Subclass 29	Subclass 30	Subclass 287
Public key

Encryption method, decryption method, encryption/decryption method, cryptographic communications system, and computer usable medium

6798884

Abstract

A product-sum type cryptosystem is employed to obtain ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 by (an) inner product(s) using a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) and base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1). D.sub.i (0.ltoreq.i.ltoreq.K-1) is set to D.sub.i =d/d.sub.i, where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other.

Claims

What is claimed is:

1. An encryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . m.sub.K-1) that is obtained by dividing plaintext by K;

providing base vectors D=(D.sub.0, D.sub.1, . . . D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other); and

yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D.

2. The encryption method according to claim 1 further including the step of using a random number vector v=(v.sub.0, v.sub.1, . . . , v.sub.K-1) to yield ciphertext C=m.sub.0 v.sub.0 D.sub.0 +m.sub.1 v.sub.1 D.sub.1 + . . . +m.sub.K-1 v.sub.K-1 D.sub.K-1 '

3. The encryption method according to claim 1 further including the step of providing a plurality of sets each containing K terms of d.sub.i (i=0, 1, 2, . . . , K-1) elements, and wherein the ciphertext is obtained for each of those sets, respectively.

4. An encryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K;

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.1 (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =d/d.sub.i v.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and v.sub.i is a random number); and

yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D.

5. The encryption method according to claim 4 further including the step of providing a plurality of sets each containing K terms of d.sub.i (i=0, 1, 2 . . . K-1) elements, and wherein the ciphertext is obtained for each of those sets, respectively.

6. A decryption method for decrypting ciphertext C encrypted by any one of the following three encryption methods, the decryption method including the step of finding a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) by formula (a) below, and the step of obtaining an original plaintext from the plaintext vector m:

m.sub.i.ident.CD.sub.i.sup.-1 (mod d.sub.i) (a),

the first encryption method including the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K,

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.1 =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other), and

yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D,

the second encryption method including the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K;

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.1 (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =d/d.sub.i v.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, any two numbers d.sub.i and d.sub.j are prime relative to each other, and v.sub.i is a random number); and

yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D, and

the third encryption method including the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K,

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other),

providing a random number vector v=(v.sub.0, v.sub.1, . . . , v.sub.K-1), and

yielding ciphertext C=m.sub.0 v.sub.0 D.sub.0 +m.sub.1 v.sub.1 D.sub.1 + . . . +m.sub.K-1 v.sub.K-1 D.sub.K-1 from the plaintext vector m, base vectors D, and random number vector v.

7. An encryption/decryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that K-divides plaintext;

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to d/d.sub.i using an integer d.sub.i, (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other);

selecting w to satisfy w<P (where P=prime number) and finding a public key vector c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) from formula (b):

c.sub.i.ident.wD.sub.i (mod P) (b);

producing ciphertext C indicated in formula (c) from inner product of the plaintext vector m and public key vector c:

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 +m.sub.K-1 v.sub.K-1 c.sub.K-1 (c);

finding intermediate decrypted text M for said ciphertext C as in formula (d):

M.ident.w.sup.-1 C (mod P) (d);

finding said plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) by decrypting said intermediate decrypted text M by formula (e) below:

m.sub.i.ident.MD.sub.i.sup.-1 (mod d.sub.i) (e); and

obtaining the original plaintext from the plaintext vector m.

8. An encryption/decryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that K-divides plaintext;

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being determined with equation (f):

D.sub.i =d/d.sub.i v.sub.i (f)

where v.sub.i is a random number,

d.sub.i is an integer, and

d=d.sub.0 d.sub.1 . . . d.sub.K-1, with any two integers d.sub.i and

d.sub.j being prime relative to each other;

selecting w to satisfy w<P (where P=prime number), and finding a public key vector c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) from formula (g):

c.sub.i.ident.wD.sub.i (mod P) (g);

producing ciphertext C indicated in formula (h) from inner product of the plaintext vector m and public key vector c:

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 + . . . +m.sub.K-1 c.sub.K-1 (h);

finding intermediate decrypted text M for said ciphertext C as in formula (i):

M.ident.w.sup.-1 C (mod P) (i);

finding said plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) by decrypting said intermediate decrypted text M by formula (j) below:

m.sub.i.ident.MD.sub.i.sup.-1 (mod d.sub.i) (j); and

obtaining the original plaintext from the plaintext vector m.

9. An encryption/decryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that K-divides plaintext;

finding prime numbers P and Q;

providing a base vector D=(D.sub.0, D.sub.1, . . . D.sub.K-1) by setting D.sub.Pi (0.ltoreq.i.ltoreq.K-1) to satisfy D.sub.Pi =d.sub.P /d.sub.Pi, using an integer d.sub.Pi, (where d.sub.P =d.sub.P0 d.sub.P1 . . . d.sub.PK-1, and any two numbers d.sub.Pi and d.sub.Pj are prime relative to each other);

providing another base vector D=(D.sub.0, D.sub.1, . . . , D.sub.K-1) by setting D.sub.Qi (0.ltoreq.i .ltoreq.K-1) to satisfy D.sub.Qi =d.sub.P /d.sub.Qi using an integer d.sub.Qi, (where d.sub.Q=d.sub.Q0 d.sub.Q1 . . . d.sub.QK-1, and any two numbers d.sub.Qi and d.sub.Qj are prime relative to each other);

deriving a minimum integer D.sub.i such that remainders resulting by P and Q become D.sub.Pi and D.sub.Qi, respectively, using Chinese remainder theorem;

selecting w to satisfy w<N (where N=PQ) and finding a public key vector c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) from formula (k):

c.sub.i.ident.wD.sub.i (mod N) (k);

producing ciphertext C indicated in formula (1) from inner product of the plaintext vector m and public key vector c:

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 + . . . +m.sub.K-1 c.sub.K-1 (l);

finding intermediate decrypted text M.sub.P and M.sub.Q, with modulus P and modulus Q, for said ciphertext C, as in formulas (m) and (n):

m.sub.p.ident.w.sup.-1 C (mod P) (m);

m.sub.Q.ident.w.sup.-1 C (mod Q) (n);

finding a pair of remainders (mi.sup.(P), mi.sup.(Q)) by decrypting said intermediate decrypted texts M.sub.P and M.sub.Q by formulas (o) and (p) below:

mi.sup.(P) =M.sub.P D.sub.Pi.sup.-1 (mod d.sub.Pi) (o),

mi.sup.(Q) =M.sub.Q D.sub.Qi.sup.-1 (mod d.sub.Qi) (p);

applying Chinese remainder theorem to mi.sup.(P) and mi.sup.(Q) to determine the plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1); and

obtaining the original plaintext from the plaintext vector m.

10. The encryption/decryption method according to claim 9, wherein said ciphertext C is sent with said N as modulus.

11. A cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising:

an encryptor for producing ciphertext from plaintext using an encryption method, the encryption method including the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K,

providing base vectors D=(D.sub.0, D.sub.1, . . . D.sub.k-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j prime relative to each other), and

yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D,

a communication path for transmitting said ciphertext one entity to another entity or entities; and

a decryptor for decrypting said ciphertext so transmitted to original plaintext.

