Masao KASAHARA. Graduate School of Osaka Gakuin University

Similar documents
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code

A New Trapdoor in Modular Knapsack Public-Key Cryptosystem

Cryptanalysis of two knapsack public-key cryptosystems

A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm

Lattice Reduction Attack on the Knapsack

Safer parameters for the Chor-Rivest cryptosystem

Chapter 8 Public-key Cryptography and Digital Signatures

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Computers and Mathematics with Applications

Public Key Cryptography

Discrete Logarithm Problem

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Low-Density Attack Revisited

PAPER On the Hardness of Subset Sum Problem from Different Intervals

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

A Note on the Density of the Multiple Subset Sum Problems

Lecture 1: Introduction to Public key cryptography

RSA. Ramki Thurimella

Lecture Notes, Week 6

Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem

Aitken and Neville Inverse Interpolation Methods over Finite Fields

Introduction to Modern Cryptography. Benny Chor

RSA RSA public key cryptosystem

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Introduction to Modern Cryptography. Benny Chor

2 Description of McEliece s Public-Key Cryptosystem

8.1 Principles of Public-Key Cryptosystems

CPSC 467b: Cryptography and Computer Security

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Public-Key Cryptosystems CHAPTER 4

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Mathematics of Cryptography

Notes 10: Public-key cryptography

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

New Variant of ElGamal Signature Scheme

Asymmetric Encryption

Cryptanalysis of the Chor-Rivest Cryptosystem

Sharing DSS by the Chinese Remainder Theorem

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Short Exponent Diffie-Hellman Problems

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Public-key Cryptography and elliptic curves

Gurgen Khachatrian Martun Karapetyan

The Cryptanalysis of a New Public-Key Cryptosystem based on Modular Knapsacks

A New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring

CPSC 467: Cryptography and Computer Security

A CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM

9 Knapsack Cryptography

CPSC 467b: Cryptography and Computer Security

Public Key Cryptography

Public Key Algorithms

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Looking back at lattice-based cryptanalysis

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Other Public-Key Cryptosystems

Adapting Density Attacks to Low-Weight Knapsacks

New attacks on RSA with Moduli N = p r q

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

CIS 551 / TCOM 401 Computer and Network Security

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

A message recovery signature scheme equivalent to DSA over elliptic curves

Computers and Electrical Engineering

Based On Arithmetic in Finite Fields

Compartmented Secret Sharing Based on the Chinese Remainder Theorem

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Cryptography. P. Danziger. Transmit...Bob...

Chapter 4 Asymmetric Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Asymmetric Cryptography

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Lecture V : Public Key Cryptography

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Theory of Computation Chapter 12: Cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

8 Elliptic Curve Cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Cryptography. pieces from work by Gordon Royle

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

Finite fields and cryptology

On the Chor-Rivest Knapsack Cryptosystem 1

A PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS

Public-key Cryptography and elliptic curves

MaTRU: A New NTRU-Based Cryptosystem

Mathematical Foundations of Public-Key Cryptography

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

An Introduction to Probabilistic Encryption

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

On the Key-collisions in the Signature Schemes

Transcription:

