー Secret key : w, W, {q i }, M i M,M p 7 4 p 6 Fig 3 d i,j for M i, M j We see that all the pair (M i, M j ) s can be decoded uniquely from d i,j s 6 Construction of intermediate message Bob romly selects two public keys k A k B from {k i } A In accordance with this rom choice, two code words M A M B {F M } are chosen As a result the intermediate message Γ is given by Γ = m A q (A) + m B q (B) (3) Let q (A) q (B) be represented by q (A) = q (A) d A,B (33) q (B) = q (B) d A,B (34) From Eqs(3), (33) (34), the intermediate message is given by Γ = (m A q (A) + m B q (B) )d A,B (35) When a component of p, p i, satisfies d A,B 0 mod p i, (36) we let p i be denoted by p i Theorem 3 : From the set {p i }, the two code words, M A M B, romly chosen at the sending end are correctly [Decryption Process] Given Γ, the messages m A m B are decoded by { Γ q (A)} 1 ma mod q (B) (40) { Γ q (B)} 1 mb mod q (A) (41) respectively 3 A new class of PKC scheme based on K(II)ΣΠPKC Possible applications to the field of common key cryptosystem 3 1 Construction Bob romly chooses λ code words of {F M } Without loss of generality let us assume that the list of the romly chosen code words by Bob are the followings: M 1 = (t 11, t 1,, t 1n ), M = (t 1, t,, t n ), M λ = (t λ1, t λ,, t λn ) Let the column vector t i be denoted by t i = t 1i t i t λi (4) (43) 4

5 Let the total number of t i s such that t i s take on the same value a (i) over F be denoted by N(a (i) ) Theorem 4 : The N(a (i) ) is given by N(a (i) ) = g λ for t i = 0, = g λ 1 for t i = 0 Proof : See, for example, Ref[4] (44) When User J, in accordance with a rom choice of λ public keys, selects λ code words among the code words of {F M } for given messages m 1, m,, m λ, the largest common divisor of q (M 1), q (M ),, q (M λ) is given by a product of g λ prime numbers (Theorem 4) As a generalized form of Eq(4), the intermediate message Γ is given as Γ = m 1 q (M 1) + m q (M ) + + m λ q (M λ) (45) The q (M i), the product of prime numbers a 1p 1,, a np n, romly chosen according to the code word M i, can be represented as q (M i) = q (M i) d 1 λ ; i = 1,, λ, (46) where d 1 λ is the largest common divisor of q (M 1),, q (M λ) 3 Brief sketch of a communication system using K(II)ΣΠPKC In Fig4 let us show a brief sketch of a communication system where K(II)ΣΠPKC for λ messages can be successfully applied Encryption process can be performed as follows : Step 1 : User J romly chooses λ keys k J1, k J,, k Jλ by just taking a look at Alice s public key set {k i} A Step : User J encrypts messages m 1, m,, m λ into C J = m 1 k J1 + m k J + + m λ k Jλ (47) Step 3 : User J sends the ciphertext C J to Alice Decryption process by Alice is given as follows : Step 1 : Alice decrypts C J by Fig 4 User 1 1 { k i } 1 S = User { k i } S = Alice {k} i A User J ={ S } J k i J User N N ={ k i N S } A new class of communication scheme using K(II)ΣΠPKC w 1 CJ Γ J = m 1 q J1 + m q J + + m λ q Jλ mod W (48) Step : By simply calculating the largest common divisor of q J1, q J,, q Jλ, Alice decodes M J1, M J,, M Jλ romly chosen by User J Theorem 5 : For the given messages m 1, m,, m λ, the ciphertext can be uniquely decoded, as far as log λ + g λ g (49) is satisfied Proof : We see that when all the code words whose generator polynomial is given by (x n 1)/G F (x) are listed as shown in the example given in Fig, any column vector is a code word generated by (x n 1)/x g G F (x 1 ) We then see that the following relation: λ t n + 1, (50) where t = (n+1) λ is required to be satisfied, for uniquely decoding m 1, m,, m λ, yielding the proof It is easy to see that when λ is a, a = 1,, 3,, the equality holds in Eq(49) we shall refer to such λ as optimum λ denote it by λ o We shall also refer to the largest λ such that it satisfies the inequality of Eq(49) as quasi-optimum λ denote it by λ qo Evidently λ qo is given by g Parameters Let the size of m i be m i = g λ p i 1 (bit) (51) The size of the intermediate message, Γ, is Γ = m i + g 1 p i + log λ (bit) (5) where x denotes the smallest integer larger than x The sizes of W, k i C are W = Γ + 1, (53) k i = W (54) (55) C = m i + k i + log λ (56) The coding rate ρ is ρ = λ m i C (57) Let the probability that all the elements of S J is correctly estimated by an attacker be denoted P C [ŜJ] The P C [ŜJ] is P C [ŜJ] = ( n λ ) 1 (58) 5

