All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to SCIS 2011 does not prevent future submissions to any journals or conferences with proceedings.
SCIS 2011 The 2011 Symposium on Cryptography and Information Security Kokura, Japan, Jan. 25-28, 2011 The Institute of Electronics, Information and Communication Engineers

(u|u + v)∑ PKC Along with Challenge Problems of Small Key-Size

Masao Kasahara∗    Yasuyuki Murakami†

Abstract— In this paper, we present a new class of knapsack PKC, constructed based on the (u|u + v) construction, referred to as (u|u + v)∑ PKC. We show that our proposed scheme is secure against the low-density attack. We present a tiny challenge problem for the LLL attack. We also upload a challenge problem to https://sites.google.com/site/cryptochallege/.

Keywords: knapsack public-key cryptosystem, shifted-odd sequence, (u|u + v) construction, challenge problem.
1 Introduction

Various important studies have been made of the Public-Key Cryptosystem (PKC). The security of the PKC's proposed so far, in most cases, depends on the difficulty of the discrete logarithm problem or of the factoring problem. For this reason, it is desirable to investigate other classes of PKC's that do not rely on the difficulty of those two problems.

Concerning knapsack-type PKC, various interesting schemes have been proposed. In 1978, the first knapsack-type PKC was proposed by Merkle and Hellman [3]. We shall refer to this scheme as MH PKC. Unfortunately MH PKC was broken by Shamir [4, 5] and by the Low-Density Attack (LDA) [6, 7, 8]. Although MH PKC was broken, it is very simple and interesting. For this reason, it has long been studied and has been revised by many researchers [9, 10].

In this paper, we present a new class of knapsack PKC, constructed based on the (u|u + v) construction, referred to as (u|u + v)∑ PKC. We show that our proposed scheme is secure against the low-density attack.

2 Construction

2.1 Preliminaries

List of the symbols:
  m1, m2, ..., m2n : Message sequence.
  s1, s2, ..., sn : Shifted odd sequence with noise.
  t1, t2, ..., tn : Shifted odd sequence with noise.
  r1, r2, ..., rh : Random sequence.
  α1, α2, ..., αn : Public keys in left set.
  β1, β2, ..., βn : Public keys in left set.
  λ1, λ2, ..., λh : Public keys in left set.
  β'1, β'2, ..., β'n : Public keys in right set.
  λ'1, λ'2, ..., λ'h : Public keys in right set.
  CL : Ciphertext given by left set.
  CR : Ciphertext given by right set.

2.2 Key Generation

Let the secret sequences si and ti, i = 1, 2, ..., n, be shifted odd sequences with e-bit noise on the MSB side and f-bit noise on the LSB side. We also let the random sequence ri, i = 1, 2, ..., h, consist of (n + e + f)-bit random integers (in the toy example of Section 2.6 the ri are in fact generated with the same bit-length as the si and ti, namely n + e + g bits; either choice works, since R is reconstructed exactly during decryption). The si, ti and ri are generated with the following Algorithm 1, where the function random(x) returns an x-bit random integer and x ≪ i denotes the value of x shifted left by i bits.

Algorithm 1 GenSeq(n, e, f, h)
Input: n: Number of components in the shifted odd sequence; e: Bit-length of noise on MSB side; f: Bit-length of noise on LSB side; h: Number of components in the random sequence.
Output: s, t: Shifted odd sequences with noise; r: Random sequence.
1: g = f + ⌈log2 n⌉
2: for i = 1 to n do
3:   si = ((2 · random(e + n − i) + 1) ≪ (g + i − 1)) + random(f)
4:   ti = ((2 · random(e + n − i) + 1) ≪ (g + i − 1)) + random(f)
5: end for
6: for i = 1 to h do
7:   ri = random(n + e + f)
8: end for

Lines 3 and 4 are written out so that the structure visible in the secret keys of the toy example (Section 2.6) is explicit: 2 · random(e + n − i) + 1 is an odd integer, so bit g + i − 1 of si (counting from bit 0) is always 1 and bits f, ..., g + i − 2 are 0, with e + n − i random bits above; every si and ti is therefore an (n + e + g)-bit integer. The LSB noise random(f) is f bits wide, which keeps the sum of any n noise terms below n · 2^f ≤ 2^g, so that it can never carry into bit g + i − 1; this is what Algorithm 2 of Section 2.4 relies on (with g-bit noise such a carry could occur and decryption would fail).

∗ Osaka Gakuin University, 2-36-1, Kishibe Minami, Suita-shi, Osaka, 564-8511, [email protected]
† Osaka Electro-Communication University, 18-8, Hatsu-cho, Neyagawa-shi, Osaka, 572-8530, [email protected]
The secret moduli WL and WR are generated so that

$$\frac{W_L}{2} < \sum_{i=1}^{n} s_i + \sum_{i=1}^{n} t_i + \sum_{i=1}^{h} r_i < W_L$$

and

$$\frac{W_R}{2} < \sum_{i=1}^{n} t_i + \sum_{i=1}^{h} r_i < W_R,$$

respectively. The upper bounds guarantee that the intermediate values ML = Ms + Mt + R and MR = Mt + R of Section 2.4 satisfy ML < WL and MR < WR for every message, so that the modular reductions used in decryption are lossless; the lower bounds keep the moduli, and hence the public keys, small. The secret integers wL < WL and wR < WR are chosen at random under the conditions that gcd(wL, WL) = 1 and gcd(wR, WR) = 1. Let h > n. The set of keys is obtained by

  αi = wL si mod WL,   i = 1, 2, ..., n,
  βi = wL ti mod WL,   i = 1, 2, ..., n,
  λi = wL ri mod WL,   i = 1, 2, ..., h,
  β'i = wR ti mod WR,  i = 1, 2, ..., n,
  λ'i = wR ri mod WR,  i = 1, 2, ..., h.

2.3 Encryption

The ciphertext C is given by

$$C = (C_L, C_R),$$

where CL and CR are given by

$$C_L = \sum_{i=1}^{n} m_i \alpha_i + \sum_{i=1}^{n} m_{n+i} \beta_i + \sum_{i=1}^{h} (m_{j_i} \oplus m_{k_i} m_{l_i}) \lambda_i$$

and

$$C_R = \sum_{i=1}^{n} m_{n+i} \beta'_i + \sum_{i=1}^{h} (m_{j_i} \oplus m_{k_i} m_{l_i}) \lambda'_i,$$

respectively, where ji, ki and li are randomly chosen integers from the set {1, 2, ..., n}. The symbol ⊕ denotes mod 2 addition.

Public key: {αi}, {βi}, {β'i}, {λi}, {λ'i}, {ji}, {ki}, {li}
Secret key: {si}, {ti}, {ri}

The multipliers wL, wR and the moduli WL, WR are also required for decryption and must be kept secret; the toy example of Section 2.6 lists them with the secret keys.

2.4 Decryption

Let the intermediate messages Ms and Mt be

$$M_s = \sum_{i=1}^{n} m_i s_i \quad\text{and}\quad M_t = \sum_{i=1}^{n} m_{n+i} t_i,$$

respectively. We also let R be

$$R = \sum_{i=1}^{h} (m_{j_i} \oplus m_{k_i} m_{l_i}) r_i, \qquad (1)$$

where ji, ki and li are the randomly chosen integers from the set {1, 2, ..., n} that form part of the public key. Letting ML and MR be

$$M_L = M_s + M_t + R \quad\text{and}\quad M_R = M_t + R,$$

respectively, ML and MR can be obtained from the ciphertext as

$$M_L = C_L w_L^{-1} \bmod W_L \quad\text{and}\quad M_R = C_R w_R^{-1} \bmod W_R,$$

respectively. Thus, the intermediate message Ms can be obtained as Ms = ML − MR. Consequently, m1, m2, ..., mn can be obtained by using the trapdoor of the shifted odd sequence si. Since R can be recovered from Eq. (1) once m1, ..., mn are known, the intermediate message Mt can be obtained as

$$M_t = M_R - R.$$

Consequently, mn+1, mn+2, ..., m2n can be obtained by using the trapdoor of the shifted odd sequence ti. We now present Algorithm 2, where the function bittest(x, i) returns the i-th bit of the integer x, bit 0 being the least significant bit.

Algorithm 2 DecSO(s, f, M)
Input: s: Shifted odd sequence with noise; f: Bit-length of noise on LSB side; M: Intermediate message.
Output: m: Message vector.
1: g = f + ⌈log2 n⌉
2: for i = 1 to n do
3:   if bittest(M, g + i − 1) = 1 then
4:     mi = 1
5:     M ⇐ M − si
6:   else
7:     mi = 0
8:   end if
9: end for

Algorithm 2 is correct because, at step i, M = Σ_{j≥i} mj sj: every sj with j > i is a multiple of 2^{g+i} apart from its f-bit noise, the noise terms sum to less than n · 2^f ≤ 2^g and so never reach bit g + i − 1, and bit g + i − 1 of si is 1. Bit g + i − 1 of M therefore equals mi, and subtracting si removes that component together with its noise.

2.5 Security considerations

Let mji ⊕ mki mli be denoted by µi. The size of the ciphertext CL in the variables m1, m2, ..., mn, µ1, µ2, ..., µh is given by |CL| ≃ n + h (bits). We thus see that our scheme would be secure against the low-density attack.

As a concrete check in terms of the density used by the LDA [6, 7, 8]: for the challenge parameters of Section 3 (n = 30, h = 90) the public weights of the left set are about 59-bit integers and CL is a 64-bit integer, so an attacker who treats CL as an ordinary subset-sum instance faces 2n + h = 150 weights of about 59 bits, a density of roughly 150/59 ≈ 2.5. The coefficients µi are not free variables but are determined by m1, ..., mn through the public indices ji, ki, li.

2.6 Toy example

In this section, we present a toy example. Let n = 4, h = 8 and e = f = 2. Let µ = (µ1, µ2, ..., µh).
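The whole scheme of Sections 2.2 to 2.4, as an added Python example that is not the authors' code: key generation (Algorithm 1 together with the modulus bounds), encryption, and decryption (Algorithm 2), with the keys, message and ciphertext of the toy example below embedded as test vectors. Assumptions made by this example: the paper's random(x) is modelled by secrets.randbits(x) with no forced top bit, the ri are generated with the same bit-length as the si and ti (as in the toy example), and the dictionary layout of the keys is the example's own.

```python
import math
import secrets

# Added example (not the authors' code): the (u|u+v)-sum knapsack PKC of Sections
# 2.2 to 2.4 end to end, with the toy example of Section 2.6 embedded as test vectors.
# Assumed: random(x) is modelled by secrets.randbits(x); r_i get n+e+g bits, like s_i.
def gen_seq(n, e, f, h):
    """Algorithm 1: s_i, t_i have bit g+i-1 set, zeros down to bit f, f noise bits below."""
    g = f + (n - 1).bit_length()                      # g = f + ceil(log2 n)
    def shifted_odd(i):                               # e+n-i random bits, then a 1, then noise
        return (((secrets.randbits(e + n - i) << 1) | 1) << (g + i - 1)) + secrets.randbits(f)
    s = [shifted_odd(i) for i in range(1, n + 1)]
    t = [shifted_odd(i) for i in range(1, n + 1)]
    r = [secrets.randbits(n + e + g) for _ in range(h)]
    return s, t, r

def choose_modulus(total):
    """W with W/2 < total < W and a multiplier w coprime to W (Section 2.2)."""
    W = total + 1 + secrets.randbelow(total - 1)      # total < W <= 2*total - 1
    while True:
        w = 2 + secrets.randbelow(W - 2)
        if math.gcd(w, W) == 1:
            return w, W

def derive_public(sec, j, k, l):
    """Left set alpha, beta, lambda (mod W_L) and right set beta', lambda' (mod W_R)."""
    mod = lambda w, W, seq: [w * x % W for x in seq]
    wL, WL, wR, WR = sec['wL'], sec['WL'], sec['wR'], sec['WR']
    return dict(alpha=mod(wL, WL, sec['s']), beta=mod(wL, WL, sec['t']), lam=mod(wL, WL, sec['r']),
                beta2=mod(wR, WR, sec['t']), lam2=mod(wR, WR, sec['r']), j=j, k=k, l=l)

def keygen(n, h, e, f):
    assert h > n                                      # as required in Section 2.2
    s, t, r = gen_seq(n, e, f, h)
    wL, WL = choose_modulus(sum(s) + sum(t) + sum(r))
    wR, WR = choose_modulus(sum(t) + sum(r))
    sec = dict(s=s, t=t, r=r, wL=wL, WL=WL, wR=wR, WR=WR, f=f)
    idx = lambda: [1 + secrets.randbelow(n) for _ in range(h)]   # j_i, k_i, l_i in {1, ..., n}
    return derive_public(sec, idx(), idx(), idx()), sec

def moduli_in_range(sec):
    """The bound W/2 < (sum of secret weights) < W, for the left and the right modulus."""
    SL = sum(sec['s']) + sum(sec['t']) + sum(sec['r'])
    SR = sum(sec['t']) + sum(sec['r'])
    return (sec['WL'] / 2 < SL < sec['WL'], sec['WR'] / 2 < SR < sec['WR'])

def mu_bits(m, j, k, l):
    """mu_i = m_{j_i} XOR m_{k_i} m_{l_i}; j, k, l are 1-based indices into m_1..m_n."""
    return [m[a - 1] ^ (m[b - 1] & m[c - 1]) for a, b, c in zip(j, k, l)]

_dot = lambda bits, weights: sum(b * x for b, x in zip(bits, weights))

def encrypt(pub, m):
    """Section 2.3: C = (C_L, C_R) for the 2n-bit message m."""
    n = len(pub['alpha'])
    mu = mu_bits(m, pub['j'], pub['k'], pub['l'])
    CL = _dot(m[:n], pub['alpha']) + _dot(m[n:], pub['beta']) + _dot(mu, pub['lam'])
    CR = _dot(m[n:], pub['beta2']) + _dot(mu, pub['lam2'])
    return CL, CR

def dec_so(seq, f, M):
    """Algorithm 2 (DecSO): the noise left in M sums to < 2^g, so bit g+i-1 of M is m_i."""
    g = f + (len(seq) - 1).bit_length()
    m = []
    for i, s_i in enumerate(seq, start=1):
        bit = (M >> (g + i - 1)) & 1
        m.append(bit)
        M -= bit * s_i                                # removes s_i together with its noise
    return m

def decrypt(pub, sec, C):
    """Section 2.4: M_s = M_L - M_R gives m_1..m_n, then R by Eq. (1), then M_t = M_R - R."""
    CL, CR = C
    ML = CL * pow(sec['wL'], -1, sec['WL']) % sec['WL']
    MR = CR * pow(sec['wR'], -1, sec['WR']) % sec['WR']
    left = dec_so(sec['s'], sec['f'], ML - MR)
    R = _dot(mu_bits(left, pub['j'], pub['k'], pub['l']), sec['r'])
    return left + dec_so(sec['t'], sec['f'], MR - R)

def roundtrip_check(n, h, e, f, trials=3):
    """Fresh keys of the given size satisfy the modulus bounds and decrypt random messages."""
    for _ in range(trials):
        pub, sec = keygen(n, h, e, f)
        m = [secrets.randbits(1) for _ in range(2 * n)]
        if moduli_in_range(sec) != (True, True) or decrypt(pub, sec, encrypt(pub, m)) != m:
            return False
    return True

# Test vectors copied from the toy example of Section 2.6 (n = 4, h = 8, e = f = 2).
TOY_SEC = dict(s=[787, 547, 707, 898], t=[851, 995, 835, 899],
               r=[720, 923, 722, 668, 775, 851, 961, 873], wL=3211, WL=10079, wR=4936, WR=13033, f=2)
TOY_PUB = dict(alpha=[7307, 2671, 2402, 884], beta=[1152, 9981, 171, 4095],
               lam=[3829, 527, 172, 8200, 9091, 1152, 1597, 1241], beta2=[3910, 10912, 3132, 6244],
               lam2=[8944, 7411, 5783, 12932, 6731, 3910, 12517, 8238],
               j=[4, 1, 3, 3, 1, 4, 1, 4], k=[2, 2, 4, 1, 4, 3, 2, 2], l=[3, 3, 2, 4, 2, 1, 4, 1])
TOY_M = [1, 0, 1, 0, 0, 1, 1, 1]

if __name__ == "__main__":
    print(encrypt(TOY_PUB, TOY_M), moduli_in_range(TOY_SEC), roundtrip_check(30, 90, 10, 10))
```

derive_public reproduces all five public-key vectors of the toy example from its secret keys, encrypt(TOY_PUB, TOY_M) gives (44695, 69572) and decrypt recovers the message. moduli_in_range(TOY_SEC) returns (False, True): the toy WL = 10079 is smaller than Σsi + Σti + Σri = 13012, so that left modulus would not decrypt every message even though the message of the example (ML = 9123) decrypts correctly; keys produced by keygen satisfy both bounds by construction.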
[Secret Keys]
s = (787, 547, 707, 898)
t = (851, 995, 835, 899)
r = (720, 923, 722, 668, 775, 851, 961, 873)

s1 = 787 = 1100010011(2)    t1 = 851 = 1101010011(2)
s2 = 547 = 1000100011(2)    t2 = 995 = 1111100011(2)
s3 = 707 = 1011000011(2)    t3 = 835 = 1101000011(2)
s4 = 898 = 1110000010(2)    t4 = 899 = 1110000011(2)

(wL, WL) = (3211, 10079)
(wR, WR) = (4936, 13033)

Here g = f + ⌈log2 n⌉ = 4. In each si and ti the lowest two bits are the f-bit noise, bits 2, ..., g + i − 2 are 0, bit g + i − 1 is 1, and the e + n − i bits above it are random; each component is a 10-bit integer, as are the ri.

Note that Σsi + Σti + Σri = 2939 + 3580 + 6493 = 13012 exceeds WL = 10079, so this WL does not satisfy the condition of Section 2.2 for every message (the right modulus does: Σti + Σri = 10073 lies between WR/2 and WR). For the message used below ML = 9123 < WL, so decryption still succeeds, but in general WL would have to be chosen above 13012.

[Public Keys]
α = (7307, 2671, 2402, 884)
β = (1152, 9981, 171, 4095)
λ = (3829, 527, 172, 8200, 9091, 1152, 1597, 1241)
β' = (3910, 10912, 3132, 6244)
λ' = (8944, 7411, 5783, 12932, 6731, 3910, 12517, 8238)
j = (4, 1, 3, 3, 1, 4, 1, 4)
k = (2, 2, 4, 1, 4, 3, 2, 2)
l = (3, 3, 2, 4, 2, 1, 4, 1)

[Encryption]
m = (1, 0, 1, 0, 0, 1, 1, 1)
µ = (0, 1, 1, 1, 1, 1, 1, 0)
CL = 1·7307 + 0·2671 + 1·2402 + 0·884 + 0·1152 + 1·9981 + 1·171 + 1·4095 + 0·3829 + 1·527 + 1·172 + 1·8200 + 1·9091 + 1·1152 + 1·1597 + 0·1241 = 44695
CR = 0·3910 + 1·10912 + 1·3132 + 1·6244 + 0·8944 + 1·7411 + 1·5783 + 1·12932 + 1·6731 + 1·3910 + 1·12517 + 0·8238 = 69572

[Decryption]
ML = 44695 · 3211^{-1} mod 10079 = 9123
MR = 69572 · 4936^{-1} mod 13033 = 7629
Ms = ML − MR = 9123 − 7629 = 1494
(m1, m2, m3, m4) = DecSO(s, f, Ms) = (1, 0, 1, 0)
µ = (0, 1, 1, 1, 1, 1, 1, 0)
R = 0·720 + 1·923 + 1·722 + 1·668 + 1·775 + 1·851 + 1·961 + 0·873 = 4900
Mt = MR − R = 7629 − 4900 = 2729
(m5, m6, m7, m8) = DecSO(t, f, Mt) = (0, 1, 1, 1)
m = (1, 0, 1, 0, 0, 1, 1, 1)

3 Tiny Challenge Problem for LLL Attack

In this section, let us summarize the tiny challenge problem that is uploaded at https://sites.google.com/site/cryptochallege/. The parameters: n = 30, h = 90, e = 10, f = 10.

α = (64908272993819351, 358965494779679480, 204854734235200593, 444085806619864969, 188200308105988688,
     108807293665256373, 306267781311788638, 423004477472454089, 451700109075125090, 361311463173873999,
     335576673532897485, 137629498923389406, 463245546539100428, 372235756216909656, 87411301967057274,
     388721353371274734, 106795062376549709, 129836990530262465, 375830332078297197, 364895558432155645,
     396145183583583298, 332625817334166643, 258851198697719148, 446318844310622472, 131278413604113121,
     195967193668804701, 103121659546768883, 115632280542175452, 272521844173309805, 157335829694445774)
β = (127640206432169440, 96676502095321343, 420381824312020858, 404216850741577643, 338117570923309649,
     189818735468445076, 20156494405645418, 81141276288986391, 380718222988382504, 442275362644780180,
     118605880389926531, 233835481021691909, 327872554129776513, 198351563005573104, 356590662929013356,
     197149681815441346, 408844396539620137, 93311457648939702, 232667668627414342, 451124518414129820,
     73539597206615135, 26324635156256566, 182688486012036618, 40860294173340779, 279381907974394376,
     468419514444300794, 276609916558836417, 257344393304370391, 43784801570971345, 40057565681955349)

λ = (71732656962528483, 245482792535568055, 388738473182079008, 135888834607487824, 48216732074779508,
     430396972183628409, 182340726980167985, 288081495497175880, 10910768226436057, 397449051257212310,
     452035755158022599, 470755718053469434, 145357659584351944, 230604900595162139, 437899250070644970,
     380615089710481221, 13251987594120329, 441920474474080813, 454851535238100183, 20679484643000893,
     74405035074381625, 172950808077113721, 415429559174723821, 324495104693746710, 277251798730124295,
     173365591639504557, 238328220449870886, 312920683538143206, 326317259529332287, 288705041030240590,
     291017444258552294, 88575758062140179, 324746478888418361, 227335850411597899, 147296946098797819,
     296185295381287970, 282858842543907155, 356190377113709395, 193075447176705670, 254977459002909681,
     138085467728853780, 329398864688580856, 11576540187241242, 464174486699916139, 304180163875484948,
     387438352742256325, 324017359947715722, 343651868052755755, 272347665650884476, 61302998524962424,
     205211464618154421, 22461311013081282, 85181222415966366, 272569971696490089, 188728118891632371,
     155239966246393100, 187704103432995307, 51123483170798724, 35385060185388401, 319913446016561576,
     47789467255771016, 405814325385585715, 123618721767910774, 453608645969930267, 27694649748751951,
     309670172844004591, 22026106197562823, 391273109403772340, 452202263320973838, 261770676684695046,
     365396105466432654, 11025427097323874, 45424081820374066, 336608568569076562, 443648905904749714,
     17923155925970878, 15497686212054039, 182362828025222452, 206010029516455591, 248436981148504172,
     291812230838587432, 131409497845022508, 225501515062385775, 143603486228257492, 423693009295295975,
     298185347924039151, 14196195238524573, 36436356531157368, 114230706495368182, 411617336665070090)

β' = (642134416964494643, 532258000089808422, 180212577505490789, 50909712948378376, 300090434594478659,
      557522928680671807, 757016326483740823, 269720548537721409, 352621147789248230, 61279286833415111,
      827224780722527734, 385166863309104655, 247313284682848083, 157601847145522449, 213886350976020099,
      697296477259266760, 107721402611097494, 530172438784440731, 367786570948155220, 194923092238102309,
      453792271548919601, 430091494741755847, 885688117008813004, 689342324845689631, 474543172270361648,
      585503478470914607, 853428924121109217, 256647271724367430, 354450040216658421, 273088285018400551)
λ' = (247856785949319002, 72117517707370362, 284780124714683024, 896036683179958497, 364923219444008441,
      4962742439914431, 787759162213541977, 295616469805422577, 699143485300453566, 830393066916291300,
      886107501126212873, 878459098998346775, 74525771303001663, 310985854733603159, 353045622442773452,
      744269907398694048, 739352290822695738, 397011325125957624, 516880629842052699, 225226745310097977,
      256455598078503913, 811479062256957679, 773994715211096143, 193271229639911631, 303827936972632453,
      190966290189007590, 255393078795522754, 403906985708738202, 716304640998851999, 467824671140839823,
      647545682226781252, 547124353652870172, 611107685038601418, 594510752686741715, 231883389520189939,
      888482032855134905, 253659565142514781, 702464701464492222, 222128071274787066, 621192448245024957,
      235363241258202288, 422076992097362017, 667817929776281539, 42413178849054109, 799496221983979673,
      701677604855471856, 532992341783907561, 26745916887219385, 555412035583088900, 809071204020760802,
      803771543336021280, 184197869966493793, 890179460555584063, 425690297056081860, 723882192622982276,
      635438884331644216, 560036864134035090, 509265509001485036, 142489665258974087, 25905353120842910,
      884561688982979056, 631930267626644668, 399020935630264964, 288300408129507182, 854268400680143938,
      59335448739071051, 320358504566057887, 662556812254003209, 395193986953372530, 425145401772694755,
      374631685242000744, 457952737878064305, 300824062241719818, 198143749079575124, 280939162410680256,
      725512866799985357, 557868005729972153, 331151157762765642, 606497743543303255, 309975284114060808,
      172057966562099488, 401002582118119882, 828402288943703548, 576432642762842806, 317843371879840969,
      609710482918371655, 246273232003534058, 94662354268283790, 366787158848958055, 313176259102010138)

j = (10, 22, 22, 13, 10, 17, 26, 17, 10, 27,
     30, 20, 14, 25, 22, 30, 4, 12, 11, 27,
     3, 22, 6, 12, 16, 8, 21, 20, 11, 18,
     13, 30, 5, 27, 24, 6, 24, 13, 28, 12,
     1, 8, 15, 4, 17, 19, 18, 27, 1, 30,
     22, 15, 22, 4, 1, 7, 24, 22, 4, 27,
     15, 17, 25, 23, 16, 2, 11, 24, 12, 28,
     29, 12, 25, 11, 24, 21, 2, 2, 11, 20,
     16, 9, 10, 29, 19, 17, 4, 2, 1, 2)

k = (6, 19, 24, 4, 24, 6, 19, 14, 25, 3,
     8, 14, 16, 9, 12, 24, 19, 22, 27, 30,
     8, 21, 7, 6, 10, 30, 11, 9, 17, 6,
     20, 24, 13, 16, 5, 7, 16, 14, 4, 6,
     22, 15, 8, 29, 9, 1, 22, 2, 8, 4,
     20, 26, 28, 7, 25, 10, 1, 16, 16, 29,
     11, 21, 28, 20, 17, 8, 24, 29, 8, 18,
     23, 26, 9, 12, 29, 2, 13, 19, 1, 25,
     24, 3, 1, 2, 7, 23, 25, 7, 10, 8)

l = (30, 9, 14, 26, 12, 22, 2, 22, 21, 13,
     24, 4, 20, 26, 5, 28, 11, 20, 30, 18,
     14, 14, 24, 10, 8, 24, 4, 12, 16, 11,
     19, 21, 3, 22, 19, 4, 17, 22, 7, 22,
     4, 7, 3, 8, 14, 18, 28, 30, 18, 14,
     17, 13, 19, 6, 8, 18, 11, 15, 9, 6,
     6, 7, 30, 18, 23, 16, 25, 6, 18, 20,
     3, 17, 16, 25, 11, 6, 1, 13, 30, 24,
     26, 26, 21, 3, 26, 14, 19, 20, 25, 29)

C = (CL, CR) = (16213561209341793758, 25392371822990561121)

4 Conclusion

In this paper, we have presented a new class of knapsack PKC, constructed based on the (u|u + v) construction, referred to as (u|u + v)∑ PKC. We have shown that our proposed scheme is secure against the low-density attack.

Acknowledgement

We are thankful for the support of SCOPE.

References

[1] M. Kasahara, "(u|u + v)∑ PKC," Memorandum for File at Kasahara Lab., Osaka Gakuin University, Sept. 13, 2010.
[2] M. Kasahara, "(u|u + v)∑ PKC," 2010 2nd SCOPE Meeting in Osaka, Sept. 24, 2010.
[3] R.C. Merkle and M.E. Hellman, "Hiding information and signatures in trapdoor knapsacks," IEEE Trans. Inf. Theory, vol. IT-24, no. 5, pp. 525–530, 1978.
[4] A. Shamir, "A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem," Proc. Crypto'82, LNCS, pp. 279–288, Springer-Verlag, Berlin, 1982.
[5] A. Shamir, "A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem," IEEE Trans. Inf. Theory, vol. IT-30, pp. 699–704, 1984.
[6] E.F. Brickell, "Solving low density knapsacks," Proc. Crypto'83, LNCS, pp. 25–37, Springer-Verlag, Berlin, 1984.
[7] J.C. Lagarias and A.M. Odlyzko, "Solving low density subset sum problems," J. Assoc. Comput. Mach., vol. 32, pp. 229–246, 1985; preliminary version in Proc. 24th IEEE FOCS, 1983.
[8] M.J. Coster, B.A. LaMacchia, A.M. Odlyzko and C.P. Schnorr, "An improved low-density subset sum algorithm," Advances in Cryptology, Proc. EUROCRYPT'91, LNCS, pp. 54–67, Springer-Verlag, Berlin, 1991.
[9] A. Shamir and R. Zippel, "On the security of the Merkle-Hellman cryptographic scheme," IEEE Trans. Inf. Theory, vol. IT-26, no. 3, pp. 339–340, 1980.
[10] M. Kasahara and Y. Murakami, "New public key cryptosystems and the application," Technical Report of IEICE, ISEC99-55 (1999-11), pp. 21–28, 1999.