Abstract Construction of New Classes of Knapsack Type Public Key Cryptosystem Using Uniform Secret Sequence, K(II)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Graduate School of Osaka Gakuin University E-mail: kasahara@oguacjp In this paper, we present a new class of knapsack type PKC referred to as K(II)ΣΠPKC In K(II)ΣΠPKC, Bob romly constructs a very small subset of Alice s set of public key whose order is very large, under the condition that the coding rate ρ satisfies 001 < ρ < 05 In K(II)ΣΠPKC, no secret sequence such as super-increasing sequence or shifted-odd sequence but the sequence whose component is constructed by a product of the same number of many prime numbers of the same size, is used We show that K(II)ΣΠPKC is secure against the attacks such as LLL algorithm, Shamir s attack etc, because a subset of Alice s public keys is chosen entirely in a probabilistic manner at the sending end We also show that K(II)ΣΠPKC can be used as a member of the class of common key cryptosystems because the list of the subset romly chosen by Bob can be used as a common key between Bob Alice, provided that the conditions given in this paper are strictly observed, without notifying Alice of his secret key through a particular secret channel Key words Public-key cryptosystem(pkc), Knapsack-type PKC, Product-sum type PKC, LLL algorithm, PQC 1 Introduction Various studies have been made of the Public-Key Cryptosystem (PKC) The security of the PKC s proposed so far, in most cases, depends on the difficulty of discrete logarithm problem or factoring problem For this reason, it is desired to investigate another classes of PKC s that do not rely on the difficulty of these two problems One of the promising cidates among the classes of PKC are the code-based PKC the product-sum type PKC [1] [3] In this paper, we present a new class of knapsack type PKC referred to as K(II)ΣΠPKC In K(II)ΣΠPKC, Bob romly constructs a very small subset of Alice s set of public key whose order is very large, under the condition that the coding rate ρ satisfies 001 < ρ < 05 In K(II)ΣΠPKC, no secret sequence such as super-increasing sequence or shifted-odd sequence but the sequence whose components are constructed by the products of the same number of many prime numbers of the same size, is used It should be noted that the components of the secret sequence such as super-increasing sequence or shifted-sequence have different entropies On the other h the components of the secret sequence used in K(II)ΣΠPKC take on the same entropy We show that K(II)ΣΠPKC is secure against the attacks such as LLL algorithm, Shamir s attack etc, because a subset of Alice s public keys is chosen entirely in a probabilistic manner at the sending end We also show that K(II)ΣΠPKC can be used as a member of the class of common key cryptosystems because the list of the subset romly chosen by Bob can be used as a common key between Bob Alice, provided that the conditions given in this paper are strictly observed, without notifying Alice of his secret key through a particular secret channel K(II)ΣΠPKC for two messages 1 Preliminaries Let us define several symbols : m i : Message symbol over Z; i = 1,,, λ Γ : Intermediate message p i : Prime number ; i = 1,,, n p : (p 1, p,, p n ), prime number vector s : (s 1, s,, s n ), secret sequence 1

A : Size of A in bit #S : Order of set S The conventional knapsack type PKC s are constructed using the following sequences: (i) : super-increasing sequence[5] (ii) : shifted-odd sequence[13 15] (iii) : J-step uniform sequence[19,0] In these sequences, entropies of the components are not necessarily same On the other hs, the entropies of the components of the secret sequence used in K(II)ΣΠPKC are exactly same Entropy s n s s 1 Entropy s n s 1 s s n s s 1 Entropy (a)super-increasing (b)shifted-odd (c)k(ii)σπpkc Fig 1 Entropys of secret sequences We shall refer to such secret sequence as uniform sequence In the following sections, when the variable x i takes on an actual value x i, we shall denote the corresponding vector, x = (x 1, x,, x n), as x = ( x 1, x,, x n ) (1) The C M et al will be defined in a similar manner Summary of idea of K(II)ΣΠPKC In this sub-section let us summarize the idea of a secret system using K(II)ΣΠPKC for two messages Let the Alice s set of public key, be denoted {k i } A For the message m = (m A, m B ), Bob romly chooses two keys, k A k B, from the set of Alice s public key {k i } A Bob encrypts the message m into m C = m A k A + m B k B () Alice decrypts the ciphertext C into C m = (m A, m B ) (3) 3 Problem 1 Let us suppose that two public keys are chosen in accordance with this rom choice two secret keys q A q B are chosen from the set {q i } The intermediate message Γ is Γ = m A q A + m B q B (4) Problem 1 : Construct the set of secret keys {q i} so that Γ may be decoded as Γ m = (m A, m B), (5) under the conditions that : (i) q A q B are romly chosen from {q i } whose order is very large, (ii) coding rate ρ satisfies 001 < ρ < 05, (iii) completely uniform sequence is used In the next sub-sections we shall present a scheme for constructing {q i } based on the maximum length code [4],as one of the solutions for Problem 1 4 Maximum length code In this sub-section, we assume that n is given by n = g 1 (6) The maximum length code {F M (x)} is a cyclic code that satisfies F M (x) 0 mod xn 1 G F (x), (7) where G F (x) over F is a primitive polynomial of degree g In the followings {F M (x)} will also be denoted simply by {F M } Let the two code words of {F M }, M α M β over F, be denoted by M α = (α 1, α,, α n ) (8) M β = (β 1, β,, β n) (9) Let the sets S 1, S, S 3 be defined as follows : S 1 : Set of pairs (α i, β i ) s such that α i = 1, β i = 1 ; i = 1,,, n S : Set of pairs (α i, β i ) s such that α i = 0, β i = 0 ; i = 1,,, n S 3 : Set of pairs (α i, β i ) s such that α i = 0, β i = 1 ; i = 1,,, n S 4 : Set of pairs (α i, β i) s such that α i = 1, β i = 0 ; i = 1,,, n Theorem 1 : The orders #S 1, #S, #S 3 #S 4 are given by #S 1 = n + 1, (10) 4 #S = n 3, (11) 4 #S 3 = #S 4 = n + 1 (1)