6 T K J 3 4 Example that In Table 1 we present several examples under the condition P C [ŜJ] < 80 = , p i = 80(bit) Table 1 n λ ρ P C [ŜJ ] Examples of K(II)ΣΠPKC for λ {k i } A (MB) {k i } J (KB) (59) C (KB) Although the details of doing so are omitted we can show that the coding rate can be improved by increasing n by decreasing λ under the condition that P C [ŜJ] takes on a sufficiently small value In Appendix, in order to improve the coding rate, we present a generalized version of K(II)ΣΠPKC, referred to as K(III)ΣΠPKC 3 5 Security considerations Attack 1 : Exhaustive attack on {k i} J By letting n be sufficiently large appropriately determing the size of λ, the probability of successfully estimating the subset of {k i} J, P C[ŜJ], can be made sufficiently small Attack : Shamir s attack on secret keys In a sharp contrast with the conventional knapsack type PKC where super-increasing sequence or shifted-odd sequence is used, K(II)ΣΠPKC uses a uniform sequence whose components have the same entropy Namely a rom product of the same number of prime numbers of the same size ( > 80 bit) Thus it seems very hard to attack on the secret keys k 1, k,, k n, with Shamir s attack Attack 3 : LLL attack on the ciphertext In K(II)ΣΠPKC, n takes on a sufficiently large value, realizing a sufficiently high security, for the LLL attack 3 6 Key trace its application As shown in Fig4, Alice s group members,1,,,n, are communicating with Alice through a secret channel using K(II)ΣΠPKC Assuming that a member of the group, U J romly chooses a sequence of keys k J1, k J,, k Jλ, for a given message sequence m 1, m,, m λ, we shall refer to the order of the key sequence as key trace denote it by Remark 1 : It would be very hard for any user to forge UserJ s ciphertext sent to Alice provided that P C [ŜJ] is made sufficiently small The K(II)ΣΠPKC realizes a secret communication system having the following features : F1 : Key trace, T K J, is not necessarily required to be revised each time when User J sends his or her message to Alice, as far as T K J, is kept secret F : As a result, for a period, T J, the trace can be used as a secret key between Alice User J just as like in the conventional common key cryptosystem We define the period T J as the time required for sending λ 1 or less ciphertexts It should be noted that no secret channel for notifying their common key is required Besides during this period, Alice s decryption process performed on the User J s ciphertext can be made much simplified, because it requires no decoding process for Bob s trace T K J When User J wants to revise the trace T K J, it is only required to append a short note to the message sequence being sent, for notifying Alice of the revision of T K J F3 : K(II)ΣΠPKC can be used as a common key cryptosystem provided that the T K J non-linear transformation 4 Conclusion is successfully hided through a We have presented a new class of PKC, K(II)ΣΠPKC In a sharp ccontrast with the convetional knapsack PKC where the super-increasing sequence or shifted-odd sequence is used, in K(II)ΣΠPKC, a uniform sequence is used As any component of the secret sequence used in K(II)ΣΠPKC has the same entropy, K(II)ΣΠPKC would be secure against the Shamair s attack K(II)ΣΠPKC can be used as a common key cryptosystem provided that the T K J is successfully hided through a nonlinear transformation As a generalized version of K(II)ΣΠPKC, we have presented K(III)ΣΠPKC, yielding a higher rate compared with K(II)ΣΠPKC References [1] RMcEliece, A Public-Key Cryptosystem Based on Algebraic Coding Tehory, DSN Progress Report, pp4-44, (1978) [] MKasahara, A New Class of Public Key Cryptosystems Constructed Based on Perfect Error-Correcting Codes Realizing Coding Rate of Exactly 10, Cryptdogy eprint Archive, 010/139 (010) [3] MKasahara, A New Class of Public Key Cryptosystems 6

