WO2010024312A1 - Calculation device, decoding device, encryption device, information sharing system, 2DNF calculation system, signature generation device, signature authentication device, signature processing system, signature authentication system, calculation method, and calculation program - Google Patents

Calculation device, decoding device, encryption device, information sharing system, 2DNF calculation system, signature generation device, signature authentication device, signature processing system, signature authentication system, calculation method, and calculation program

Info

Publication number
WO2010024312A1
Authority
WO
WIPO (PCT)
Prior art keywords
vector
signature
information
unit
component
Prior art date
Application number
PCT/JP2009/064920
Other languages
English (en)
Japanese (ja)
Inventor
克幸 高島
龍明 岡本
Original Assignee
三菱電機株式会社
日本電信電話株式会社
Priority date
Filing date
Publication date
Application filed by 三菱電機株式会社, 日本電信電話株式会社
Publication of WO2010024312A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • This invention relates to cryptographic processing and signature processing.
  • A proposal concerning a vector decomposition problem (VDP, Vector Decomposition Problem) has been made (Non-Patent Documents 6, 7, 11, 20, 21, etc.). In addition, a mathematical structure useful for realizing cryptographic processing and signature processing has been proposed (Non-Patent Documents 8, 9, etc.).
  • LNCS vol. 4575, pp. 152-176. Springer, Heidelberg (2007). Galbraith, S.D., Hess, F., Vercauteren, F.: Hyperelliptic Pairings. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007.
  • Mathematically (or algebraically) rich structures are useful in the implementation of various types of cryptographic primitives and cryptographic protocols. So far, simple and basic mathematical structures (cyclic group (genus 1), pairing in a genus 1 curve, etc.) have been used for encryption. For the purpose of application to cryptography, curves of large genus have been investigated, but only a cyclic group and a double cyclic group by pairing are used. It has also been proposed to apply a richer algebraic structure to cryptography, but specific results have not been obtained except for ElGamal type signature methods.
  • An object of the present invention is to provide, for example, cryptographic processing and signature processing applying a rich mathematical structure.
  • The arithmetic device is, for example, an arithmetic device that performs operations related to encryption processing or signature processing, and includes: a vector input unit for inputting an input vector in a predetermined vector space; and a component calculation unit for calculating, using a distortion map that is a mapping from a first basis vector to a second basis vector in a predetermined basis A of the vector space, a component vector of the input vector input by the vector input unit in a predetermined basis vector of a predetermined basis B different from the basis A of the vector space.
  • The component calculation unit calculates the component vector of the input vector in the predetermined basis vector of the basis B from the component vector of the input vector in the predetermined basis vector of the basis A, using the basis conversion information from the basis A to the basis B and the distortion map.
  • The component calculation unit calculates, based on Equation 1, a component vector $u_j$ of the input vector v in each of $l_2$ basis vectors of the basis B.
  • A decoding device is, for example, a decoding device including the arithmetic device, and includes: an encryption information input unit for inputting, as an encryption information vector, a vector in the vector space in which plaintext information is set as a coefficient with respect to the predetermined basis vector of the basis B; a component acquisition unit that causes the arithmetic device to calculate the component vector of the input vector in the predetermined basis vector of the basis B, using the encryption information vector input by the encryption information input unit as the input vector, and acquires the component vector of the input vector in the predetermined basis vector; and a discrete logarithm calculation unit that solves a discrete logarithm problem, with the predetermined basis vector as the base, for the component vector acquired by the component acquisition unit, and calculates the plaintext information.
  • the encryption device includes, for example, a plaintext information setting unit that generates a vector in which plaintext information is set as a coefficient for a predetermined base vector in a predetermined base B in a predetermined vector space as a plaintext vector;
  • the plaintext information setting unit generates a vector that is a base vector in the base B and has a predetermined value set as a coefficient for a base vector other than the predetermined base vector for which the plaintext information setting unit has set the plaintext information.
  • an encryption information generation unit that generates an encryption information vector in addition to the plaintext vector.
  • An information sharing system is an information sharing system including, for example, a transmission device and a reception device including the arithmetic device according to any one of claims 1 to 3.
  • the transmitter is A shared information setting unit that generates, as a shared vector, a vector in which predetermined information to be transmitted to the receiving device is set as a component vector in the predetermined base vector of the base B; A vector in which a predetermined value is set as a component vector in a base vector other than the predetermined base vector for which the shared information setting unit sets the predetermined information, which is a base vector in the base B
  • An encryption information transmission unit that transmits the encryption information vector generated by the encryption information generation unit to the reception device;
  • the receiving device is: An encryption information receiving unit for receiving an encryption information vector transmitted by the encryption information transmitting unit;
  • the arithmetic unit calculates the component vector of the input vector in the base vector in which the predetermined information of the base B is set, using the cryptographic information
  • a 2DNF (Disjunctive Normal Form) calculation system includes, for example, an expression holding apparatus having a 2DNF expression and an operation apparatus according to any one of claims 1 to 3, and input information to the 2DNF expression
  • a 2DNF computing system comprising an information holding device having secret information that is The information holding device includes: An information encryption unit configured to encrypt the secret information as a coefficient with respect to a predetermined base vector of the base B of the vector space, and to transmit the encrypted secret information to the expression holding device;
  • The expression holding device includes: an assigning unit for assigning the secret information encrypted by the encryption unit of the information holding device to the 2DNF expression; Encrypted $c_1$ and $c_2$ are calculated by setting two close variables of the 2DNF formula into which the encrypted secret information is substituted as coefficients for a predetermined basis vector of the basis B in the vector space.
  • The information holding device further includes a result calculation unit that, based on the parameters $c_1^*$ and $c_2^*$ transmitted by the formula encryption unit and $E_k$, decrypts the encryption by the information encryption unit and the formula encryption unit using the arithmetic device, and calculates a product of $c_1$ and $c_2$ using a pairing operation.
  • the formula holding device has a 2DNF formula shown in Equation 2
  • the information holding device has the secret information shown in Equation 3
  • the substitution unit substitutes the secret information encrypted by the encryption unit of the information holding device into an expression ⁇ obtained by arithmeticizing the 2DNF expression shown in Expression 2, as shown in Expression 4,
  • Equation 5 the parameters $c_{i,1}^*$, $c_{i,2}^*$, and $E_k$ are calculated based on the calculated $c_{i,1}$ and $c_{i,2}$, respectively, and the calculated parameter c is calculated.
  • The result calculation unit calculates the result obtained by substituting the secret information into the 2DNF expression by calculating the $w_k$ shown in Equation 7 by performing the operation shown in Equation 6 using the arithmetic device.
  • the signature generation device is, for example, a signature generation device including the arithmetic device, A vector generation unit for generating transmission information vectors by converting transmission information into vectors in the vector space; Using the transmission information vector generated by the vector generation unit as the input vector, the arithmetic unit calculates a component vector of the input vector in the predetermined base vector of the base B, and calculates the input vector of the predetermined base vector.
  • a component acquisition unit for acquiring a component vector; And a signature generation unit that uses the component vector acquired by the component acquisition unit as signature information of the transmission information.
  • The vector generation unit generates the transmission information vector by converting the transmission information into a vector of the $l_1$-dimensional vector space
  • the signature verification apparatus includes, for example, transmission information and a component vector of a transmission information vector obtained by converting the transmission information into a vector of a predetermined vector space, and a predetermined base of a predetermined base B of the vector space
  • a receiving unit for receiving signature information that is a component vector in the vector A vector generation unit that generates transmission information vectors by converting transmission information received by the reception unit into vectors in the vector space;
  • a signature verification unit that determines whether the signature information received by the reception unit is a component vector in the predetermined basis vector of the basis B of the transmission information vector generated by the vector generation unit.
  • the receiving unit receives transmission information and signature information that is a component vector in each base vector of the plurality of base vectors of the base B
  • the signature verification unit determines whether the direction indicated by the component vector in each base vector included in the signature information is the same as the direction indicated by each base vector, and Verifying the signature by determining whether or not the size of the vector summing the component vectors in each of the basis vectors as the signature information is the same as the size of the transmission information vector generated by the vector generation unit.
  • The vector generation unit converts the transmission information received by the reception unit into a vector of the $l_1$-dimensional vector space to generate a transmission information vector
  • a signature processing system is, for example, a signature processing system including a signature generation device including the arithmetic device, and a signature requesting device that requests the signature generation device for a signature,
  • The signature requesting device includes: a vector generation unit for generating a transmission information vector by converting transmission information into a vector in the vector space; a blind unit that generates a blind vector by adding blind information to the transmission information vector generated by the vector generation unit; and a signature request unit that sends the blind vector generated by the blind unit to the signature generation device and requests a signature;
  • the signature generation device includes: The arithmetic unit calculates a component vector of an input vector in the predetermined base vector of the base B of the input vector using the blind vector transmitted by the signature requesting unit as the input vector, and the predetermined vector of the base B A component acquisition unit for acquiring a component vector of an input vector in a basis vector; A signature generation unit that transmits the component vector acquired by the component acquisition unit to the signature requesting device as signature information of the blind vector;
  • The vector generation unit generates a transmission information vector by converting transmission information into a vector of the $l_1$-dimensional vector space,
  • the signature generation device is, for example, a signature generation device including the arithmetic device, a vector generation unit that converts transmission information into a vector in a one- dimensional vector space to generate a transmission information vector;
  • a signature verification system is, for example, a signature verification system including the signature generation device and a signature verification device that verifies signature information generated by the signature generation device
  • a certifying unit is provided for certifying that the signature information is generated by a signature generation device by certifying without being known.
  • The proof unit determines whether Equation 9 is satisfied and, when it is determined that Equation 9 holds, proves to the signature verification apparatus that it has $\gamma_i$ satisfying Equation 10 without making $\gamma_i$ known to the signature verification apparatus, thereby proving that the signature information was generated by the signature generation apparatus.
  • When the signature information is received from the signature verification unit of the signature verification apparatus, the proof unit generates $u_i$ shown in Equation 11 and w shown in Equation 12, and uses the generated $u_i$ and w as the signature verification.
  • the signature verification apparatus includes a signature selection change unit that enables verification of the signature information.
  • the calculation method according to the present invention is, for example, a calculation method related to encryption processing or signature processing,
  • a vector input step in which the input device inputs an input vector in a predetermined vector space;
  • a processing device uses a distortion map that is a mapping from a first basis vector to a second basis vector in a predetermined base A of the vector space, and uses a predetermined base B different from the base A of the vector space.
  • the arithmetic program according to the present invention is, for example, an arithmetic program that performs arithmetic operations related to encryption processing or signature processing.
  • Vector input processing for inputting an input vector in a predetermined vector space; A predetermined base vector of a predetermined base B different from the base A of the vector space using a distortion map which is a mapping from a first base vector to a second base vector in the predetermined base A of the vector space
  • a component calculation process for calculating a component vector of the input vector input in the vector input process in.
  • the arithmetic device can apply a rich mathematical structure to cryptographic processing and signature processing. As a result, highly secure cryptographic processing, signature processing, and the like can be realized.
  • FIG. 3 is a functional block diagram showing functions of the arithmetic device 100.
  • FIG. 5 is a flowchart showing the operation of the arithmetic device 100.
  • 5 is a flowchart showing the operation of the key generation apparatus 200.
  • 5 is a flowchart showing the operation of the encryption device 300.
  • 5 is a flowchart showing the operation of the decoding device 400.
  • the functional block diagram which shows the function of a key sharing system. 6 is a flowchart showing the operation of the transmission apparatus 500.
  • 5 is a flowchart showing the operation of the receiving apparatus 600.
  • formula evaluation system The functional block diagram which shows the function of a signature processing system.
  • 6 is a flowchart showing the operation of the signature generation apparatus 900.
  • 5 is a flowchart showing the operation of the signature verification apparatus 1000.
  • the functional block diagram which shows the function of a non-repudiation signature processing system. 10 is a flowchart showing an operation of generating a non-repudiation signature by the signature generation apparatus 1300.
  • the flowchart which shows the process of a denial protocol The flowchart which shows the process which determines whether a confirmation protocol or a denial protocol is performed.
  • FIG. 3 is a diagram illustrating an example of hardware resources of a signature generation apparatus 1200, a signature generation apparatus 1300, a signature verification apparatus 1400, a signature request apparatus 1500, a signature generation apparatus 1600, and a signature verification apparatus 1700.
  • the processing device is a CPU 1911 described later.
  • the storage device is a ROM 1913, a RAM 1914, a magnetic disk 1920, and the like which will be described later.
  • the communication device is a communication board 1915 described later.
  • Input devices are a keyboard 1902 and a communication board 1915 which will be described later.
  • the output device is a RAM 1914, a magnetic disk 1920, a communication board 1915, an LCD 1901, and the like which will be described later. That is, the processing device, the storage device, the communication device, the input device, and the output device are hardware.
  • Equation 18 represents randomly selecting y from A according to the distribution.
  • Equation 19 represents selecting y from A uniformly.
  • Expression 20 indicates that y is designated and defined by A, or that A is substituted for y.
  • Equation 21 indicates that a is a constant, and machine (algorithm) A outputs a for input x.
  • encryption processing includes both encryption processing and decryption processing.
  • signature process includes both a signature generation process and a signature verification process.
  • signature generation process includes a signature generation request process.
  • Embodiment 1. An arithmetic device 100 (vector decomposition device) that performs the operations basic to encryption processing, signature processing, and the like will be described.
  • Examples of encryption processing, signature processing, and the like that use the arithmetic device 100 described in this embodiment will be described.
  • A space having a rich mathematical structure, called a “distortion eigenvector space”, will be described.
  • The “calculation vector decomposition problem (CVDP, Computational Vector Decomposition Problem)” will be described as a calculation problem for applying the distortion eigenvector space to encryption processing and signature processing.
  • The computational vector decomposition problem is a problem that is considered difficult to solve (it takes a lot of time to solve). However, when the “trapdoor” described below is given, the computational vector decomposition problem can be solved efficiently.
  • The operation that solves a calculation vector decomposition problem in the distortion eigenvector space is the basis of the encryption processing, signature processing, and the like that will be described in the following embodiments, and is the operation executed by the arithmetic device 100.
  • a “trap door bijection function” for the calculation vector decomposition problem will be described.
  • the distortion eigenvector space will be described.
  • The distortion eigenvector space V is a (high-dimensional) vector space over a finite field $F_r$ of odd order r that has (1) distortion maps and (2) a bilinear pairing operation.
  • The distortion eigenvector space V is an l-dimensional vector space over the finite field $F_r$ that satisfies the following conditions 1 to 3.
  • l is an integer of 2 or more.
  • Let the map F be a polynomial-time computable automorphism of the vector space V.
  • The polynomial-time computable automorphism $\phi_{i,j}$ is called a distortion map. That is, the distortion map $\phi_{i,j}$ is a mapping from a predetermined basis vector $a_j$ to another basis vector $a_i$ in the distortion eigenvector basis A.
  • the distortion eigenvector space is characterized in that (1) a distortion map exists and (2) a bilinear pairing operation exists.
  • the calculation vector decomposition problem is a problem in which, when a vector is given, the vector is decomposed into component vectors of each base vector in a predetermined base.
  • the calculation vector decomposition problem in a two-dimensional distortion eigenvector space will be described with reference to the drawings.
  • a calculation vector decomposition problem in the distortion eigenvector space will be described based on a generalized equation.
  • FIG. 1 is a diagram for explaining a calculation vector decomposition problem in a two-dimensional distortion eigenvector space V.
  • The basis $A := (a_0, a_1)$ is a distortion eigenvector basis of the distortion eigenvector space V.
  • $a_0$ and $a_1$ are the basis vectors of the basis A.
  • The basis $B := (b_0, b_1)$ is a basis of the distortion eigenvector space V that is not a distortion eigenvector basis.
  • $b_0$ and $b_1$ are the basis vectors of the basis B.
  • The problem of decomposing a given vector v of the distortion eigenvector space V into its component vectors in the basis vectors $b_0$ and $b_1$ of the basis B is referred to as the calculation vector decomposition problem in the distortion eigenvector space V. That is, in FIG. 1, the calculation vector decomposition problem in the distortion eigenvector space V is the problem of decomposing the vector v into the component vectors $y_0 b_0$ and $y_1 b_1$ when the vector v is given.
  • With the automorphism F, each component vector in the distortion eigenvector basis A can be calculated in polynomial time.
  • Each component vector in the basis B, which is different from the basis A, cannot be calculated in polynomial time (when the trapdoor X described later is not provided). That is, in FIG. 1, it is easy to decompose the vector v into $c_0 a_0$ and $c_1 a_1$, but it is difficult to decompose the vector v into $y_0 b_0$ and $y_1 b_1$.
  • The difficulty of decomposing the vector v into $y_0 b_0$ and $y_1 b_1$, that is, the difficulty of the calculation vector problem, will be described later.
  • The problem of calculating the component vectors of the vector v in $l_2$ of the basis vectors is called the $(l_1, l_2)$ calculation vector decomposition problem (CVDP$_{(l_1, l_2)}$).
  • The problem of calculating only the component vector of the vector v in the basis vector $b_0$ is a (2, 1) calculation vector decomposition problem.
  • This problem is also difficult, like the calculation vector decomposition problem described above. That is, in the two-dimensional distortion eigenvector space V shown in FIG. 1, even the component vector of the vector v in the basis vector $b_0$ alone cannot be calculated in polynomial time (when the trapdoor X described later is not provided).
  • a method for calculating a component vector in each base vector of the input vector v in a two-dimensional distortion eigenvector space will be described.
  • Expression 2 and Expression 3 can be expressed as in Expression 26.
  • X shown in Equation 26 is referred to as a basis conversion matrix (basis conversion information). This basis conversion matrix X is a trapdoor. That is, when the basis conversion matrix X is held, the calculation vector decomposition problem can be solved in polynomial time.
  • In Equation 6, $c_0 t_{00} b_0 + c_1 t_{10} b_0$ is the component vector ($y_0 b_0$) of v in the basis vector $b_0$, and $c_0 t_{01} b_1 + c_1 t_{11} b_1$ is the component vector ($y_1 b_1$) of v in the basis vector $b_1$.
  • Expression 2 is substituted into the expression indicating the component vector in the basis vector $b_0$.
  • Expression 3 is substituted into the expression indicating the component vector in the basis vector $b_1$.
  • $c_0 a_1$ and $c_1 a_0$ are not known values.
  • $c_0 a_0$ and $c_1 a_1$ are known, but $c_0$ and $c_1$ are not known.
  • To calculate $c_0$ and $c_1$ from $c_0 a_0$ and $c_1 a_1$, it is necessary to solve the discrete logarithm problem with the basis vectors $a_0$ and $a_1$ as the respective bases, and this calculation cannot be performed in polynomial time.
  • The distortion map $\phi_{i,j}$ exists in the basis A, as in Condition 1 of the distortion eigenvector space, and can be obtained by calculation. That is, $c_0 a_1$ and $c_1 a_0$ can be converted into known values by using the distortion map $\phi_{i,j}$.
  • Since the component vector ($y_0 b_0$) in the basis vector $b_0$ and the component vector ($y_1 b_1$) in the basis vector $b_1$ can then both be expressed in known values, the component vector ($y_0 b_0$) in the basis vector $b_0$ and the component vector ($y_1 b_1$) in the basis vector $b_1$ can be calculated.
  • the input vector is decomposed into component vectors of the distortion eigenvector base A.
  • The component vector in the distortion eigenvector basis A is converted into the component vector in the basis B using the basis conversion matrix X, the inverse matrix $X^{-1}$, and the distortion map $\phi_{i,j}$.
  • The component vector of the input vector in the basis B can thus be calculated.
  • Vector decomposition in the basis B can be reduced to vector decomposition in the basis A using the basis conversion matrix X, the inverse matrix $X^{-1}$, and the distortion map $\phi_{i,j}$.
  • Because the distortion eigenvector space has distortion maps in the distortion eigenvector basis A, and a vector can be decomposed in the distortion eigenvector basis A, the calculation vector problem in the distortion eigenvector space can be solved. However, having the basis conversion matrix X is a necessary condition.
  • The component vector u of the input vector v in the $l_2$ basis vectors of the basis B is calculated by Equation 29.
  • The component vector $u_j$ of the input vector v in the basis vector $b_j$ of the basis B can be calculated by Equation 30.
  • The component vector $u_j$ is $y_j b_j$ in Equation 28.
  • The output u of the algorithm Deco is the sum of the component vectors of the input vector v of the algorithm Deco shown in Equation 31 (Equation 32). That is, it is shown that the algorithm Deco can solve the $(l_1, l_2)$ calculation vector decomposition problem using the basis conversion matrix $X := (x_{i,j})$, as in Expression 33.
  • The output u of the algorithm Deco is given by Equation 32.
  • When the basis conversion matrix X is given, the calculation vector decomposition problem can be solved in polynomial time.
  • When the basis conversion matrix X is not given, the calculation vector decomposition problem cannot be solved in polynomial time.
  • The basis conversion matrix X cannot be calculated in polynomial time even when the basis B is given.
  • FIG. 2 is a functional block diagram illustrating functions of the arithmetic device 100.
  • FIG. 3 is a flowchart showing the operation of the arithmetic device 100.
  • the arithmetic device 100 includes an input unit 110 (vector input unit), an inverse matrix calculation unit 120, a component calculation unit 130, and a component output unit 140.
  • The inverse matrix calculation unit 120 calculates, by the processing device, the inverse matrix $(t_{i,k}) := X^{-1}$ of the basis conversion matrix X input by the input unit 110 and stores it in the storage device.
  • The component calculation unit 130 solves the $(l_1, l_2)$ calculation vector decomposition problem.
  • the calculation vector decomposition problem in the distortion eigenvector space V can be solved when the basis conversion matrix X is given. That is, according to the arithmetic device 100 according to this embodiment, when the basis conversion matrix X is given, the component vector of the input vector v in each basis vector of the basis B can be calculated.
  • The trapdoor bijection function will be described. If the function f is a one-way function and is bijective (one-to-one and onto, that is, the domain and range are the same type), the function f is called a trapdoor bijection function. In general, the representation of the domain is different from that of the range. If the representation of the domain is the same as that of the range, the trapdoor bijection function f is referred to as a trapdoor permutation function.
  • The function f for the computational vector decomposition problem shown in Equation 39 is a trapdoor bijection function.
  • the domain of the function f is the same type as the range. That is, the function f is a bijective function.
  • the characteristic of being a one-way function and the characteristic of being a bijective function can be applied to cryptographic processing and signature processing.
  • The arithmetic device 100 performs the inverse calculation using the trapdoor (the basis conversion matrix X).
  • This function f is the first trapdoor bijection function other than the RSA function based on integer factorization and its variants (see Non-Patent Document 16) (hereinafter referred to as RSA system functions).
  • An RSA system function is both a trapdoor bijection function and a trapdoor permutation function.
  • Embodiment 2. A cryptographic process using the trapdoor bijection function described in the first embodiment will be described.
  • the encryption process described here is a multivariate homomorphic encryption process (Multivariate Homomorphic Encryption).
  • FIG. 4 is a functional block diagram showing functions of the cryptographic processing system.
  • the cryptographic processing system includes a key generation device 200, an encryption device 300, and a decryption device 400.
  • FIG. 5 is a flowchart showing the operation of the key generation device 200.
  • FIG. 6 is a flowchart showing the operation of the encryption device 300.
  • FIG. 7 is a flowchart showing the operation of the decryption device 400.
  • The l_1-dimensional distortion eigenvector space V is used.
  • Of the l_1 dimensions, l_2 dimensions are used as the message space. The remaining (l_1 - l_2) dimensions of the l_1 dimensions are used as the space for randomization.
  • the key generation device 200 includes a key generation unit 210 and a key distribution unit 220.
  • the key distribution unit 220 transmits the secret key and public key generated by the key generation unit 210 to the decryption device 400 via the communication device, and transmits the public key to the encryption device 300 via the communication device.
  • the secret key is secretly transmitted to the decryption apparatus 400, but any method may be used for secretly transmitting the secret key to the decryption apparatus 400. For example, transmission may be performed using conventional cryptographic processing.
  • The operation of the key generation device 200 is summarized as shown in Equation 44.
  • the encryption device 300 includes a plaintext information input unit 310, a random number generation unit 320, a plaintext information setting unit 330, an encryption information generation unit 340, and an encryption information output unit 350.
  • m_i (i = 0, ..., l_2 - 1)
  • ⁇ 1 ⁇ l2 indicates l 2 .
  • It is generally known that many applications are possible even when the plaintext information m_i (i = 0, ..., l_2 - 1) is limited to a small value.
  • Equation 47 is calculated by the processing device.
  • the encryption information generation unit 340 adds the random number vector rv to the plaintext vector mv generated by the plaintext information setting unit 330 and generates the encryption information vector c by the processing device. That is, the encryption information generation unit 340 calculates Formula 48 by the processing device.
  • the encryption information output unit 350 transmits the encryption information vector c generated by the encryption information generation unit 340 to the decryption device 400 via the communication device.
  • The operation of the encryption device 300 is summarized as shown in Equation 49.
  • the decryption device 400 includes the arithmetic device 100 described in the first embodiment, an encryption information input unit 410, a component acquisition unit 420, a discrete logarithm calculation unit 430, and a plaintext information output unit 440.
  • The basis vector b_i of the basis B corresponding to a component vector u_i is defined as follows: for example, if the component vector u_0 is the component vector in the basis vector b_0, the basis vector corresponding to the component vector u_0 is the basis vector b_0. That is, the discrete logarithm calculation unit 430 calculates Formula 51 by the processing device.
  • The plaintext information m_i is a number smaller than a predetermined small integer ⁇. Accordingly, the discrete logarithm calculation unit 430 can solve the above discrete logarithm problem in a short time even if, for example, all the possible values of the plaintext information m_i are searched.
  • The plaintext information m_i (i = 0, ..., l_2 - 1) input by the plaintext information input unit 310 of the encryption device 300 and the m_i′ (i = 0, ..., l_2 - 1) output by the plaintext information output unit 440 are the same.
  • the key generation device 200 generates a secret key and a public key and distributes them to the encryption device 300 and the decryption device 400.
  • the decryption device 400 may generate a secret key and a public key and distribute the public key to the encryption device 300.
  • the cryptographic processing system need not include the key generation device 200.
  • the cryptographic processing described in this embodiment has some characteristics common to those of Boneh-Goh-Nissim (hereinafter, BGN) cryptographic processing.
  • BGN encryption processing requires a composite order subgroup. Therefore, the size of the ciphertext for the encryption processing described in this embodiment can be made smaller than the size of the ciphertext for the BGN encryption processing.
  • the main advantage of the cryptographic processing described in this embodiment is that the algebraic structure is richer than BGN cryptographic processing.
  • the cryptographic processing described in this embodiment is a multivariable homomorphic encryption with a distortion map and at the same time has a bilinear pairing. Based on such an algebraic structure, new applications to various encryption protocols can be considered using high-dimensional secret information together with the homomorphic nature and the 2DNF protocol described in the following embodiments.
  • cryptographic processing can be realized by using a rich mathematical structure called distortion eigenvector space.
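The following Python sketch is an added example, not code from the patent: a toy model of the Embodiment 2 flow (key generation, encryption as mv + rv, decomposition with the trapdoor X, and recovery of small plaintexts by exhaustive-search discrete logarithm), including the additive homomorphism. It models V as tuples of elements of a small prime-order subgroup of Z_p^*, which has none of the pairing or distortion-map structure of a distortion eigenvector space and is not secure. The parameters, the bound BOUND, the choice of B as public key and X as secret key, and all function names are assumptions of the example.

```python
import secrets

# Constructed toy parameters: G generates the subgroup of prime order R in Z_P^*.
P, R, G = 2039, 1019, 4
L1, L2 = 4, 2   # dimension of V; number of message dimensions (rest randomize)
BOUND = 50      # assumed small bound on each plaintext component

def vadd(u, v):
    """Vector addition in the toy V (component-wise group operation)."""
    return tuple(a * b % P for a, b in zip(u, v))

def smul(k, v):
    """Scalar multiple k*v in the toy V."""
    return tuple(pow(a, k % R, P) for a in v)

def mat_inv(X):
    """Inverse of a square matrix over F_R (Gauss-Jordan); None if singular."""
    n = len(X)
    M = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(X)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % R), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, R)
        M[col] = [x * inv % R for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % R for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]

def basis(X):
    """Basis B = X*A: b_i = sum_j x_ij a_j, with A the canonical basis."""
    return [tuple(pow(G, x, P) for x in row) for row in X]

def keygen():
    """Return (sk, pk) = (X, B) with X a random invertible L1 x L1 matrix."""
    while True:
        X = [[secrets.randbelow(R) for _ in range(L1)] for _ in range(L1)]
        if mat_inv(X) is not None:
            return X, basis(X)

def encrypt(B, m):
    """c = mv + rv: message on b_0..b_{L2-1}, fresh randomness on the rest."""
    if len(m) != L2 or not all(0 <= x < BOUND for x in m):
        raise ValueError("plaintext must be L2 integers in range(BOUND)")
    coeffs = list(m) + [secrets.randbelow(R) for _ in range(L1 - L2)]
    c = (1,) * L1  # zero vector of V
    for k, b in zip(coeffs, B):
        c = vadd(c, smul(k, b))
    return c

def decompose(X, v):
    """Component vectors u_j = y_j*b_j of v = sum_j y_j*b_j, using trapdoor X."""
    T = mat_inv(X)
    comps = []
    for j in range(L1):
        h = 1
        for k in range(L1):
            h = h * pow(v[k], T[k][j], P) % P  # h = G^(y_j), since y = w * X^-1
        comps.append(tuple(pow(h, X[j][k], P) for k in range(L1)))
    return comps

def decrypt(X, c, bound=BOUND):
    """Decompose c, then search m_j with m_j*b_j == u_j for each message slot."""
    B, comps = basis(X), decompose(X, c)
    out = []
    for j in range(L2):
        m = next((m for m in range(bound) if smul(m, B[j]) == comps[j]), None)
        if m is None:
            raise ValueError("plaintext component outside search bound")
        out.append(m)
    return out

if __name__ == "__main__":
    sk, pk = keygen()
    c1, c2 = encrypt(pk, [3, 17]), encrypt(pk, [20, 5])
    print(decrypt(sk, c1), decrypt(sk, c2), decrypt(sk, vadd(c1, c2)))
```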
  • Embodiment 3. An information sharing system (key sharing system) that shares information such as a common key in a common key cryptosystem between two devices will be described.
  • It is necessary for the decryption apparatus 400 to solve a discrete logarithm problem in order to obtain plaintext information.
  • The coefficient for the basis vector is calculated from the component vector.
  • Information such as a common key can be shared between the two devices without solving the discrete logarithm problem.
  • a key sharing system that shares a key between two devices will be described as an example of an information sharing system that shares predetermined information between two devices.
  • the key is used as the information to be shared, but the information to be shared is not limited to the key, but may be other information.
  • FIG. 8 is a functional block diagram showing functions of the key sharing system.
  • the key sharing system includes a transmission device 500 and a reception device 600.
  • FIG. 9 is a flowchart showing the operation of the transmission apparatus 500.
  • FIG. 10 is a flowchart showing the operation of the receiving device 600. It is assumed that transmitting apparatus 500 has a public key that is paired with the private key of receiving apparatus 600, and receiving apparatus 600 has a private key and a public key.
  • the private key and public key of receiving apparatus 600 may be generated by receiving apparatus 600, or may be generated by key generating apparatus 200 as in the second embodiment.
  • the transmission apparatus 500 includes a shared information input unit 510, a random number generation unit 520, a shared information setting unit 530, an encryption information generation unit 540, an encryption information output unit 550, and a key generation unit 560.
  • (S502: random number generation step) is the same as (S302: random number generation step).
  • The coefficient is set and generated as shared information s by the processing device. That is, the shared information setting unit 530 calculates Formula 53 by the processing device.
  • the encryption information generation unit 540 calculates Formula 54 by the processing device.
  • the encryption information generation unit 540 adds the random number vector rv to the shared information s generated by the shared information setting unit 530 and generates the encryption information vector c by the processing device. That is, the encryption information generation unit 540 calculates Formula 55 by the processing device.
  • the encryption information output unit 550 transmits the encryption information vector c generated by the encryption information generation unit 540 to the reception device 600 via the communication device.
  • the key generation unit 560 inputs the shared information s generated by the shared information setting unit 530 to a predetermined function (hash function), and generates key information key by the processing device. That is, the key generation unit 560 calculates Formula 56 by the processing device. Note that the function used to generate the key information key is shared with the receiving apparatus 600 in advance.
  • the receiving device 600 includes the arithmetic device 100 described in Embodiment 1, an encryption information input unit 610, a component acquisition unit 620, a key generation unit 630, and a key output unit 640.
  • The key generation unit 630 inputs the shared information s acquired by the component acquisition unit 620 to the predetermined function (hash function) used by the transmission device 500 to generate key information, and generates key information key by the processing device. That is, the key generation unit 630 calculates Formula 59 by the processing device.
  • the key output unit 640 outputs the key information key generated by the key generation unit 630 to the output device.
  • The operation of receiving apparatus 600 is summarized as shown in Equation 60.
  • the decryption device 400 solves the discrete logarithm problem to obtain the plaintext information.
  • In the key sharing system, since the transmitting apparatus 500 sets the shared information s as a component vector in a predetermined basis vector of the basis B, the receiving apparatus 600 can obtain the shared information s without solving the discrete logarithm problem. As a result, the transmitting apparatus 500 and the receiving apparatus 600 can share key information without the receiving apparatus 600 solving the discrete logarithm problem.
  • the transmission apparatus 500 does not need to perform a decryption process and does not need to generate a private key / public key pair. That is, information can be efficiently shared between the transmission device 500 and the reception device 600.
  • Embodiment 4. In this embodiment, a method for secure evaluation of a 2DNF formula between two parties will be described.
  • The vector symbol represents a vector representation over the finite field F_r.
  • The following notation is used (Formula 61).
  • Secure evaluation of a 2DNF formula between two parties means that, when one party (the expression holding device 700) has the 2DNF formula and the other (the information holding device 800) has the input information to the 2DNF formula, the result of evaluating the input information with the 2DNF formula is obtained without the information held by each of the expression holding device 700 and the information holding device 800 (the 2DNF formula and the input information) becoming known to the other party.
  • Using the encryption processing described in the second embodiment, the expression holding apparatus 700 and the information holding apparatus 800 can obtain the result of evaluating the input information with the 2DNF formula while each keeps its own secret (the 2DNF expression and the input information, respectively).
  • FIG. 11 is a functional block diagram illustrating functions of the 2DNF evaluation system.
  • the 2DNF type evaluation system includes an expression holding device 700 and an information holding device 800.
  • FIG. 12 is a flowchart showing the operation of the 2DNF evaluation system.
  • the expression holding device 700 has a public key pk that is paired with the secret key sk of the information holding device 800
  • the information holding device 800 has a secret key sk and a public key pk.
  • The secret key sk and the public key pk of the information holding device 800 may be generated by the information holding device 800 or may be generated by the key generation device 200 as in the second embodiment.
  • the expression holding device 700 includes an expression storage unit 710, an assignment unit 720, and an expression encryption unit 730.
  • the information holding device 800 includes the arithmetic device 100 described in Embodiment 1, an input information storage unit 810, an information encryption unit 820, and a result calculation unit 830.
  • the expression storage unit 710 of the expression holding apparatus 700 stores the 2DNF expression ⁇ shown in Equation 63 in the storage device in advance.
  • the input information storage unit 810 of the information holding device 800 stores the input information m to the 2DNF expression ⁇ shown in Formula 64 in advance in the storage device. That is, the input information m is an n ⁇ (l 2 ⁇ 1) matrix.
  • the information encryption unit 820 of the information holding device 800 encrypts the input information m stored in the input information storage unit 810 with the public key pk by the processing device.
  • the information encryption unit 820 performs encryption by the method executed by the encryption device 300 described in the second embodiment. That is, the information encryption unit 820 calculates Formula 65 by the processing device.
  • the information encryption unit 820 transmits the encrypted input information Em to the expression holding device 700 via the communication device.
  • the expression holding apparatus 700 cannot know the input information m.
  • The assigning unit 720 of the expression holding device 700 arithmetizes, by the processing device, the 2DNF expression ⁇ stored in the expression storage unit 710 to generate the evaluation expression ⁇.
  • The assigning unit 720 generates the evaluation expression ⁇ shown in Formula 66 from the 2DNF expression ⁇ by replacing "∨" in the 2DNF expression ⁇ with "+" and "∧" with "•". Further, the assigning unit 720 arithmetizes, by the processing device, the input information Em received from the information holding device 800.
  • The expression holding device 700 arithmetizes the input information Em by replacing it as shown in Expression 67.
  • The assignment unit 720 of the expression holding device 700 assigns the arithmetized input information Em′ to the generated evaluation expression ⁇. That is, the assigning unit 720 generates Formula 68 by the processing device.
  • The expression encryption unit 730 performs encryption by the method executed by the encryption apparatus 300 described in the second embodiment. That is, the expression encryption unit 730 calculates Formula 69 by the processing device.
  • Equation 73 shows the numerator of Equation 71.
  • Equation 74 shows the denominator of Equation 71.
  • Using the property that plaintexts can be multiplied once under encryption by means of the pairing operation, the input information is substituted into the 2DNF expression ⁇ and the result is obtained.
  • the information holding device 800 transmits the encrypted input information to the expression holding device 700. Therefore, the expression holding device 700 cannot know the content of the input information received from the information holding device 800.
  • the expression holding apparatus 700 transmits the evaluation expression ⁇ encrypted by adding a random number to the evaluation expression ⁇ substituted with the encrypted input information, to the information holding apparatus 800. Therefore, the information holding device 800 cannot know the content of the evaluation formula ⁇ . That is, even if the above processing is performed, the expression holding device 700 and the information holding device 800 hold the respective information (2DNF expression and input information) in a secret manner.
  • The result of evaluating the input information with the 2DNF formula can be obtained without the expression holding apparatus 700 revealing the 2DNF expression to the information holding apparatus 800 and without the information holding apparatus 800 revealing the input information to the expression holding apparatus 700.
  • Embodiment 5. In this embodiment, a signature process using the trapdoor bijection function described in the first embodiment will be described.
  • FIG. 13 is a functional block diagram illustrating functions of the signature processing system.
  • the signature processing system includes a signature generation device 900 and a signature verification device 1000.
  • FIG. 14 is a flowchart showing the operation of the signature generation apparatus 900.
  • FIG. 15 is a flowchart showing the operation of the signature verification apparatus 1000.
  • It is assumed that the signature generation apparatus 900 has a secret key sk and a public key pk, and that the signature verification apparatus 1000 has the public key pk that is paired with the secret key sk of the signature generation apparatus 900.
  • The secret key sk and the public key pk of the signature generation apparatus 900 may be generated by the signature generation apparatus 900 or may be generated by the key generation apparatus 200 as in the second embodiment.
  • The signature generation device 900 includes the arithmetic device 100 described in the first embodiment, a transmission information input unit 910, a hash value calculation unit 920 (transmission information vector generation unit), a component acquisition unit 930, a signature generation unit 940, and a transmission unit 950.
  • The hash value calculation unit 920 converts, by the processing device, the transmission information m input by the transmission information input unit 910 into a vector in the distortion eigenvector space V, and calculates the hash value hh (transmission information vector) of the transmission information m. That is, the hash value calculation unit 920 calculates Formula 77 by the processing device. Converting the transmission information m into a vector in the distortion eigenvector space V means mapping the transmission information m into the distortion eigenvector space V, that is, embedding the transmission information m in the distortion eigenvector space V.
  • the signature verification apparatus 1000 includes a reception unit 1010, a hash value calculation unit 1020 (transmission information vector generation unit), and a signature verification unit 1030.
  • the receiving unit 1010 inputs the public key pk and the hash function h using an input device.
  • the hash value calculation unit 1020 converts the transmission information m input by the transmission information input unit 910 into a vector in the distortion eigenvector space V by the processing device, and calculates a hash value hh (transmission information vector) of the transmission information m. That is, the hash value calculation unit 920 calculates Equation 79 by the processing device.
  • the signature verification unit 1030 determines that the signature information is valid.
  • The signature verification unit 1030 verifies the signature by determining whether or not the direction indicated by the signature information is the same as the direction indicated by the basis vector of the basis B, and whether or not the size of the signature information is the same as the size of the hash value hh.
  • signature processing can be realized by using a rich mathematical structure called a distortion eigenvector space.
  • the signature processing system according to this embodiment can efficiently verify a signature by using a pairing operation.
  • Embodiment 6. In this embodiment, a blind signature applying the signature processing described in the fifth embodiment will be described.
  • the blind signature is a signature that is attached in a state where the signer (signature generation apparatus 900 in the fifth embodiment) cannot know the contents of the subject to which the signature is attached.
  • the signer performs an operation on a target to which a signature is attached (transmission information in the fifth embodiment). Therefore, the signer can know the contents of the object to be signed.
  • the signer gives the signature in a state where the contents of the subject to be signed cannot be known.
  • FIG. 16 is a functional block diagram showing functions of the blind signature processing system.
  • the signature processing system includes a signature request apparatus 1100, a signature generation apparatus 1200, and a signature verification apparatus.
  • FIG. 17 is a flowchart showing operations of the signature request apparatus 1100 and the signature generation apparatus 1200. Since the function and operation of the signature verification apparatus according to this embodiment are the same as those of the signature verification apparatus 1000 according to the fifth embodiment, description thereof is omitted here.
  • It is assumed that the signature generation apparatus 1200 has a secret key sk and a public key pk, and that the signature request apparatus 1100 has the public key pk that is paired with the secret key sk of the signature generation apparatus 1200.
  • The secret key sk and the public key pk of the signature generation apparatus 1200 may be generated by the signature generation apparatus 1200, or may be generated by the key generation apparatus 200 as in the second embodiment.
  • the signature generation device 1200 includes the arithmetic device 100 described in Embodiment 1, the blind information reception unit 1210, the component acquisition unit 1220, and the signature generation unit 1230.
  • the signature request apparatus 1100 includes a transmission information input unit 1110, a hash value calculation unit 1120, a blind unit 1130, a signature request unit 1140, an unblind unit 1150, and a transmission unit 1160.
  • the transmission information input unit 1110 inputs the transmission information m, the public key pk, and the hash function h using an input device.
  • The hash value calculation unit 1120 converts, by the processing device, the transmission information m input by the transmission information input unit 1110 into a vector in the distortion eigenvector space V, and calculates the hash value hh (transmission information vector) of the transmission information m. That is, the hash value calculation unit 1120 calculates Formula 82 by the processing device.
  • the signature request unit 1140 transmits the blind transmission information d generated by the blind unit 1130 to the signature generation device 1200 via the communication device, and requests the signature generation device 1200 to generate a signature.
  • the blind information receiving unit 1210 of the signature generating apparatus 1200 receives the blind transmission information d transmitted by the signature requesting unit 1140 of the signature requesting apparatus 1100 via the communication apparatus.
  • In the blind transmission information d, blind information is added to the hash value hh of the transmission information m. Therefore, the signature generation apparatus 1200 that has received the blind transmission information d cannot know the content of the transmission information m.
  • a blind signature can be realized by using a rich mathematical structure called a distortion eigenvector space.
  • Embodiment 7. In this embodiment, a non-repudiation signature applying the signature processing described in the fifth embodiment will be described.
  • Non-repudiation signatures require the cooperation of a signer (signature generation apparatus 900 in the case of the fifth embodiment) when the signature verifier (signature verification apparatus 1000 in the case of the fifth embodiment) verifies the signature.
  • A non-repudiation signature is a signature for which, if the signature held by the signature verifier is a valid signature (a signature attached by the signer), the signer can show that the signature is valid.
  • In addition, a non-repudiation signature is a signature for which, if the signature held by the signature verifier is an invalid signature (not a signature attached by the signer), the signer can show that the signature is invalid.
  • The process indicating that the signature is valid is referred to as the "confirmation protocol", and the process indicating that the signature is invalid is referred to as the "denial protocol".
  • FIG. 18 is a functional block diagram illustrating functions of the non-repudiation signature processing system.
  • the non-repudiation signature processing system includes a signature generation device 1300 and a signature verification device 1400.
  • FIG. 19 is a flowchart illustrating an operation in which the signature generation apparatus 1300 generates a non-repudiation signature.
  • FIG. 20 is a flowchart showing the confirmation protocol process.
  • FIG. 21 is a flowchart showing processing of the denial protocol.
  • the signature generation device 1300 includes the arithmetic device 100 described in Embodiment 1, the transmission information input unit 1310, the hash value calculation unit 1320, the component acquisition unit 1330, the signature generation unit 1340, the transmission unit 1350, and the certification unit 1360.
  • the signature verification apparatus 1400 includes a reception unit 1410 and a signature verification unit 1420.
  • (S1101: transmission information input step) and (S1102: hash value calculation step) are the same as (S801: transmission information input step) and (S802: hash value calculation step) according to the fifth embodiment.
  • The processing device determines whether or not each is an element of the same one-dimensional space.
  • the processing device determines whether or not the directions indicated by 1-1-1) are the same.
  • the processor determines whether or not the elements are in the same one-dimensional space.
  • (S1301: Signature verification step) is the same as (S1201: Signature verification step).
  • a zero-knowledge proof (for example, a Σ-protocol)
  • The denial protocol is not executed in normal operation, but is executed when there is an attack by a malicious attacker. That is, normally, when the signature verification apparatus 1400 transmits the first signature verification request, it is assumed that the signature verification apparatus 1400 has valid signature information. Therefore, in the confirmation protocol, when the signature generation apparatus 1300 receives the first signature verification request from the signature verification apparatus 1400, the signature generation apparatus 1300 verifies whether the signature information held by the signature verification apparatus 1400 is a valid signature, and the process of proving that the signature information is valid was executed.
  • The signature generation apparatus 1300 may receive the signature information held by the signature verification apparatus 1400 together with the first signature verification request, and verify whether or not that signature information is a valid signature. That is, the confirmation protocol may be executed if the signature information received together with the first signature verification request is valid signature information, and the denial protocol may be executed if the signature information is invalid. In other words, whether the confirmation protocol or the denial protocol is executed may be determined depending on whether the signature information received together with the first signature verification request is valid signature information.
  • FIG. 22 is a flowchart illustrating processing for determining whether to execute a confirmation protocol or a denial protocol depending on whether the signature information received together with the first signature verification request is valid signature information.
  • the process from (S1401: signature verification step) to (S1403: signature verification step) is the same as (S1301: signature verification step) to (S1303: signature verification step).
  • a non-repudiation signature can be realized using a rich mathematical structure called a distortion eigenvector space.
  • Embodiment 8. In this embodiment, a method for changing a non-repudiation signature described in Embodiment 7 to a normal signature will be described. That is, a method for changing a non-repudiation signature to a signature that can be verified by the signature verifier (signature verification apparatus 1400) without cooperation of the signer (signature generation apparatus 1300) will be described.
  • A "selection change" changes a specific non-repudiation signature to a normal signature, and a "universal change" changes all non-repudiation signatures (all non-repudiation signatures generated with the same secret key sk) to normal signatures.
  • FIG. 23 is a functional block diagram illustrating functions of the signature generation apparatus 1300. The signature generation apparatus 1300 shown in FIG. 23 includes a signature selection change unit 1370 in addition to the functions of the signature generation apparatus 1300 according to Embodiment 7.
  • FIG. 24 is a functional block diagram illustrating functions of the signature generation apparatus 1300.
  • a signature generation apparatus 1300 shown in FIG. 24 includes a signature batch change unit 1380 in addition to the function of the signature generation apparatus 1300 according to the seventh embodiment.
  • hh* and s_i* are the vectors hh and s_i restricted to l_2 dimensions, respectively.
  • a non-repudiation signature can be changed to a normal signature.
  • Embodiment 9. A combination (blind non-repudiation signature) of the blind signature described in the sixth embodiment and the non-repudiation signature described in the seventh and eighth embodiments will be described. That is, in the blind non-repudiation signature, the signer attaches a non-repudiation signature in a state where the signer cannot know the contents of the subject to be signed.
  • FIG. 26 is a functional block diagram showing functions of the blind non-repudiation signature system.
  • FIG. 27 is a flowchart showing an operation in which the signature requesting device 1500 and the signature generating device 1600 generate a blind non-repudiation signature.
  • Signature request apparatus 1500 includes transmission information input unit 1510, hash value calculation unit 1520, blind unit 1530, signature request unit 1540, unblind unit 1550, transmission unit 1560, certification unit 1570, and signature selection change unit 1580.
  • the signature generation apparatus 1600 includes the arithmetic device 100 described in Embodiment 1, the blind information reception unit 1610, the component acquisition unit 1620, the signature generation unit 1630, the certification unit 1640, and the signature batch change unit 1650.
  • the confirmation protocol can be realized by the certification unit 1570 of the signature requesting device 1500 performing the operation of the certification unit 1360 of the signature generation device 1300 according to the seventh embodiment.
  • the selection change can be realized by the signature selection change unit 1580 of the signature request apparatus 1500 performing the operation of the signature selection change unit 1370 of the signature generation apparatus 1300 in the eighth embodiment. That is, the confirmation protocol and the selection change can be realized by the signature requesting device 1500 and the signature verification device 1700.
  • the denial protocol and universal change cannot be executed by the signature requesting device 1500. Therefore, the signature generation apparatus 1600 executes on behalf of the signature request apparatus 1500.
  • the denial protocol can be realized by the certification unit 1640 of the signature generation device 1600 performing the operation of the certification unit 1360 of the signature generation device 1300 according to the seventh embodiment.
  • the universal change can be realized by the signature batch change unit 1650 of the signature generation device 1600 performing the operation of the signature batch change unit 1380 of the signature generation device 1300 according to the eighth embodiment. That is, the denial protocol and universal change are realized by the signature generation apparatus 1600 that has received a request from the signature request apparatus 1500 and the signature verification apparatus 1700.
  • Embodiment 10. In this embodiment, two specific examples of the distortion eigenvector space used in the first to ninth embodiments are shown.
  • <Example 1: Jacobian variety of genus g ≥ 1 (Jacobian Variety of a Supersingular Curve of Genus g ≥ 1)>
  • A distortion eigenvector space can be realized by a hyperbolic Jacobian variety with genus g ≥ 1 as follows.
  • w = 2g + 1 is a prime number.
  • Equation 110. The vector space V over F_r that is isomorphic to Formula 111 and is included in Formula 112 is defined as Formula 113.
  • The distortion eigenvector basis is efficiently constructed on the Jacobian expressed by Formula 113.
  • The distortion eigenvector basis on such a Jacobian is given by Non-Patent Document 18 when r > w, as in typical cryptographic processing.
  • The Jacobian has an automorphism ⁇ derived from the curve shown in Formula 114.
  • Formula 115 is a non-zero point of the Jacobian. That is, a* ≠ 0.
  • The distortion map ⁇ i, j is given by Formula 119.
  • Non-Patent Document 15 describes the calculation of the Weil pairing for a hyperelliptic curve.
  • The distortion eigenvector space V can be obtained by finding a prime pair (p, r) that satisfies the above-described conditions and the security level determined by the security parameter k.
  • The security parameter k is, for example, Formula 121.
  • <Example 2: Product of Supersingular Elliptic Curves> Of the non-cyclic groups in Section 5 of Non-Patent Document 11, the product of the supersingular elliptic curves shown in Formula 122 can be used as the distortion eigenvector space.
  • Let (p, r) be a pair of prime numbers and d be a positive integer such that Formula 123 holds. Then Formula 124 becomes a distortion eigenvector space.
  • The automorphism F of the vector space V is defined as the diagonal action of Formula 126 with respect to Formula 125.
  • (a_k, a_{k+1}) is a distortion eigenvector basis of E_k[r] for F_k.
  • (a_0, ..., a_{2d−1}) is a distortion eigenvector basis.
  • The distortion map for the distortion eigenvector space V is constructed from all the distortion maps for E_k as follows. If a projection operator for E_k is used, an arbitrary vector v ∈ V (V is a vector space) can be decomposed as shown in Formula 128. Therefore, the distortion map ⁇ i, j can be calculated efficiently.
  • The automorphism map ⁇ is a direct product of the automorphism maps ⁇ k of E_k, and the pairing operation e can be defined componentwise.
  • e u, v
  • Embodiment 11. In this embodiment, the difficulty of the above-described computational vector decomposition problem ((l_1, l_2) computational vector decomposition problem (hereinafter, (l_1, l_2) CVDP)) will be described.
  • The difficulty of the computational vector decomposition problem is explained by showing that it is difficult even when compared with other problems believed to be difficult.
  • The difficulty of the computational vector decomposition problem is related to the security of cryptographic processing and signature processing.
  • P ⁇ p Q represents that P is reduced to Q by a probabilistic polynomial-time algorithm.
  • Formula 133 holds. This is because the following holds. There is an adversary A for Formula 136 if and only if there is an adversary B for Formula 135 such that Formula 134 holds. Also, if there is an adversary A for Formula 137, there is an adversary B for Formula 139 such that Formula 138 holds. Also, if there is an adversary B for Formula 140, there is an adversary A for Formula 142 such that Formula 141 holds.
  • The encryption process described in the second embodiment and the information sharing process described in the third embodiment are secure (separately secure, IND-CPA secure) under the assumption of (l_1, l_2) DSP.
  • The 2DNF expression evaluation process described in the fourth embodiment is also secure under the assumption of (l_1, l_2) DSP.
  • The definition of security follows Non-Patent Document 4.
  • The number h of disjunctive clauses of the 2DNF formula ⁇ can be disclosed.
  • The security of the signature processing described in the fifth embodiment is as follows: the message m is embedded in the vector space V by the hash value h(m), and h is a random oracle.
  • The security under the assumption of CVDP can be proved in the same manner as in the case of the full-domain hash RSA signature (see Non-Patent Documents 2 and 5).
  • The security of signature processing is unforgeability against attacks with chosen messages (unforgeability against chosen message attacks).
  • The non-repudiation signature described in the seventh and eighth embodiments is unforgeable under the assumption of CVDP in the random oracle model. It is also invisible under the assumption of a DVDP variant. That is, it is difficult to distinguish Formula 158 from Formula 159. here, It is.
  • The verification protocol is perfectly zero-knowledge and the denial protocol is computationally zero-knowledge under the assumption of DVDP.
  • Embodiment 12. The above embodiments can be summarized as follows.
  • FIG. 28 illustrates the arithmetic device 100, the key generation device 200, the encryption device 300, the decryption device 400, the transmission device 500, the reception device 600, the expression storage device 700, the information storage device 800, the signature generation device 900, and the like in the above embodiment.
  • FIG. 3 is a diagram illustrating an example of hardware resources of a signature verification apparatus 1000, a signature request apparatus 1100, a signature generation apparatus 1200, a signature generation apparatus 1300, a signature verification apparatus 1400, a signature request apparatus 1500, a signature generation apparatus 1600, and a signature verification apparatus 1700.
  • The arithmetic device 100, the key generation device 200, the encryption device 300, the decryption device 400, the transmission device 500, the reception device 600, the expression storage device 700, the information storage device 800, the signature generation device 900, the signature verification device 1000, the signature request apparatus 1100, the signature generation apparatus 1200, the signature generation apparatus 1300, the signature verification apparatus 1400, the signature request apparatus 1500, the signature generation apparatus 1600, and the signature verification apparatus 1700 each include a CPU 1911 (Central Processing Unit; also called a central processing device, processing device, microprocessor, microcomputer, or processor) that executes programs.
  • The CPU 1911 is connected to the ROM 1913, the RAM 1914, the LCD 1901 (Liquid Crystal Display), the keyboard 1902 (K/B), the communication board 1915, and the magnetic disk device 1920 via the bus 1912 and controls these hardware devices.
  • A storage device such as an optical disk device or a memory card read/write device may be used.
  • An operating system 1921 (OS), a window system 1922, a program group 1923, and a file group 1924 are stored in the magnetic disk device 1920 or the ROM 1913. Programs in the program group 1923 are executed by the CPU 1911, operating system 1921, and window system 1922.
  • The program group 1923 stores programs that execute the functions described in the above embodiments (for example, “~ unit”, “~ function”, “~ mapping”, “~ operator”, “~ calculation”, etc.). The programs are read and executed by the CPU 1911.
  • In the file group 1924, the information, data, signal values, variable values, and parameters described in the above embodiments (for example, “~ information”, “~ vector”, “~ value”, “~ key”, etc.) are stored as items of “file” and “database”.
  • The “file” and “database” are stored in a recording medium such as a disk or a memory.
  • Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 1911 via a read/write circuit and are used for operations of the CPU 1911 such as extraction, search, reference, comparison, calculation, processing, output, printing, and display. During these operations of the CPU 1911, the information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory.
  • The arrows in the flowcharts in the above description mainly indicate input/output of data and signals, and the data and signal values are recorded in the memory of the RAM 1914 and other recording media such as an optical disk.
  • Data and signals are transmitted online via a bus 1912, signal lines, cables, or other transmission media.
  • What is described as “~ unit” in the above description may be “~ circuit”, “~ device”, “~ equipment”, “~ means”, or “~ function”. It may also be “~ step”, “~ procedure”, or “~ processing”. Also, what is described as “~ device” may be “~ method”, “~ program”, “~ circuit”, “~ device”, “~ equipment”, “~ means”, or “~ function”. Alternatively, it may be “~ step”, “~ procedure”, or “~ processing”. Further, what is described as “~ processing” may be “~ step”. That is, what is described as “~ unit” may be realized by firmware stored in the ROM 1913.
  • Firmware and software are stored as programs in a recording medium such as the ROM 1913.
  • The program is read by the CPU 1911 and executed by the CPU 1911. That is, the program causes a computer or the like to function as the “~ unit” described above. Alternatively, it causes a computer or the like to execute the procedure or method of the “~ unit” described above.
  • For the signature generation device 1200, the signature generation device 1300, the signature verification device 1400, the signature request device 1500, the signature generation device 1600, and the signature verification device 1700, “~ device” can be read as “~ method” and “~ program”.
  • “~ unit” included in each apparatus can be read as “~ step” and “~ processing”.
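
The decomposition step of Embodiment 10, Example 2 (project a vector onto one factor E_k, then split it along the eigenvectors of F_k, then build the distortion map from the result), as an added toy example that is not part of the patent text. Small matrices over F_101 stand in for the curve groups E_k[r]; the matrices, basis vectors, function names, and the convention that the distortion map sends the a_j part of v to a_i and every other basis vector to zero are assumptions made for illustration.

```python
"""Toy model (constructed): V = F_r^4 as a product of two 2-dim blocks E_0, E_1."""
R = 101          # small prime standing in for the order r (constructed)
D = 2            # number of blocks E_k; dim V = 2 * D

# Block automorphisms F_k (constructed). Both blocks share the eigenvalues 2
# and 3, so the diagonal action F alone cannot separate E_0 from E_1.
F_BLOCKS = [[[2, 1], [0, 3]], [[2, 0], [4, 3]]]
EIGENVALUES = (2, 3)
# Eigenvector basis (a_0, a_1 | a_2, a_3) in coordinates of V (hypothetical).
BASIS = [[1, 0, 0, 0], [1, 1, 0, 0], [0, 0, 1, 97], [0, 0, 0, 1]]


def apply_f(v):
    """Diagonal action of F = diag(F_0, F_1) on v in V."""
    out = []
    for k, fk in enumerate(F_BLOCKS):
        w = v[2 * k:2 * k + 2]
        out += [sum(a * b for a, b in zip(row, w)) % R for row in fk]
    return out


def block_projection(v, k):
    """Projection of v onto E_k (zero outside block k)."""
    return [x if i // 2 == k else 0 for i, x in enumerate(v)]


def eigen_filter(v, s):
    """Apply (F - mu) / (lam - mu): keeps lam-eigenvectors, kills mu-eigenvectors."""
    lam, mu = EIGENVALUES[s], EIGENVALUES[1 - s]
    inv = pow(lam - mu, -1, R)
    return [(fx - mu * x) * inv % R for fx, x in zip(apply_f(v), v)]


def component(v, j):
    """Component of v along a_j: block projection first, then the eigen filter."""
    k, s = divmod(j, 2)
    return eigen_filter(block_projection(v, k), s)


def decompose(v):
    """All 2*D eigen-components of v; they sum back to v."""
    return [component(v, j) for j in range(2 * D)]


def coefficient(v, j):
    """Scalar c_j with component(v, j) == c_j * a_j."""
    pivot = next(i for i, x in enumerate(BASIS[j]) if x)
    return component(v, j)[pivot] * pow(BASIS[j][pivot], -1, R) % R


def distortion(i, j, v):
    """Toy distortion map: the a_j part of v is moved onto a_i, the rest to 0."""
    c = coefficient(v, j)
    return [c * x % R for x in BASIS[i]]


def combine(coeffs):
    """Build sum_j coeffs[j] * a_j."""
    return [sum(c * a[i] for c, a in zip(coeffs, BASIS)) % R for i in range(2 * D)]
```

Because both blocks reuse the same eigenvalues, `eigen_filter` applied to an unprojected vector returns a mixture of the a_0 and a_2 parts; only after `block_projection` does it isolate a single component.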

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Mathematical Optimization (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an encryption method and a signature method that employ a rich mathematical structure.  The encryption method and the signature method are configured using "a vector decomposition problem" in "a distortion eigenvector space".  Here, the distortion eigenvector space is a high-dimensional vector space over a finite field Fr of odd order "r" having a distortion map and a bilinear pairing operation.  In addition, the vector decomposition problem is a problem that computes a component vector
PCT/JP2009/064920 2008-08-29 2009-08-27 Computing device, decryption device, encryption device, information sharing system, 2DNF computing system, signature generation device, signature verification device, signature processing system, signature verification system, computing method, and computing program WO2010024312A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
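JP2008220649A JP2010054875A (ja) 2008-08-29 2008-08-29 Computing device, decryption device, encryption device, information sharing system, 2DNF computing system, signature generation device, signature verification device, signature processing system, signature verification system, computing method, and computing program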
JP2008-220649 2008-08-29

Publications (1)

Publication Number Publication Date
WO2010024312A1 true WO2010024312A1 (fr) 2010-03-04

Family

ID=41721478

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/064920 WO2010024312A1 (fr) 2008-08-29 2009-08-27 Computing device, decryption device, encryption device, information sharing system, 2DNF computing system, signature generation device, signature verification device, signature processing system, signature verification system, computing method, and computing program

Country Status (2)

Country Link
JP (1) JP2010054875A (fr)
WO (1) WO2010024312A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8615668B2 (en) 2010-01-15 2013-12-24 Mitsubishi Electric Corporation Confidential search system and cryptographic processing system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2680488B1 (fr) 2011-02-22 2019-08-21 Mitsubishi Electric Corporation Similarity calculation system, similarity calculation device, computer program, and similarity calculation method
JP5679344B2 (ja) * 2012-02-17 2015-03-04 日本電信電話株式会社 Signature key obfuscation system, signature key obfuscation method, encrypted signature system using an obfuscated signature key, encrypted signature method using an obfuscated signature key, and program

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
DAN BONEH ET AL.: "Evaluating 2-DNF Formulas on Ciphertexts", LECTURE NOTES IN COMPUTER SCIENCE, vol. 3378, 2005, pages 325 - 341 *
IWAN DUURSMA ET AL.: "The Vector Decomposition Problem for Elliptic and Hyperelliptic Curves", CRYPTOLOGY EPRINT ARCHIVE, REPORT 2005/031, February 2005 (2005-02-01) *
KATSUYUKI TAKASHIMA: "Efficiently Computable Distortion Maps for Supersingular Curves", LECTURE NOTES IN COMPUTER SCIENCE, vol. 5011, May 2008 (2008-05-01), pages 88 - 101 *
STEVEN D. GALBRAITH ET AL.: "An Analysis of the Vector Decomposition Problem", LECTURE NOTES IN COMPUTER SCIENCE, vol. 4939, March 2008 (2008-03-01), pages 308 - 327 *
TATSUAKI OKAMOTO ET AL.: "Homomorphic Encryption and Signatures from Vector Decomposition", LECTURE NOTES IN COMPUTER SCIENCE, vol. 5209, 25 August 2008 (2008-08-25), pages 57 - 74 *

Also Published As

Publication number Publication date
JP2010054875A (ja) 2010-03-11

Similar Documents

Publication Publication Date Title
Bernstein et al. Elligator: elliptic-curve points indistinguishable from uniform random strings
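JP5424974B2 Cryptographic processing system, key generation device, encryption device, decryption device, signature processing system, signature device, and verification device
JP5412626B2 Encryption device, decryption device, signature device, verification device, encryption method, decryption method, signature method, verification method, encryption program, decryption program, authentication program, and verification program
JP5618881B2 Cryptographic processing system, key generation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program
JP5693206B2 Cryptographic processing system, key generation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program
JP5606344B2 Signature processing system, key generation device, signature device, verification device, signature processing method, and signature processing program
WO2013133158A1 (fr) Encryption system, encryption method, and encryption program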
Gu et al. New public key cryptosystems based on non‐Abelian factorization problems
EP2792098B1 (fr) Group encryption methods and devices
EP2846492A1 (fr) Cryptographic group signature methods and devices
WO2014061324A1 (fr) Encryption system
Wei et al. Remove key escrow from the BF and Gentry identity-based encryption with non-interactive key generation
KR101432462B1 (ko) Cryptographic processing system, key generation device, encryption device, decryption device, key delegation device, cryptographic processing method, and computer-readable recording medium on which a cryptographic processing program is recorded
WO2018043049A1 (fr) Encryption device, encryption method, and encryption program
JP6053983B2 (ja) Cryptographic system, signature system, cryptographic program, and signature program
WO2010024312A1 (fr) Computing device, decryption device, encryption device, information sharing system, 2DNF computing system, signature generation device, signature verification device, signature processing system, signature verification system, computing method, and computing program
Sayid et al. Certificateless public key cryptography: A research survey
Chen et al. Blockchain as a CA: A provably secure signcryption scheme leveraging blockchains
Doegar et al. On-demand digital signature schemes using Multivariate Polynomial systems
Kumar Design and Analysis of Pairing-Friendly Elliptic Curves for Cryptographic Primitives
Menon An identity based proxy re-signature scheme
Bashir et al. Cryptanalysis and improvement of an encryption scheme that uses elliptic curves over finite fields
Sahana Raj et al. Identity based cryptography using matrices
Goswami et al. A new public key encryption scheme based on two cryptographic assumptions
Sharma et al. Boneh-Franklin IBE

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09809962

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09809962

Country of ref document: EP

Kind code of ref document: A1