Proof : The Hamming weight of any code word of the maximum length code {F M } is n+1 As the maximum length code {F M } is a member of the class of linear codes, M C = M A + M B ; M A = M B (13) is also a code word of {F M } Namely the weight of M C also n+1, which implies that the following relations hold: (#S 3 ) + (#S 4 ) = n + 1, (14) (#S 1 ) + (#S ) = n n + 1 Eqs(14) (15) imply that = n 1 (15) (#S 3 ) = (#S 4 ), (16) (#S 1 ) = (#S ) + 1 (17) From Eqs(15) (17), #S is given by #S = ( n 1 is 1)/ = n 3 n+1, which implies that #S1 = 4 4 5 Construction of the set of composite number {q i } Let A be a code word of {F M } p, a prime number vector whose components are romly chosen prime numbers Let A p be denoted by A = (a 1, a,, a n) (18) p = (p 1, p,, p n), (19) where we assume that p i has the same size ; i = 1,, n Let w A be defined by w A = (a 1 p 1, a p,, a n p n ) (0) Let the composite number q (A) be defined by the products of non-zero components of w A Namely q (A) can be represented by q (A) = n a ip i, (1) i=1 where we let a ip i be a i p i for a i p i = p i 1, for a i p i = 0 Let another code word B be denoted B = (b 1, b,, b n) () The following composite number q (B) can be obtained from w B = (b 1p 1, b p,, b np n) in a similar manner as q (A) : q (B) = n b ip i (3) i=1 p : p p p p p p p : 1 1 3 M 0 0 1 0 1 1 1 M : 1 0 0 1 0 1 1 M 3 : 1 1 0 0 1 0 1 M 4 : 1 1 1 0 0 1 0 M 5 : 0 1 1 1 0 0 1 M 6 : 1 0 1 1 1 0 0 : 0 1 0 1 1 1 0 M 7 Fig Maximum length code generated by (x + 1)(x 3 + x + 1) We have the following straightforward theorem Theorem : Letting the largest common divisor (q (A), q (B) ) be denoted d A,B, it is d A,B = n i=1 4 p (A,B) i, (4) where p (A,B) i denotes the i-th prime number of p for which (a i, b i ) S 1 holds Example 1 : Maximum length code of length n = 3 1 Let G F (x) be G F (x) = x 3 + x + 1 (5) All the code words generated by (x 7 + 1)/G F (x) = (x + 1)(x 3 + x + 1) are listed in Fig Let us assume that the two code words M M 5 in Fig have been romly chosen from {F M } Let the prime number vector be represented by p = (p 1, p,, p 7) (6) From Fig, w w 5 are w = (p 1, 0, 0, p 4, 0, p 6, p 7 ) (7) w 5 = (0, p, p 3, p 4, 0, 0, p 7 ) (8) The q (M ) q (M 5) are q (M ) = p 1 p 4 p 6 p 7 (9) q (M 5) = p p 3p 4p 7 (30) From Eqs(9) (30), we see that the largest common divisor (q (M), q (M5) ), d M,M 5 is given by d M,M 5 = p 4p 7 (31) Let the largest common divisor (q (M i), q (M j ) ) be simply denoted by d i,j instead of d Mi,M j In Fig3 we show the correspondence between p ip j two code words M i, M j 5 6 7 3