7 Constructed Based on Error-Correcting Codes Using K(III) Scheme, Cryptdogy eprint Archive, 010/341 (010) [4] MKasahara, Public Key Cryptosystems Constructed Based on Rom Pseudo Cyclic Codes, K(IX)SE(1)PKC, Realizing Coding Rate of Exactly 10, Cryptdogy eprint Archive, 011/545 (011) [5] RC Merkle ME Hellman, Hiding information signatures in trapdoor knapsacks, IEEE Trans Inf Theory, IT-4(5), pp55-530, (1978) [6] A Shamir, A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem, Proc Crypto 8, LNCS, pp79-88, Springer-Verlag, Berlin, (198) [7] EF Brickell, Solving low density knapsacks, Proc Crypto 83, LNCS, pp5-37, Springer-Verlag, Berlin, (1984) [8] JC Lagarias AM Odlyzko, Solving Low Density Subset Sum Problems, J Assoc Comp Math, vol3, pp9-46, Preliminary version in Proc 4th IEEE, (1985) [9] MJ Coster, BA LaMacchia, AM Odlyzko CP Schnorr, An Improved Low-Density Subset Sum Algorithm, Advances in Cryptology Proc EUROCRYPT 91, LNCS, pp54-67 Springer-Verlag, Berlin, (1991) [10] Leonard MAdleman, On Breaking Generalized Knapsack Public Key Cryptosystms, In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing AXM, pp40-41, (1983) [11] M Morii M Kasahara, New public key cryptosystem using discrete logarithms over GF (P ), IEICE Trans on Information & Systems, volj71-d, no, pp , (1978) [1] B Chor RL Rivest, A knapsack-type public-key cryptosystem based on arithmetic in finite fields, IEEE Trans on Inf Theory, IT-34, pp , (1988) [13] MKasahara YMurakami, New Public-Key Cryptosystems, Tecnical Report of IEICE, ISEC 98-3 ( ) [14] MKasahara YMurakami, Several Methods for Realizing New Public Key Cryptosystems, Technical Report of IEICE, ISEC ( ) [15] RSakai YMurakami MKasahara, Notes on Product-Sum Type Public Key Cryptosystem, Technical Report of IEICE, ISEC ( ) [16] MKasahara, A Construction of New Class of Knapsack- Type Public Key Cryptosystem, K(I)ΣPKC, Constructed Based on K(I)Scheme, IEICE Technical Report, ISEC, Sept, (010-09) [17] MKasahara, A Construction of New Class of Knapsack- Type Public Key Cryptosystem, K(II)ΣPKC, IEICE Technical Report, ISEC, Sept, (010-09) [18] M Kasahara: Construction of A New Class of Product- Sum Type Public Key Cryptosystem, K(IV)ΣPKC K(I)ΣPKC, IEICE Tech Report, ISEC (011-07) [19] M Kasahara: On OGU(I)PKC, Memorom for File at Kasahara Lab, Osaka Gakuin University (011-03) [0] M Kasahara: New development of OGU PKC(I), Memorom for File at Kasahara Lab, Osaka Gakuin University (011-11) [1] Y Murakami M Kasahara: A Probabilistic Knapsack Public-Key Cryptosystem, SITA010, 30-pdf, pp (010-11) [] Y Murakami, S Hamasho M Kasahara: A probabilistic encryption scheme based on subset sum problem, Proc 01 Symposium on Cryptograpy Information Security, SCIS01, 3A1-, 3A1-pdf (01-01) [3] Y Murakami, S Hamasho M Kasahara: A Knapsack Public-Key Cryptosystem using Rom Secret sequence, Proc 01 Symposium on Cryptograpy Information Security, SCIS01, 3A-1, 3A-1pdf (01-01) [4] W W Peterson: Error correcting Codes, MIT Press (1961) Appendix : K(III)ΣΠPKC In this appendix, we present a generalized version of K(II)ΣΠPKC, referred to as K(III)ΣΠPKC Let us denote µ classes of the maximum length code of length n, by {F M } 1, {F M },, {F M } µ K(II)ΣΠPKC is a particular class of K(III)ΣΠPKC for which µ = 1 holds Let the intermediate message Γ be given by Γ = Γ 1 + Γ A + + Γ µ A A 3 A µ, (60) where A i is a prime number, i =,, µ The sizes of Γ i A i are Γ i = Γ 1 = m 1 + g λ ( m 1 + 1) + log λ, A = A 3 = = A µ = Γ i + 1 (61) With the method given in Ref[13], all the intermediate messages Γ 1, Γ,, Γ µ can be successfully decoded From Γ i, the message m (i) 1, m(i),, m(i) λ assigned to Γi are decoded in the same manner as we have discussed in Section 3 Example A : µ =, n = 4095, λ = 4 The P C [ŜJ] is P C[ŜJ] = ( ) = (6) The coding rate ρ is approximately given by ρ = 040 (63) The sizes of public key are {k i} A = 377MB (64) {k} J = 368KB (65) Although the details of doing so are omitted K(III)ΣΠPKC presented in this example would be secure against the various attacks Example B : µ = 3, n = 103, λ = 3 The P C[ŜJ] is P C [ŜJ] = ( The coding rate ρ is ) 3 = < 80 (66) 7

8 ρ = 043 (67) The sizes of public key are {k i} A = 601MB (68) {k i } J = 176KB (69) We see that the sizes of key in Examples A B take on much smaller values than those for K(II)ΣΠPKC 8