12. The cryptographic communications system according to claim 11, wherein the encryption method further includes the step of providing a plurality of sets each containing K terms of d.sub.i (i=0, 1, 2, . . . , K-1) elements, and the ciphertext is obtained for each of those sets, respectively.

13. A cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising:

an encryptor for producing ciphertext from plaintext using an encryption method, the encryption method including:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K,

providing base vectors D=(D.sub.0, D.sub.1, . . . D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =(d/d.sub.i) v.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, any two numbers d.sub.i and d.sub.j are prime relative to each other), and v.sub.i is a random number), and

yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D,

a communication path for transmitting said ciphertext from one entity to another entity or entities; and

a decryptor for decrypting said ciphertext so transmitted to original plaintext.

14. The cryptographic communications system according to claim 13, wherein the encryption method further includes the step of providing a plurality of sets each containing K terms of d.sub.i (i=0, 1, 2, . . . , K-1) elements, and the ciphertext is obtained for each of those sets, respectively.

15. A cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising:

an encryptor for producing ciphertext from plaintext using an encryption method, the encryption method including the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K,

providing base vectors D=(D.sub.0, D.sub.1, . . . D.sub.K-1) with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =(d/d.sub.i) (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, any two numbers d.sub.i and d.sub.j are prime relative to each other), providing a random number vector v=(v.sub.0, v.sub.1, . . . , v.sub.K-1), and

yielding ciphertext C=m.sub.0 v.sub.0 D.sub.0 +m.sub.1 v.sub.1 D.sub.1 + . . . +m.sub.K-1 v.sub.K-1 D.sub.K-1 from the plaintext vector m, base vectors D and random number vector v;

a communication path for transmitting said ciphertext from one entity to another entity or entities; and

a decryptor for decryption said ciphertext so transmitted to original plaintext.

16. An encryption method comprising the step of:

providing components of a plaintext vector, the plaintext vector being obtained by dividing plaintext;

providing components of one of a plurality of types of base vectors; and

providing ciphertext from the components of the plaintext vector and the components of the one of the plurality of types of base vectors in such a manner that said ciphertext contains information indicative of which base vector component has been used.

17. An encryption method for obtaining ciphertext from plaintext, comprising the step of:

providing a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) that (K-1)-divides a plaintext;

providing first base vectors D.sub.P =(D.sub.P0, D.sub.P1, . . . , D.sub.PK-1) which is set to D.sub.Pi =d.sub.P0 d.sub.P1 . . . d.sub.PK-1 /d.sub.Pi with an integer d.sub.Pi (0.ltoreq.i.ltoreq.K-1), and second base vectors D.sub.Q =(D.sub.Q0, D.sub.Q1, . . . , D.sub.QK-1) which is set to D.sub.Qi =d.sub.Q0 d.sub.Q1 . . . d.sub.QK-1 /d.sub.Qi with an integer d.sub.Qi (0.ltoreq.i.ltoreq.K-1);

discretionarily selecting either D.sub.Pi or D.sub.Qi as D.sub.i ; and

obtaining ciphertext c=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and selected base vector D.sub.i, with m.sub.0 indicating D.sub.Pi /D.sub.Qi selection information.

18. A method for decrypting ciphertext C encrypted by an encryption method, the encryption method including the step of:

providing a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) that (K-1)-divides a plaintext;

providing first base vectors D.sub.P =(D.sub.P0, D.sub.P1, . . . , D.sub.PK-1) which is set to D.sub.Pi =d.sub.P0 d.sub.P1 . . . d.sub.PK-1 /d.sub.Pi with an integer d.sub.Pi (0.ltoreq.i.ltoreq.K-1), and second base vectors D.sub.Q =(D.sub.Q0, D.sub.Q1, . . . , D.sub.QK-1) which is set to D.sub.Qi =d.sub.Q0 d.sub.Q1 . . . d.sub.QK-1 /d.sub.Qi with an integer d.sub.Qi (0.ltoreq.i.ltoreq.K-1),

discretionarily selecting either D.sub.Pi or D.sub.Qi as D.sub.i ; and

obtaining ciphertext c=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and selected base vector D.sub.i, with m.sub.0 indicating D.sub.Pi /D.sub.Qi selection information,

the decryption method comprising the steps of:

decrypting those components of the plaintext vector m which form products with D.sub.Pi in said ciphertext C and said m.sub.0 ; and

decrypting those components of said plaintext vector m which form products with D.sub.Qi in said ciphertext C.

19. An encryption method for yielding ciphertext from a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) that (K-1)-divides plaintext, and base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), comprising the steps of:

providing a plurality of types of base vector, the base vectors d.sub.i (0.ltoreq.i.ltoreq.K-1) which is set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1);

selecting i'th component of anyone base vector of said plurality of types of base vector as D.sub.i ; and

obtaining ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and selected base vector D.sub.i, with m.sub.0 indicating D.sub.i selection information.

20. A cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising:

an encryptor for producing ciphertext from plaintext using an encryption method, the encryption method including the steps of:

providing components of a plaintext vector, the plain text vector being obtained by dividing plaintext,

providing components of one of a plurality of types of base vectors, and

providing ciphertext from the components of the plaintext vector and the components of the one of the plurality of types of base vectors in such a manner that said ciphertext containing information indicative of which base vector component has been used;

a communication path for transmitting said ciphertext from one entity to another entity or entities; and

a decryptor for decrypting said ciphertext so transmitted to original plaintext.

21. A cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising:

an encryptor for producing ciphertext from plaintext using an encryption method, the encryption method including the steps of:

providing a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) that (K-1)-divides a plaintext;

providing first base vectors D.sub.P =(d.sub.P.sub.0, d.sub.P1, . . . , d.sub.PK-1) and second base vectors D.sub.Q =(D.sub.Q0, D.sub.Q1, . . . , D.sub.QK-1), with the first base vectors D.sub.P being set to d.sub.Pi =d.sub.P0 d.sub.P1 . . . d.sub.PK-1 /d.sub.Pi utilizing integers d.sub.Pi (0.ltoreq.i.ltoreq.K-1), and the second base vectors D.sub.Q being set to D.sub.Qi (0.ltoreq.i.ltoreq.K-1) D.sub.Qi =d.sub.Q0 d.sub.Q1 . . . d.sub.QK-1 /d.sub.Qi with an integer d.sub.Qi (0.ltoreq.i.ltoreq.K-1),

discretionarily selecting either D.sub.Pi or D.sub.Qi as D.sub.i ; and

obtaining ciphertext c=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and selected base vector D.sub.i, with m.sub.0 indicating D.sub.Pi /D.sub.Qi selection information,

a communication path for transmitting said ciphertext from one entity to another entity or entities; and

a decryptor for decrypting said ciphertext so transmitted to original plaintext.