decoded (See Fig3) M i, M j M 1,M M 1,M 3 M 1,M 4 M 1,M 5 di, j p 6 p 7 p 5 p 7 p 3 p 6 p 3 p 7 M i, M j M 3,M 4 M 3,M 5 M 3,M 6 M 3,M 7 di, j p 1 p p p 7 p 1 p 5 p p 5 Proof : The column vectors shown in Fig are proved the { } code words of F M, whose generator polynomial G F (x) is x 3 (x 3 + x 1 + 1) = x 3 + x + 1, which is obtained as x 3 G F (x 1 ) From Theorem 1, #S 1 =, yielding the proof that Let w W be relatively prime positive integers such M 1,M 6 p 3 p 5 M 4,M 5 p p 3 w < W, (37) M 1,M 7 M,M 3 M,M 4 p 5 p 6 p 1 p 7 p 1 p 6 M 4,M 6 M 4,M 7 M 5,M 6 p 1 p 3 p p 6 p 3 p 4 (w, W ) = 1 (38) The set of public keys, {k i }, is given by wq i k i mod W ; i = 1,, n (39) M,M 5 p 4 p 7 M 5,M 7 p p 4 Public key : {k i } M,M 6 p 1 p 4 p 4 p 5 M 6,M 7 ーー Secret key : w, W, {q i }, M i M,M p 7 4 p 6 Fig 3 d i,j for M i, M j We see that all the pair (M i, M j ) s can be decoded uniquely from d i,j s 6 Construction of intermediate message Bob romly selects two public keys k A k B from {k i } A In accordance with this rom choice, two code words M A M B {F M } are chosen As a result the intermediate message Γ is given by Γ = m A q (A) + m B q (B) (3) Let q (A) q (B) be represented by q (A) = q (A) d A,B (33) q (B) = q (B) d A,B (34) From Eqs(3), (33) (34), the intermediate message is given by Γ = (m A q (A) + m B q (B) )d A,B (35) When a component of p, p i, satisfies d A,B 0 mod p i, (36) we let p i be denoted by p i Theorem 3 : From the set {p i }, the two code words, M A M B, romly chosen at the sending end are correctly [Decryption Process] Given Γ, the messages m A m B are decoded by { Γ q (A)} 1 ma mod q (B) (40) { Γ q (B)} 1 mb mod q (A) (41) respectively 3 A new class of PKC scheme based on K(II)ΣΠPKC Possible applications to the field of common key cryptosystem 3 1 Construction Bob romly chooses λ code words of {F M } Without loss of generality let us assume that the list of the romly chosen code words by Bob are the followings: M 1 = (t 11, t 1,, t 1n ), M = (t 1, t,, t n ), M λ = (t λ1, t λ,, t λn ) Let the column vector t i be denoted by t i = t 1i t i t λi (4) (43) 4

Let the total number of t i s such that t i s take on the same value a (i) over F be denoted by N(a (i) ) Theorem 4 : The N(a (i) ) is given by N(a (i) ) = g λ for t i = 0, = g λ 1 for t i = 0 Proof : See, for example, Ref[4] (44) When User J, in accordance with a rom choice of λ public keys, selects λ code words among the code words of {F M } for given messages m 1, m,, m λ, the largest common divisor of q (M 1), q (M ),, q (M λ) is given by a product of g λ prime numbers (Theorem 4) As a generalized form of Eq(4), the intermediate message Γ is given as Γ = m 1 q (M 1) + m q (M ) + + m λ q (M λ) (45) The q (M i), the product of prime numbers a 1p 1,, a np n, romly chosen according to the code word M i, can be represented as q (M i) = q (M i) d 1 λ ; i = 1,, λ, (46) where d 1 λ is the largest common divisor of q (M 1),, q (M λ) 3 Brief sketch of a communication system using K(II)ΣΠPKC In Fig4 let us show a brief sketch of a communication system where K(II)ΣΠPKC for λ messages can be successfully applied Encryption process can be performed as follows : Step 1 : User J romly chooses λ keys k J1, k J,, k Jλ by just taking a look at Alice s public key set {k i} A Step : User J encrypts messages m 1, m,, m λ into C J = m 1 k J1 + m k J + + m λ k Jλ (47) Step 3 : User J sends the ciphertext C J to Alice Decryption process by Alice is given as follows : Step 1 : Alice decrypts C J by Fig 4 User 1 1 { k i } 1 S = User { k i } S = Alice {k} i A User J ={ S } J k i J User N N ={ k i N S } A new class of communication scheme using K(II)ΣΠPKC w 1 CJ Γ J = m 1 q J1 + m q J + + m λ q Jλ mod W (48) Step : By simply calculating the largest common divisor of q J1, q J,, q Jλ, Alice decodes M J1, M J,, M Jλ romly chosen by User J Theorem 5 : For the given messages m 1, m,, m λ, the ciphertext can be uniquely decoded, as far as log λ + g λ g (49) is satisfied Proof : We see that when all the code words whose generator polynomial is given by (x n 1)/G F (x) are listed as shown in the example given in Fig, any column vector is a code word generated by (x n 1)/x g G F (x 1 ) We then see that the following relation: λ t n + 1, (50) where t = (n+1) λ is required to be satisfied, for uniquely decoding m 1, m,, m λ, yielding the proof It is easy to see that when λ is a, a = 1,, 3,, the equality holds in Eq(49) we shall refer to such λ as optimum λ denote it by λ o We shall also refer to the largest λ such that it satisfies the inequality of Eq(49) as quasi-optimum λ denote it by λ qo Evidently λ qo is given by g 3 3 3 Parameters Let the size of m i be m i = g λ p i 1 (bit) (51) The size of the intermediate message, Γ, is Γ = m i + g 1 p i + log λ (bit) (5) where x denotes the smallest integer larger than x The sizes of W, k i C are W = Γ + 1, (53) k i = W (54) (55) C = m i + k i + log λ (56) The coding rate ρ is ρ = λ m i C (57) Let the probability that all the elements of S J is correctly estimated by an attacker be denoted P C [ŜJ] The P C [ŜJ] is P C [ŜJ] = ( n λ ) 1 (58) 5