22. A cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising:

an encryptor for producing ciphertext from plaintext using an encryption method, the encryption method including the steps of:

providing a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) that (K-1)-divides plaintext,

providing a plurality of types of base vectors, each base vector D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with said D.sub.i (0.ltoreq.i.ltoreq.K-1)being set to D.sub.i =d.sub.Pi (where d=d.sub.0 d.sub.1 . . . d.sub.K-1),

selecting i'th component of anyone base vector of said plurality of types of base vector as D.sub.i, and obtaining ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1, from the plaintext vector m and the selected base vector D.sub.i, with m.sub.0 indicating D.sub.i selection information;

a communication path for transmitting said ciphertext from one entity to another entity or entities; and

a decryptor for decrypting said ciphertext so transmitted to original plaintext.

23. A computer readable medium adapted to store a program for obtaining ciphertext from plaintext by a computer, comprising:

first program code means for causing said computer to (K-1)-divide plaintext to be encrypted so as to obtain a plaintext vector m=(m.sub.1, m.sub.2, . . . , M.sub.K-1);

second program code means for causing said computer to set a plurality of types of base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1) wherein D.sub.i (where 0.ltoreq.i.ltoreq.K-1) is set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . . d.sub.K-1);

third program code means for causing said computer to generate m.sub.0 as a binary vector indicating of which base vector an i'th component is selected as D.sub.i ; and

fourth program code means for causing said computer to generate ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 using said m.sub.0, plaintext vector m and selected D.sub.i.

Description

This application relates to two applications concurrently filed herewith entitled (1) "CRYPTOGRAPHIC COMMUNICATION METHOD, ENCRYPTION METHOD, AND CRYPTOGRAPHIC COMMUNICATION SYSTEM" that claims foreign priority based on Japanese patent applications 10-262035, filed Sep. 16, 1998 and 10-338190, filed Nov. 27, 1998 inventors: Masao Kasahara and Yasuyuki Murakami; Express Mail EL 446 156 915 US) and (2) "ENCRYPTION METHOD, DECRYPTION METHOD, ENCRYPTION/DECRYPTION METHOD, CRYPTOGRAPHIC COMMUNICATIONS SYSTEM, AND COMPUTER USABLE MEDIUM" that claims foreign priority based on Japanese patent applications 10-262036, filed Sep. 16, 1998 and 11-105815, filed Apr. 13, 1999 inventors: Masao Kasahara and Yasuyuki Murakami; Express Mail EL 446 156 827 US), which applications are hereby incorporated by reference in their entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to an encryption method for converting plaintext into ciphertext, and to a decryption method for converting ciphertext into the original plaintext, and more particularly relates to product-sum type cryptosystem.

2. Description of the Related Art

In today's world, characterized by sophisticated information utilization, important business document and image information are transmitted and communicated in the form of electronic information over an infrastructure of computer networks. By its very nature, electronic information can be easily copied, making it extremely difficult to distinguish between the copy and the original, and information security has become a very serious problem. The realization of computer networks which support "computer resource sharing," "multi-accessing," and "wide-area implementation" is particularly indispensable to the establishment of a high-level information society. However, that very realization involves factors that are in conflict with the goal of information security between involved parties. An effective technique for eliminating those inconsistencies is encryption technology, whichup until now, in the course of human history, has been primarily used in the fields of military operations and foreign diplomacy.

Cryptography is the exchange of information in such a way that the meaning of that information cannot be understood by anyone other than the authorized parties. In cryptography, the conversion of the original text (plaintext), that is understandable by anyone, to a text (ciphertext), the meaning of which is not understood by a third party is called encryption, and the changing of ciphertext into plaintext is decryption. The overall process of this encryption and decryption is called a cryptosystem. In the encryption process and decryption process, respectively, secret data called an encryption key and a decryption keys are employed. Since a secret decryption key is necessary for decryption, only a party who knows that decryption key can decrypt the ciphertext, enabling the confidentiality of the information to be maintained in accordance with encryption.

Generally, there are two types of encryption schemes. Namely common key encryption scheme and public key encryption scheme. In a common key encryption scheme, the encryption key and the decryption key are identical, and cryptographic communication is conducted with the identical keys in the possession of both the sending party and the receiving party. The sending party encrypts plaintext based on the common key and sends it to the receiving party, whereupon the receiving party uses the common key to decrypt the ciphertext into the original plaintext.

By contrast, in a public key encryption scheme, the encryption key and decryption key are different. In conducting cryptographic communications in this system, the sending party encrypts the plaintext with the public key of a receiving party, and the receiving party decrypts that ciphertext with his or her own secret key. The public key is used for encryption, and the secret key is a key for decrypting the ciphertext encrypted by the public key. The ciphertext encrypted by the public key can only be decrypted using a secret key.

New methods for product-sum type cryptosystem, which is one public key encryption scheme, as well as attack methods (methods for breaking the codes), are being proposed one after another. A particularly urgent task is now that of developing cryptographic techniques capable of high-speed decryption so as to enable large volumes of information be processed in short times.

SUMMARY OF THE INVENTION

An object of the present invention, which was devised in view of the situation described in the foregoing, is to provide a new encryption method and decryption method for product-sum type cryptosystem wherewith high-speed decryption processing is possible.

Another object of the present invention is to provide an encryption method and decryption method wherewith vulnerability to attack by the LLL (Lenstra-Lenstra-Lovasz) method is minimized and security is enhanced.

According to the first aspect of the present invention, there is provided an encryption method comprising the step of preparing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that is obtained by dividing plaintext by K, the step of preparing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other), and the step of yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D.

Random number vectors v=(v.sub.0, v.sub.1, . . . , v.sub.K-1) may further be used to yield ciphertext C=m.sub.0 v.sub.0 D.sub.0 +m.sub.1 v.sub.1 D.sub.1 + . . . +m.sub.K-1 v.sub.K-1 D.sub.K-1. A plurality of sets each containing K terms of d.sub.i (i=0, 1, 2, . . . , K-1) elements may be provided, and ciphertext is obtained for each of those sets, respectively.

According to the second aspect of the present invention, there is provided an encryption method comprising the step of preparing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1 that K-divides plaintext, the step of preparing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to D.sub.i =(d/d.sub.i)v.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, any two numbers d.sub.i and d.sub.j are prime relative to each other, and v.sub.i is a random number), and the step of yielding ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 from the plaintext vector m and base vectors D.

A plurality of sets each containing K terms of d.sub.i (i=0, 1, 2, . . . , K-1) elements may be provided, and ciphertext is obtained for each of those sets, respectively.

According to the third aspect of the present invention, there is provided a decryption method for decrypting the ciphertext C encrypted by any of the above described encryption methods, wherein the plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) is found by formula (a) below.

m.sub.i.ident.CD.sub.i.sup.-1 (mod d.sub.i) (a)

According to the fourth aspect of the present invention, there is provided an encryption/decryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that K-divides plaintext;

providing base vectors D=(D.sub.0) D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being set to d/d.sub.i, using the integer d.sub.i, (where d=d.sub.0 d.sub.1 . . . d.sub.K-1, and any two numbers d.sub.i and d.sub.j are prime relative to each other);

selecting w to satisfy w<P (P=prime number), and finding a public key vector c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) from formula (b),

c.sub.i.ident.wD.sub.i (mod P) (b);

producing the ciphertext C indicated in formula (c) from the inner product of a plaintext vector m and public key vector c,

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 + . . . +m.sub.K-1 c.sub.K-1 (c);

finding intermediate decrypted text M for the ciphertext C from formula (d),

M.ident.w.sup.-1 C (mod P) (d);

finding the plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) by decrypting that intermediate decrypted text M by formula (e) below,

m.sub.i.ident.MD.sub.i.sup.1 (mod d.sub.i) (e); and

obtaining the original text from the plaintext vector m.

According to the fifth aspect of the present invention, there is provided an encryption/decryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that K-divides plaintext;

providing base vectors D=(D.sub.0, D.sub.1, . . . , D.sub.K-1), with D.sub.i (0.ltoreq.i.ltoreq.K-1) being determined by equation (f),

D.sub.i =(d/d.sub.i) v.sub.i (f)

where

v.sub.i is a random number,

d.sub.i is an integer, and

d=d.sub.0 d.sub.1 . . . d.sub.K-1

and where any two integers d.sub.i and d.sub.j are prime relative to each other);

selecting w to satisfy w<P (P=prime number), and finding a public key vector c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) from formula (g),

c.sub.i.ident.wD.sub.i (mod P) (g);

producing the ciphertext C indicated in formula (h) from the inner product of a plaintext vector m and public key vector

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 + . . . +m.sub.K-1 c.sub.K-1 (h);

finding intermediate decrypted text M for ciphertext C from formula (i),

M.ident.w.sup.-1 C (mod P) (i);

finding the plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) by decrypting that intermediate decrypted text M by formula (j) below,

m.sub.i.ident.MD.sub.i.sup.-1 (mod d.sub.i) (j); and

obtaining the original plaintext from the plaintext vector m.

According to the sixth aspect of the present invention, there is provided an encryption/decryption method comprising the steps of:

providing a plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) that K-divides plaintext;

providing prime numbers P and Q;

providing a base vector D (D.sub.0, D.sub.1, . . . , D.sub.K-1) with D.sub.Pi (0.ltoreq.i.ltoreq.K-1) satisfying D.sub.Pi =d.sub.P /d.sub.Pi, using the integer d.sub.Pi, (where d.sub.P =d.sub.P0 d.sub.P1 . . . d.sub.PK-1 ; and any two numbers d.sub.Pi and d.sub.Pj are prime relative to each other);

providing another base vector D=(D.sub.0 D.sub.1, . . . , D.sub.K-1) with D.sub.Qi (0.ltoreq.i.ltoreq.K-1) satisfying D.sub.Qi =d.sub.Q /d.sub.Qi, using the integer d.sub.Qi, (where d.sub.Q =d.sub.Q0 d.sub.Q1 . . . d.sub.QK-1, and any two numbers d.sub.Qi and d.sub.Qj are prime relative to each other);

deriving a minimum integer D.sub.i such that remainders resulting by P and Q become D.sub.Pi and D.sub.Qi, respectively, using the Chinese remainder theorem;

selecting w to satisfy w<N (N=PQ), and finding a public key vector c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) from formula (k),

c.sub.i.ident.wD.sub.i (mod N) (k);

producing the ciphertext C indicated in formula (l) from the inner product of a plaintext vector m and public key vector c,

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 + . . . +m.sub.K-1 c.sub.K-1 (l)

finding intermediate decrypted text M.sub.P and M.sub.Q, with modulus P and modulus Q, for the ciphertext C, as in formulas (m) and (n),

M.sub.P.ident.w.sup.-1 C (mod P) (m),

M.sub.Q.ident.w.sup.-1 C (mod Q) (n),

finding a pair of remainders (m.sub.i.sup.(P), m.sub.i.sup.(Q)) by decrypting the intermediate decrypted-text M.sub.P and M.sub.Q by formulas (o) and (p) below,

m.sub.i.sup.(P).ident.M.sub.P D.sub.Pi.sup.-1 (mod d.sub.Pi) (o),

m.sub.i.sup.(Q).ident.M.sub.Q D.sub.Qi.sup.-1 (mod d.sub.Qi) (p);

applying the Chinese remainder theorem to m.sub.i.sup.(P) and m.sub.i.sup.(Q) to find the plaintext vector m=(m.sub.0, m.sub.1, . . . , m.sub.K-1); and

obtaining the original plaintext from the plaintext vector m.

The ciphertext C may be sent with the N as modulus.

According to seventh aspect of the present invention, there is provided a cryptographic communications system for conducting information communications between a plurality of entities using ciphertext, comprising: an encryptor for producing ciphertext from plaintext using any one of the above described encryption methods; a communication path for transmitting the produced ciphertext from one entity to another entity or entities; and a decryptor for decrypting transmitted ciphertext to the original plaintext.

According to the eighth aspect of the present invention, there is provided an encryption method for obtaining ciphertext from components of a plaintext vector and components of one of multiple types bf base vectors, wherein the ciphertext is generated containing information indicative of which base vector (or vector component(s)) has been used. The plaintext vector is obtained by dividing the plaintext.

According to the ninth aspect of the present invention, there is provided an encryption method for obtaining ciphertext from plaintext, comprising the steps of:

providing a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) that (K-1)-divides the plaintext;

providing first base vectors D.sub.P =(D.sub.P0, D.sub.P1, . . . , D.sub.PK-1) which is set to D.sub.Pi =d.sub.P0 d.sub.P1 . . . d.sub.PK-1 /d.sub.Pi with integers d.sub.Pi (0.ltoreq.i.ltoreq.K-1) and second base vectors D.sub.Q =(D.sub.Q0, D.sub.Q1, . . . , D.sub.QK-1) which is set to D.sub.Qi =d.sub.Q0 d.sub.Q1 . . . d.sub.QK-1 /d.sub.dQi with integers d.sub.Qi (0.ltoreq.i.ltoreq.K-1);

discretionarily selects either D.sub.Pi or D.sub.Qi as D.sub.i ; and

obtaining ciphertext c=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 with m.sub.0 indicating D.sub.Pi /D.sub.Qi selection information.

According to the tenth aspect of the present invention, there is provided a decryption method for decrypting the ciphertext C encrypted by the encryption method described just above, wherein components of the plaintext vector m forming products with D.sub.Pi in the ciphertext C and the m.sub.0 are decrypted; and components of the plaintext vector m forming products with D.sub.Qi in the ciphertext C are next decrypted.

The concept of the encryption and decryption methods of the present invention is now described.

Let a set {d.sub.i } be considered which contains K integer elements. Arbitrary two integer elements among this set are prime. The product of these K elements is represented by d, as given in equation (1) below, and the base D.sub.i is defined as in equation (2).

d=d.sub.0 d.sub.1 . . . d.sub.K-1 (1)

D.sub.i =d/d.sub.i (2)

Now, a message m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) is represented as given in equation (3) below, using the base D=(D.sub.0, D.sub.1, . . . , D.sub.K-1).

M=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 (3)

Here, the elements m.sub.i in the message vector m are set so as to satisfy m.sub.i <d.sub.i.

In the present invention, ciphertext is produced in this manner, that is, using equations (1) to (3).

When the base is given by equation (2), the message m=(m.sub.0, m.sub.1, . . . , m.sub.K-1) can be decrypted from the integer M using the algorithm noted below. This decryption algorithm is called a parallel decryption algorithm.

Parallel Decryption Algorithm

unit i (m.sub.i decryption)

m.sub.i.ident.MD.sub.i.sup.-1 (mod d.sub.i)

Encryption techniques based on this concept and the decryption methods therefor are subject matters of the present invention. The specific techniques are described subsequently.

With the present invention, moreover, a plurality of types of base vector are provided, and the ciphertext C=m.sub.0 D.sub.0 +m.sub.1 D.sub.1 + . . . +m.sub.K-1 D.sub.K-1 is produced using a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1 that divides the plaintext to be encrypted, a base vector D=(D.sub.0, D.sub.1, . . . , D.sub.K-1) configured by selecting the i'th component D.sub.i (0.ltoreq.i.ltoreq.K-1) from any one of the plurality of types of base vector, and m.sub.0 indicating which base vector was selected to provide the i'th components. Thus, while it is easy for an authorized decrypting party to determine which base vector's components D.sub.i have been selected based on the decrypted m.sub.0 information, it is extremely difficult for an attacking party to find out which base vector's components D.sub.i have been selected, whereupon attack by the LLL method is made exceedingly difficult. As a consequence, security is enhanced.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a model diagram representing how information is communicated between two entities (or two persons); and

FIG. 2 illustrates computer usable media (recording media) according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Concrete examples of the present invention are now given for embodying aspects of the present invention.

FIG. 1 is a model diagram representing a situation wherein an encryption/decryption method of the present invention is employed in communicating information between two entities a and b. In the example diagramed in FIG. 1, one entity a uses an encryptor 1 to encrypt plaintext x into ciphertext C. This ciphertext C is transmitted to the other entity b over a communication path 3, and entity b uses a decryptor 2 to decrypt that ciphertext C back into the original plaintext x.

First Embodiment

A secret key and a public key are prepared as follows.

Secret key: {d.sub.i }, P, w

Public key: {c.sub.i }

The base is given as in equation (2) noted earlier. In this case, the base vector {D.sub.i } is not a super-increasing sequence, and is highly resistive to attack by the LLL method. An integer w is randomly selected which satisfies w<P (where P is a large prime number). Further, the elements m.sub.i in the message vector m are set so that m.sub.i <d.sub.i is satisfied. The public key vector c is derived from the components of D using the integer w, as in the equations (4) and (5).

c.sub.i.ident.wD.sub.i (mod P) (4)

c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) (5)

Also, .mu. satisfying that .mu.<min(d.sub.0, d.sub.1, . . . , d.sub.K-1) is disclosed to each entity. At the entity a, based on this disclosed .mu., the plaintext x is divided into K-dimensional message vectors less than or equal to .mu.. At the entity a, the inner products of the message vectors m and public key vector c are found as in equation (6), and the plaintext x is encrypted to yield the ciphertext C. The ciphertext C so produced is transmitted over the communication path 3 from entity a to entity b.

C=m.sub.0 c.sub.0 +m.sub.1 c.sub.1 + . . . +m.sub.K-1 c.sub.K-1 (6)

At the entity b, decryption processing is performed as described below.

First, an intermediate decrypted text M is derived for the ciphertext C as in equation (7).

M.ident.w.sup.-1 C (mod P) (7)

This intermediate decrypted text M is given specifically by formula (3) noted earlier. Therefore it can be decrypted by the parallel decryption algorithm described earlier. In a case where K types of parallel processing are possible, the ciphertext C can be decrypted at high speed in the time required to execute two multiplication/division processes. In the present invention, moreover, there is no need to decrypt the elements in the message vector in order from the highest digit (or in order from the lowest digit), but a message element in any digit can be freely decrypted in parallel, wherefore parallel communications are made possible.

Now, if we suppose combinations (d.sub.i, d.sub.j) of two numbers d.sub.i and d.sub.j, in round-robin fashion, then P will be revealed. That being so, in actual practice, it is necessary to select something on the order of 2.sup.32 d.sub.i.

A specific example is now given.

Secret key

d=(11, 17, 29)

D=(17.multidot.29, 29.multidot.11, 11.multidot.17)

=(493, 319, 187)

P=59659

w=25252

w.sup.-1.ident.48633 (mod P)

where D.sub.1, D.sub.2, and D.sub.3 do not constitute a super-increasing sequence.

Public key

c.ident.wD.ident.(40164, 1423, 9063) (mod P)

Encryption

Assume message m=(4, 6, 8).

C=c.multidot.m=241698

Decryption

Find intermediate decrypted text M and decrypt using parallel decryption algorithm.

M.ident.w.sup.-1 C.ident.5382 (mod 59659)

m.sub.0.ident.5382.multidot.493.sup.-1.ident.4 (mod 11)

m.sub.1.ident.5382.multidot.319.sup.-1.ident.6 (mod 17)

m.sub.2.ident.5382.multidot.187.sup.-1.ident.8 (mod 29)

In this manner the message m=(4, 6, 8) is obtained.

Second Embodiment

A second embodiment wherein random numbers are added to the first embodiment is described. In the first embodiment, when the sum products of the products of w and D.sub.i are found, the result is multiple products of w and d, as represented in equation (8) below. Thus, the possibility of finding w and d is not exactly zero. That being so, in the second embodiment, security is enhanced by using base vectors produced by multiplying the base vectors used in the first embodiment by random numbers. ##EQU1##

A secret key and public key are prepared as follows.

Secret key: {d.sub.i }, {v.sub.i }, P, w

Public: key: {c.sub.i }

Using random numbers v.sub.0, v.sub.1, . . . , v.sub.K-1 of roughly the same size, base D.sub.i is given as in equation (9).

D.sub.i =(d/d.sub.i).multidot.v.sub.i (9)

Here, d.sub.i and v.sub.i are prime relative to each other.

Using the integer w, as in the first embodiment, the public key vector c is found as shown below in equations (10) and (11).

c.sub.i.ident.wD.sub.i (mod P) (10)

c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) (11)

From the inner products of the message vectors m and public key vector c, the ciphertext C is obtained as in the first embodiment (see equation (6) noted earlier).

Decryption processing is performed as follows.

First, an intermediate decrypted text M is derived for the ciphertext C as in equation (12).

M.ident.w.sup.-1 C (mod P) (12)

This intermediate decrypted text M is given specifically by formula (3) noted earlier, wherefore it can be decrypted by the parallel decryption algorithm as in the first embodiment.

A specific example is now given.

Secret key

d=(11, 17, 29)

v=(8, 7, 5)

D=(2465, 2233, 1496)

P=59659

w=25252

w.sup.-1.ident.48633 (mod P)

Public key

c.ident.wD

.ident.(21843, 9961, 12845) (mod P)

Encryption

Assume message m=(7, 8, 9).

C=c.multidot.m

=348194.

Decryption

Find intermediate decrypted text M and decrypt using parallel decryption algorithm.

M.ident.w.sup.-1 C.ident.48583 (mod 59659)

m.sub.0.ident.48583.multidot.2465.sup.-1.ident.7 (mod 11)

m.sub.1.ident.48583.multidot.2233.sup.-1.ident.8 (mod 17)

m.sub.2.ident.48583.multidot.1496.sup.-1.ident.9 (mod 29)

In this manner the message m=(7, 8, 9) is obtained.

Third Embodiment

In the second embodiment, random numbers are combined together with the base vectors themselves. It is also possible, however, to use the same base vectors as in the first embodiment and add random numbers v.sub.0, v.sub.1, . . . , v.sub.K-1 at the stage of producing the ciphertext C. The ciphertext C, in this case, takes on the same form as in the second embodiment.

Fourth Embodiment

A fourth embodiment is described wherein the base vectors used in the first embodiment are multiplexed. This fourth embodiment is an encryption/decryption method wherein base vectors {D.sub.i } based on the first embodiment are set for two moduli respectively, and the Chinese remainder theorem is applied.

A secret key and public key are prepared as follows.

Secret key: {d.sub.Pi }, {d.sub.Qi }, P, Q, N, w

Public key: {c.sub.1 }

Two large prime numbers P and Q are selected, and the product thereof is taken as N. Two different sets {d.sub.i } comprising K elements each, as in the first embodiment, are prepared and designated {d.sub.Pi } and {d.sub.Qi }. The basses generated therefrom are designated {D.sub.Pi } and {D.sub.Qi }. Using the Chinese remainder theorem, a minimum integer D.sub.i is derived such that the remainders from P and Q become D.sub.Pi and D.sub.Qi, respectively.

With N as the modulus, and using a secret random number w, the public key vectors c are found, as in the first embodiment, as represented below in equations (13) and (14).

c.sub.i.ident.wD.sub.i (mod N) (13)

c=(c.sub.0, c.sub.1, . . . , c.sub.K-1) (14)

From the inner products of the message vectors m and the public key vector c, the ciphertext C is obtained as in the first embodiment (see equation (6) noted earlier).

Decryption processing is performed as follows.

Intermediate decrypted texts M.sub.P and M.sub.Q, in modulus P and modulus Q, respectively, are derived for the ciphertext C as in equations (15) and (16).

M.sub.P.ident.w.sup.-1 C (mod P) (15),

M.sub.Q.ident.w.sup.-1 C (mod Q) (16),

For these intermediate decrypted texts M.sub.P and M.sub.Q, the equations (17) and (18) are established. Here, m.sub.i is given by either equation (19) or equation (20).

M.sub.P =m.sub.0.sup.(P) D.sub.P0 +m.sub.1.sup.(P) D.sub.P1 + . . . +m.sub.K-1.sup.(P) D.sub.PK-1 (17)

M.sub.Q =m.sub.0.sup.(Q) D.sub.Q0 +m.sub.1.sup.(Q) D.sub.Q1 + . . . +m.sub.K-1.sup.(Q) D.sub.PK-1 (18)

m.sub.i.ident.m.sub.i.sup.(P) (mod d.sub.Pi) (19)

m.sub.i.ident.m.sub.i.sup.(Q) (mod d.sub.Qi) (20)

For M.sub.P and M.sub.Q, a pair of remainders (m.sub.i.sup.(P), m.sub.i.sup.(Q)) can be derived by using a parallel decryption algorithm. When the Chinese remainder theorem is applied to these remainders, the message(s) m.sub.i <1 cm (d.sub.Pi, d.sub.Qi) can be decrypted.

A specific example in the fourth embodiment is now given.

Secret key

d.sub.P =(11, 17, 29)

d.sub.Q =(13, 19, 23)

D.sub.P =(493, 319, 187)

D.sub.Q =(437, 299, 247)

D=(946872238594, 409641492482, 772314923252)

P=1042183

Q=960119

N=1000619699777

w=947284758293

w.sup.-1.ident.337608855274 (mod N)

Public key

c.ident.wD.ident.(940952460514, 717925054865, 870712563437) (mod N)

Encryption

Assume message m=(45, 67, 89).

C=c.multidot.m=167937257544978

Decryption

Find intermediate decrypted texts M.sub.P and M.sub.Q and decrypt using parallel decryption algorithm.

M.sub.P.ident.w.sup.-1 C.ident.60201 (mod 1042183)

M.sub.Q.ident.w.sup.-1 C.ident.61681 (mod 9600119)

m.sub.0.sup.(P).ident.M.sub.P.multidot.493.sup.-1.ident.1 (mod 11)

m.sub.1.sup.(P).ident.M.sub.P.multidot.319.sup.-1.ident.16 (mod 17)

m.sub.2.sup.(P).ident.M.sub.P.multidot.187.sup.-1.ident.2 (mod 29)

m.sub.0.sup.(Q).ident.M.sub.Q.multidot.437.sup.-1.ident.6 (mod 13)

m.sub.1.sup.(Q).ident.M.sub.Q.multidot.299.sup.-1.ident.10 (mod 19)

m.sub.2.sup.(Q).ident.M.sub.Q.multidot.247.sup.-1.ident.20 (mod 23) From (m.sub.0.sup.(P), m.sub.0.sup.(Q)), m.sub.0 =45 is found by the Chinese remainder theorem. Similarly, from (m.sub.1.sup.(P), m.sub.1.sup.(Q)) and (m.sub.2.sup.(P), m.sub.2.sup.(Q), m.sub.i =67 and m.sub.2 =89 are found.

In this manner the message m=(45, 67, 89) is obtained.

Furthermore, with a multiplexing method such as this fourth embodiment, wherein a composite number N is taken as the modulus, it is thought to be safe to disclose N in cases where it is very difficult to analyze N prime factors. Accordingly, in such cases, encryption efficiency can be improved by sending ciphertext C derived using N as the modulus.

Fifth Embodiment

A fifth embodiment is an encryption scheme wherein random numbers are added to the fourth embodiment, that is, an encryption scheme wherein the base vectors in the second embodiment are multiplexed. Because this fifth embodiment will be readily understood by referring to the first to fourth embodiments described in the foregoing, it is not further described here.

Sixth Embodiment

In the fourth embodiment, a multiplexing scheme is described using two prime numbers. However, multiplexing may be done employing three or more prime numbers. A sixth embodiment is now described wherein L prime numbers P.sub.0, P.sub.1, . . . , P.sub.L-1 are used. If, therein, P.sub.0 =P and P.sub.1 =Q this becomes identical with the fourth embodiment.

A secret key and public key are prepared as follows.

Secret key: {P.sub.j }, {r.sub.j,i }, w

Public key: {c.sub.i }

For the prime numbers P.sub.j (j=0, 1, . . . , L-1), vectors D.sub.Pj similar to D.sub.P and D.sub.Q in the fourth embodiment are provided as in equation (21).

D.sub.Pj =(r.sub.j /r.sub.j,0, r.sub.j /r.sub.j,1, . . . , r.sub.j /r.sub.j,j, . . . , r.sub.j /r.sub.j,K-1) (21)

where: r.sub.j =r.sub.j,0, r.sub.j,1, . . . , r.sub.j,K-1

Now, by applying the Chinese remainder theorem, a base is obtained, with the smallest integer made D.sub.i as in equation (22).

D.sub.i.ident.D.sub.Pj,i (mod P.sub.j) (22)

With N=P.sub.0 P.sub.1 . . . P.sub.L-1 as the modulus, the public key c is prepared as in the first embodiment.

In this sixth embodiment, as compared to the first embodiment, what might be called a two-dimensional structure is incorporated. When this is done, the following benefits may be expected.

(1) When K=L, a message can only be decrypted when K.sup.2 parameters are employed. When a comparison is made with the dimension number K made the same, a safer system is realized.

(2) Similarly, when K=L, and a vector wherein D.sub.P0 given in equation (23) is cyclically substituted j times is used as D.sub.Pj, the circuitry can be simplified.

D.sub.P0 =(r.sub.0 /r.sub.0,0, r.sub.0 /r.sub.0,1, . . . , r.sub.0 /r.sub.0,K-1) (23)

In this sixth embodiment, moreover, when r.sub.j,i is made about 16 bits and K=L=8, the size of the public key becomes approximately 8.2 kilobits and the number of secret parameters becomes 74.

Seventh Embodiment

Secret keys and public keys are prepared as follows.

Secret keys: {d.sub.P1i }, {d.sub.P2i }, . . . , {d.sub.Pni }

(where i=0, 1, . . . , K-1)

{d.sub.Q1i }, {d.sub.Q2i }, . . . , {d.sub.Q1i }

N=P.sub.1 P.sub.2 . . . P.sub.n

L=Q.sub.1 Q.sub.2 . . . Q.sub.1

Public keys: c.sub.i.sup.(N).ident.c.sub.i (mod N)

c.sub.i.sup.(NL).ident.c.sub.i (mod NL)

{e.sub.Ni }

{e.sub.Li }

Prior to encrypting, at the transmitting entity a, K sequences a.sub.i .epsilon. GF (2) are randomly generated, and a K-dimensional binary vector I given below is generated.

vector I=(a.sub.1, a.sub.2, . . . , a.sub.K-1)

Further, using the bases of two types of public keys disclosed, a K-dimensional base vector c' as given below is generated.

vector c'=(c.sub.0 ', c.sub.1 ', . . . , c.sub.K-1 ')

Here, either c.sub.i.sup.(N) or c.sub.i.sup.(NL) is selected as {c.sub.i '} according to the following criteria.

c.sub.0 '=c.sub.0.sup.(N) (i=0)

c.sub.i '=c.sub.i.sup.(N) (a.sub.i =0) (i.gtoreq.1)

c.sub.i '=c.sub.i.sup.(NL) (a.sub.i =1) (i.gtoreq.1)

A plain vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1) which (m-1)-divides the plaintext x to be encrypted is generated, and a message vector m' is generated that is combined with the binary vector I, noted above, which indicates whether c.sub.i.sup.(N) or c.sub.i.sup.(NL) is selected therefor. This message vector m' is represented as follows.

vector m'=(vector I, m.sub.1, m.sub.2, . . . , m.sub.K-1)

Here, the size of this vector m' is represented as follows.

.vertline.vector I.vertline.=e.sub.N0

.vertline.m.sub.i.vertline.=e.sub.Ni (a.sub.i =0)

.vertline.m.sub.i.vertline.=e.sub.Ni +e.sub.Li (a.sub.i =1)

Settings are made, moreover, so as to satisfy the following conditions.

2.sup.e.sup..sub.Ni .ltoreq.1 cm (d.sub.P1i, d.sub.P2i, . . . d.sub.Pni)<2.sup.e.sup..sub.Ni .sup.+1

2.sup.e.sup..sub.Li .ltoreq.1 cm (d.sub.Q1i, d.sub.Q2i, . . . d.sub.Qni)<2.sup.e.sup..sub.Li .sup.+1

Then, at the transmitting entity a, the vector I is set as m.sub.0, and, using this m.sub.0, the components of the plaintext vector m, and the components of the selected base vector c', ciphertext C is generated as follows.

C=m.sub.0 c.sub.0 '+m.sub.1 c.sub.1 '+m.sub.K-1 c.sub.K-1 '

This ciphertext C can also be represented as follows.

C=C.sub.N '+C.sub.NL '

Here, C.sub.N ' is that portion of the message vector m' which is encrypted by c.sub.i.sup.(N), and C.sub.NL ' is the remaining portion of the message vector m' which is encrypted by c.sub.i.sup.(NL).

The ciphertext C generated as described in the foregoing is transmitted from the transmitting entity a to the receiving entity b over the communication path 3. When this is done, the transmission capacity is not constant in all of the blocks (the components of the message vector m'). The transmission capacity of M.sub.0 is e.sub.N0 bits, while the transmission capacity of m.sub.i (i.gtoreq.1) is either e.sub.Ni bits or (e.sub.Ni +e.sub.Li) bits.

At the receiving entity b, decryption processing is performed as follows. When, for the ciphertext C, the portion of the message decrypted using the public key vector c.sup.(N) =(c.sub.0.sup.(N), . . . , c.sub.K-1.sup.(N)) with mod N is named M.sub.N ', M.sub.N ' is represented as follows.

M.sub.N '=(m.sub.0.sup.(N), m.sub.1.sup.(N), . . . , m.sub.K-1.sup.(N))

Here, the first block m.sub.0.sup.(N) of the decrypted message becomes equal to the vector I, wherefore the receiving entity b can obtain information concerning {a.sub.i }. This makes it possible to know which term the public key c.sub.i.sup.(N) has been used in. Therefore, there is no need to perform further decryption on the set of message portions {m.sub.i.sup.(N) .vertline.a.sub.i =0} decrypted from the ciphertext C.sub.N ' that is part of the ciphertext C. Accordingly, some of the components of the original plaintext vector m corresponding thereto can be extracted.

Following that, decryption is performed on the result of subtracting from the transmitted ciphertext C the ciphertext C.sub.N ' (the ciphertext C.sub.N ' is obtained by multiplying the extracted components by the public key c.sub.i.sup.(N)) i.e., the decryption is performed on the ciphertext C.sub.NL '), using the public key vector c.sup.(NL) =(c.sub.1.sup.(NL), . . . , c.sub.K-1.sup.(NL)) with mod NL, whereby it is possible to find the remaining components of the original plaintext vector m corresponding to the remaining component set {m.sub.i.sup.(NL) .vertline.a.sub.i 1=}.

In the example described above, N and L are products of a plurality of integers, but of course these may be single integers.

In this example, moreover, the encryption is conducted with two types of sending capacity, using the two types of integers N and NL, but the encryption can of course be performed equivalently even with three or more types of integers in cases where those integers have common factors (as, for example, N, NL, and NLR).

Thus, with the encryption/decryption methods of the present invention, the sending entity arbitrarily selects the key used for encrypting from a plurality of public keys. Consequently, it is extremely difficult for an attacking party to infer which public key has been selected by the sending entity, and it is in fact impossible for an attacking party to resolve the plaintext from the ciphertext and public keys using the LLL method. An authorized receiving entity, on the other hand, can be cognizant of selection information on which public key has been selected by the sending entity and therefore perform decryption correctly.

FIG. 2 is a diagram for embodying aspects of computer usable media of the present invention. The term "computer usable medium" in this specification including the appended claims covers any physical object in which the program to be executed by CPU or the like is stored. For example, the term "computer usable medium" includes a floppy disk, CD-ROM, hard disk drive, ROM, RAM, an optical recording medium such as DVD, a photomagnetic recording medium such as MO, a magnetic recording medium such as magnetic tape, and a semiconductor memory such as IC card and a miniature card. A program for having CPU or the like execute a part or all of the operations described herein may, be stored in the "computer usable medium".

The program exemplified, here is recorded on the computer usable media described below. That program comprises: a process routine for (K-1)-dividing plaintext to obtain a plaintext vector m=(m.sub.1, m.sub.2, . . . , m.sub.K-1); a process routine for setting a plurality of types of base vector D=(D.sub.0 D.sub.1, . . . , D.sub.K-1) wherein D.sub.i (0.ltoreq.i.ltoreq.K-1) is set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1); a process routine for generating m.sub.0 as a binary vector indicating from which base vector the i'th component is selected as D.sub.i ; and a process routine for producing ciphertext C using that m.sub.0, the plaintext vector m, and the selected D.sub.i. A computer or CPU 10 is provided at the sending entity.

In FIG. 2, a first computer usable medium 11, which is connected on-line to the computer 10, is constituted by for example a World Wide Web (WWW) server, computer, which is installed at a location distant from the computer 10. A program 11a like that described above is stored on the computer usable medium 11. The computer 10 prepares a ciphertext C in accordance with the program 11a, which is read out from the computer usable medium 11.

A second computer usable medium 12 disposed on the inside of the computer 10 is constituted by, for example, either a hard disk drive or ROM which is installed internally. A program 12a like that described above is stored on the computer usable medium 12. The computer 10 prepares a ciphertext C in accordance with the program, 12a which is retrieved from the second computer usable medium 12.

A third computer usable medium 13 which is inserted in a disk drive 10a disposed in the computer to is constituted by, for example, a transportable magneto-optic disk, CD-ROM or flexible disk, and a program 13a like that described above is stored on the third computer usable medium 13. The computer 10 prepares a ciphertext C in accordance with the program 13a which is read out from the computer usable medium 13.

With the present invention, as described in the foregoing, the base D.sub.i used when performing encryption is set to D.sub.i =d/d.sub.i (where d=d.sub.0 d.sub.1 . . . d.sub.K-1) wherefore the elements of the plaintext vector can be decrypted in parallel, and high-speed decryption can be performed with a simple hardware configuration. The present invention can therefore contribute greatly to opening the way for the practical implementation of product-sum type cryptosystem.

With the present invention, furthermore, ciphertext is configured using a base freely selected from among a plurality of preset base vectors. Therefore, the selection information pertaining thereto cannot be discovered, attack by the LLL method is made extremely difficult, and security can be enhanced. This aspect of the present invention also greatly contributes to opening the way for the practical implementation of product-sum type cryptosystem.

The above described encryption method, decryption method, encryption/decryption method, cryptographic communications system and computer readable medium are disclosed in Japanese Patent Application Nos. 10-262037 and 11-105814 filed in Japan on Sep. 16, 1998 and Apr. 13, 1999 respectively, the subject application claims priority of these two Japanese Patent Applications and the entire disclosures thereof are incorporated herein by reference.

Inventors
Kasahara, Masao; Murakami, Yasuyuki;
Assignee
Murata Kikai Kabushiki Kaisha (Kyoto, JP)
Published
Sep-28-2004
Current US Classes:
380/28
380/30
Application #
397677
International Classes
H04L 009/00; H04K 001/00
Field of Search
380/28
Examiner
Morse; Gregory
Agent
Hogan & Hartson, LLP
US Patent References:
4218582
4399323

Same subclass

Secure communication method and apparatus	5450493
Method of privacy communication using elliptic curves	5351297
Privacy-protected transfer of electronic information	5521980
Source authentication of download information in a conditional access system	6526508
Method and device for executing a decrypting mechanism through calculating a standardized modular exponentiation for thwarting timing attacks	6366673
Certificate revocation system	5666416
Identification protocols	6889322
One-way function generation method, one-way function value generation device, proving device, authentication method, and authentication device	7000110
Method and apparatus for a key-management scheme for internet protocols	5588060
Computer system for centralized session key distribution, privacy enhanced messaging and information distribution using a split private key public cryptosystem	5838792
Cryptographic methods for remote authentication	6226383
Robust data broadcast over a distributed network with malicious failures	5175765

Same class

Method of and an apparatus for generating internal crypto-keys	6278780
Method and apparatus for level and phase control of a plurality of RF signals	6175630
Reconfigurable universal trainable transmitter	6556681
Video control system for transmitted programs	5046092
Cryptographic method for restricting access to transmitted programming content using .function.-redundant establishment key combinations	6735312
Data transmission using DNA oligomers	6537747
System and method for synchronizing one time pad encryption keys for secure communication and access control	6445794
Communication system having a transmitter and a receiver that engage in reduced size encrypted data communication	6829357
Functionally modifiable cable television converter system	5003591
Two way authentication protocol	6487660
Spread spectrum correlation receiver	4653069
License management method and system	6915278

Consider this

Data management device in a karaoke communications system	5848422
Computer system to compile non-incremental computer source code to execute within an incremental type computer system	5884083
Airline-based video game and communications system	5959596
Method system and article of manufacture for debugging a computer program by encoding user specified breakpoint types at multiple locations in the computer program	6249907
Method, computer program product, and system for dynamically refreshing software modules within an actively running computer system	6629315
System and method for providing and displaying debugging information of a graphical program on a first computer during execution of the graphical program on a second computer	6715139
Method and computer-readable medium for installing an upgrade to an application program	6735766
Computer readable storage medium for providing repeated contact with software end-user	6795925
Method for generating a workflow on a computer, and a computer system adapted for performing the method	6895573
Recording medium having a computer-executable program for data transmission to plural devices	6996439