T K J 3 4 Example that In Table 1 we present several examples under the condition P C [ŜJ] < 80 = 87 10 5, p i = 80(bit) Table 1 n λ ρ P C [ŜJ ] Examples of K(II)ΣΠPKC for λ {k i } A (MB) {k i } J (KB) (59) C (KB) 4095 8 0059 513 10 5 845 1651 08 8191 8 00615 00 10 7 3381 330 416 16383 7 0106 159 10 6 1356 5779 83 3767 6 018 518 10 5 54105 9907 1664 Although the details of doing so are omitted we can show that the coding rate can be improved by increasing n by decreasing λ under the condition that P C [ŜJ] takes on a sufficiently small value In Appendix, in order to improve the coding rate, we present a generalized version of K(II)ΣΠPKC, referred to as K(III)ΣΠPKC 3 5 Security considerations Attack 1 : Exhaustive attack on {k i} J By letting n be sufficiently large appropriately determing the size of λ, the probability of successfully estimating the subset of {k i} J, P C[ŜJ], can be made sufficiently small Attack : Shamir s attack on secret keys In a sharp contrast with the conventional knapsack type PKC where super-increasing sequence or shifted-odd sequence is used, K(II)ΣΠPKC uses a uniform sequence whose components have the same entropy Namely a rom product of the same number of prime numbers of the same size ( > 80 bit) Thus it seems very hard to attack on the secret keys k 1, k,, k n, with Shamir s attack Attack 3 : LLL attack on the ciphertext In K(II)ΣΠPKC, n takes on a sufficiently large value, realizing a sufficiently high security, for the LLL attack 3 6 Key trace its application As shown in Fig4, Alice s group members,1,,,n, are communicating with Alice through a secret channel using K(II)ΣΠPKC Assuming that a member of the group, U J romly chooses a sequence of keys k J1, k J,, k Jλ, for a given message sequence m 1, m,, m λ, we shall refer to the order of the key sequence as key trace denote it by Remark 1 : It would be very hard for any user to forge UserJ s ciphertext sent to Alice provided that P C [ŜJ] is made sufficiently small The K(II)ΣΠPKC realizes a secret communication system having the following features : F1 : Key trace, T K J, is not necessarily required to be revised each time when User J sends his or her message to Alice, as far as T K J, is kept secret F : As a result, for a period, T J, the trace can be used as a secret key between Alice User J just as like in the conventional common key cryptosystem We define the period T J as the time required for sending λ 1 or less ciphertexts It should be noted that no secret channel for notifying their common key is required Besides during this period, Alice s decryption process performed on the User J s ciphertext can be made much simplified, because it requires no decoding process for Bob s trace T K J When User J wants to revise the trace T K J, it is only required to append a short note to the message sequence being sent, for notifying Alice of the revision of T K J F3 : K(II)ΣΠPKC can be used as a common key cryptosystem provided that the T K J non-linear transformation 4 Conclusion is successfully hided through a We have presented a new class of PKC, K(II)ΣΠPKC In a sharp ccontrast with the convetional knapsack PKC where the super-increasing sequence or shifted-odd sequence is used, in K(II)ΣΠPKC, a uniform sequence is used As any component of the secret sequence used in K(II)ΣΠPKC has the same entropy, K(II)ΣΠPKC would be secure against the Shamair s attack K(II)ΣΠPKC can be used as a common key cryptosystem provided that the T K J is successfully hided through a nonlinear transformation As a generalized version of K(II)ΣΠPKC, we have presented K(III)ΣΠPKC, yielding a higher rate compared with K(II)ΣΠPKC References [1] RMcEliece, A Public-Key Cryptosystem Based on Algebraic Coding Tehory, DSN Progress Report, pp4-44, (1978) [] MKasahara, A New Class of Public Key Cryptosystems Constructed Based on Perfect Error-Correcting Codes Realizing Coding Rate of Exactly 10, Cryptdogy eprint Archive, 010/139 (010) [3] MKasahara, A New Class of Public Key Cryptosystems 6

Constructed Based on Error-Correcting Codes Using K(III) Scheme, Cryptdogy eprint Archive, 010/341 (010) [4] MKasahara, Public Key Cryptosystems Constructed Based on Rom Pseudo Cyclic Codes, K(IX)SE(1)PKC, Realizing Coding Rate of Exactly 10, Cryptdogy eprint Archive, 011/545 (011) [5] RC Merkle ME Hellman, Hiding information signatures in trapdoor knapsacks, IEEE Trans Inf Theory, IT-4(5), pp55-530, (1978) [6] A Shamir, A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem, Proc Crypto 8, LNCS, pp79-88, Springer-Verlag, Berlin, (198) [7] EF Brickell, Solving low density knapsacks, Proc Crypto 83, LNCS, pp5-37, Springer-Verlag, Berlin, (1984) [8] JC Lagarias AM Odlyzko, Solving Low Density Subset Sum Problems, J Assoc Comp Math, vol3, pp9-46, Preliminary version in Proc 4th IEEE, (1985) [9] MJ Coster, BA LaMacchia, AM Odlyzko CP Schnorr, An Improved Low-Density Subset Sum Algorithm, Advances in Cryptology Proc EUROCRYPT 91, LNCS, pp54-67 Springer-Verlag, Berlin, (1991) [10] Leonard MAdleman, On Breaking Generalized Knapsack Public Key Cryptosystms, In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing AXM, pp40-41, (1983) [11] M Morii M Kasahara, New public key cryptosystem using discrete logarithms over GF (P ), IEICE Trans on Information & Systems, volj71-d, no, pp448-453, (1978) [1] B Chor RL Rivest, A knapsack-type public-key cryptosystem based on arithmetic in finite fields, IEEE Trans on Inf Theory, IT-34, pp901-909, (1988) [13] MKasahara YMurakami, New Public-Key Cryptosystems, Tecnical Report of IEICE, ISEC 98-3 (1998-09) [14] MKasahara YMurakami, Several Methods for Realizing New Public Key Cryptosystems, Technical Report of IEICE, ISEC 99-45 (1999-09) [15] RSakai YMurakami MKasahara, Notes on Product-Sum Type Public Key Cryptosystem, Technical Report of IEICE, ISEC 99-46 (1999-09) [16] MKasahara, A Construction of New Class of Knapsack- Type Public Key Cryptosystem, K(I)ΣPKC, Constructed Based on K(I)Scheme, IEICE Technical Report, ISEC, Sept, (010-09) [17] MKasahara, A Construction of New Class of Knapsack- Type Public Key Cryptosystem, K(II)ΣPKC, IEICE Technical Report, ISEC, Sept, (010-09) [18] M Kasahara: Construction of A New Class of Product- Sum Type Public Key Cryptosystem, K(IV)ΣPKC K(I)ΣPKC, IEICE Tech Report, ISEC 011-4 (011-07) [19] M Kasahara: On OGU(I)PKC, Memorom for File at Kasahara Lab, Osaka Gakuin University (011-03) [0] M Kasahara: New development of OGU PKC(I), Memorom for File at Kasahara Lab, Osaka Gakuin University (011-11) [1] Y Murakami M Kasahara: A Probabilistic Knapsack Public-Key Cryptosystem, SITA010, 30-pdf, pp615-618 (010-11) [] Y Murakami, S Hamasho M Kasahara: A probabilistic encryption scheme based on subset sum problem, Proc 01 Symposium on Cryptograpy Information Security, SCIS01, 3A1-, 3A1-pdf (01-01) [3] Y Murakami, S Hamasho M Kasahara: A Knapsack Public-Key Cryptosystem using Rom Secret sequence, Proc 01 Symposium on Cryptograpy Information Security, SCIS01, 3A-1, 3A-1pdf (01-01) [4] W W Peterson: Error correcting Codes, MIT Press (1961) Appendix : K(III)ΣΠPKC In this appendix, we present a generalized version of K(II)ΣΠPKC, referred to as K(III)ΣΠPKC Let us denote µ classes of the maximum length code of length n, by {F M } 1, {F M },, {F M } µ K(II)ΣΠPKC is a particular class of K(III)ΣΠPKC for which µ = 1 holds Let the intermediate message Γ be given by Γ = Γ 1 + Γ A + + Γ µ A A 3 A µ, (60) where A i is a prime number, i =,, µ The sizes of Γ i A i are Γ i = Γ 1 = m 1 + g λ ( m 1 + 1) + log λ, A = A 3 = = A µ = Γ i + 1 (61) With the method given in Ref[13], all the intermediate messages Γ 1, Γ,, Γ µ can be successfully decoded From Γ i, the message m (i) 1, m(i),, m(i) λ assigned to Γi are decoded in the same manner as we have discussed in Section 3 Example A : µ =, n = 4095, λ = 4 The P C [ŜJ] is P C[ŜJ] = ( 4095 4 ) = 79 10 7 (6) The coding rate ρ is approximately given by ρ = 040 (63) The sizes of public key are {k i} A = 377MB (64) {k} J = 368KB (65) Although the details of doing so are omitted K(III)ΣΠPKC presented in this example would be secure against the various attacks Example B : µ = 3, n = 103, λ = 3 The P C[ŜJ] is P C [ŜJ] = ( 103 3 The coding rate ρ is ) 3 = 178 10 5 < 80 (66) 7

ρ = 043 (67) The sizes of public key are {k i} A = 601MB (68) {k i } J = 176KB (69) We see that the sizes of key in Examples A B take on much smaller values than those for K(II)ΣΠPKC 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback