CA2090895A1 - Cryptographic method for communication and electronic signatures - Google Patents

Cryptographic method for communication and electronic signatures

Info

Publication number
CA2090895A1
Authority
CA
Canada
Prior art keywords
mod
key
message
encoding
Legal status
Abandoned
Application number
CA002090895A
Other languages
French (fr)
Inventor
Glenn A. Orton
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A cryptographic method for communication and electronic signatures is described. The system includes at least one encoding device coupled to at least one decoding device by a communications channel. The method is a form of public-key or two-key cryptosystem, where the private decoding key is not feasibly determinable from the associated public encoding key. A block of ns bits of a message-to-be-transferred M (or key-to-be-distributed) is enciphered to ciphertext by first mapping M to a set [X1, X2, ..., Xn], where Xi ∈ [0, 2^s). Then the ciphertext [Y1, Y2, ..., Ym] is determined by [equation missing from the page] mod q_j for j = 1 to m', and [equation missing from the page] for j = m'+1 to m, where [definition missing from the page]. The encoding key (associated with the intended receiver) consists of integers a_ij, g_j and positive fractions f_i for i = 1 to n and for j = 1 to m, and positive integers q_j for j = 1 to m'. The ciphertext is deciphered (with a secret key known only to the intended receiver) by solving a knapsack with secret superincreasing weights [b1, b2, ..., bn] and target value $b = \big|\, w^{-1} \, |w'^{-1} y|_Q \,\big|_P$, where y ≡ [Y1, Y2, ..., Ym] mod [q1, q2, ..., qm], and w, w', and [q_{m'+1}, q_{m'+2}, ..., qm] are secret integers. The resulting terms [X'1, X'2, ..., X'n] correspond to the original message terms [X1, X2, ..., Xn].

Description

CRYPTOGRAPHIC METHOD FOR COMMUNICATION AND ELECTRONIC SIGNATURES

BACKGROUND OF THE INVENTION

1. Cross Reference to Related Applications

This application is a continuation-in-part of my earlier filed U.S. Patent application Serial No. 07/[illegible] filed [illegible]/19/[illegible] and now abandoned.

2. Field of the Invention

This invention relates generally to cryptographic communication systems and, more particularly, to public-key cryptosystems in which the use of two keys, a public and private key, facilitates both secret and authentic transmission of data. A public-key cryptosystem can be used for identification, electronic signatures, key-distribution, and secure data communication. Specific applications of a public-key cryptosystem include automated bank tellers exchanging data with [illegible] chip-cards, point of sale, [illegible] banking, telecommunications, electronic mail, and access control.
3. Description of the Prior Art

The two primary cryptographic functions required by modern communications systems are secrecy and authenticity. Secret transmission of data over an insecure channel is a well established cryptographic function. This data may be a message-to-be-transferred or a key-to-be-exchanged. Another cryptographic function is the authentication of electronic messages (or verification of identity by electronic means). Authentication is particularly a concern with electronic communications because of the potential for tampering and forging digital messages. Cryptosystems can be classified into two types: private-key and public-key. Private-key cryptosystems (also referred to as single-key or symmetrical cryptosystems), such as the DES scheme (data encryption standard), use the same key for encryption and decryption. These ciphers can be fast and hard to break but a threat to their security is the distribution of the private key.
Public-key cryptography was introduced by W. Diffie and M. E. Hellman in "New directions in cryptography", IEEE Trans. Inform. Theory, vol. IT-22, 1976, pp. 644-654. Public-key, two-key, or asymmetrical cryptosystems address the problem of distributing a secret key over an insecure channel by using two keys. Each party has their own secret decoding key and a mathematically related public encoding key, which can be publicly distributed without compromising the secrecy of the associated decoding key. Secret communication employs the pair of keys belonging to the receiver and an electronic signature makes use of the pair of keys of the sender. A message M can be enciphered by sender A, with a publicly available encoding key EB generated by party B, that can only be deciphered by receiver B with the matching private key DB. For secret transmission from party A to party B, the ciphertext C is enciphered by party A as C = EB(M) and deciphered by party B as DB(C) = DB(EB(M)) = M. For authenticity, the sender A applies the decoding function to the message with his/her own private key DA and the receiver B unscrambles the message by applying the encoding function with the sender's public key EA. To verify that a message M from party A is authentic, a signature C = DA(M) is generated by party A and the signature is verified by party B as EA(C) = EA(DA(M)) = M.
There are variations on the above basic Diffie and Hellman protocol such as concatenating standard data with the message which is checked by the receiver or signing a hashed (compressed) form of the message. To check identity, the verifier challenges the candidate to sign a random number (which is checked with the public key of the candidate) or to decrypt an enciphered random number. There are some public-key schemes that can only be used for signatures or secret transmission of data (but not both), while other schemes can provide both secrecy and authenticity. The public-key of each user can be placed in a public file, which can be distributed through a trusted key-distribution center to detect tampering with the public keys.
Diffie and Hellman proposed a key distribution scheme (not a two-key cryptosystem) depending on the discrete logarithm problem (see U.S. Pat. No. 4,200,770). The first implementation of the public key concept was the Rivest, Shamir, and Adleman (RSA) algorithm (see U.S. Pat. No. 4,405,829), which depends on the discrete logarithm and factoring problems. Other public-key cryptosystems based on the discrete logarithm and factoring problems include the public key cryptosystem of T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms", IEEE Transactions on Information Theory, vol. 31, 1985, pp. 469-472, and the signature schemes of M. O. Rabin, "Digital signatures and public-key functions as intractable as factorization", internal report of the MIT Laboratory for Computer Science, MIT/LCS/TR-212, 1979; T. Okamoto, "A fast signature scheme based on congruential polynomial operations", IEEE Transactions on Information Theory, vol. IT-36, pp. 47-53, 1990; A. Fiat and A. Shamir (European patent application Ser. No. 0,252,499 and U.S. Pat. No. 4,748,668); L. C. Guillou and J. J. Quisquater, "A practical zero knowledge protocol fitted to security microprocessor minimizing both transmission and memory", Advances in Cryptology EUROCRYPT '88, Berlin: Springer-Verlag, 1988, pp. 123-128; and Schnorr (U.S. Pat. No. 4,995,082 and European patent application Ser. No. 0,384,475).
The problem to be solved with many of the above schemes is the amount of computation for encoding and/or decoding. They all include modular exponentiation in the encoding and decoding function, which has a large time complexity O(k^3) where k is the number of bits in the exponent and modulus. Interactive schemes, such as those of Schnorr, Guillou-Quisquater, and Fiat-Shamir, have considerably less computation than RSA but trade off probability of cheating and storage space for accreditation terms. Precomputation is possible with Okamoto's and Schnorr's schemes, which is an advantage in applications such as chip cards.
An identification scheme based on the permuted-kernels problem and a zero-knowledge protocol was proposed by A. Shamir (see U.S. Pat. 4,932,056), which has a small amount of computation but [illegible] (relative to the Fiat-Shamir scheme) and requires about 10 kbits of interactive communication between the verifier and the candidate.
A public-key cryptosystem based on error-correcting codes was proposed by R. J. McEliece, described in "A public key cryptosystem based on algebraic coding theory", JPL DSN Progress Report 42-44, Jan.-Feb. 1978, pp. 114-116, which has several orders of magnitude less computation than RSA but has a message expansion factor of two (in bits) and a relatively large public-key ([size illegible] bits). Several techniques for implementing McEliece's cryptosystem were described by J. R. Riek and G. McFarland (see U.S. Pat. 5,054,066). However, McEliece's cryptosystem was broken by V. I. Korzhik and A. I. Turkin as described in "Cryptanalysis of McEliece's public-key cryptosystem", Advances in Cryptology EUROCRYPT '91, Berlin: Springer-Verlag, 1991, pp. 68-70.
In 1978, R. C. Merkle and M. E. Hellman proposed a public-key cryptosystem based on the knapsack problem in "Hiding information and signatures in trapdoor knapsacks", IEEE Trans. Inform. Theory, vol. IT-24, 1978, pp. 525-530 (also see U.S. Pat. 4,218,582), that encrypts and decrypts about a hundred times faster than RSA. The knapsack weights are initially selected as a superincreasing series and then disguised by modular multiplication. Henry described a method of decoding the single-iterated Merkle-Hellman knapsack cryptosystem called "double encryption" (see U.S. Pat. No. 4,399,323). However, Shamir broke the single-iterated Merkle-Hellman cryptosystem in 1984. Eventually all of the fast knapsack-type cryptosystems (Merkle and Hellman's scheme and variants proposed subsequently) were broken. The cryptanalysis of knapsack cryptosystems is reviewed by E. F. Brickell and A. M. Odlyzko in "Cryptanalysis: A survey of recent results", Proceedings of the IEEE, vol. 76, May 1988, pp. 578-593.
A fast knapsack-type public-key cryptosystem was proposed by S. C. Lu and L. N. Lee in "A simple and effective public-key cryptosystem", COMSAT Tech. Rev., vol. 9, no. 1, 1979, pp. 15-24, where the Chinese remainder theorem and a residue number system are used to select the initial knapsack weights. Several variants of the Lu-Lee cryptosystem were also proposed: Adiga and P. Shankar, "Modified Lu-Lee cryptosystem", Electronics Letters, vol. 21, Aug. 1985, pp. 794-795 and R. M. Goodman and A. J. McAuley, "New trapdoor knapsack public key cryptosystem", IEE Proceedings, vol. 132, part E, no. 6, 1985, pp. 289-292. However, the Lu-Lee cryptosystem and all of its variants were broken, as reviewed by Brickell and Odlyzko.
The main weakness in the broken knapsack schemes is their reliance on modular multiplication as the disguising technique. Brickell and Odlyzko stated in their 1988 paper that "These unusually good simultaneous diophantine approximations can be used to break all of the knapsack cryptosystems that have been proposed that rely on modular multiplications as a disguising technique" and "The Chor and Rivest knapsack cryptosystem is the only knapsack cryptosystem that has been published that does not use some form of modular multiplication to disguise an easy knapsack". Chor and Rivest's knapsack cryptosystem, described in "A knapsack type public-key cryptosystem based on arithmetic in finite fields", Advances in Cryptology CRYPTO '84, Berlin: Springer-Verlag, 1985, pp. 54-65, is still unbroken but employs modular exponentiation for decryption and has similar speed to RSA.
Compact knapsacks, such as the Lu-Lee cryptosystem, employ fewer knapsack weights and have larger coefficients representing the message, which results in a smaller public-key. However, if the number of knapsack weights is smaller than about four, then linear integer programming techniques can be used to decode the ciphertext without finding the private key (see Brickell and Odlyzko's review paper).
Several knapsack-type cryptosystems have been proposed in the last few years. H. Isselhorst proposed a generalized knapsack cryptosystem, where a matrix is disguised by multiplying each element by the same fractional constant, in "The use of fractions in public-key cryptosystems", Advances in Cryptology EUROCRYPT '89, Berlin: Springer-Verlag, 1990, pp. 47-55. However, Isselhorst's scheme was broken by J. Stern and P. Toffin as described in "Cryptanalysis of a public-key cryptosystem based on approximations by rational numbers", Advances in Cryptology EUROCRYPT '90, Berlin: Springer-Verlag, 1991, pp. 47-5[illegible]. V. Niemi has recently proposed a knapsack cryptosystem related to algebraic coding theory, involving a matrix multiplication as the disguising operation, in "A new trapdoor in knapsacks", Advances in Cryptology EUROCRYPT '90, Berlin: Springer-Verlag, 1990, pp. 47-55, but his scheme has a relatively large public-key of 20 kbits and can not perform signatures. Niemi's cryptosystem was recently broken by Y. M. Chee, A. Joux, and J. Stern as described in "The cryptanalysis of a new public-key cryptosystem based on modular knapsacks", in Advances in Cryptology CRYPTO '91, Berlin: Springer-Verlag, 1991, pp. 204-212.
Recently C.-S. Laih, J.-Y. Lee, L. Harn and Y.-K. Su proposed modifying the Merkle-Hellman scheme by adding a random term to each knapsack weight in "Linearly shift knapsack public-key cryptosystem", IEEE Journal on Selected Areas in Communications, vol. 7, no. 4, May 1989, pp. 534-539, although decryption involves further computation and the public-key is about 40 kbits. L. X. Duan and C. C. Nian proposed a nonlinear form of the Lu-Lee cryptosystem involving modular exponentiation in "Modified Lu-Lee cryptosystems", Electronics Letters, vol. 25, 1989, p. 826, but their scheme was broken by L. D. Xing and L. G. Sheng in "Cryptanalysis of new modified Lu-Lee cryptosystems", Electronics Letters, vol. 26, no. 19, Sept. 1990, pp. 1601-1602.
To summarize the prior art, the previously proposed public key cryptosystems that remain unbroken have problems in at least one of the following respects: the amount of computation for encoding and decoding, public and private key size, message expansion, communication delay, etc.

OBJECT OF THE INVENTION

Accordingly, it is an object of this invention to provide a public-key cryptosystem that can ensure secrecy and authenticity by private transmission of signed messages and signed keys-to-be-distributed, and identity verification.
It is another object to provide a public-key cryptosystem that employs a modest amount of computation and has a compact public key.
It is still another object to provide a public-key cryptosystem that can be implemented with a low-cost general-purpose processor such as a chip card, microprocessor, or digital signal processor.

BRIEF STATEMENT OF THE INVENTION

By one aspect of this invention there is provided a cryptographic communication system comprising:
A. a communications channel;
B. an encoding means coupled to said channel and adapted for transforming a transmitted message signal {x1, x2, ..., xn} to a ciphertext signal {y1, y2, ..., ym} on said channel, where {x1, x2, ..., xn} corresponds to a set of integers representative of a message and x_i ∈ [0, 2^s) for i = 1 to n, where n > 1 and s is some positive integer, and where {y1, y2, ..., ym} corresponds to a set of integers representative of an enciphered form of said message and corresponds to

$y_j = \sum_{i=1}^{n} x_i a_{ij} - \Delta x \, g_j \bmod q_j$ for j = 1 to m',

$y_j = \sum_{i=1}^{n} x_i a_{ij} - \Delta x \, g_j$ for j = m'+1 to m, and

$\Delta x = \lfloor \sum_{i=1}^{n} x_i f_i \rfloor$,

where m > 1, 1 ≤ m' < m, h = 2 is the number of iterations of modular multiplication used to generate the public key and ⌊ ⌋ denotes truncation, and where the encoding key consists of integers a_ij, g_j, and fractions f_i ∈ [0.0, 1.0) for i = 1 to n and j = 1 to m, and q_j for j = 1 to m', where

$a_{ij} = \big|\, w' \, |w b_i|_P \,\big|_{q_j}$, $g_j = w' P \bmod q_j$, $f_i = |w b_i|_P / P$

(in the present notation, |c|_d is equivalent to c mod d and ⌊c⌋ represents truncation or the largest integer less than or equal to c) and where {b1, b2, ..., bn} is a superincreasing series with

$b_i > \sum_{j=1}^{i-1} b_j (2^s - 1)$ and $P > \sum_{j=1}^{n} b_j (2^s - 1)$,

and where {q1, q2, ..., qm} are chosen such that $Q = \prod_{j=1}^{m} q_j > P(1 + 2^{-e})$, where Δx has an approximation error bounded by (−2^{-e}, 0.0] before truncation and the fractions f_i, for i = 1 to n, are truncated at s + log2 n + e bits precision, where e is a positive integer, where P is relatively prime to b_i for i = 1 to n, and where {q1, q2, ..., qm} are pairwise relatively prime, and where P and w are relatively prime, and where Q and P are relatively prime, and where w' and Q are relatively prime; and
C. a decoding means coupled to said channel and adapted for receiving {y1, y2, ..., ym} from said channel and for transforming {y1, y2, ..., ym} to a received message signal {x'1, x'2, ..., x'n}, wherein {x'1, x'2, ..., x'n} corresponds to a set of numbers representative of a deciphered form of {y1, y2, ..., ym} and corresponds to the solution of a knapsack problem

$b = \sum_{i=1}^{n} x'_i b_i$

with superincreasing weights {b1, b2, ..., bn} and target value

$b = \big|\, w^{-1} \, |w'^{-1} y|_Q \,\big|_P$

where y ≡ {y1, y2, ..., ym} mod {q1, q2, ..., qm}, where the knapsack problem is solved sequentially for i = n decrementing to 1 according to the relation $x'_i = \lfloor (b - \sum_{j=i+1}^{n} x'_j b_j) / b_i \rfloor$ to return the deciphered message {x'1, x'2, ..., x'n}; and where the decoding key is the secret integers w, w', {q_{m'+1}, ..., qm}, {b1, b2, ..., bn} and P.
According to another feature of the invention, a digital signature of a message is generated with a decoding device using the private decoding-key of the sender and checked by the receiver with an encoding device using the public encoding-key of the sender. A message-to-be-signed is mapped to {y1, y2, ..., y_{m'}}, where y_j ∈ [0, q_j) for j = 1 to m', and 1 ≤ m' < m. A total of $\prod_{j=1}^{m'} q_j$ messages-to-be-signed can be represented with one block {y1, y2, ..., y_{m'}}.

Messages larger than one block are either broken into multiple blocks that are signed separately or the message is compressed with a hash function before signing. To prevent a chosen ciphertext attack, we ensure that {y_{m'+1}, y_{m'+2}, ..., ym} can not be selected by an attacker. Random or pseudorandom numbers may be assigned to {y_{m'+1}, ..., ym}, where y_j ∈ [0, q_j) for j = m'+1 to m. Alternatively secret or public constants can be assigned to {y_{m'+1}, ..., ym}.
Deciphering {y1, y2, ..., ym} yields the signature {x1, x2, ..., xn}. If the signature terms x_i, for i = 1 to n, are not all in the range [0, 2^s), then signature generation is repeated with some perturbation of {y_{m'+1}, ..., ym} to ensure that information about the secret weights {b1, b2, ..., bn} is not disclosed. The average number of signature generation trials is 1/[symbol illegible].
Signature verification involves encoding the signature to obtain the enciphered signature {y'1, y'2, ..., y'_{m'}} and checking if y'_j ≡ y_j mod q_j for j = 1 to m'. To facilitate signature checking a subset of the moduli {q1, q2, ..., q_{m'}} is made public as part of the encoding key although the rest of the moduli {q_{m'+1}, q_{m'+2}, ..., qm} are kept secret. During encoding for signature checking, only the residues {y'1, y'2, ..., y'_{m'}} corresponding to the public moduli {q1, q2, ..., q_{m'}} are calculated.
The public-key for signatures requires a_ij and g_j for i = 1 to n and j = 1 to m'; in contrast secret messages have a larger public key including a_ij and g_j for i = 1 to n and j = 1 to m. A combined secret message and signature scheme can be constructed with one key set (i.e. one public and private key per party) or separate schemes can be used (i.e. one key pair for secret messages and one for signatures).
Accordillg to another feature of tlle in~ ion the publie-key for si~l~atule.s can be millimize(l by USill~ wei~llts (~sccnc~ Ille~s.lnes are only secure witll ~ 1). ln the exemplary ca~se of )l = 1~ 1)1' = I, 1)1 = ~ ~nl(l /~1 = 1. the si~nat-lre is a ~ 1()- ~5) and tlle puhlic-key con~sists of (/l ~ ln~ - wP mod ql an(l fl = Il/P~ Tlle si~n.lt-lre is verified by ellcodill~ gl mod ql allcl clleckin~ \~l -- Y
nlod ql whele ! l represent~s the mes~s n (~ r colllpressed me~ssage).
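The encoding relation, the two-iteration decoding and the sign-by-decoding loop described above, worked through in a toy Python instance. This is an added example, not the patent's own code; every parameter value (B, P, W, the moduli and W2) is constructed for illustration and is far too small to be secure.

```python
"""Toy instance of the compact-knapsack public-key scheme described above.
Added illustration, not the patent's code; every constant is a constructed
sample. It shows the two iterations of modular multiplication, the truncated
fraction correction term dx, why the decoder tolerates dx being one too small
(Q > P(1 + 2^-e)), and the sign-by-decoding / verify-by-encoding loop."""
from functools import reduce
from math import gcd

N, S, E = 4, 4, 8                 # n message terms of s bits; e extra bits of precision
T = S + 2 + E                     # fractions kept to s + log2(n) + e = 14 bits
M_PUBLIC = 2                      # q_1, q_2 are published (m'), q_3 stays secret

# Secret key: constructed values satisfying the conditions stated in the text.
B = [3, 50, 820, 13200]           # superincreasing for 4-bit digits: b_i > (b_1+..+b_{i-1})*15
P = 220001                        # P > sum(B)*15 = 211095
W = 12345                         # gcd(W, P) == 1
Q_MODULI = [59, 61, 64]           # pairwise coprime; Q = 230336 > P*(1 + 2^-E) = 220860.3
Q = reduce(lambda a, b: a * b, Q_MODULI)
W2 = 123457                       # gcd(W2, Q) == 1


def crt(residues, moduli):
    """Combine residues modulo pairwise coprime moduli (Chinese remainder theorem)."""
    q = reduce(lambda a, b: a * b, moduli)
    return sum(r * (q // m) * pow(q // m, -1, m) for r, m in zip(residues, moduli)) % q


def keygen():
    """Public encoding key derived from the secret values above."""
    assert all(b > sum(B[:i]) * (2**S - 1) for i, b in enumerate(B))
    assert P > sum(B) * (2**S - 1) and Q * 2**E > P * (2**E + 1)
    assert gcd(W, P) == 1 and gcd(W2, Q) == 1
    c = [(W * b) % P for b in B]                       # iteration 1: w*b_i mod P
    return {
        "a": [[(W2 * ci) % qj for qj in Q_MODULI] for ci in c],  # iteration 2, residues mod q_j
        "g": [(W2 * P) % qj for qj in Q_MODULI],        # image of P, used by the dx correction
        "f": [(ci << T) // P for ci in c],              # f_i = c_i/P truncated to T bits
        "q": Q_MODULI[:M_PUBLIC],                       # only the public moduli are revealed
    }


def encode(pub, x):
    """y_j = sum_i x_i*a_ij - dx*g_j, reduced mod q_j only where q_j is public."""
    assert len(x) == N and all(0 <= xi < 2**S for xi in x)
    dx = sum(xi * fi for xi, fi in zip(x, pub["f"])) >> T   # floor(sum x_i f_i): exact or 1 low
    y = [sum(xi * row[j] for xi, row in zip(x, pub["a"])) - dx * pub["g"][j]
         for j in range(len(pub["g"]))]
    return [yj % pub["q"][j] if j < M_PUBLIC else yj for j, yj in enumerate(y)]


def decode(y):
    """Strip both iterations, then solve the superincreasing knapsack greedily.
    Returns None if the target has no representation with s-bit digits
    (sign() uses that to discard unusable candidates)."""
    u = (pow(W2, -1, Q) * crt([yj % qj for yj, qj in zip(y, Q_MODULI)], Q_MODULI)) % Q
    b = (pow(W, -1, P) * (u % P)) % P   # sum x_i b_i; the |.|_P absorbs a dx that was 1 too small
    x = [0] * N
    for i in range(N - 1, -1, -1):
        x[i], b = b // B[i], b % B[i]
        if x[i] >= 2**S:
            return None
    return x if b == 0 else None


def digest(pub, h):
    """Message (or hash) residues mod the public moduli: the y_j the signer must hit."""
    return [h % qj for qj in pub["q"]]


def sign(pub, h):
    """Sign by decoding: the public positions carry the digest, the secret position a
    perturbation; retry until the candidate is in range and re-encodes to the digest."""
    for r in range(Q_MODULI[-1]):
        x = decode(digest(pub, h) + [r])
        if x is not None and verify(pub, h, x):
            return x
    raise RuntimeError("no perturbation worked")   # vanishingly unlikely at this density


def verify(pub, h, x):
    """Encode the signature and compare the public residues with the digest."""
    return encode(pub, x)[:M_PUBLIC] == digest(pub, h)
```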
According to another feature of the invention the public-key can be shortened by standardizing some of the variables in the public-key for all users in a network. The encoding and decoding functions are unchanged but a subset of the public-key is identical for all parties. Partial standardization does not reduce the security considering known cryptanalytic attacks. In an exemplary case, let part of the public-key, a_nj and g_j for j = 1 to m, and {q1, q2, ..., q_{m'}}, be standardized to values from their specified ranges. Part of the private key, {q_{m'+1}, q_{m'+2}, ..., qm}, is secretly selected as usual. Then the rest of the private key, w' and w, is calculated according to the relations $w' \equiv g P^{-1} \bmod Q$ and $w \equiv |w'^{-1} a_n|_Q \, b_n^{-1} \bmod P$, where g ≡ {g1, g2, ..., gm} mod {q1, q2, ..., qm} and a_n ≡ {a_n1, a_n2, ..., a_nm} mod {q1, q2, ..., qm}. The rest of the public weights a_ij, for i = 1 to n−1 and j = 1 to m, and f_i, for i = 1 to n, are then calculated as usual and will vary between users.
According to another feature of the invention, the number of iterations of modular multiplication can be increased as in the broken multiple-iterated Merkle-Hellman cryptosystem. In the present invention an extra nonlinear term is added to the encoder for each subsequent iteration of modular multiplication, which may increase the security.
According to another feature of the invention, decoding can be performed with a similar approach (but different implementation) as the "double-encryption" technique of Henry, which was designed for the broken single-iterated Merkle-Hellman cryptosystem. The concept of "double encryption" is that the individual bits of the ciphertext are treated as the input to an encoder with a special encoding key that is designed to return b mod P. Then a superincreasing series with target value b is solved to return the deciphered message. Henry suggested that multiple iterations of modular multiplication can be performed by sequential application of his technique, which is essentially a modular multiplier. Less computation is necessary with the present form of double-encryption when there are multiple iterations of modular multiplication, because of the use of small nonlinear terms to account for each iteration as in the present encoder.
According to another feature of the invention, {b1, b2, ..., bn} can be selected according to alternate procedures, although this may affect the security and performance in terms of message expansion, block size, decoding delay, and number of signature generation trials. In general, a more random assignment of {b1, b2, ..., bn} increases the security but causes further message expansion and signature generation trials. The Chinese remainder theorem can be used to construct {b1, b2, ..., bn} as in the data-base private-key cryptosystem of G. I. Davida, D. L. Wells, and J. B. Kam, "A database encryption system with subkeys", ACM Trans. Database Systems, vol. 6, no. 2, June 1981, pp. 312-328. Alternatively, the generalized form of the Chinese remainder theorem used in the broken Lu-Lee, Adiga-Shankar, and Goodman-McAuley cryptosystems can be employed. As well, mixed radix conversion can be employed to construct {b1, b2, ..., bn}. Also, a non-superincreasing series can be used as described by M. Willett, "Trapdoor knapsacks without superincreasing structure", Information Processing Letters, vol. 17, July 1983, pp. 7-11.
The following functions of a public-key cryptosystem are established in the prior art and can be carried out with the present public-key cryptosystem. The present invention may be used with any length message, provided that the message is broken into suitable length blocks before encoding. The present public-key cryptosystem can be used to secretly and authentically distribute a session key for a private-key cryptosystem. As well, the present signature scheme can be used in access control systems to verify identity by asking the candidate to sign a random number or decrypt a ciphertext corresponding to a random message. A message-to-be-signed can be first encrypted with the present encoding device (using the public-key of the intended receiver) or using conventional encryption techniques. The present public-key cryptosystem can be used to ensure file integrity by encoding and signing data words to prevent unauthorized [word illegible] and detect tampering. The present invention potentially represents a significant advance in the field of public-key cryptography (depending on the success of cryptanalysis by the research community) because encoding and decoding with the present invention require about one hundred times less computation than for RSA and the public key size is comparable.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows in block diagram form a communications system adapted to secretly transfer enciphered messages with a public-key cryptosystem in one direction between two terminals;
FIG. 2 shows in block diagram form an embodiment of the system of FIG. 1 using the present invention (i.e. the present public-key cryptosystem);
FIG. 3 shows in detailed block diagram form the encoding device in the system of FIG. 2;
FIG. 4 shows in detailed block diagram form the decoding device in the system of FIG. 2;
FIG. 5 shows in block diagram form a communications system adapted to transfer signed messages with a public-key cryptosystem in one direction between two terminals;
FIG. 6 shows in block diagram form an embodiment of the system of FIG. 5 using the present invention;
FIG. 7 shows in block diagram form an embodiment of the system of FIG. 6 adapted to verify the identity of a candidate using the present public-key cryptosystem; and
FIG. 8 shows in block diagram form an embodiment of the system of FIG. 2 adapted to verify the identity of a candidate using the present invention;
FIG. 9 shows in detailed block diagram form an alternate decoding device for the system of FIG. 2.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows in block diagram form the basic elements of secret transmission of data from the sender A to the receiver B with a public-key cryptosystem as proposed by Diffie and Hellman in the prior art. The system includes a communications channel 10 and two terminals coupled to the channel. The message is divided into blocks (the block size depends on the particular encoding function) by blocking subsystem 14. Then the sender A encodes each message block M with encoder 41 and the encoding key of the receiver EB to form the ciphertext C = EB(M). Next, each ciphertext block C is sent to the receiver B on the communications channel 10. The receiver decodes each ciphertext block C with decoder 42 and his/her own decoding key DB to form the deciphered message block M' = DB(C). Finally the deciphered message is formed by unblocking subsystem 44.
The present invention is a public-key cryptosystem that provides a specific implementation of the encoder and decoder of FIG. 1. A complete cryptographic communications system may also include blocking/unblocking systems, communication channels, a computational device for encoding/decoding such as a microprocessor, write-only registers, tamperproof enclosures, electromagnetic radiation shielding, etc. The system of FIG. 1 is suitable for the one-way transfer of secret messages from terminal A to terminal B but the same method can be used for secret transfers from B to A or between any number of parties.
I~ig. 2 shows in block diagr,llll l`ollll ;ln embodiment of tlle sccrct message translllissioll sy.stem of FIG. 1 USillg (~ -lc~cllt invention, whicll defille.s ~lle encodin~
functioll Æ(M) an(l deco(lillg funclioll 1)(( ) l'lle message is transforllle(l ti~ ciphertext Oll a block by block ba.sis and one sucll l-lo(~l~ COllsiStS of terms ~xl~ r2. ..~ "~, where rj ~ l0. 25). for i = l to l1. alld ~l > l . l ;lell lllc~;lge block contiaills )Is bits.
'l'he message M is ilssigned to c~lc~ lc~.lge block ~xl~ .r2, ..., r") ~1ll(1 m~y be concatenate(l witll stan(lar(l informcltioll (sllclmls thlle, date, me.ssage nullll-er~ Ol certain bit pattems) or random bits; these blocking f'nllclions are perfonlled by subsystclll 14. The inclusioll of stan(lard fiel(ls, such as III(`S';;I~!(` nlllllber, time stamp, and stall(l-lr-l values or bit patterns, is a co~nmoll cryptograpl-i( l~r.l(ai(e to guard agilinst talllpelill, iall(l cho~sen cipllertext attacks an(l to detect enco(ling. (lc( ~-(ling, and commullicatioll crlols. As well~
random fiekls can ensure that identic,ll n~e.~ c blocks are enciphere(l diffelelltly each time an(l prevent chosell ciphertext attack.s. 'l'lle collc;ltenatioll of the message d.ltil witll standard hlforlllatioll or randolll bit.s is perfonnc(l ~lcll llult each combined term .~j. fol i = l to 11 is still in the range l~ 25). A block ~ . ..., xn) will be referred to ;us ll message block altllougll it will he ull(lerstoo(l tlnl~ c~ l-lock may contaill st~uldal(l ol r.lll(lom fiekls in part.
For messages represented by numbers outside the range [0, 2^s), a conventional blocking means (subsystem 14) is utilized to break the message into message block words before encoding, where each block is represented by a number from the specified range. Following subsequent decoding, the recovered block words may be transformed back to the original message by an unblocking subsystem.
The presently described encoding device can distinctly encode each of the 2^{ns} possible messages. In alternative but equivalent embodiments, the above ranges may be generalized as x_i ∈ [0, d_i), where d_i is the number of assignable states in the ith term of the message set; the total number of messages is the product of the d_i, and d_i, for i = 1 to n, are arbitrary integers. Accordingly, the range limitations for x_i, for i = 1 to n, expressed hereafter in this application are appropriate for numbers (representing messages) in the specified range, but it will be understood that other range limitations are considered to be equivalent and are intended to be embraced by the claims.
The encoding device 11 transforms the message {x1, x2, ..., xn} to the ciphertext {y1, y2, ..., ym} according to the relations

$y_j = \left( \sum_{i=1}^{n} x_i a_{ij} - A_x g_j \right) \bmod q_j$, for j = 1 to m',

$y_j = \sum_{i=1}^{n} x_i a_{ij} - A_x g_j$, for j = m' + 1 to m, and

$A_x = \left\lfloor \sum_{i=1}^{n} x_i f_i \right\rfloor$,

where 1 ≤ m' < m, n > 1 and n, m, m' are positive integers.
In a public-key cryptosystem, the encoding key is publicly revealed but only {q1, q2, ..., qm'} are part of the public encoding key and can be used to reduce {y1, y2, ..., ym'} during encoding. A subset {y1, y2, ..., ym'} of the ciphertext residues {y1, y2, ..., ym} are reduced mod {q1, q2, ..., qm'} during encoding whereas {ym'+1, ym'+2, ..., ym} are reduced mod {qm'+1, qm'+2, ..., qm} during decoding because {qm'+1, qm'+2, ..., qm} are part of the secret decoding key.
The encoding key E_B consists of integers a_ij, g_j and fractions f_i ∈ [0.0, 1.0) for i = 1 to n and j = 1 to m and positive integers {q1, q2, ..., qm'}, where (writing |v|_q for v mod q)

$a_{ij} = \left| w' \left( w b_i \bmod P \right) \right|_{q_j}$, $g_j = \left| w' P \right|_{q_j}$ and $f_i = \frac{w b_i \bmod P}{P}$,

with the fractions f_i truncated as described below.
The present encoder has the effect of combining the message terms {x1, x2, ..., xn} according to $b' = \sum_{i=1}^{n} x_i b_i \bmod P$ and performing several modular multiplications, by w mod P and by w' mod Q, before expressing the ciphertext in the Q residue number system (the public encoding function is a disguised version of these operations as defined above for encoding subsystem 11). The initial weights {b1, b2, ..., bn} can be selected as a superincreasing series, each b_i being at least 2^s times the sum of the preceding weights, where b_i and P are relatively prime for i = 1 to n. With presently known attacks we can set b_i = 2^{(i-1)s} for i = 1 to n. Alternatively, the size of each message term can be varied with x_i ∈ [0, 2^{s_i}) and b_i a corresponding power of two.
The security is potentially increased if {b1, b2, ..., bn} are randomly chosen from a sufficiently large range so that they cannot be guessed by exhaustive search in a reasonable amount of time, although this precaution is not essential with presently known attacks. The message expansion and consequent number of signature generation trials P/2^{ns} is directly related to the size of the selection range. A compromise between security and message expansion is to select b_i randomly from [v_i, (1.0 + u)v_i), where $v_i = 2^s \sum_{j=1}^{i-1} b_j$ and u > 0.0. The number of possibilities for b_i is u v_i, which increases with s for a constant u.
The difference P − b_{n+1}, where b_{n+1} is the maximum value of b', has to be large to prevent Shamir's attack on a dense knapsack, which is described in "On the cryptocomplexity of knapsack systems", Proceedings of the 11th ACM Symposium on the Theory of Computing, 1979, pp. 118-129. This is achieved by randomly selecting P from [(1.0 + u/2)b_{n+1}, (1.0 + u)b_{n+1}). Then P is at most about 2^{ns + nu} if b_1 = 1 and u < 1.0 (assuming that (1.0 + u) ≈ 2^u if u ≪ 1.0), but the average number of signature generation trials is P/2^{ns} < 2^{nu}, which is less than two if u < 1.0/n.
A few bits of message expansion are not significant for secret key-distribution, so an exemplary parameter is u = 0.5. The average number of signature generation trials P/2^{ns} < 2^{nu} is only affected by the redundancy in the ring of integers mod P, which is determined by u. Then a smaller u is preferable for signatures, such as u < 1.0/n. The security against exhaustive search for b_i, for i = 1 to n, can be maintained by increasing s so that the number of possibilities u v_i for each b_i remains large.
The ciphertext is represented as a number {y1, y2, ..., ym} in a residue number system with relatively prime moduli {q1, q2, ..., qm} and $Q = \prod_{j=1}^{m} q_j$.
Moduli {q1, q2, ..., qm'} are public and may be selected to simplify modular reduction, such as 2^{t_j} − z_j where t_j and z_j are positive integers and z_j is minimized. Although a power of two 2^{t_j} is conjectured to be sufficiently secure for one of {q1, q2, ..., qm'}, other choices may be made to increase the security, such as random values from the range [2^{t_j}, 2^{t_j} + z_j), where t_j and z_j are positive integers, or nonrandom values with certain bit patterns.
The secret moduli {qm'+1, qm'+2, ..., qm} may be selected randomly from a sufficiently large interval [2^{t_j}, 2^{t_j} + z_j). The attacker knows that q_j > a_ij, for i = 1 to n, unless the published a_ij are not fully reduced mod q_j, which increases the message expansion and public-key size. To prevent the case where a_ij is close to 2^{t_j} + z_j, which reveals that q_j is also close to 2^{t_j} + z_j, key generation may be repeated (changing b_i, q_j, or other parts of the private key) if a_ij mod q_j ≥ 2^{t_j}; the published a_ij is then fully reduced modulo q_j and is in the range [0, 2^{t_j}). Selecting z_j > 2^{t_j} does not significantly increase the security. Decreasing z_j minimizes the average number of key-generation attempts.
Exemplary values of z_j are z_j = 2^{t_j} or smaller (in practice, the security is not significantly diminished). Alternatively, the probability of a_ij being close to a known upper limit of q_j is minimized with a key selection procedure given below.
The secret modular multiplication constant w is relatively prime to P and w is chosen randomly from the interval [0, P) (before testing for relative primality with P). Similarly, w' is chosen randomly from [0, Q) such that w' and Q are relatively prime.
The moduli {q1, q2, ..., qm} are all pairwise relatively prime and satisfy Q > P(1 + 2^{-e}), where the approximation error in the estimate of A_x is bounded by (−2^{-e}, 0.0] before truncation. The fractions f_i, for i = 1 to n, are each truncated at s + log n + e bits, where x_i ∈ [0, 2^s) and e > 0 (all logarithms will be base two).
Encoding satisfies $\sum_{i=1}^{n} x_i a_i - A_x P \in [0, (1 + 2^{-e})P) \subset [0, Q)$, where a_i = w b_i mod P, because of the error bound (−2^{-e}, 0.0] on A_x before truncation. In general, if $\sum_{i=1}^{n} x_i a_i - A_x P \in [c, c + Q)$, where c is some integer, then the reduced value modulo Q during decoding has to be shifted by a multiple of Q to fall in the range [c, c + Q) to return the message.


With c = 0 (as is the case with the above estimation of A_x), complete reduction modulo Q during decoding will correctly return the message. A large value of e weakens the security and a small value of e increases the message expansion (but not the number of signature generation trials). Exemplary values of e are 1 to 3. Alternatively, the fractions f_i, for i = 1 to n, may be rounded (instead of truncated) to s + log n + e bits precision, but then the approximation error in the estimate of A_x is bounded by [−2^{-e-1}, 2^{-e-1}) and 2^{-e-1} has to be subtracted from A_x before truncation. An exemplary key-selection procedure is described next. First the private key is randomly selected from the given ranges without regard for relative primality and then certain variables are decremented until the required relative primality conditions are satisfied.
1. Let b_1 = 1 and randomly select b_i ∈ [v_i, (1.0 + u)v_i), for i = 2 to n.
2. Randomly select P ∈ [(1.0 + u/2)v_{n+1}, (1.0 + u)v_{n+1}].
3. Randomly select Q ∈ (P(1 + 2^{-e}), P(1 + 2^{-e})(1.0 + u)).
4. Let q_1 = 2^{t_1} and q_2 = ⌈Q/q_1⌉ with m' = 1 and m = 2.
5. Decrement (or increment) q_2 until q_1 and q_2 are relatively prime (checking that the selection ranges are not exceeded).
6. Decrement P until P and Q = q_1 q_2 are relatively prime.
7. Decrement b_i, for i = 2 to n, until b_i and P are relatively prime.
8. Randomly select w ∈ [0, P).
9. Decrement w until w and P are relatively prime, or divide w by the greatest common divisor of w and P. Alternately, w and w' can be calculated to ensure that the public-key is partially standardized as described below.
10. Repeat steps 8 and 9 to find a w' ∈ [0, Q) that is relatively prime to Q.
11. Calculate the public-key (or the non-standardized parts of the public-key) from the private-key, which is now fully selected.
An exemplary form of the encoding subsystem 11 is shown in FIG. 3. The encoder consists of a parallel array of multipliers 24, which are accumulated by column with a tree of adders for each column. Alternatively, the encoding subsystem 11 can be implemented sequentially with a single microprocessor with an encoding delay that is less than a second, but FIG. 3 shows a parallel implementation to show how to min imize the encoding delay by parallelization and to illustrate the structure of the encoding algorithm. In FIG. 3, there is one row for each message term x_i, for i = 1 to n, and one column for each ciphertext residue y_j, for j = 1 to m. The multiplier 24 at the ith row and jth column computes x_i a_ij; this product is accumulated with an adder 25 for the jth ciphertext residue. The public ciphertext modulus in this example is q_1 = 2^{t_1}; the modular reduction of y_1 mod q_1 is accomplished in FIG. 3 by discarding the overflow bits beyond 2^{t_1} with the adders 27 in column one. FIG. 3 shows the case of n = 2 and m = 2; n and m may be increased by adding further rows and columns, respectively. There has to be one or more modulo reduced columns (i.e. m' ≥ 1) and one or more unreduced columns (i.e. m > m'). Also, there is one extra column (independent of n and m) to calculate A_x, where the parallel multiplier 24 at the ith row in the rightmost column calculates x_i f_i, which is accumulated with adders 25. Then subsystem 26 truncates the sum and A_x is the integer part of the sum. As well, at the bottom of FIG. 3, one extra row calculates −A_x g_j, for j = 1 to m, which is accumulated for y_j.
The products x_i f_i, for i = 1 to n, must be precise to e + log n fractional bits to ensure that A_x is precise to e fractional bits before truncation (i.e. the approximation error of A_x is bounded by (−2^{-e}, 0.0] before truncation). The fractions f_i, for i = 1 to n, are precise to s + log n + e fractional bits and the message terms x_i are s-bit integers. A conventional multiplication of x_i f_i is precise to s + log n + e fractional bits, but computation can be saved by computing the partial products to e + log n + log N fractional bits, where there are N partial products to be accumulated to form the product. The number of partial products N depends on the design of the parallel multiplier or the word size of the processor and the multiplication algorithm (for a detailed description of multipliers, see K. Hwang, "Computer Arithmetic", New York: John Wiley, 1979).
FIG. 3 is a parallel architecture which minimizes the encoding delay. A one-dimensional or linear tree of adders is shown in FIG. 3, but a faster binary or Wallace tree of adders can be used. This architecture can be pipelined to increase the clock rate, and hence throughput, by including one clocked latch in each accumulation tree after each row and delaying the input message term in the ith row with i latches. As well, the multipliers can be pipelined and fast adders can be used, such as carry-save or carry lookahead adders. The multiplier inputs are several hundred bits long, so smaller multipliers may be combined to form each multiplier subsystem 24.
The amount of computation in encoding subsystem 11 is small enough that a programmed digital computer, microprocessor, chip card or digital signal processor can encode fast enough for many applications. Although the encoding operation is well suited to a general purpose processor, a custom integrated circuit may be used, with the advantage of including special write-only registers for secret keys that are erased if tampering is detected and other security or communication functions. In alternative embodiments, other multiplication and accumulation procedures may readily be utilized in keeping with the present invention.
Once the ciphertext {y1, y2, ..., ym} is encoded in FIG. 2 it is sent by the communication channel 10 to the receiver. The deciphered message {x'1, x'2, ..., x'n} is found by the decoding device 12 by calculating $b' = \left( (y\, w'^{-1} \bmod Q)\, w^{-1} \right) \bmod P$, where y = {y1, y2, ..., ym} mod {q1, q2, ..., qm}. Then a knapsack is solved with the secret weights {b1, b2, ..., bn} and $b' = \sum_{i=1}^{n} x'_i b_i$.
With superincreasing initial weights {b1, b2, ..., bn}, the deciphered message is found sequentially from x'_n to x'_1, where b_n is the largest superincreasing weight. First, x'_n = ⌊b'/b_n⌋ is found (⌊·⌋ denotes truncation). The deciphered message term corresponding to the second largest weight is found as x'_{n−1} = ⌊(b' − x'_n b_n)/b_{n−1}⌋ and in general

$x'_i = \left\lfloor \frac{b' - \sum_{j=i+1}^{n} x'_j b_j}{b_i} \right\rfloor$, for i = n decrementing to 1.

The deciphered message {x'1, x'2, ..., x'n} is equal to the original message {x1, x2, ..., xn}. The weighted value y of the residues {y1, y2, ..., ym} can be reconstructed with the Chinese remainder theorem according to:

$y = \left| \sum_{j=1}^{m} y_j Q_j \left| Q_j^{-1} \right|_{q_j} \right|_{Q}$

where Q_j = Q/q_j, or by mixed-radix conversion (conversion of a residue number to a weighted value is reviewed in "Residue number system arithmetic: modern applications in digital signal processing", IEEE Press, 1986).
There is less computation during decoding if the w' modular multiplication is unwound in the Q residue number system according to y'_j = y_j w'^{-1} mod q_j, for j = 1 to m, rather than unwinding the weighted value as y' = y w'^{-1} mod Q. The decoding key is completely specified by the secret integers {b1, b2, ..., bn}, w, w', Q, and P, but a practical implementation of a decoder may also employ w^{-1}, w'^{-1}, {q1, q2, ..., qm}, and other constants related to the Chinese remainder theorem or mixed-radix conversion.
An exemplary form of the decoding device is shown in FIG. 4 with n = m = 2. First the w' modular multiplication is unwound, y'_j = y_j w'^{-1} mod q_j, for j = 1 to m, with residue modular multipliers 28. Then mixed-radix conversion is applied to the resulting residues {y'1, y'2} to find y' = y w'^{-1} mod Q according to the relation

$y' = y'_1 + q_1 \left| (y'_2 - y'_1)\, q_1^{-1} \right|_{q_2}$.

In FIG. 4, mixed-radix conversion is implemented with an additive inverse 30 that calculates −y'_1, a modular adder 25 that forms y'_2 − y'_1, a modular multiplier 28 that multiplies by q_1^{-1} modulo q_2, and a multiplier that multiplies by q_1. Then b' = y' w^{-1} mod P is calculated by modular multiplier block 29. Next, a superincreasing series $b' = \sum_{i=1}^{n} x_i b_i$ is solved by a subsystem according to the relation

$x'_i = \left\lfloor \frac{b' - \sum_{j=i+1}^{n} x'_j b_j}{b_i} \right\rfloor$, for i = n decrementing to 1,

to return the deciphered message terms {x'1, x'2, ..., x'n}, with x'_2 = ⌊b'/b_2⌋ and x'_1 = ⌊(b' − x'_2 b_2)/b_1⌋; in the exemplary case of FIG. 4, b_1 = 1 so x'_1 = b' − x'_2 b_2. If the weights {a1, a2, ..., an} were permuted during key generation, then the deciphered message is similarly permuted.
Many modular multiplication techniques, as well as modular addition and subtraction techniques, are established in the prior art. For example, see E. F. Brickell, "A survey of hardware implementations of RSA", in Advances in Cryptology, CRYPTO '89, Berlin: Springer Verlag, 1989, pp. 368-370, and M. A. Soderstrand, W. K. Jenkins, G. A. Jullien and F. J. Taylor (editors), "Residue number system arithmetic: modern applications in digital signal processing", Reprint Series, New York: IEEE PRESS, 1986. If one input of a modular multiplier is a constant (such as modular multipliers 28 and 29), then some precomputation is possible, as employed by Henry (see U.S. Pat. No. 4,399,323) for the now-broken Merkle-Hellman cryptosystem. This approach is described next for an arbitrary modular multiplication by a constant. To compute ah mod c, where h and c are any fixed constants and $a = \sum_{i=0}^{N/k} a_i 2^{ik}$ with a_i ∈ [0, 2^k) and k is some positive integer, first b_i = h 2^{ik} mod c, for i = 0 to N/k, is precomputed and then $\sum_{i=0}^{N/k} a_i b_i$ is calculated for each a value. The resulting sum is congruent to ah mod c, although a final reduction modulo c of k + log2(N/k) bits is necessary. The amount of computation for modular multiplication is minimized with k = 1, but the precomputed values require N^2/k bits of memory. Alternately, precomputed lookup tables can be employed, where the ith table outputs a_i 2^{ik} h mod c for an input of a_i ∈ [0, 2^k) and the table outputs are accumulated, although this increases the memory to 2^k N^2/k.
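The precomputation technique just described, written out as an added Python example (not code from this patent or from Henry's): the chunk weights h 2^{ik} mod c are computed once per constant, each product a·h mod c then costs N/k small multiplications, one sum and one final reduction, and the lookup-table variant is shown beside it. Function names and the sample constants are this example's own.

```python
"""Modular multiplication by a fixed constant h modulo c with precomputation
(added example; function names and the sample constants are this example's own).
The operand a is split into k-bit chunks, a = sum a_i 2^(ik), so that
a*h = sum a_i * (h 2^(ik)) and only the chunk weights h 2^(ik) mod c need to
be precomputed.  The accumulated sum is congruent to a*h mod c but can be
k + log2(N/k) bits longer than c, so one final reduction remains."""

from math import ceil, log2


def chunk_count(n_bits, k):
    """Number of k-bit chunks covering an N-bit operand (N/k, rounded up)."""
    return -(-n_bits // k)


def precompute_weights(h, c, n_bits, k):
    """b_i = h * 2^(ik) mod c for i = 0 .. N/k - 1; about N^2/k bits of memory."""
    return [(h << (i * k)) % c for i in range(chunk_count(n_bits, k))]


def mul_mod_const(a, weights, k):
    """Return sum a_i * b_i, congruent to a*h modulo c but not yet reduced."""
    mask = (1 << k) - 1
    acc = 0
    for b_i in weights:
        acc += (a & mask) * b_i   # a_i in [0, 2^k) times its precomputed weight
        a >>= k
    return acc


def headroom_bits(n_bits, k):
    """Bits the unreduced sum may exceed c by: k + log2(N/k), rounded up."""
    return k + ceil(log2(chunk_count(n_bits, k)))


def precompute_tables(h, c, n_bits, k):
    """Lookup-table variant: table i maps a_i in [0, 2^k) to a_i 2^(ik) h mod c.
    Memory grows to about 2^k N^2/k bits, but no multiplications remain."""
    return [[((d << (i * k)) * h) % c for d in range(1 << k)]
            for i in range(chunk_count(n_bits, k))]


def mul_mod_table(a, tables, c, k):
    """Accumulate one table output per chunk, then reduce modulo c once."""
    mask = (1 << k) - 1
    acc = 0
    for table in tables:
        acc += table[a & mask]
        a >>= k
    return acc % c


if __name__ == "__main__":
    # Sample constants chosen for this example: a 31-bit prime modulus and a
    # fixed multiplier, with 32-bit operands split into 4-bit chunks.
    C = (1 << 31) - 1
    H = 0x9E3779B1 % C
    weights = precompute_weights(H, C, 32, 4)
    for a in (0, 1, 0x12345678, (1 << 32) - 1):
        assert mul_mod_const(a, weights, 4) % C == (a * H) % C
    print("all products match a*h mod c")
```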
In an alternate embodiment of the encoder of FIG. 3, the above modular multiplication technique can be used to compute x_i a_ij mod q_j, for i = 1 to n and j = 1 to m'. Then the multiplier in the ith row and jth column of FIG. 3 is replaced by a module that calculates $\sum_{k} x_{ik} a_{ijk}$, where $x_i = \sum_{k} x_{ik} 2^{k k'}$ with x_ik ∈ [0, 2^{k'}) and $a_{ijk} = a_{ij} 2^{k k'} \bmod q_j$, for k = 0 to s/k'. The amount of computation is reduced if the final reduction modulo q_j is delayed until after the column accumulation.
With these encoding and decoding devices, a message sent from the encoding device to the decoding device is transformed from {x1, x2, ..., xn} to {y1, y2, ..., ym} by the encoding device, and then back from {y1, y2, ..., ym} to {x'1, x'2, ..., x'n} by the decoding device, where {x'1, x'2, ..., x'n} = {x1, x2, ..., xn}.
FIG. 5 shows in block diagram form the basic elements of sending signed messages with a public-key cryptosystem as proposed by Diffie and Hellman. This system includes a communications channel 10 and two terminals coupled to the channel. The sender A may first compress the message into a hash value M with hashing subsystem 45A, where the maximum hash value equals the input block size of the decoder. Then M is signed by applying M as the input to a decoder 42 with the decoding key of the sender D_A to form the signature C = D_A(M). The signature is sent to the receiver along a communication channel 10. The receiver B encodes the signature C with an encoder 41 and the sender's encoding key E_A to form the check value M' = E_A(C). The sender also sends the message (or enciphered message) to the receiver along a communication channel 10, and the receiver forms a hash value M of the message (or deciphered message) with an identical hashing subsystem 45B. Then the checking subsystem 46 signals that the message is authentic if M = M'. The sender A has to identify herself to the receiver B through the channel 10 to tell the receiver to use the public encoding-key E_A for signature verification; an identification string may be prepended or appended to the signature.
In an alternate configuration, each block of the message can be signed independently; then the message can be recovered from the signature (and does not have to be sent independently), but the receiver has to check that the message is meaningful or contains certain standard information. The system of FIG. 5 is suitable for the one-way transfer of signed messages from terminal A to terminal B, but the same method can be used for signed message transfers from B to A or between any number of terminals. FIG. 6 shows in block diagram form a cryptographic communication system for sending signed messages between two terminals in one direction in accordance with the present invention. In FIG. 6, a message to be signed is first compressed in a hashing subsystem 19A if it exceeds the block size (as defined below) of the blocking subsystem 20A, although the message may, in alternative embodiments, be broken into blocks that are signed separately. Then the hash value M is assigned to terms {y1, y2, ..., ym'} in blocking subsystem 20A, where y_j ∈ [0, q_j), for j = 1 to m', and 1 ≤ m' < m. The maximum block size of blocking subsystem 20A is the product of the public ciphertext moduli {q1, q2, ..., qm'}. An exemplary configuration is to assign t_j bits of the hash value M to y_j, for j = 1 to m', where q_j = 2^{t_j}, and then the block size of subsystem 20A corresponding to the hash function is the sum of the t_j bits. Secret bits from a random (or pseudorandom) source 18 are assigned to terms {ym'+1, ym'+2, ..., ym} by blocking subsystem 21, where y_j ∈ [0, q_j), for j = m' + 1 to m. For example, if q_j ≥ 2^s, for j = m' + 1 to m, then s random bits can be assigned to y_j, for j = m' + 1 to m, and the block size of subsystem 21 corresponding to the random number R is s(m − m') bits. Then the sender decodes {y1, y2, ..., ym} with a decoder 31 and the decoding key of the sender D_A, yielding the signature {x1, x2, ..., xn}. In alternative embodiments, the values of {ym'+1, ym'+2, ..., ym} do not have to be random, and if they are constant for all signatures then they do not have to be secret. Secret and random values of {ym'+1, ym'+2, ..., ym} may provide extra security against presently unknown attacks. Party A has to ensure that other parties, such as a forger, can not select a series of values to perform a chosen-ciphertext attack or know the values if they are changed.
During decoding with device 31 in FIG. 6, the signature is tested to see if x_i < 2^s, for i = 1 to n. If this test is failed, then signature generation is repeated with new randomly-assigned residues {ym'+1, ym'+2, ..., ym}. Alternatively, the failed randomly assigned residues can be modified by any function, such as adding one to y_m mod q_m. This test is designed to thwart an attack wherein signatures {x1, x2, ..., xn} are collected to reduce the search space for the secret initial weights {b1, b2, ..., bn} (the attacker employs the information that the collected x_i bound the b_i, for i = 2 to n), but this test may not be essential because many signatures are needed for this attack to be successful, depending in part on the number of choices for the initial weights, which increases with u and s (there are u v_i choices for b_i, as defined above). If u is increased, then P increases relative to 2^{ns} and the average number of signature generation trials P/2^{ns} grows. The value of s can be increased to strengthen the security against exhaustive search for {b1, b2, ..., bn} while retaining a small number of trials for signature generation. Once a signature is created by the sender in FIG. 6, the signature is sent to the receiver along a communication channel 10. The receiver encodes the signature {x1, x2, ..., xn} with encoder 16 and the sender's public encoding key E_A. Encoding to check a signature with subsystem 16, which involves transforming {x1, x2, ..., xn} to {y1, y2, ..., ym'}, uses less computation than encoding a message block {x1, x2, ..., xn} to a ciphertext block {y1, y2, ..., ym} (subsystem 11 in FIG. 2) because m' < m. If only signatures are required, the size of the public encoding-key E_A is smaller because the residues of the knapsack weights a_i, for i = 1 to n, and g do not have to be published with respect to {qm'+1, qm'+2, ..., qm}.
The message is also sent to the receiver along the communication channel. This message may be sent in plaintext or be enciphered with a conventional code or a public-key cryptosystem such as the present invention, depending on the application. The message or deciphered message is then hashed 19B (an identical hash function is employed in 19A) and blocked 20B into the terms {y'1, y'2, ..., y'm'}. The signature checking subsystem 17 checks whether there is some d, congruent modulo q to a value in the range [−⌈Q/P⌉, ⌈Q/P⌉], such that y' = y + dg mod q, where y = {y1, y2, ..., ym'} mod {q1, q2, ..., qm'} is the encoding of the signature, y' = {y'1, y'2, ..., y'm'}, g = {g1, g2, ..., gm'} mod {q1, q2, ..., qm'} and q = {q1, q2, ..., qm'}. The value of d can be found by calculating (y' − y) mod q. Alternatively, the verifier can check all values of d in the range [−⌈Q/P⌉, ⌈Q/P⌉ + 1]. If Q < 2P then testing if y'_j = y_j ± g_j mod q_j, for j = 1 to m', is sufficient to verify the signature. The result of the checking subsystem 17 is a true/false authenticity determination that indicates whether the message was truly sent by party A as claimed by the sender. Signatures do not require Q > P as is necessary for enciphering messages. However, selecting Q < P will cause further redundancy in the signature. Selecting Q > P will result in an abbreviated signature, although there are the following security restrictions. The range of d increases with abbreviation, which reduces the effective length of the signature, so we recommend that t exceed log2⌈Q/P⌉ by a security margin a of about 100 to prevent birthday attacks, where t = log2 q. Also, abbreviation reduces P, which must remain large enough relative to n to resist Stern and Toffin's attack. A deviation by dg, where |d| ≥ 1, occurs between y and y' because information is lost during signature generation when y w'^{-1} mod Q is reduced modulo P with P < Q. A deviation of ±g in checking subsystem 17 may occur even with Q < P because the estimation of A_x during encoding has an error bounded by (−2^{-e}, 0.0]. The ±g correction does not significantly affect the delay for signature checking or the security.
For signatures of a message by multiple parties, described below, the ±g correction will significantly increase the verification delay unless the required corrections are determined by each signing party and appended to the signature. Several techniques for eliminating the ±g correction are described next, although its elimination is not essential.
The ±g correction can be avoided by calculating b' according to the relation $b' = w^{-1} \left( (y\, w'^{-1} \bmod q) + c q \right) \bmod P$, where y = {y1, y2, ..., ym'} mod {q1, q2, ..., qm'}, $q = \prod_{j=1}^{m'} q_j$ and c is a secret integer randomly selected from [P 2^{-e}/q, P/q), if $A_x = \left\lfloor \sum_{i=1}^{n} x_i f_i \right\rfloor$ and A_x is accurate to (−2^{-e}, 0.0] before truncation. Signature generation with c and {y1, y2, ..., ym'} involves less computation than recombining {y1, y2, ..., ym}. Alternately, if the fractions f_i, for i = 1 to n, are rounded (instead of truncated), then c is equivalently selected from [P 2^{-e-1}/q, P(1 − 2^{-e-1})/q) with $A_x = \left\lfloor -2^{-e-1} + \sum_{i=1}^{n} x_i f_i \right\rfloor$. In a further embodiment, the sender can perform repeated signature generation trials with decoder 31 to eliminate the need for the ±g correction (by encoding the signature and repeating signature generation with new randomly assigned residues {ym'+1, ym'+2, ..., ym} if a ±g correction is necessary).
If the key-set is designed specifically for signatures (and will not be used for enciphering messages), then the deviation by ±g can be avoided by selecting P > Q(1 + 2^{-e}) and always rounding the fractions f_i, for i = 1 to n, up at s + log n + e fractional bits with $A_x = \left\lfloor \sum_{i=1}^{n} x_i f_i \right\rfloor$. The truncated fraction of A_x is then bounded by [0.0, Q(1 + 2^{-e})/P) ⊂ [0.0, 1.0) during encoding for signature checking, because the truncated fraction of A_x is an estimate of (b'w mod P)/P and b'w mod P ∈ [0.0, Q) is ensured during signature generation. Then $\sum_{i=1}^{n} x_i a_i - A_x P \in [0.0, Q(1 + 2^{-e})) \subset [0.0, P)$, which shows that A_x and the (disguised) reduction mod P are exact during encoding for signature checking and will match the complete reduction mod Q that occurs during decoding for signature generation. Alternatively, if the fractions are rounded at s + log n + e fractional bits, then A_x is calculated according to $A_x = \left\lfloor 2^{-e-1} + \sum_{i=1}^{n} x_i f_i \right\rfloor$. If k different parties sign the same message of size t bits with their own decoding key, then the total size of all the signatures is kl, where l = ns. This multiple-party signature can be compacted as described next.

The first party signs the message of t bits to produce l bits. The second party signs t bits from the signature of the first party, where t = log2 q and $q = \prod_{j=1}^{m'} q_j$ (all parties can have the same value of q). The l − t bits from the first party that are not signed by the second party are appended to the signature of the second party. The third party then signs any t bits from either the signature of the second party or the l − t bits appended from the signature of the first party. This process can be extended to k parties and the multiple-party signature size is k(l − t) + t.
A larger block size may be needed for signatures than for secret messages to compensate for attacks based on the redundancy in the signature. There are t − log2⌈Q/P⌉ bits representing the message (or hash function of the message) and ns − t + log2⌈Q/P⌉ bits of redundancy in the signature of ns bits, where t = log2 q and $q = \prod_{j=1}^{m'} q_j$. Abbreviation does not reduce the redundancy in the signature because ns − t + log2⌈Q/P⌉ remains the same. The nonlinear term A_x g has about s bits, and for secure signatures we recommend s > a + ns − t + log2⌈Q/P⌉, where a is a security margin of about 100, to prevent an attacker from transforming the nonlinear encoding problem to a less secure linear knapsack.
FIG. 7 shows in block diagram form a cryptographic identification system in accordance with the present invention which can be used for access control. In FIG. 7, party B checks the identity of party A by challenging A to sign a random (or pseudorandom) value R* according to the signing procedure of FIG. 6. Only the true A will know the private key of A and be able to correctly sign the random number. A random value R* is generated by terminal B with a random number generator 18B and sent to terminal A. The random value R* then replaces the hash value M of the message in the signing procedure of FIG. 6. The signature {x1, x2, ..., xn} can be checked by B or any third party by encoding with an encoder 16 and the public-key E_A of party A. Checking subsystem 17 compares the encoded signature {y1, y2, ..., ym'} with {y'1, y'2, ..., y'm'}, where the random value R* is blocked by subsystem 20B into {y'1, y'2, ..., y'm'}. The identity verification signal is a true/false indicator that tells party B whether the candidate is truly A as claimed by his identification string.
FIG. 8 shows in block diagram form an alternative embodiment of a cryptographic identification system in accordance with the present invention. In FIG. 8, the verifier A encodes 11 a random (or pseudorandom) number {x1, x2, ..., xn} generated by random source 18 and challenges the candidate B to decode 12 the resulting ciphertext {y1, y2, ..., ym}. Only the true B will know the private decoding key of party B and be able to decrypt the challenge. Candidate B can only partially reveal each deciphered message residue, to prevent a chosen ciphertext attack on the secret initial weights {b1, b2, ..., bn} of party B. In the exemplary case illustrated in FIG. 8, the candidate B calculates {x''1, x''2, ..., x''n} with subsystem 23 according to the relation x''_i = x'_i mod 2^{s'}, for i = 1 to n, where the decrypted ciphertext is {x'1, x'2, ..., x'n}, s' < s and a is a security margin of about 100. The checking subsystem 22 of party A compares x''_i with x_i mod 2^{s'}, for i = 1 to n. In alternative embodiments of FIG. 8, the candidate may respond with x''_1 = x'_1 mod 2^{s_1} and the verifier checks if x''_1 = x_1 mod 2^{s_1}, where s_1 > a and n > 1. Then computation may be saved by finding only x'_1 during decoding. In other alternative embodiments of FIG. 8, {b1, b2, ..., bn} may be chosen as powers of two for ease of implementation; selecting {b1, b2, ..., bn} with secret random numbers may increase the security but is not essential considering presently known attacks. Then the candidate responds with x''_i = x'_i mod 2^{s_i}, for i = 1 to n, where s_i < s, to prevent a chosen-ciphertext attack on P. In all embodiments of FIG. 8, the candidate refuses to respond if x'_i ≥ 2^s, for any i ∈ [1, n], because this can not occur with a legitimate challenge and may be caused by a chosen-ciphertext attack.
Signature generation with the present invention is illustrated next with a small example where n = 2, k = 10, and s = 5. First, the private decoding and public encoding keys are generated for party A:

Let {b_1, b_2} = {1, 32}.
Let P = 1221, W = 845, W^-1 mod P = 302.
Let q = 256, W' = 73, W'^-1 mod q = 249.
Public key for signatures: h_i = (b_i W mod P) W' mod q, for i = 1 to n, {h_1, h_2} = {245, 194};
f_i = (b_i W mod P)/P, {f_1, f_2} = {0.69, 0.15}; g = P W' mod q = 45; q = 256.

Next a signature is created for a message represented by 217 (or a hash value of 217) with the private decoding key of the sender A, h = 217 mod 256:
Let c = 4; c is randomly chosen from [0, P/q) = [0, 5), where e' = k - s - log2 n because the fractions f_i are accurate to e' bits.
x' = [(249·217 mod 256) + 4·256] W^-1 mod P = 1041·302 mod 1221 = 585.
Solving a superincreasing series with target 585 and weights {1, 32}:
x_2 = ⌊585/32⌋ = 18, x_1 = 585 - 18·32 = 9. Then the signature is (9, 18) (try another c if x_i ≥ 2^s for any i ∈ [1, n]).

Then the signature (9, 18) is checked with the public key of the sender A:

A_x = ⌊Σ x_i f_i⌋ = ⌊9·0.69 + 18·0.15⌋ = 8
y = [Σ x_i h_i - A_x g] mod q = [9·245 + 18·194 - 8·45] mod 256 = 217

The original message (or hash value) of 217 was returned so the signature is valid.
Next, secret message enciphering is illustrated with the public encoding and private decoding keys of party A (i.e. party B sends an enciphered message to party A). In a secure network, each party has a unique key set. First, party A expands their public key so that the knapsack weights, h_ij = (b_i W mod P) W'_j mod q_j, for i = 1 to n and j = 1 to m, are expressed with respect to two ciphertext moduli {q_1, q_2} = {256, 9}, where q_1 is public, q_2 is secret, m' = 1, and m = 2. To ensure all messages can be recovered, we select Q = q_1 q_2 > (1 + 2^-e')P. Let {q_1, q_2} = {256, 9} so Q = 2304. Let {W'_1, W'_2} = {73, 5}, {W'_1^-1 mod q_1, W'_2^-1 mod q_2} = {249, 2}. Public key mod {q_1, q_2}: {h_11, h_12} = {245, 4}, {h_21, h_22} = {194, 8}, g = {45, 3}, f = {0.69, 0.15}, q_1 = 256. Next, party B encodes a binary message 1011000110 with the public encoding key of party A:

Assigning message: 1011000110 → {10110, 00110} = {22, 6}
Encryption: A_x = ⌊Σ x_i f_i⌋ = ⌊22 f_1 + 6 f_2⌋ = 15
y_1 = [Σ x_i h_i1 - A_x g_1] mod q_1 = [22·245 + 6·194 - 15·45] mod 256 = 247
y_2 = Σ x_i h_i2 - A_x g_2 = 22·4 + 6·8 - 15·3 = 91

Then party A deciphers the ciphertext (247, 91) with the private decoding key of party A:

(247, 91) mod (256, 9) = (247, 1)
(247·249 mod 256, 1·2 mod 9) = (63, 2), which recombines by the Chinese remainder theorem to 1343 mod 2304
(1343 mod 1221)·302 mod 1221 = 122·302 mod 1221 = 214
x_2 = ⌊214/32⌋ = 6, x_1 = 214 - 6·32 = 22

The message (22, 6) was returned.
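The following Python, added here and not part of the patent, replays the two worked examples above (key generation, signing and checking with the public modulus, enciphering and deciphering through both moduli) with the page's numbers. It assumes W = 845, W'_1 = 73 and W'_2 = 5, the multipliers that reproduce the printed public key, and that the fractions f_i are truncated to 4 bits (11/16 and 2/16), which reproduces the A_x values 8 and 15 shown; fbits can be raised to the s + log2 n + e bits the page recommends.

```python
from math import prod


def crt(residues, moduli):
    """Chinese remainder theorem: the x in [0, Q) with x = r_j (mod q_j) for every j."""
    Q = prod(moduli)
    x = 0
    for r, q in zip(residues, moduli):
        Qj = Q // q
        x += r * Qj * pow(Qj, -1, q)
    return x % Q


class Knapsack:
    """One party's double-iterated knapsack key (n weights, m ciphertext moduli).

    Assumed parameters follow the page's example: b superincreasing for s-bit
    coefficients, P > sum(b) * (2**s - 1) (small sum principle), q[0] public.
    """

    def __init__(self, b, s, P, W, q, Wp, fbits):
        assert P > sum(b) * (2**s - 1), "small sum principle violated"
        self.b, self.s, self.P, self.q, self.fbits = b, s, P, q, fbits
        self.Q = prod(q)
        self.W_inv = pow(W, -1, P)                             # private
        self.Wp_inv = [pow(w, -1, m) for w, m in zip(Wp, q)]   # private
        u = [(bi * W) % P for bi in b]                         # weights in the ring mod P
        # public key: weight residues h_ij, g_j = P W'_j mod q_j, truncated fractions f_i
        self.h = [[(ui * w) % m for w, m in zip(Wp, q)] for ui in u]
        self.g = [(P * w) % m for w, m in zip(Wp, q)]
        self.f = [(ui << fbits) // P for ui in u]              # f_i * 2**fbits, rounded down

    def A(self, x):
        """Nonlinear term A_x = floor(sum x_i f_i): estimated number of overflows mod P."""
        return sum(xi * fi for xi, fi in zip(x, self.f)) >> self.fbits

    def encode(self, x, nmod=None):
        """y_j = (sum_i x_i h_ij - A_x g_j) mod q_j; nmod=1 uses only the public modulus."""
        nmod = len(self.q) if nmod is None else nmod
        Ax = self.A(x)
        return [(sum(xi * hi[j] for xi, hi in zip(x, self.h)) - Ax * self.g[j]) % self.q[j]
                for j in range(nmod)]

    def solve(self, T):
        """Solve the superincreasing knapsack sum x_i b_i = T (largest weight first)."""
        x = [0] * len(self.b)
        for i in reversed(range(len(self.b))):
            x[i], T = divmod(T, self.b[i])
        return x if T == 0 else None

    def decode(self, y):
        """Undo W'_j, recombine E = sum x_i u_i - A_x P by CRT, reduce mod P, undo W."""
        # Large sum principle: E lies in [0, Q) even when A_x undercounts the overflows,
        # so reducing E mod P removes the remaining multiples of P before solving.
        E = crt([(yj * wi) % m for yj, wi, m in zip(y, self.Wp_inv, self.q)], self.q)
        T = ((E % self.P) * self.W_inv) % self.P
        return self.solve(T)

    def sign(self, hval, c):
        """Signature for hash value hval using randomizer c in [0, P/q_1), or None."""
        yp = (hval * self.Wp_inv[0]) % self.q[0] + c * self.q[0]
        x = self.solve((yp * self.W_inv) % self.P)
        if x is None or any(xi >= 2**self.s for xi in x):   # page: try another c
            return None
        return x if self.verify(x) == hval else None          # A_x must be exact here

    def verify(self, x):
        """Anyone holding h, g, f and q_1 recomputes the hash value from the signature."""
        return self.encode(x, nmod=1)[0]


# Party A's keys from the page: {b1, b2} = {1, 32}, P = 1221, s = 5, k = 10,
# {q1, q2} = {256, 9}. W = 845 and {W'1, W'2} = {73, 5} are assumed (they reproduce
# the printed h = {245, 194}, g = 45 and inverses 302, 249, 2); fbits = 4 = k - s - log2 n.
A = Knapsack(b=[1, 32], s=5, P=1221, W=845, q=[256, 9], Wp=[73, 5], fbits=4)


def page_example():
    """Replay both worked examples: sign/check 217, encipher/decipher (22, 6)."""
    sig = A.sign(217, c=4)                 # page: (9, 18)
    ct = A.encode([22, 6])                 # page: y1 = 247 (y2 = 91 mod 9 = 1)
    return {"h": A.h, "g": A.g, "sig": sig, "check": A.verify(sig),
            "ct": ct, "pt": A.decode(ct)}


if __name__ == "__main__":
    print(page_example())
```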
In alternate embodiments, the public key of the present invention can be shortened for signatures by using n = 1 (secret messages require n > 1). With n = 1, the signature is x ∈ [0, 2^s) and the public key is {h mod q_1, f, g = W'P mod q_1}. The signature is encoded according to y_1 = x h_1 - A_x g_1 mod q_1. The larger nonlinear term A_x of s bits with n = 1, relative to the redundancy in the signature of s - log2 q_1 bits, permits a smaller block size and public key than with n > 1. In still other embodiments, the public key of the present invention can be shortened by standardizing some of the variables in the public key for all parties in a network. There are still the same number of possible private keys for a given public key; the number of possible public keys is reduced but is still large enough to prevent exhaustive search attacks. With presently known cryptanalytic attacks, the block size does not need to be expanded when the public key is partially standardized. The encoding and decoding functions are unchanged but all the users have a public key that is identical in part.

The following variables of the public key may be standardized: {q_1, q_2, ..., q_m'}, {g_1, g_2, ..., g_m'}, and {h_r1, h_r2, ..., h_rm'}, where r takes on one of the values in the range [1, n]. Standard values of q_j, for j = 1 to m', may be randomly chosen from [2^(s-1), 2^s), where 2^s ≥ q_j (the lower limit of 2^(s-1) is included because small weights weaken the encoding problem). Alternately, certain bit patterns can be chosen for reasons of security or implementation from [2^(s-1), 2^s). As a security precaution, select the greatest common divisor gcd(g_j, q_j) > 1, for j = 1 to m'. Then {b_1, b_2, ..., b_n}, P, and {q_m'+1, q_m'+2, ..., q_m} are secretly chosen as usual. Next, W' and W are calculated according to the relations W' = P^-1 g mod Q and W = b_r^-1 [h_r W'^-1 mod Q] mod P, where Q = q_1 q_2 ... q_m, g ≡ {g_1, g_2, ..., g_m} mod {q_1, q_2, ..., q_m}, and h_r ≡ {h_r1, h_r2, ..., h_rm} mod {q_1, q_2, ..., q_m}. If W' is not relatively prime to Q (causing the inverse of W' mod Q to not exist), then g is slightly modified (for example, increment g_1 mod q_1 by one) and W' is recalculated. Similarly, if W is not relatively prime to P, then h_r is slightly modified. The differences between the modified and the standard values are published as part of the public key. Alternately, new values of P, Q or b_r can be chosen until the inverses of W and W' exist. A large value of r, i.e. r = n, is more secure because b_n is the largest and contains the most secret information. The rest of the public weights h_ij, for i = 1 to r - 1 and r + 1 to n, and j = 1 to m', and f_i, for i = 1 to n, are then chosen as usual and are not standardized.
The present invention satisfies both the secrecy and authenticity requirements of a public-key cryptosystem, as does RSA, but has about one hundred times less computation for encoding and decoding than RSA. Numerous security protocols for the secret and/or authentic exchange of information have been proposed that involve public-key cryptosystems, and the present invention can meet the requirements and specifications of such protocols. Many applications of public-key cryptosystems using such protocols are known in the prior art, such as secure telecommunications and banking (an overview of public-key cryptography is given in "Contemporary cryptology: the science of information integrity", IEEE Press, 1992).
Encoding with the present invention involves a double-iterated modular multiplication: W mod P and W' mod Q. Conventional knapsacks, as well as the present invention, choose P according to the small sum principle: P > Σ b_i (2^s - 1), to prevent overflow mod P and ensure correct decoding. However, conventional knapsacks also select Q according to the small sum principle: 0 ≤ Σ x_i (b_i W mod P) < Q. In contrast, the present invention is designed such that Σ x_i (b_i W mod P) - A_x P ∈ [0, Q) (we call this the large sum principle). The nonlinear variable A_x corrects for the overflow mod P that occurs when the message terms are combined during encoding, which permits a smaller Q relative to P than the small sum principle.
To ensure a high level of security in these systems, a party's decoding key is not practically determinable from their public encoding key. The security of the private key (i.e. the secrecy of the trapdoor embedded in the encoding problem) depends in part on the difficulty of reconstructing the knapsack weights from the Q residue number system, where {q_m'+1, q_m'+2, ..., q_m} are secret. As well, attacks on the trapdoor of knapsacks by simultaneous diophantine approximation (as reviewed by Brickell and Odlyzko) rely on the information provided by the small sum principle, which is not followed by the present invention. An attacker may attempt to unravel the present trapdoor using the information from g and the fractions. However, the attacker is not able to recombine the knapsack weights from their residue representation. A further countermeasure is to select gcd(g, q) > 1 to ensure that g^-1 mod q does not exist. This can be accomplished during the partial standardization procedure for g.
The present public-key cryptosystem is most closely related to the Merkle-Hellman or Goodman-McAuley (described in "New trapdoor knapsack public key cryptosystem", IEE Proceedings, 1985) knapsack public key cryptosystems, although both were broken (as reviewed by Brickell and Odlyzko). One difference between the present invention and the many broken knapsack cryptosystems is that conventional knapsack cryptosystems follow the small-sum principle for each iteration of modular multiplication, whereas the present invention follows the present large-sum principle except for the first iteration. A second difference is that the present invention includes the extra step of representing the knapsack weights in a residue number system with partially secret moduli. Several previously proposed knapsack cryptosystems, such as the Goodman and McAuley scheme, have mapped the message to a residue number system with secret moduli (the present invention can also employ this technique, in an alternate embodiment) but those schemes did not express the knapsack weights and ciphertext in a residue number system with partially secret moduli and are consequently not secure as a public-key cryptosystem.

The various definitions of the initial weights {b_1, b_2, ..., b_n}, as employed by the broken knapsacks, can also be employed with the present invention as alternate embodiments.
The security of this cryptosystem requires that at least one of the moduli {q_1, q_2, ..., q_m} be kept secret (i.e. m > m') to prevent recombination of the public residues of the knapsack weights. The moduli in the Q residue number system can have different sizes (in terms of number of bits). As well, at least one of the moduli {q_1, q_2, ..., q_m} is recommended to be public (i.e. m' ≥ 1) when sending secret messages, because the amount of information in the ciphertext is reduced if {y_1, y_2, ..., y_m} are reduced by {q_1, q_2, ..., q_m} during encoding, although this may not be essential. Fast signature checking also requires that {q_1, q_2, ..., q_m'} be public.
The security of a public-key cryptosystem also requires that the message is not practically discernible from the ciphertext without the secret decoding key (the encoding function is called a trapdoor one-way function by Diffie and Hellman). Decoding a ciphertext created by the present invention without the decoding key involves solving a compact knapsack problem including a nonlinear term A_x g, which is a nonlinear function of the message (the nonlinear operation is the truncation of A_x). Linear compact knapsacks, with large coefficients and few weights, are less secure than linear knapsacks with [0, 1] coefficients and many weights. The present encoding function is designed to create a large nonlinear coefficient A_x, which thwarts cryptanalytical attacks that are successful against linear compact knapsacks, such as integer programming or lattice basis reduction (these attacks are reviewed by Brickell and Odlyzko). Linear knapsack cryptosystems require a public key in the tens of kilobits, which is a limitation for a large number of parties. The present invention has a public key in the hundreds of bits because the nonlinear term permits fewer knapsack weights to be used for the same security level.
The present invention uses [0, 2^s) coefficients so the degree of compaction increases with s. The public-key size is roughly (n + 1)s bits. Conventional knapsack cryptosystems need at least 100 weights to prevent enumeration attacks on the knapsack problem (see R. Schroeppel and A. Shamir, "A T·S^2 = O(2^n) time/space tradeoff for certain NP-complete problems", in Proceedings IEEE 20th Annual Symposium on Foundations of Computer Science, 1979). Enumeration can also be applied to the present cryptosystem, so we recommend ns > 2a for secret messages and for signatures, where a is a security margin of about 100. For identification or signatures, where the candidate is time or resource limited (such as smart card identification), a smaller ns is sufficient.
Another type of attack on the knapsack problem searches for alternate trapdoors and may be feasible against the present invention if n is small, but the complexity of this attack is an exponential function of n because the knapsack problem is NP-complete. Examples of this type of attack include: A. Shamir, "The cryptographic security of compact knapsacks", Proceedings 1980 Symposium on Security and Privacy, IEEE Computer Society, pp. 94-99, and E. F. Brickell, "Solving low density knapsacks", in Advances in Cryptology: CRYPTO '83, New York: Plenum Press, 1984, pp. 25-37. The feasibility of this form of attack is reduced by increasing n, s, and k while maintaining a density ns/log2 Q close to 1.0.
The security depends in part on the size of the nonlinear term of s bits relative to the block size of ns bits. Smaller values of n increase this ratio. However, the encoding function contains a compact knapsack (as well as the nonlinear term) and the security of a compact knapsack increases with n. A larger nonlinear term can be generated for signatures without decreasing n by varying the message term size with i: x_i ∈ [0, 2^s_i), where f_i, for i = 1 to n, are published to s_i + log2 n + e bits precision. The size s of the message terms for secret messages has to be constant with i, where x_i ∈ [0, 2^s), because the most significant bits of the largest message term are revealed by an unreduced ciphertext residue.
A consequence of the nonlinear term and the associated fractions {f_1, f_2, ..., f_n} of the public key is that a chosen ciphertext attack to find the secret constants P or {b_1, b_2, ..., b_n} can be successful if not neutralized. This chosen ciphertext attack will be successful if all of the ciphertext residues {y_1, y_2, ..., y_m} can be chosen and all of the deciphered message terms {x'_1, x'_2, ..., x'_n} are revealed. However, there are several standard ways to ensure that a chosen ciphertext attack is not feasible, such as checking standard data fields in each deciphered message block (and destroying the deciphered message if the signature is invalid), or including random data fields in each message residue that are discarded upon decryption. In the case of signatures, random data are generated for the secret residues {y_m'+1, y_m'+2, ..., y_m} so a chosen ciphertext attack is thwarted. As well, a chosen ciphertext attack is not feasible for secret distribution of keys for other cryptosystems provided that the distributed key is kept secret and not revealed. Further cryptanalysis of the present invention is given in my Ph.D. thesis, "Very large scale arithmetic with applications to cryptography", Queen's University, Kingston, Canada, October 1992.
The present invention can permit secret and signed messages with one key set (consisting of an encoding key and a decoding key). Also the present public-key cryptosystem can be employed in a form that only permits secret messages by keeping all or most of the moduli secret, and a smaller block size is possible than with a combined secrecy/signature mode. The present invention can be employed in a form that only permits signatures with the moduli {q_1, q_2, ..., q_m} public but not publicly disclosing h_ij and g_j, for i = 1 to n and j = m' + 1 to m. Two separate key sets (one for secrecy and one for authenticity) result in less computation than a combined key set because of the smaller sizes. The security of public-key cryptosystems cannot be proven. Some guidelines are given below for selecting the block size and cryptosystem parameters so that all the cryptanalytical attacks known at present are infeasible. Other parameter selections are possible in keeping with the present invention; in general there is a tradeoff between security and performance in terms of public-key size, message expansion and signature size.

The cryptosystem parameters can be expressed in terms of some multiple of a bits, where the fastest known attack requires 2^a repetitions and each repetition takes at least one clock cycle. Then a can be selected to achieve the desired security level, from minimal security up to a high level of security with today's computers. The following guidelines are recommended to implement this invention (with r = 2 iterations of modular multiplication, as described so far, P = p_1 and Q = p_2):

i~ll.ltlJre~s .md secret,nless;loe~s ¦ < 111 < 1~1, )11 > I.
2. 1>l.
~. t + s < ( ~1 + r ~ + ~ /n to neu~r.llize Sterl1 an(i l offin s ", alt;lcl;. wllele t = ~ 1~2'1) J

~sj Ejllatul e.s ~, /1> I
';. ~$~ ; > ~ - 1ocll~z+ll~7'~ `leVellt preSet~ of A, witl~ +
InC~ bit.s redulldancy in ~IIe ~ (ure where S",iiX = lo~ ",jl~. r"l~x =
m l~ r~ ..... r"l ~ = .sl -I .- I .. t 5,7~ I)Z iS tlle Ollly ril~o of intecel~s ` I 2 ~

itl~ + I >
*~ > (3. whe,le ~s~",,,~ is ~",;,~ n~ -csetting any ~ loo~ l bit~s il~
the~sioll~ltllrc 1~ 2- ~
7. 1 < lo~/)'' - )/2 to pre~ellt recolul~ ol Ihe weights.
. I > 12~'~ + lorl/)z~lll) l to CO~lllt~ ay attacks 011 ~si~1laturcs .~ >
loc ll) + I/~)Z l for si lUlt~l rc-h;l~e(l i(le l lt i l'i~ ;I i oll .
9 ~ > 2.) to collntelh~ lllce enulllel;(lioll ;~ s on the eneo(lh1~ problelll.
lO. ~ < lo~ )/2 to foil .lll llllu ill~ l, I. on the trapdool .

~Secret l,ne~ss,a~es, Il. 11> 1.
] 2. ~ < 10;.?J)) - ~ to pre~ent recoml~ ol ~he weights.
1~- All 1 ~1~ a'2~ ") h.lve ~s l~ > a for secret messa~e.~ so that mo~st si~ilificallt bit~s of the l~lroe~st nle~ o le ii,lue is not reve.lled by ulll-e(l~lce(l cipl1erte~t resi(lues 14~ - 171')5 ~ for secret ole~ e~ lo thwart a linear appro,~illnltiol1 of the encodil1g probleln Wi~]1 ~he most siellil'i.;lll~ bits of the unleduced cipl1eîte~at residues.
1~. ,5 > (", - ", )5 + a ,0 ensure th:ll the ~ coding problem is not ol1i(lueiy define(l witl1 A ~ treate(l as a Ihlear ullkllc,wlu l ( . ~ > 2a to hlock enlllnemtioll att.l( k i 0" ~lle cllcoding prol lem.
17. Stall(hlrd or r~ul(lol~ its may be hl( Ill~le~l ~" counter a eho~ien cipl1erte;~t atl.~ck.

More conservative guidelines may be needed in keeping with the present invention depending on the success of future cryptanalysis (i.e. it may be necessary to increase the minimum values or change the ratios of the parameters and k - t). Alternate selections of the initial weights {b_1, b_2, ..., b_n} (as described below) may provide higher security but may also result in a larger public key or extra message expansion. A small public key is valuable for large numbers of parties and this is achieved by decreasing n and s, although the security of the encoding problem increases with n. Table 1 suggests cryptosystem parameters in terms of a for the smallest possible values of n and s which satisfy the above guidelines and lead to the smallest public key. Parameter selections for larger n or s are also possible which satisfy the guidelines. Several modes of operation are described in the table: signature-only, secret-messages-only, or a combined secrecy/signature mode. The corresponding public key size is also indicated in terms of a. With m = 3 (as listed in Table 1), there is only one public modulus q_1 of t bits, so the secret modulus has about k - t bits, whereas ns bits is the message block size.


TABLE 1. Exemplary parameter selections for the present invention.

Mode )? 1 ~ ~ max t ~ iC-l;Cy its/~ bi~s/~ it.

sicl1.lture l 2 .~ ~ 2 sicl1a~lll-e 2 ' ' . ~ l .S 2 l.
~i~l1<ltlllC ~ 2 .~ l.S 2.. ~ 9 sir~ ture ~ 1.5 si~ lt~ c 2 ~ .'.; l.S 2 X.
seclec) 2 2 . I 1 ~1 secrecy ~ 2 .~ l 2 ') ~sccrec) ~ 2 l I :~ I f, secrecy 2 ~ . l l 7 secrecy 2 4 ' i l l l secrecy/sigll.ltul e 2 2 l l 3 .secrecy/sifn.lture 2 4 1 ' 3 22

All of the signature or secrecy schemes can be used for identification according to FIG. 7 or FIG. 8 respectively. The last row permits signatures and secret messages with a single private and public key pair.
The amount of computation for the present invention is roughly equivalent to 1 + m/2 multiplies of k by k bits for encoding, and a comparable number of multiplies for decoding regardless of n (and the equivalent of two multiplies is sufficient for decoding with an alternate decoding technique described below). Computation is minimized with m' = 1, q_1 a power of two, b_1 = 1, and b_2 = 2^s.

If a small public-key size is of primary importance then a hybrid cryptographic communication scheme can be comprised of the n = 1 signature scheme in conjunction with the Diffie-Hellman key-distribution scheme (which has no user-dependent public key) plus a conventional single-key (private key) cryptosystem for secret messages, resulting in a small total public key. An alternative hybrid cryptosystem that has less computation than the Diffie-Hellman scheme for key distribution includes the n = 1 signature-only scheme and the n = 2 secret-messages mode for key distribution plus a conventional single-key cryptosystem for secret messages, resulting in a total public key of the combined size of the two keys.
In alternate embodiments, the initial knapsack weights {b_1, b_2, ..., b_n} can be formed from a superincreasing series with injected non-superincreasing bands, as proposed for the broken Graham-Shamir and Willett knapsack cryptosystems, which then process the initial knapsack weights as in the Merkle-Hellman cryptosystem. First, a
~sul erincrea.silly serie.s ~ 1 accordillg to ,Cj 1) "
(1ll(l 1' ` ,` .1,~ . i- 1) .

A l l c ~ l ;l r y s e l ~ c t i o ll i s (1; = 2 . ~ ] t o 11, w ll e l e s j -- .~ . N c x ~ 2 (11 ) i.s divide(l into ~wo slll).ie~ .S ;~ . where S conl;lills ally 1I elclllellts from If/~ ...., (1"~). 5* COlltaill.s tlle l'Clll;lil~ ' Il" elemelltS, ;Illd 11' = 11 + Il". 'I'llell ~lle ini~ial l;n.ll-s lcl; wci~ s ~ 2. . . /~llated as 1?; ~ , 1Aikdk `

for i = 1 to n, where d_i ∈ S, a different d_i from subset S is used with each b_i, and λ_ik is randomly selected for all d_k ∈ S*. The rest of the encoding and decoding key can now be generated with n ≥ 1, r > 1, and the partially-superincreasing initial weights {b_1, b_2, ..., b_n} according to the same relations that are employed if {b_1, b_2, ..., b_n} is a superincreasing series. The message to be enciphered is assigned to x_i ∈ [0, 2^s), for i = 1 to n. Decoding is performed by solving a superincreasing series with weights {d_1, ..., d_n'} and the recovered target value, and the deciphered message {x_1, x_2, ..., x_n} corresponds to the coefficients of the subset S of {d_1, d_2, ..., d_n'}. The non-superincreasing bands increase the message expansion and the average number of signature generation trials, P/2^ns.
In other embodiments, the generalized form of the Chinese remainder theorem used in the broken Goodman-McAuley cryptosystem can be employed to form a set of initial knapsack weights {b_1, b_2, ..., b_n} in the ring of integers modulo P with the present invention. The Goodman and McAuley cryptosystem is a generalization of the broken public-key cryptosystem of S. C. Lu and L. N. Lee described in "A simple and effective public-key cryptosystem", COMSAT Technical Review, 1979, pp. 15-24.

~ ! ~ t~ 3 I inst a residllc nlllllllel sys~e~ d~( t ~ ith ~I pairwise rcla~ el~ l~rill~c mo(luli (/'1- 1'2- - 1~ llat Ire r.lll(i()llll~ 1 llo~ ull the interv.ll pj ~ j2'~ ) for i = I to 11 wllere ~/ .nl(l 1! arc l~ositi~e i~ e initial rin~ nf in~et~el. Il)o(~ o P Ille -ccollleS ~ i Ne~t- tllf llultl i ~ ( ted wllere i = ]
1~
b-- !~ b2"
1"~ - b""
and the values of b_ij, for i = 1 to n and j = 1 to n, are randomly chosen from the range b_ij ∈ [1, 2^z) such that the matrix b is nonsingular and invertible and the sum of each column of b is less than 2^z (i.e. Σ_j b_ij < 2^z for i = 1 to n), where z is chosen according to the security margin a of about 100. The initial knapsack weights {b_1, b_2, ..., b_n} are then defined by the relation b_i ≡ {b_i1, b_i2, ..., b_in} mod {p_1, p_2, ..., p_n}, and the residues {b_i1, b_i2, ..., b_in} may be recombined by the Chinese remainder theorem according to the relation
I "

for i = 1 to n, where P_i = P/p_i. The rest of the encoding and decoding key can be generated with n > 1, r > 1, and the initial weights {b_1, b_2, ..., b_n} specified by matrix b as if {b_1, b_2, ..., b_n} is a superincreasing series. A message to be enciphered is assigned to {x_1, x_2, ..., x_n} where x_i ∈ [0, 2^s), for i = 1 to n. An encoded message is deciphered by first calculating

~' i -- I (e~ '' IQ~

for i = 1 to n, with r = 2, where y' ≡ {y_1, y_2, ..., y_m} mod {q_1, q_2, ..., q_m}. Then a matrix multiplication x = x'·b^-1 is performed, where x' = (x'_1, ..., x'_n) and the deciphered message is x = (x_1, ..., x_n), which is congruent to the original message {x_1, x_2, ..., x_n}. The Lu-Lee and Goodman-McAuley cryptosystems depended in part on the difficulty of factoring P and so they selected large p_i, although this is not essential with the present invention.

The use of a generalized form of the Chinese remainder theorem in the initial knapsack of the present invention results in message expansion, which may be acceptable for brief secret messages but can significantly slow signature generation. The simpler form of the Chinese remainder theorem, as employed by Davida, Wells, and Kam, does not have further message expansion than a superincreasing series. With the simple form of the Chinese remainder theorem the matrix b is selected as the identity matrix, so b_i = P_i (P_i^-1 mod p_i) for i = 1 to n. Then the encoded message is deciphered according to the relation above for i = 1 to n, with r = 2. However, finding the factors of P (i.e. p_i, for i = 1 to n) is easier than finding P with Stern and Toffin's attack. Consequently, we recommend a stricter condition with r = 2, which results in a larger block size than the corresponding condition of the guidelines for superincreasing initial weights. With r > 2, the corresponding guideline can also be used with this simple form of the Chinese remainder theorem.
In still otl1er emb( dil1lellts~ the fol-llm~ inese remain(lel theoJ-elll ellll loyed l-y Adii~ a an(l Sllallkar in the hrokel1 Modil`i~ l.ce eryptosystem call be nse(l to xeleet tlle initial kn Ip~sack wei~llts for the prescll~ lli ioin First ~b~ 2. . ~. 1)" 1 } are ~el1erate(1 froln a m ltrix l) of diil1lel1~siolls ~ y ~ ll the Chinese rel11aill(iel ~lleolelll~ where t I
c l~ 25)~ for i = I to 11 - I al~(l j --- I l~"l - 1 P = ~ 1~i- all(l /lj > 2 / Next.
i = 1 f~lrtller illitial wei~llt is inclll(le(l: b" = I
I llen tlle ellcodill~ all(l decodil1~ llerated with the illitial klnlpx.lci~ wei~llt.s {/~I. 1)2. - /~")~ Tl1e me~s~sae is ~ssii~lle(l to .~" ~_ lO 25) and rall(lom hi(.i ~rc assigl1e(l to ~; ~ l(). 2~)~ for i = I to 1l - 1 wln~ -l- z. Deeodill~ invol\~es calclllatil1g x =
l~ ~ wl~e re ~ a 2 - .~ l l r~ Im~ r ltional nulll hers. I hell tll.~ dc cipl1ele(1 " - 1 mes~s~lr~c iS .~ ~ = r 'j- ~, ([~- 'j]~ le iis one of tlle illtei~el-x f~o~ tlle ram e J= 1 - 1) In(l llj= O if ~ > O ~j, il lll~` llm of tlle ith colnlllll of l)-l is p()~sitive) m(l ttj= I other~ixe~ In the ease of ~ = O for i = I to 2 il /)l~ > /~22 a~d > /~

el o~ilel el1lbo(li~ tl~ ion C~ be ~ plo~e(l t(l follll ~1ll illiti li-kn.ll-s;lcl; in tile P l-esi~lnc n~ 1bcr s~ n~ = 2 for secrct an(l siglle(l n~ess,lges /\
mess.l; e ~ a2'1 is conlbille(l by n~ conversion r _ /~ 2 ~
a 1 in ~lle ring of integers mo(llllo /' (~ alion is disguised ~IIlrin g el1co(lillg) T ilC
initi.ll klnllls,lck wei-~llts are selecte(l 1~ p1~ 2 i. im(l all enc()(lillg kc~
i~s geller.lte(l ~ith ~1 = 2 ~In(l 1 > I ( I( ~ lo the same relatiolls tllat ~lc ilSC(I if ~
b_2} are superincreasing). A message to be enciphered is assigned to x_i ∈ [0, 2^s), for i = 1 to 2, and encoded with the encoding key. If A_x is negative, which may occur if b_2 is negative, then A_x is rounded down (in weighted value, not absolute value) so that the large sum principle Σ x_i (b_i W mod P) - A_x P ∈ [0, Q) is satisfied (for example, an A_x between -2 and -1 is rounded down to A_x = -2). The encoded message is deciphered according to the same relation for i = 1 to 2, with r = 2. As described above, many alternate selections of the initial weights {b_1, b_2, ..., b_n} are possible with the present invention. A superincreasing series is believed to provide the best combination of security and message expansion, which is directly related to the average number of signature generation trials. The choice of initial weights has less effect on the security with r > 2 (as described below). Other choices of {b_1, b_2, ..., b_n} may readily be employed in keeping with the present invention, provided that there is a practical method of recovering {x_1, x_2, ..., x_n}. In yet still other embodiments, further iterations of modular multiplication can be
illClll(lC(I (lurill g key gel1er.ltioll al~ 0nll nl1mber of iteratiolls is /~ v,~llelc ~ > I
(I IGS 2 3 ~, G. 7~ al1(1 1~ correspol~ ith modulal mllltiplic,l~ioll~s by IV mo(l P 1111(1 1~'Illo(l Q)~llleillitil~ 'Ci,~ ... , b"~cal1Ic ~ erillclc/~ l ora of tlle alterll;lte selections of Ille initial ~ n be employe(l ln tlle following gellerlli notlltiol1~ l ing of integers nlo(lulo is callc(l /1() (tllis is e(llliwillent to P wi~h ~ = 2) iall(l Ihe l`ill;ll lill~ ~,f integers mo(l~llo /)' (ol c(l~iivalelltly O
Witll r = 2) is ia resi(llle Illllnber Sy~nCI~ `le /~ iS tlle pro(lllct of ~ . q",l wllicll ilre p;lirwise relatively-prillle ~ ilclatiolls of mo~llllill-llllll~il-lic Ition ~b~
initi;ll-weigllts ille clllle(l l1() = I)j~ for i - I l o Il ~nd tlle wcigllts ill tllc rill/ll rillr l l integers m(l(llllo l~' are calle(l 11,~ 11, wllere 1l > 1. 'l~llc ~:t~ Cl/ltioll ()I' od~ ml~ licL~ crforll~

$$a_i^k \equiv W_k\, a_i^{k-1} \pmod{p_k}, \qquad k = 1 \text{ to } r,$$

where $W_k$ and $p_k$ are relatively prime for $k = 1$ to $r$, and $p_k$ and $p_{k+1}$ are relatively prime for $k = 1$ to $r - 1$. For $r > 2$, a further nonlinear term occurs in the encoding problem for each extra iteration of modular multiplication, which may increase the security. Encoding with $r > 1$ is performed according to the relations

$$y_j \equiv \sum_{i=1}^{n} x_i a_{ij} - \sum_{k=1}^{r-1} A_{x,k}\, g_{jk} \pmod{q_j}, \qquad j = 1 \text{ to } m',$$

$$y_j = \sum_{i=1}^{n} x_i a_{ij} - \sum_{k=1}^{r-1} A_{x,k}\, g_{jk}, \qquad j = m'+1 \text{ to } m,$$

where

$$A_{x,k} = \Big\lfloor \sum_{i=1}^{n} x_i f_{ik} - \sum_{h=1}^{k-1} A_{x,h}\, f_{hk} \Big\rfloor$$

and $1 \le m' < m$. The encoding key consists of the integers $a_{ij}$ and $g_{jk}$ and the fractions $f_{ik}$ and $f_{hk}$, for $i = 1$ to $n$, $j = 1$ to $m$, $k = 1$ to $r - 1$ and $h = 1$ to $k - 1$, and $q_j$ for $j = 1$ to $m'$, where $a_{ij} \equiv a_i^r \pmod{q_j}$, $g_{jk} \equiv p_{k,r} \pmod{q_j}$, and $p_{h,k}$ is obtained by calculating $p_{h,h+1} \equiv W_{h+1}\, p_h \pmod{p_{h+1}}$, $p_{h,h+2} \equiv W_{h+2}\, p_{h,h+1} \pmod{p_{h+2}}$, $\ldots$, $p_{h,k} \equiv W_k\, p_{h,k-1} \pmod{p_k}$. The fraction $f_{ik}$ is $a_i^k / p_k$ and $f_{hk}$ is $p_{h,k} / p_k$, each truncated to the precision given below; with $g_{jk}$ taken as the positive residue of $p_{k,r}$, the nonlinear terms are subtracted.

If the initial weights $\{b_1, b_2, \ldots, b_n\} = \{a_1^0, a_2^0, \ldots, a_n^0\}$ are selected as a superincreasing series, then the following relations are satisfied:

$$b_i > (2^s - 1) \sum_{j=1}^{i-1} b_j \qquad\text{and}\qquad p_1 > (2^s - 1) \sum_{i=1}^{n} b_i,$$

where $p_1$ is relatively prime to $b_i$ for $i = 1$ to $n$. The rings of integers modulo $p_k$, for $k = 1$ to $r - 1$, satisfy the large-sum principle

$$\sum_{i=1}^{n} x_i a_i^k - \sum_{h=1}^{k} A_{x,h}\, p_{h,k} \in [0,\ p_{k+1}) \qquad (p_{k,k} = p_k),$$

which is ensured by selecting

$$p_{k+1} > p_k\,(1 + 2^{-e}), \qquad k = 1 \text{ to } r - 1,$$

where the estimate of $A_{x,k}$ is accurate to $(-2^{-e}, 0.0]$ and the fractions $f_{ik}$ and $f_{hk}$, for $i = 1$ to $n$, $h = 1$ to $k - 1$ and $k = 1$ to $r - 1$, are truncated at $s + \log_2 n + e + (k - 1)$ bits precision, where $e$ is a positive number (or truncate all fractions at $s + e + \log_2 n + (r - 2)$ bits precision). The extra $(k - 1)$ bits account for the larger size of $A_{x,h}$ in the $A_{x,h} f_{hk}$ terms used to calculate $A_{x,k}$ as $k$ increases. If $k \ge 2$, $A_{x,k}$ may be negative, and $A_{x,k}$ is rounded down in weighted value, not in absolute value (i.e. $A_x = -1.5$ is rounded down to $-2$).
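The reason the decoder tolerates an estimate of $A_{x,1}$ that is one too low, carried through for $r = 2$ with the symbols above as an added derivation (not part of the original text): write $T = |W \sum_i x_i b_i|_P$ and $A = \lfloor \sum_i x_i a_i^1 / P \rfloor$, so that

$$\sum_{i=1}^{n} x_i a_i^1 = T + A\,P, \qquad 0 \le T < P.$$

The truncated fractions satisfy $\sum_i x_i f_i \in \big(\sum_i x_i a_i^1/P - 2^{-e},\ \sum_i x_i a_i^1/P\big]$, hence $A_x = \lfloor \sum_i x_i f_i \rfloor \in \{A - 1,\ A\}$, and $A_x = A - 1$ can only occur when $T/P < 2^{-e}$. Recombining the ciphertext residues gives

$$y \equiv \sum_{i=1}^{n} x_i\, |W' a_i^1|_Q - A_x\, |W'P|_Q \equiv W'\,\big(T + (A - A_x)\,P\big) \pmod{Q},$$

and the decoder computes $|W'^{-1} y|_Q = T + (A - A_x)\,P$, which is the exact integer because $T + P < P(1 + 2^{-e}) < Q$ in the only case where the extra $P$ appears. Reducing modulo $P$ then returns $T$ whichever estimate the encoder used, and $|W^{-1} T|_P = \sum_i x_i b_i$ because $p_1 = P > (2^s - 1)\sum_i b_i$.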
An enciphered message $\{y_1, y_2, \ldots, y_m\}$ is decoded by first calculating

$$y_{k-1} \equiv y_k\,(W_k)^{-1} \pmod{p_k}, \qquad k = r \text{ decrementing to } 1,$$

where $y_r \equiv \{y_1, y_2, \ldots, y_m\} \bmod \{q_1, q_2, \ldots, q_m\}$, and then solving a knapsack problem with superincreasing weights $\{b_1, b_2, \ldots, b_n\}$ and target value $b = y_0$ by calculating sequentially

$$x_i' = \Big\lfloor \Big(b - \sum_{j=i+1}^{n} x_j' b_j\Big) \Big/ b_i \Big\rfloor, \qquad i = n \text{ decrementing to } 1,$$

to return the deciphered message $\{x_1', x_2', \ldots, x_n'\}$. The decoding key includes the positive integers $\{b_1, b_2, \ldots, b_n\}$, $\{W_1, W_2, \ldots, W_r\}$, $\{p_1, p_2, \ldots, p_r\}$ and $\{q_1, q_2, \ldots, q_m\}$.
For signature checking with $r$ iterations of modular multiplication, the signature verifier checks whether

$$y_j \equiv \sum_{i=1}^{n} x_i a_{ij} - \sum_{k=1}^{r-1} A_{x,k}\, g_{jk} \pmod{q_j}, \qquad j = 1 \text{ to } m',$$

with each $x_i \in [0, 2^s)$. If the key-set is designed for secret messages as well as signatures, then $p_k > (1 + 2^{-e})\,p_{k-1}$, and the probability that the recomputed value deviates from $y_j$ by a multiple of $g_{jk}$ approaches zero as the ratio $p_{k+1}/p_k$ approaches unity when $e$ is increased.

The signature checking subsystem does not have to check for a deviation of $\pm g_{jk}$ if the message (or hash value) assigned to $\{y_1, \ldots, y_{m'}\}$ and a secret random value (or any secret integers, or a fixed value) assigned to $\{y_{m'+1}, \ldots, y_m\}$ are combined into $y_r \equiv \{y_1, y_2, \ldots, y_m\} \bmod \{q_1, q_2, \ldots, q_m\}$ and the subsequent steps of signature generation are completed with this value of $y_r$. The signature is then valid if $y_j \equiv \sum_i x_i a_{ij} - \sum_k A_{x,k}\, g_{jk} \pmod{q_j}$ for $j = 1$ to $m'$.

If the key-set is designed specifically for signatures (and cannot be used for enciphering messages), then any deviation by a multiple of $g_{jk}$, for $k = 1$ to $r - 1$, can be avoided by selecting $p_k > p_{k+1}$ and rounding up (instead of truncating) the fractions $f_{ik}$ and $f_{hk}$, for $i = 1$ to $n$, $h = 1$ to $k - 1$ and $k = 1$ to $r - 1$, at $s + \log_2 n + e + (k - 1)$ bits precision.

Then $A_{x,k}$ can be estimated precisely, since the fractional part of the value before rounding is bounded away from $1.0$ by $2^{-e}$ for every valid signature, which eliminates the need for the corrections by $\pm g_{jk}$ for $k = 1$ to $r - 1$. A signature is valid if $y_j \equiv \sum_i x_i a_{ij} - \sum_k A_{x,k}\, g_{jk} \pmod{q_j}$ for $j = 1$ to $m'$.

If abbreviated signatures are desired, $p_k > p_{k+1}$ is selected for only one value $k'$ of $k$ from the range $[1, r - 1]$, subject to the size condition on the abbreviated signature imposed by the attack of Brickell, Stern and Toffin. Abbreviation is possible with $r > 2$ because $p_k < p_{k+1}$ can be maintained for all other values of $k$ (which have $p_{k+1} > p_k (1 + 2^{-e})$) while $p_{k'} > p_{k'+1}$. The resulting key-set is designed specifically for signatures, because the decoding of secret messages requires $p_{k+1} > p_k (1 + 2^{-e})$ for all $k$. The verifier tests whether there is some integer $d$ in a small range such that $y_j + d\,g_{jz} \equiv \sum_i x_i a_{ij} - \sum_k A_{x,k}\, g_{jk} \pmod{q_j}$, where $z$ is the one value of $k$ for which the ordering of $p_z$ and $p_{z+1}$ is reversed, and $d$ is calculated modulo $q_j$.
With $r$ iterations of modular multiplication, $p_k$ for $k = 1$ to $r - 1$ and $q_j$ for $j = 1$ to $m'$ can be standardized, as well as $g_{jk}$ for $k = 1$ to $r - 1$ and $j = 1$ to $m$ and one weight $\{a_{u1}, a_{u2}, \ldots, a_{um}\}$, where $u$ is one of the integer values in the range $[1, n]$. The standardized values of $p_k$ and $q_j$, for $k = 1$ to $r - 1$ and $j = 1$ to $m'$, are randomly selected (or chosen with certain bit patterns) from the appropriate range; also, $q_j$ for $j = 1$ to $m'$ may be selected above a minimum size as a security measure. The secret moduli $q_j$, for $j = m'+1$ to $m$, vary between users and are not known when selecting the standard values, but the standardized $g_{jk}$ and $a_{uj}$ may be selected from the range $[0, \bar q_j)$, where $\bar q_j$ is the expected value of $q_j$. The standard weights are not recommended to greatly exceed, or to be significantly less than, $q_j$, so as to maintain the difficulty of the encoding problem; a variance of several bits in the moduli has a negligible effect on the security.

A private key is found by first secretly selecting $\{b_1, b_2, \ldots, b_n\}$ and $\{q_{m'+1}, \ldots, q_m\}$ by the same procedure as without standardization. Then $\{W_r, W_{r-1}, \ldots, W_2\}$ are found sequentially as

$$W_k \equiv (p_{k-1})^{-1}\, p_{k-1,k} \pmod{p_k}, \qquad k = r \text{ decrementing to } 2,$$

where $p_{k-1,k}$ is obtained from the standardized $g_{j,k-1}$ by sequentially calculating $p_{k-1,r} \equiv \{g_{1,k-1}, g_{2,k-1}, \ldots, g_{m,k-1}\} \bmod \{q_1, q_2, \ldots, q_m\}$, $p_{k-1,r-1} \equiv (W_r)^{-1}\, p_{k-1,r} \pmod{p_r}$, $\ldots$, $p_{k-1,k} \equiv (W_{k+1})^{-1}\, p_{k-1,k+1} \pmod{p_{k+1}}$. If $W_k = 0$ results, then slightly modify $g_{k-1}$ (for example, increment $g_{1,k-1} \bmod q_1$ by one) and recalculate $p_{k-1,k}$; because the private key would then not match the standard for $g_{k-1}$, the difference between the modified $g$ and the standard $g$ is published as part of the public key. Standardized values of $g$ have to vary with $k$ (any difference is sufficient) to ensure that $W_k = 0$ does not occur.

Sometimes a value of $p_{k-1}$ is found that is not relatively prime to $p_k$, and then the inverse of $p_{k-1} \bmod p_k$ does not exist; in that case $g$ is slightly modified and $W_k$ is recalculated. Alternately, if $p_{k-1}$ is not relatively prime to $p_k$, then a new $p_k$ can be chosen that is relatively prime to $p_{k-1}$ and $p_{k+1}$, or a new $p_{k-1}$ can be selected and then $W_{k-1}$ is recalculated (this approach will usually involve more computation than modifying $g$).

Next, $W_1$ is found according to the relation

$$W_1 \equiv (a_u^0)^{-1}\, a_u^1 \pmod{p_1},$$

where $a_u^0 = b_u$, $u$ is one of the integer values in the range $[1, n]$, and $a_u^1$ is obtained by sequentially calculating $a_u^{r-1} \equiv a_u^r\,(W_r)^{-1} \pmod{p_r}$, $a_u^{r-2} \equiv a_u^{r-1}\,(W_{r-1})^{-1} \pmod{p_{r-1}}$, $\ldots$, $a_u^1 \equiv a_u^2\,(W_2)^{-1} \pmod{p_2}$, where $a_u^r \equiv \{a_{u1}, a_{u2}, \ldots, a_{um}\} \bmod \{q_1, q_2, \ldots, q_m\}$. If $a_u^1 \ge p_1$, then slightly modify $a_{uj}$ (for example, increment $a_{u1} \bmod q_1$ by one) and recalculate $a_u^1$ and $W_1$. The rest of the public key, $a_{ij}$ for $i = 1$ to $n$ ($i \ne u$) and $j = 1$ to $m$, and the fractions $f_{ik}$ and $f_{hk}$ for $i = 1$ to $n$, $k = 1$ to $r - 1$ and $h = 1$ to $k - 1$, are not standardized and can be calculated from the private key, which is now fully selected, according to the same equations used without partial standardization. If the initial weights $\{b_1, b_2, \ldots, b_n\}$ are superincreasing, then $u = n$ is the most secure choice, because $a_n^0 = b_n$ is the largest and contains the most secret information.
In further embodiments, if $n = 1$ the fractions $f_{1k}$, for $k = 1$ to $r - 1$, can be standardized, as well as one weight $\{a_{11}, a_{12}, \ldots, a_{1m}\}$ or $\{g_{1k}, g_{2k}, \ldots, g_{mk}\}$, where $k$ is one of the integer values in the range $[1, r - 1]$. Standardizing the fractions $f_{1k}$ for $k = 1$ to $r - 1$ in an $n = 1$ signature-only mode results in a smaller user-dependent public key than standardizing $g_{jk}$ for $k = 1$ to $r - 1$; standardizing the fractions is not feasible with $n > 1$. With $n = 1$, the fractions $f_{1k}$, for $k = 1$ to $r - 1$, may be standardized for all users to some randomly chosen value within the range $[0.0, 1.0)$. Alternately, the fractions can be selected from $[0.5, 1.0)$ so that the most significant fractional bits are always asserted, because large fractions result in a larger nonlinear term $A_{x,k}$.

During key generation, $p_k$ and $b_1$ are chosen secretly as usual. The $\{W_1, W_2, \ldots, W_{r-1}\}$ are found sequentially according to the relation

$$W_k \equiv (a_1^{k-1})^{-1}\, a_1^k \pmod{p_k}, \qquad k = 1 \text{ to } r - 1,$$

where $a_1^k$ is the integer nearest $f_{1k}\,p_k$ for the standard $f_{1k}$. After each $W_k$ is found, the actual fraction $f_{1k} = a_1^k / p_k$ is calculated, and the difference between the standard and the actual fractions is published as part of the public key (several of the least significant fraction bits may differ). If $a_1^{k-1}$ or $a_1^k$ is not relatively prime to $p_k$ (causing its inverse not to exist), then $f_{1k}$ is slightly modified and $a_1^k$ and $W_k$ are recalculated; for example, add one unit in the last place to the standard $f_{1k}$ modulo $1.0$, and the difference from the standard $f_{1k}$ value is published as part of the public key. Alternatively, if $a_1^{k-1}$ or $a_1^k$ is not relatively prime to $p_k$, a new $p_k$ may be chosen and $W_k$ is then recalculated.

Next, one weight can be standardized. If $a_{1j}$ for $j = 1$ to $m'$ are standardized, then $W_r$ is calculated according to the relation

$$W_r \equiv (a_1^{r-1})^{-1}\, a_{1j} \pmod{q_j}, \qquad j = 1 \text{ to } m'.$$

Alternately, if $g_{jk}$ for $j = 1$ to $m'$ are standardized, then $W_r$ is calculated according to the relation

$$W_r \equiv (p_{k,r-1})^{-1}\, g_{jk} \pmod{q_j}, \qquad j = 1 \text{ to } m'.$$

The recommended weight to standardize is $g_{j,r-1}$ (i.e. $k = r - 1$), because $p_{r-1,r-1} = p_{r-1}$ is relatively prime to $p_r$ and so its inverse modulo $q_j$ will always exist. If $a_1^{r-1}$ is not relatively prime to $q_j$ for $j = 1$ to $m'$, then a new $a_{1j}$ or $p_{r-1}$ is selected. The rest of the public key is then calculated according to the normal relations.
In still further embodiments, the $r$ modular multiplications can be unwound during decoding with a slightly modified form of the present encoder. There are $r$ iterations of modular multiplication during decoding, as specified by

$$y_{k-1} \equiv y_k\,(W_k)^{-1} \pmod{p_k}, \qquad k = r \text{ decrementing to } 1,$$

where $y_r \equiv \{y_1, y_2, \ldots, y_m\} \bmod \{q_1, q_2, \ldots, q_m\}$. As described above, these modular multiplications are unwound sequentially with any modular multiplication technique. However, the present modified encoder performs all $r$ iterations of modular multiplication (plus the recombination of the ciphertext residues) in parallel, with close to the same amount of computation as a single modular multiplication.

Henry proposed a modular multiplication method called double-encryption (see U.S. Pat. No. 4,399,323), which was designed for the now-broken single-iterated Merkle-Hellman knapsack cryptosystem. Henry's technique performs a single modular multiplication by a constant, such as $W^{-1} \bmod P$, employing precomputation; then a superincreasing series with target $b$ is solved to recover the message. Henry's modular multiplier resembles a knapsack encryption, which explains the name "double-encryption". For decoding an $r$-iterated knapsack there are $r$ iterations of modular multiplication to unwind, so Henry proposed applying his modular multiplier sequentially in "Fast decryption algorithm for the knapsack cryptographic system", The Bell System Technical Journal, vol. 60, 1981, pp. 767-773. Henry's modular multiplier can also be applied $r$ times sequentially with the present invention. However, the present modular multiplier described below performs $r$ modular multiplications by a constant in parallel, with close to the same amount of computation as one modular multiplication and a similar amount of precomputed memory. The present $r$-iterated modular multiplier resembles encoding with the present encoder (i.e. a knapsack plus nonlinear terms), so we also use the name "double-encryption". A hat symbol is used below to differentiate the double-encryption decoding-key from the encoding-key.
The ciphertext $\{y_1, y_2, \ldots, y_m\}$ is first mapped to $\{z_1, z_2, \ldots, z_{\hat n}\}$, where

$$y_j \equiv \sum_{i=l_j}^{l_{j+1}-1} z_i\, 2^{\hat s\,(i - l_j)} \pmod{q_j},$$

$z_i \in [0, 2^{\hat s})$ for $i = 1$ to $\hat n$, and $\hat s$ is a positive integer. The value of $l_j$, for $j = 1$ to $m$, will vary with the size of the ciphertext residues. The unreduced ciphertext residues $\{y_{m'+1}, \ldots, y_m\}$ corresponding to the secret moduli $\{q_{m'+1}, \ldots, q_m\}$ may be reduced at the start of decoding to minimize the number of digits $z_i$ assigned to them and the size of the double-encryption key. The amount of computation for double-encryption is minimized with $\hat s = 1$, but the memory space for the double-encryption key, about $(\hat n \hat s)^2 / \hat s$ bits, is minimized by increasing $\hat s$. Alternate mappings can be employed, provided each $z_i$, for $i = 1$ to $\hat n$, contains $\hat s$ consecutive bits from one of the ciphertext residues.
The $r$ iterations of modular multiplication are performed with a multiple-iterated knapsack with nonlinear terms to correct for the overflow that occurs modulo $p_k$, for $k = 1$ to $r$, as with the present encoder. If any of the reductions modulo $p_k$ is not complete to $[0, p_k)$, then the decoding is incorrect. In the case of secret messages the encoder follows the large-sum principle, so reduction modulo $p_k$ has to be complete during decoding, which is possible with double-encryption as described below. Complete reduction is not essential for signatures, because the verifier can correct for a deviation by a multiple of $g$. Overflow does not occur during decoding if the small-sum principle (the partial sums never exceed the modulus being unwound) is satisfied by the double-encryption weights, though key-sets will not generally satisfy this requirement. Consequently, overflow estimates are necessary for decoding secret messages by double-encryption because $p_{k+1} > p_k$, but in a signature-only mode overflow estimates are not needed modulo $p_k$ if $p_k > \hat n\, 2^{\hat s}\, p_{k+1}$, where $k \in [1, r - 1]$.

In the exemplary case of $r = 2$, double-encryption involves calculating $b$ according to the relations

$$b \equiv \Big|\, W^{-1}\Big( \sum_{i=1}^{\hat n} z_i\, |W'^{-1}\hat n_i|_Q - A_z\, Q \Big) \Big|_P,$$

$$A_z = \Big\lfloor \sum_{i=1}^{\hat n} z_i \hat f_i \Big\rfloor, \qquad \hat f_i \approx \frac{|W'^{-1}\hat n_i|_Q}{Q},$$

where the products $|W^{-1}|W'^{-1}\hat n_i|_Q|_P$ and $\hat g \equiv |W^{-1} Q|_P$ are precomputed, so that the whole computation is a single knapsack over the digits $z_i$ with one nonlinear term $A_z \hat g$.
The initial weights for double-encryption $\{\hat n_1, \hat n_2, \ldots, \hat n_{\hat n}\}$ are formed with the Chinese remainder theorem in the ring of integers modulo $Q$ according to the relation

$$\hat n_i = \Big|\, 2^{\hat s\,(i - l_j)}\, Q_j\, |Q_j^{-1}|_{q_j} \Big|_Q,$$

where $Q_j = Q / q_j$ and $l_j \le i < l_{j+1}$. After performing double-encryption to find $b$, the deciphered message $\{x_1', x_2', \ldots, x_n'\}$ is formed by solving a superincreasing series with target $b$ and initial weights $\{b_1, b_2, \ldots, b_n\}$. To ensure correct deciphering of enciphered messages, the reduction modulo $Q$ during decoding has to be completely correct (a deviation by a multiple of $Q$ will cause an error). Consequently, the estimation of $A_z$ has to be exact during double-encryption. During encoding the error in the estimate of $A_x$ is bounded by $(-2^{-e}, 0.0]$ (before truncation) and the large-sum principle is satisfied because $|W'^{-1} y|_Q \in [0, P(1 + 2^{-e})) \subset [0, Q)$, where $Q > P(1 + 2^{-e})$. If the error in the estimate of $A_z$ (before truncation) is bounded by $[0.0, 2^{-e})$ and also $Q(1 - 2^{-e}) > P(1 + 2^{-e})$, then $|W'^{-1} y|_Q \in [0, P(1 + 2^{-e})) \subset [0, Q(1 - 2^{-e}))$ and $A_z$ is exact. The double-encryption fractions $\hat f_i$ for decoding secret messages are therefore rounded up at $\hat s + \log_2 \hat n + e$ bits precision.

A decoder with double-encryption and $r = 2$ is illustrated in FIG. 9. The ciphertext is first assigned to the terms $z_i$ (i.e. $z_1$ is the first $\hat s$ bits of $y_1$, $z_2$ the next $\hat s$ bits of $y_1$, and so on). Then the left column in FIG. 9 calculates $z_i \hat n_i$, for $i = 1$ to $\hat n$, with multipliers 24, which is accumulated with adders 25. The right column calculates $z_i \hat f_i$, for $i = 1$ to $\hat n$, with multipliers 24, which is accumulated separately with adders 25. The products $z_i \hat f_i$, for $i = 1$ to $\hat n$, have to be precise to $\hat s + e + \log_2 \hat n$ fractional bits. Then truncation subsystem 36 outputs the integer part of the sum of the right column as $A_z$. Next, $-A_z \hat g$ is calculated with a multiplier 24 and accumulated with the accumulation tree of the left column. The final total of the left column is then reduced modulo $P$, and the remainder is $b$. A superincreasing series is solved with target value $b$ and superincreasing weights $\{b_1, b_2, \ldots, b_n\}$. In the exemplary case of $n = 2$ and $b_1 = 1$ as shown, divider 33 calculates $x_2' = \lfloor b / b_2 \rfloor$, and then $x_1' = b - x_2' b_2$ is found with subtractor 34. If $\hat s = 1$, the multipliers may be replaced by transmission gates that pass $\hat n_i$ and $\hat f_i$ if $z_i = 1$ and pass zero if $z_i = 0$.
Double-encryption can also be used for signature generation, in which case $A_z$ does not have to be exact, but a correction by $\pm \hat g$ may be needed during signature checking if $A_z$ has a deviation of one from the exact value. Then $Q$ may be less than $P$ for signatures with double-encryption. The minimum precision is $\hat s + \log_2 \hat n$ bits to keep the deviation to a single multiple of $\hat g$, because the small-sum principle for double-encryption can never be satisfied modulo the final ring $Q$ for signatures. If $y_r$ is unwound before recombination, i.e. the residues are converted by mixed radix conversion prior to double-encryption, then the $\pm \hat g$ correction is not necessary, but more computation is involved.


Generally, $|W'^{-1} y|_Q$ can be any value in $[0, Q)$ when generating signatures by double-encryption, so $A_z$ cannot be estimated exactly with a practically small value of $e$, and a correction of $\pm \hat g$ is then needed (this is also the case for signatures with $r > 2$). In practice, a correction by $\pm \hat g$ does not slow down signature checking or weaken the security, so extra computational effort to avoid a correction of $\pm \hat g$ is not recommended. With $r$ iterations of modular multiplication, double-encryption is performed according to the relations

$$b \equiv \sum_{i=1}^{\hat n} z_i \hat n_i - \sum_{k=1}^{r-1} A_{z,k}\, \hat g_k \pmod{\hat c_r},$$

$$A_{z,k} = \Big\lfloor \sum_{i=1}^{\hat n} z_i \hat f_{ik} - \sum_{h=1}^{k-1} A_{z,h}\, \hat f_{hk} \Big\rfloor,$$

where the rings are traversed in the reverse order of encoding, $\hat c_1 = p_r = Q$ and $\hat c_r = p_1 = P$, with $\hat W_k$ denoting the multiplier of the $k$-th unwinding step (the inverse of the corresponding $W$), $\hat g_k \equiv \hat c_{k,r} \pmod{\hat c_r}$, and $\hat c_{h,k}$ is obtained by calculating $\hat c_{h,h+1} \equiv \hat W_{h+1}\, \hat c_h \pmod{\hat c_{h+1}}$, $\hat c_{h,h+2} \equiv \hat W_{h+2}\, \hat c_{h,h+1} \pmod{\hat c_{h+2}}$, $\ldots$, $\hat c_{h,k} \equiv \hat W_k\, \hat c_{h,k-1} \pmod{\hat c_k}$ (the $\hat n_i$ and fractions $\hat f_{ik}$ and $\hat f_{hk}$ are calculated similarly, relative to $\hat c_k$).

Secret messages require $p_{k+1}(1 - 2^{-e}) > p_k(1 + 2^{-e})$, for $k = 1$ to $r - 1$, to permit correct decoding by double-encryption, where $A_{z,k}$ is accurate to $[0, 2^{-e})$ (before truncation) and the fractions $\hat f_{ik}$ and $\hat f_{hk}$, for $i = 1$ to $\hat n$, $k = 1$ to $r - 1$ and $h = 1$ to $k - 1$, are rounded up at $\hat s + e + \log_2 \hat n + (k - 1)$ bits precision. Signatures do not require $p_{k+1} > p_k$ for double-encryption, and the fractions are rounded (truncation or rounding up are also possible, because $A_{z,k}$ cannot be exact in this case) at $\hat s + \log_2 \hat n + (k - 1)$ bits precision, for $k = 1$ to $r - 1$.
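The $r = 2$ encoder with its single nonlinear term, the sequential decoder and the double-encryption decoder of the preceding paragraphs, as an added worked example in Python. This is written for this page and is not the patent's own code; every parameter value is a constructed toy value far too small for security, the sign convention $y_j \equiv \sum_i x_i a_{ij} - A_x g_j$ with $g_j \equiv |W'P|_{q_j}$ follows the reconstruction above, and the helper names (`crt`, `solve_superincreasing`, the dictionary layout of the keys) are this example's own choices.

```python
from math import gcd

# Constructed secret parameters (assumed toy values): n = 4 message digits of
# s = 4 bits, m = 2 residue moduli of which m' = 1 is public.
S_BITS, E_BITS = 4, 4
B = [1, 16, 272, 4336]    # superincreasing: b_i > (2^s - 1) * sum(b_1 .. b_{i-1})
P = 70001                 # p_1 (prime), > (2^s - 1) * sum(B) = 69375
W = 54321                 # W_1, invertible mod P
Q_MODULI = [257, 331]     # q_1 public, q_2 secret; Q = p_2 = 85067
M_PUBLIC, W2 = 1, 12347   # m', and W_2 (invertible mod Q)


def crt(residues, moduli):
    """Recombine residues into the integer modulo prod(moduli) (Garner's method)."""
    total, modulus = 0, 1
    for res, mod in zip(residues, moduli):
        total += modulus * (((res - total) * pow(modulus, -1, mod)) % mod)
        modulus *= mod
    return total % modulus


def make_keys(b=B, s=S_BITS, e=E_BITS, p=P, w=W, q_moduli=Q_MODULI,
              m_public=M_PUBLIC, w2=W2):
    n, xmax, q = len(b), (1 << s) - 1, 1
    for qj in q_moduli:
        q *= qj
    assert p > xmax * sum(b) and gcd(w, p) == 1 and gcd(w2, q) == 1
    # large-sum principle Q > P(1 + 2^-e): an A_x estimate one too low is absorbed mod P
    assert q * (1 << e) > p * ((1 << e) + 1), "Q must exceed P(1 + 2^-e)"
    t = s + (n - 1).bit_length() + e          # fraction precision s + ceil(log2 n) + e
    a1 = [(w * bi) % p for bi in b]           # a'_i = |W b_i|_P
    a2 = [(w2 * ai) % q for ai in a1]         # |W' a'_i|_Q
    pub = {"t": t, "m_public": m_public, "q_public": q_moduli[:m_public],
           "a": [[ai % qj for qj in q_moduli] for ai in a2],   # a_ij
           "g": [((w2 * p) % q) % qj for qj in q_moduli],      # g_j = |W' P|_{q_j}
           "f": [(ai << t) // p for ai in a1]}                 # f_i = a'_i / P, truncated
    priv = {"b": b, "e": e, "p": p, "w": w, "q": q, "q_moduli": q_moduli, "w2": w2}
    return pub, priv


def encode(pub, x):
    """y_j = sum_i x_i a_ij - A_x g_j; reduced mod q_j only for the public moduli."""
    ax = sum(xi * fi for xi, fi in zip(x, pub["f"])) >> pub["t"]   # nonlinear term A_x
    y = []
    for j, gj in enumerate(pub["g"]):
        yj = sum(xi * pub["a"][i][j] for i, xi in enumerate(x)) - ax * gj
        y.append(yj % pub["q_public"][j] if j < pub["m_public"] else yj)
    return y


def solve_superincreasing(b, target):
    x = [0] * len(b)
    for i in reversed(range(len(b))):         # largest weight first
        x[i], target = divmod(target, b[i])
    return x


def decode(priv, y):
    """Sequential unwinding: CRT, then W'^-1 mod Q, reduce mod P, then W^-1 mod P."""
    qm = priv["q_moduli"]
    yq = crt([yj % qj for yj, qj in zip(y, qm)], qm)
    bq = (yq * pow(priv["w2"], -1, priv["q"])) % priv["q"]   # equals b or b + P
    target = ((bq % priv["p"]) * pow(priv["w"], -1, priv["p"])) % priv["p"]
    return solve_superincreasing(priv["b"], target)


def correction_term_error(pub, priv, x):
    """Exact floor(sum_i x_i a'_i / P) minus the encoder's estimate A_x: always 0 or 1."""
    exact = sum(xi * ((priv["w"] * bi) % priv["p"]) for xi, bi in zip(x, priv["b"]))
    return exact // priv["p"] - (sum(xi * fi for xi, fi in zip(x, pub["f"])) >> pub["t"])


def make_double_encryption_key(priv, s_hat=4, e_hat=E_BITS):
    """Fold CRT recombination, W'^-1 mod Q and W^-1 mod P into one knapsack over
    the s_hat-bit digits z_i of the residues, with one nonlinear term A_z."""
    p, q, qm, e = priv["p"], priv["q"], priv["q_moduli"], priv["e"]
    # exactness of A_z needs Q(1 - 2^-e_hat) > P(1 + 2^-e); fractions are rounded UP
    assert q * ((1 << e_hat) - 1) * (1 << e) > p * ((1 << e) + 1) * (1 << e_hat)
    winv, w2inv = pow(priv["w"], -1, p), pow(priv["w2"], -1, q)
    digits = [(qj.bit_length() + s_hat - 1) // s_hat for qj in qm]   # z digits per residue
    n_hat = sum(digits)
    t_hat = s_hat + (n_hat - 1).bit_length() + e_hat
    weights, fracs = [], []
    for qj, nd in zip(qm, digits):
        unit = ((q // qj) * pow(q // qj, -1, qj)) % q        # CRT basis element for q_j
        for d in range(nd):
            nprime = ((w2inv * unit) << (s_hat * d)) % q      # |W'^-1 2^{s_hat d} unit|_Q
            weights.append((winv * nprime) % p)               # |W^-1 nprime|_P
            fracs.append(-((-nprime << t_hat) // q))          # ceil(nprime 2^t_hat / Q)
    return {"s_hat": s_hat, "t_hat": t_hat, "digits": digits, "q_moduli": qm, "p": p,
            "b": priv["b"], "weights": weights, "fracs": fracs, "g_hat": (winv * q) % p}


def decode_double_encryption(dkey, y):
    """One knapsack evaluation replaces the two sequential modular multiplications."""
    s_hat, mask, z = dkey["s_hat"], (1 << dkey["s_hat"]) - 1, []
    for yj, qj, nd in zip(y, dkey["q_moduli"], dkey["digits"]):
        yj %= qj                                   # reduce secret-modulus residues first
        z += [(yj >> (s_hat * d)) & mask for d in range(nd)]
    az = sum(zi * fi for zi, fi in zip(z, dkey["fracs"])) >> dkey["t_hat"]   # exact A_z
    b = (sum(zi * ni for zi, ni in zip(z, dkey["weights"])) - az * dkey["g_hat"]) % dkey["p"]
    return solve_superincreasing(dkey["b"], b)
```

Any message in $[0, 16)^4$ round-trips through `encode` and either decoder. `correction_term_error` exposes the case the large-sum principle exists for: when the truncated fractions underestimate $A_x$ by one, `decode` still recovers the message because $b + P < Q$ and the reduction modulo $P$ removes the extra $P$. The assertion in `make_double_encryption_key` is the condition $Q(1 - 2^{-e}) > P(1 + 2^{-e})$ under which the rounded-up fractions give $A_z$ exactly; without it the double-encryption decoder is no longer guaranteed to be exact even though the sequential decoder still works.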

In still other embodiments, the number of nonlinear terms generated per iteration of modular multiplication can be increased to some positive integer $n_k$, where

$$p_k = \prod_{j=1}^{n_k} p_{jk}$$

(with $r \ge 2$, $n > 2$, and $n_k \ge 1$ for signatures only) and $p_{j,k+1} \ge p_{jk}(1 + 2^{-e})$. The encoding function is generally defined so that each sub-modulus $p_{jk}$ contributes its own nonlinear term $A_{x,jk}$, with its own fractions and its own multipliers $g$ in the final ring, in place of the single term $A_{x,k}$ per iteration: $y_j \equiv \sum_i x_i a_{ij} - \sum_k \sum_{j'} A_{x,j'k}\, g_{j,j'k} \pmod{q_j}$ for $j = 1$ to $m'$, and unreduced for $j = m'+1$ to $m$, where the weight residues modulo $p_{jk}$ are wound forward into the next ring along the same path (with the same modular multiplications) taken by the weights $a_i$. Decoding unwinds the modular multiplications by retracing the path (or paths of the residues) followed during encoding, where

$$y_j^{k-1} \equiv (W_{jk})^{-1}\, y_j^{k} \pmod{p_{jk}}, \qquad j = 1 \text{ to } n_k,\ k = r \text{ decrementing to } 1.$$

There can only be one nonlinear term to correct for overflow modulo $p_1$ (i.e. $n_1 = 1$) because of Stern and Toffin's attack. In general, $p_{k+1}$ has to have a minimum of $n_k$ moduli, but that does not necessarily require $n_{k+1} \ge n_k$, because the residues modulo the $p_{jk}$ can be recombined with the Chinese remainder theorem or reduced further (the product of the sub-moduli equals the parent modulus). The $g_{jk}$, for $k = 1$ to $r - 1$ and $j = 1$ to $n_k$, can be standardized. Double-encryption can be used for decoding, and there are $n_k$ nonlinear terms per ring $p_k$ during decoding, as is the case during encoding. The difficulty of the encoding problem is conjectured to increase with the number of nonlinear terms; however, the amount of computation and the public key size increase proportionately.
In further still embodiments, the nonlinear terms in the encoder can be eliminated entirely. Then the total public key consists of $a_{ij}$, for $i = 1$ to $n$ and $j = 1$ to $m$, and $q_j$, for $j = 1$ to $m'$, as defined in previous embodiments. This embodiment may have a more secure trapdoor, but the public key size, message expansion, and average number of signature generation trials increase. Encoding is performed according to the relations

$$y_j \equiv \sum_{i=1}^{n} x_i a_{ij} \pmod{q_j}, \qquad j = 1 \text{ to } m',$$

$$y_j = \sum_{i=1}^{n} x_i a_{ij}, \qquad j = m'+1 \text{ to } m.$$

Decoding is the same as with previous embodiments. The number of iterations of modular multiplication during key generation is $r > 1$. To ensure correct decoding, the small-sum principle has to be satisfied:

$$p_{k+1} > (2^s - 1) \sum_{i=1}^{n} a_i^k, \qquad k = 1 \text{ to } r - 1.$$

This embodiment requires $n \ge 4$ to thwart integer programming, $ns \ge 200$ to block enumeration attacks, and an additional minimum parameter size when $n < 11$ to counter Shamir's attack on compact knapsacks. There are an average of $p_r / p_1$ signature generation trials.
In yet further embodiments, the message can be encrypted with other cryptosystems, or any series of invertible operations, prior to or after encoding with the present invention. Similarly, the following variations on the use of the encoding/decoding devices are to be considered as obvious to one skilled in the prior art and therefore within the intended scope of the attached claims:
(1) using the encoding/decoding devices in cipher-feedback mode or message-chaining mode instead of the simple block encoding method described here, or as a pseudorandom number generator to generate pads;
(2) signatures may be effected by signing a transformed version of the message, where the transformation is known and is not necessarily invertible;
(3) using the present invention to transmit keys to be used in another encryption method for encoding subsequent messages;
(4) sending or receiving signed and/or secret messages by any combination of parties in a communications network where each party has their own private decoding-key and mathematically related public encoding-key;
(5) compressing messages before encoding so as to minimize storage area and increase security by reducing the redundancy in the message;
(6) sending a secret signed message by encoding the message first with the public encoding-key of the receiver and then decoding the encoded message with the private decoding-key of the sender, or decoding first and then encoding, where the receiver undoes the encoding/decoding transformations in the opposite order to that in which they were applied.
Key-management protocols may be employed to distribute the public encoding-keys of all parties in a network to all other parties in the network and to permit the detection of tampering in the distribution of the public encoding-keys. The following key-management protocols are established in the prior art and may be employed to distribute a public encoding-key belonging to a party A to a second party B with the present invention:
(7) the public key of party A, along with identification data, is signed by a key-management center, stored by party A and transmitted to party B;
(8) party B obtains the public encoding-key of party A from a list of identities and corresponding public keys, which may be signed by a trusted key-management center; and
(9) the public key of party A is transmitted to party B along with the message, and party B checks a compressed public key of party A against a similarly compressed list of public keys, which may have been signed by a trusted key-management center.
Other protocols that are designed for public-key cryptosystems may readily be employed with the present invention (see, for example, R. C. Merkle, "Protocols for public key cryptosystems", Proceedings of the 1980 IEEE Symposium on Security and Privacy, IEEE Computer Society, 1980, and S. [surname illegible in the source], "Privacy and authentication in ISDN: The key distribution problem", Proceedings of the International Switching Symposium).

The present invention may be employed as a component of a communication and/or identification system such as a chip card, chip card reader, telephone, communications switch, personal security module, automated teller, point-of-service banking system, electronic funds transfer system, electronic cash system, dog tag, identification friend-or-foe system, inventory controller, lottery machine, access controller or computer.

Claims (20)

1. A cryptographic communication system comprising:
A. a communications channel;
B. an encoding means coupled to said channel and adapted for transforming a transmitted message signal {X1, X2, ..., Xn} to a ciphertext signal {Y1, Y2, ..., Ym} on said channel, where {X1, X2, ..., Xn} corresponds to a set of integers representative of a message and Xi ∈ [0, 2^s), for i = 1 to n, where n > 1 and s is some positive integer, and where {Y1, Y2, ..., Ym} corresponds to a set of integers representative of an enciphered form of said message and corresponds to mod qj for j = 1 to m', , for j = m' + 1 to m, and , where m > 1, 1 ≤ m' < m, and r = 2 (r is the number of iterations of modular multiplication), and where the encoding key consists of the integers aij, gj, and fractions fi ∈ [0.0, 1.0), for i = 1 to n and j = 1 to m, and qj for j = 1 to m', wherein aij ≡ ||W'|W bi|P|Q|qj, gj ≡ W'P mod qj, (in the present notation, |c|d is equivalent to c mod d and ⌊c⌋ represents truncation, or the largest integer less than or equal to c) and where {b1, b2, ..., bn} is a superincreasing series with and , and where {q1, q2, ..., qm} are chosen such that , where Ax has an approximation error bounded by (-2^-e, 0.0] before truncation and the fractions fi, for i = 1 to n, are truncated at s + log2 n + e bits precision, where e is a positive number, and where P is relatively prime to bi for i = 1 to n, and where {q1, q2, ..., qm} are pairwise relatively prime, and where P and Q are relatively prime, and where W and P are relatively prime, and where W' and Q are relatively prime, and a decoding means coupled to said channel and adapted for receiving {y1, y2, ..., ym} from said channel and for transforming {y1, y2, ..., ym} to a received message word signal {X'1, X'2, ..., X'n}, wherein {X'1, X'2, ..., X'n} correspond to a set of numbers representative of a deciphered form of {y1, y2, ..., ym} and correspond to the solution of a knapsack problem with superincreasing weights {b1, b2, ..., bn} and target value b ≡ |W^-1|W'^-1 y|Q|P, where y ≡ {y1, y2, ..., ym} mod {q1, q2, ..., qm}, and where the knapsack problem is solved sequentially, for i = n decrementing to 1, according to the relation to return the deciphered message {X'1, X'2, ..., X'n}, and where the decoding key is the positive integers W, W', {q1, q2, ..., qm}, {b1, b2, ..., bn}, and P.
2. The system of claim 1 and comprising further iterations of modular multiplication during key generation, wherein the cryptographic communications system comprises:
A. a communications channel;
B. an encoding means with a total of r > 1 iterations of modular multiplication during key generation, where a message block {X1, X2, ..., Xn} is encoded according to the relations mod qj for j = 1 to m', , for j = m' + 1 to m, and , where Xi ∈ [0, 2^s), for i = 1 to n, and where 0 ≤ m' < m, m > 1, and n > 1, and where the encoding key contains the integers aij, gjk, and fractions fik and fhk, for i = 1 to n, j = 1 to m, k = 1 to r - 1, and h = 1 to k - 1, and qj, for j = 1 to m', wherein aij ≡ ai^r mod qj, where ai^r is obtained by calculating ai^k ≡ Wk ai^(k-1) mod pk, from k = 1 to r, where ai^0 = bi for i = 1 to n, and , , where ph,k is obtained by calculating ph,h+1 ≡ Wh+1 ph mod ph+1, ph,h+2 ≡ Wh+2 ph,h+1 mod ph+2, ..., ph,k ≡ Wk ph,k-1 mod pk, and gjk ≡ pk,r mod qj, and where a set of initial weights {b1, b2, ..., bn} = {a1^0, a2^0, ..., an^0} are selected as a superincreasing series according to the relations , , and pk+1 > pk(1 + 2^-e), for k = 1 to r - 1, where the estimation of Ax,k is accurate to (-2^-e, 0.0] and the fractions fik and fhk, for i = 1 to n, k = 1 to r - 1, and h = 1 to k - 1, are truncated at s + e + log2 n + (k - 1) bits precision, where e is a positive number, and where {q1, q2, ..., qm} are pairwise relatively prime and pr = q1 q2 ... qm, and , where p1 is relatively prime to bi for i = 1 to n, and where pk+1 and pk are relatively prime, for k = 1 to r - 1, and where Wk and pk are relatively prime, for k = 1 to r, and a decoding means where an enciphered message block {y1, y2, ..., ym} is decoded by first calculating yk-1 ≡ yk (Wk)^-1 mod pk, from k = r decrementing to 1, where yr ≡ {y1, y2, ..., ym} mod {q1, q2, ..., qm}, and then solving a knapsack problem with superincreasing weights {b1, b2, ..., bn} and target value b = y0, by calculating sequentially , from i = n decrementing to 1, to return the deciphered message {X'1, X'2, ..., X'n}, and where the decoding key includes the positive integers {b1, b2, ..., bn}, {W1, W2, ..., Wr}, {p1, p2, ..., pr}, and {q1, q2, ..., qm}.
3. The system of claim 2 and further comprising an alternate initial knapsack construction, wherein the initial knapsack weights {b1, b2, ..., bn} are selected as a partially superincreasing series that contains n'' non-superincreasing bands, where a superincreasing series {d1, d2, ..., dn'} is first selected according to the relations and , (P = p1) and then {d1, d2, ..., dn'} is divided into two subsets S and S*, where S contains any n elements, S* contains the remaining n'' elements, and n' = n + n'', and where the initial knapsack weights {b1, b2, ..., bn} are calculated as bi = dj + Σ rik dk, for i = 1 to n, where dj ∈ S, a different value of dj from subset S is used with each bi, and rik is randomly selected from [0, 2^(si/n)), for all k ∈ S*, and where the message is assigned to Xi ∈ [0, 2^si), for i = 1 to n, and where decoding is performed by solving a superincreasing series with weights {d1, d2, ..., dn'} and target value b, and the deciphered message {X'1, X'2, ..., X'n} corresponds to the coefficients of the subset S of {d1, d2, ..., dn'}.
4. The system of claim 3 and further comprising an alternate initial knapsack construction, wherein the initial ring of integers modulo P = p1 is selected as a residue number system, where and {p1, p2, ..., pn} are chosen randomly from the interval pi ∈ [2^d, 2^(d+y)), for i = 1 to n, where d and y are positive integers, where {p1, p2, ..., pn} are pairwise relatively prime, and where the initial knapsack weights {b1, b2, ..., bn} are generated by first selecting the matrix , where bij, for i = 1 to n and j = 1 to n, are randomly chosen from the range bij ∈ [0, 2^z) such that the matrix b is nonsingular and invertible and the sum of each column of b is less than 2^z, and where the initial knapsack weights {b1, b2, ..., bn} are defined by the relation bi ≡ {bi1, bi2, ..., bin} mod {p1, p2, ..., pn}, and the residues {bi1, bi2, ..., bin} can be recombined by the Chinese remainder theorem according to the relation , where Pj = P/pj, and where a message block {X1, X2, ..., Xn} satisfies Xi < 2^s, for i = 1 to n, and where d ≥ s + z, and where a message is enciphered with an encoding key generated from {b1, b2, ..., bn} with n > 1 and r > 1, and where an enciphered message {y1, y2, ..., ym} is decoded by calculating X''i = y0 mod pi, for i = 1 to n, where y0 is first obtained by calculating yk-1 ≡ yk (Wk)^-1 mod pk, from k = r decrementing to 1, where yr ≡ {y1, y2, ..., ym} mod {q1, q2, ..., qm}, and then the matrix multiplication X' = X'' b^-1 is performed, where X' = {X'1, X'2, ..., X'n} and X'' = {X''1, X''2, ..., X''n}, and where the deciphered message {X'1, X'2, ..., X'n} is congruent to the original message {X1, X2, ..., Xn} modulo {p1, p2, ..., pn}.
5. The system of claim 4 and further comprising an alternate initial knapsack construction, wherein the matrix B is selected as the identity matrix and b_i = (P/P_i) · ((P/P_i)^{−1} mod P_i), for i = 1 to n, where P = P_1 P_2 ... P_n and n > 1.
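The residue-number-system knapsack of claims 4 and 5, as an added worked example (not code from the patent). It builds the moduli P_i, the matrix B with column sums below 2^z, the CRT-recombined weights b_i, and the decoder x''_i = y_0 mod P_i followed by x' = x'' B^{−1}; with B = I it reduces to claim 5, where each b_i is the CRT basis element and x_i is read directly as y_0 mod P_i. Toy sizes (n = 3, s = 8, z = 6, d = s + z) and the modular-multiplication disguise stages are omitted, so y_0 here is the undisguised knapsack sum; the sample message is constructed from a seeded generator.

```python
import random
from fractions import Fraction
from math import gcd, prod

# Toy parameters: n residues, message digits x_i < 2^s, matrix entries < 2^z,
# moduli P_i in [2^d, 2^d + Y) with d >= s + z as claim 4 requires.
N, S, Z, Y = 3, 8, 6, 1 << 10
D = S + Z


def choose_moduli(rng, n=N, d=D, y=Y):
    """Pairwise relatively prime moduli P_i drawn from [2^d, 2^d + Y)."""
    moduli = []
    while len(moduli) < n:
        cand = rng.randrange(1 << d, (1 << d) + y)
        if all(gcd(cand, p) == 1 for p in moduli):
            moduli.append(cand)
    return moduli


def crt_combine(residues, moduli):
    """Chinese remainder theorem: the integer in [0, P) with the given residues,
    built from the basis elements (P/P_j) * ((P/P_j)^-1 mod P_j) of claim 5."""
    P = prod(moduli)
    total = 0
    for r, p in zip(residues, moduli):
        cof = P // p
        total += r * cof * pow(cof, -1, p)
    return total % P


def solve_row_system(B, v):
    """Solve x * B = v for the row vector x over the rationals (Gauss-Jordan).
    Raises ValueError if B is singular."""
    n = len(B)
    # Row j of the augmented matrix is the equation sum_i x_i * B[i][j] = v[j].
    A = [[Fraction(B[i][j]) for i in range(n)] + [Fraction(v[j])] for j in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            raise ValueError("matrix B is singular")
        A[col], A[piv] = A[piv], A[col]
        pv = A[col][col]
        A[col] = [a / pv for a in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [A[r][n] for r in range(n)]


def keygen(rng, n=N, z=Z, identity=False):
    """Initial knapsack of claim 4 (random B) or claim 5 (B = I): weights b_i = CRT(row i of B)."""
    moduli = choose_moduli(rng, n)
    while True:
        if identity:
            B = [[int(i == j) for j in range(n)] for i in range(n)]
        else:
            # entries below 2^z / n keep every column sum below 2^z
            B = [[rng.randrange((1 << z) // n) for _ in range(n)] for _ in range(n)]
        try:
            solve_row_system(B, [0] * n)      # nonsingularity check
            break
        except ValueError:
            continue
    weights = [crt_combine(B[i], moduli) for i in range(n)]
    return {"moduli": moduli, "B": B, "weights": weights, "P": prod(moduli)}


def encode(key, x):
    """Undisguised knapsack sum y_0 = sum x_i b_i mod P."""
    assert all(0 <= xi < (1 << S) for xi in x)
    return sum(xi * bi for xi, bi in zip(x, key["weights"])) % key["P"]


def decode(key, y0):
    """x''_i = y_0 mod P_i, then x' = x'' B^-1.  Because sum_i x_i b_ij < 2^(s+z) <= P_j,
    the residues equal the integer row product x B, so the solve is exact."""
    x2 = [y0 % p for p in key["moduli"]]
    x1 = solve_row_system(key["B"], x2)
    assert all(v.denominator == 1 for v in x1), "residues are not an exact row combination"
    return [int(v) for v in x1]


def roundtrip(seed=1, identity=False):
    """True when a constructed random message survives encode/decode."""
    rng = random.Random(seed)
    key = keygen(rng, identity=identity)
    x = [rng.randrange(1 << S) for _ in range(N)]
    return decode(key, encode(key, x)) == x
```

The condition d ≥ s + z is what makes the decoder exact: each residue of y_0 is Σ_i x_i b_ij taken modulo P_j, and the bound on the column sums keeps that integer below 2^{s+z} ≤ P_j, so no reduction actually happens and the rational solve returns integers. A key whose column sums violate the bound decodes to wrong or non-integer values, which the assertion in `decode` reports instead of silently returning garbage.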
6. The system of claim 5 and further comprising an alternate initial knapsack construction, wherein the matrix B is selected with dimensions n−1 by n−1 and b_ij ∈ [0, 2^s), for i = 1 to n−1 and j = 1 to n−1, and where [relation not reproduced], P_i ≥ 2^d, and d ≥ s + z, and where b_i ≡ {b_i1, b_i2, ..., b_i,n−1} mod {P_1, P_2, ..., P_{n−1}}, for i = 1 to n−1, and b_n = 1, and where the message is assigned to x_n ∈ [0, 2^s) and random bits are assigned to x_i ∈ [0, 2^z), for i = 1 to n−1, and where decoding is performed by first calculating x' = x'' B^{−1}, where x' = {x'_1, x'_2, ..., x'_{n−1}} are rational numbers, and then the deciphered message is [expression not reproduced], where i is any integer from the range [1, n−1) and δ_i = 0 if the [word missing] of the ith column of B^{−1} is positive and δ_i = 1 otherwise.
7. The system of claim 6 and further comprising an alternate initial knapsack construction, wherein mixed radix conversion, X ≡ P_1 [(X_2 − X_1) P_1^{−1}]_{P_2} + X_1, is used to combine {X_1, X_2} in the ring of integers modulo P = p_1, and where the initial knapsack weights are {b_1, b_2} = {1, P_1 [P_1^{−1}]_{P_2}}, and where a message is assigned to {X_1, X_2} such that X_i ∈ [0, 2^s) and X_2 > X_1, with n = 2 and r > 1, and where an enciphered message {y_1, y_2, ..., y_m} is decoded by calculating X'_i ≡ y_0 mod P_i, for i = 1 to n, where y_0 is first obtained by calculating y_{k−1} ≡ y_k (ω_k)^{−1} mod p_k, from k = r decrementing to 1, where y_r ≡ {y_1, y_2, ..., y_m} mod {q_1, q_2, ..., q_m}, and where a deciphered message {X'_1, X'_2} is congruent to the original message {X_1, X_2} modulo {P_1, P_2}.
8. The system of claim 7 and further comprising an alternate decoder with double-encryption, where the ciphertext {y_1, y_2, ..., y_m} is first mapped to {z_1, z_2, ..., z_n} such that [relation not reproduced] mod q_j, where [not reproduced], z_i ∈ [0, 2^s), for i = 1 to n, and s is a positive integer, and where b is calculated according to the relations [not reproduced] and [not reproduced], where {c_r, c_{r−1}, ..., c_1} = {p_1, p_2, ..., p_r}, [quantity not reproduced] ≡ (ω_k)^{−1} [...] mod c_k, [...], and g_k = c_{k,r}, and where c_{h,k} is obtained by calculating c_{h,h+1} ≡ (ω_{h+1})^{−1} c_h mod c_{h+1}, [...], and where [two quantities not reproduced] are defined by [...] = Q_j [2^{(i − d_{j−1})} Q_j^{−1}]_{q_j}, where Q = Π q_j, Q_j = Q/q_j, and d_{j−1} < i ≤ d_j, and where the deciphered message {x'_1, x'_2, ..., x'_n} is obtained by solving a superincreasing series with target value b and initial weights {b_1, b_2, ..., b_n}, and where p_{k+1}(1 − 2^{−e}) > p_k(1 + 2^{−e}), for k = 1 to r−1, and the fractions f_ik and f_hk, for i = 1 to n, k = 1 to r−1, and h = 1 to k−1, are rounded up at s + e + log_2 n + (k−1) bits precision.
9. The system of claim 8 and comprising further nonlinear terms, wherein the number of nonlinear terms generated per iteration of modular multiplication is increased to some positive integer m_k, and where [relation not reproduced] and there are m_k terms [not reproduced], for l = 1 to m_k, in the encoder from the ring of integers modulo p_k, where k ∈ {1, ..., r−1}, and where m_{r−1} = 1, and where [relation not reproduced] and p_{k+1} > p_k(1 + 2^{−e}), and where [encoding relation not reproduced] mod q_j, for j = 1 to m', [not reproduced], for j = m'+1 to m, and [not reproduced], where [not reproduced], α_{k+1} ≡ [...] mod p_{k+1} ≡ ω_{k+1}(α_k mod p_k) mod p_{k+1}, for j = 1 to m_k, [...], and where [quantity not reproduced] is obtained by modular multiplying p_k to modulus p_{k+1} according to the same relations followed by α_k, and where decoding unwinds the modular multiplications according to y_{k−1} ≡ (ω_k)^{−1} y_k mod p_k, for j = 1 to m_k, decrementing from k = r to 1.
10. The system of claim 9 without any nonlinear terms, wherein an entire encoding-key consists of α_ij, for i = 1 to n and j = 1 to m, and q_j, for j = 1 to m', and where encoding is performed according to the relations [not reproduced] mod q_j, for j = 1 to m', and [not reproduced], for j = m'+1 to m, and where the key satisfies the small-sum principle: [relation not reproduced], for k = 1 to r, where r ≥ 1.
11. The system of claim 10, wherein an encoder and/or decoder comprises: a general purpose processor, such as a microprocessor, parallel processor, or computer, or a dedicated encoder and/or decoder comprising integrated circuits, and wherein the general purpose processor or dedicated encoder and/or decoder consists of: registers for storing inputs and outputs of the encoder and decoder and constants related to the key; adders, multipliers, modular multipliers, and modular reduction circuits for encoding and decoding; and write-only registers for storing the secret key, and where the encoder and decoder are part of a cryptographic communication and/or identification system.
12. A method of shortening the public encoding-key, wherein a subset of the variables in the public encoding-key are standardized during key generation, such that the standardized subset of each user's public encoding-key in a network is identical, and where the full public encoding-key is α_ij, g_kj, and fractions f_ik and f_hk, for i = 1 to n, j = 1 to m, k = 1 to r−1, and h = 1 to k−1, and q_j, for j = 1 to m', and where the encoding and decoding relations are unchanged, and where {q_1, q_2, ..., q_m} is standardized, and where one weight {α_v1, α_v2, ..., α_vm} is standardized, where v is one of the integer values in the range [1, n], and where g_kj, for k = 1 to r−1 and j = 1 to m, are standardized, and where the standardized values of α_vj and g_kj, for k = 1 to r−1 and j = 1 to m, are randomly selected (or chosen with certain bit patterns) from the range [0, q_j), and where {b_1, b_2, ..., b_n}, {p_1, p_2, ..., p_r}, and {q_{m'+1}, q_{m'+2}, ..., q_m} are chosen secretly and are not standardized, and where {ω_1, ω_2, ..., ω_r} are found sequentially according to the relation ω_k ≡ (p_{k−1})^{−1} p_{k−1,k} mod p_k, from k = r decrementing to 2, where p_{k−1,k} is obtained by sequentially calculating p_{k−1,r−1} ≡ (ω_r)^{−1} p_{k−1,r} mod p_r, p_{k−1,r−2} ≡ (ω_{r−1})^{−1} p_{k−1,r−1} mod p_{r−1}, ..., p_{k−1,k} ≡ (ω_{k+1})^{−1} p_{k−1,k+1} mod p_{k+1}, where p_{k−1,r} = g_{k−1} and g_k ≡ {g_k1, g_k2, ..., g_km} mod {q_1, q_2, ..., q_m}, and where ω_1 is found according to the relation [not reproduced] mod p_1, where α_v0 = b_v and [quantity not reproduced] is obtained by sequentially calculating [...] mod p_r, [...] mod p_{r−1}, ..., [...] mod p_2, where α_vr ≡ {α_v1, α_v2, ..., α_vm} mod {q_1, q_2, ..., q_m}, and where the rest of the public key, α_ij for i = 1 to v−1 and i = v+1 to n, and fractions f_ik and f_hk, for i = 1 to n, j = 1 to m, k = 1 to r−1, and h = 1 to k−1, are not standardized and can be generated from the private key, which is now fully selected.
13. The method of claim 12 and further comprising an alternate method of shortening the public encoding-key with n = 1, wherein a subset of the variables in the public encoding-key are standardized during key generation, such that the standardized subset of each user's public encoding-key in a network is identical, and where the full public encoding-key is α_1j, g_kj, and fractions f_k and f_hk, for j = 1 to m, k = 1 to r−1, and h = 1 to k−1, and q_j, for j = 1 to m', and where the encoding and decoding relations are unchanged, and where {q_1, q_2, ..., q_m} are standardized, and where the fractions f_k, for k = 1 to r−1, are standardized to some value within the range [0.0, 1.0), and where g_{r−1,j}, for j = 1 to m', are standardized to values from the range [0, q_j), and where b_1 and {p_1, p_2, ..., p_{r−1}} are chosen secretly and are not standardized, and where {ω_1, ω_2, ..., ω_{r−1}} are found sequentially according to the relation ω_k ≡ (α_{k−1})^{−1} ⌊f_k p_k⌋ mod p_k, for k = 1 to r−1, and where ω_r is calculated according to the relation ω_r ≡ (p_{r−1})^{−1} g_{r−1,j} mod q_j, where the rest of the public key is not standardized and can be generated from the private key, which is now fully selected.
14. The method of claim 13 and further comprising a method of signing and verifying messages, wherein a signature of a message is generated with a decoding device using a private decoding-key of a sender, where n ≥ 1 and r > 1, and where a message-to-be-signed is mapped to {y_1, y_2, ..., y_{m'}} by a blocking method, where y_j ∈ [0, q_j) for j = 1 to m', and 1 ≤ m', and where secret random integers are assigned to {y_{m'+1}, y_{m'+2}, ..., y_m}, or {y_{m'+1}, y_{m'+2}, ..., y_m} may be secret pseudo-random integers or secret non-random integers, or {y_{m'+1}, y_{m'+2}, ..., y_m} may be set to non-secret integers that are constant for all signatures, and where decoding {y_1, y_2, ..., y_m} with the private decoding-key of the sender yields the signature {x_1, x_2, ..., x_n}, and where the sender then checks if x_j < 2^s, for j = 1 to n, and if this test is failed, then signature generation is repeated with any new random value (or any function of the previous random value) for the residues {y_{m'+1}, y_{m'+2}, ..., y_m}, and where the message may be enciphered with a symmetric or asymmetric cryptosystem such as the present invention, and where the signature and message (or encoded message) are sent to a receiver along a communications channel, and the signature {x_1, x_2, ..., x_n} is checked by the receiver or a third party by encoding {x_1, x_2, ..., x_n} to {y'_1, y'_2, ..., y'_{m'}} with an encoding device and a public encoding-key corresponding to the sender, and where the received message (or deciphered message) is assigned to {y_1, y_2, ..., y_m} by the same blocking method as used by the sender, and where the signature is valid if [relation not reproduced] mod q_j, for j = 1 to m', where d_k ∈ [−1, ⌊p_{k+1}/p_k⌋ + 1].
15. The method of claim 14 and further comprising an alternate method of signing messages, wherein: the signature is generated by assigning the message (or hash value) to {y_1, y_2, ..., y_{m'}}, where y_j ∈ [0, q_j) for j = 1 to m', and where n ≥ 1 and r > 1, and where a secret random integer c (or secret non-random integer or fixed public integer) is selected from the range [p_{r−1} 2^{−e}/q, p_{r−1}/q), where [q not reproduced], and where y mod q and c are combined according to the relation [not reproduced], where y_r ≡ {y_1, y_2, ..., y_{m'}} mod {q_1, q_2, ..., q_{m'}}, and where signature generation is completed from y_{r−1} and the signature is valid if [relation not reproduced] mod q_j, for j = 1 to m', where d_k ∈ [−1, ⌊p_{k+1}/p_k⌋ + 1].
16. A method as claimed in claim 15, wherein n = 1, m' = 1, r = 2, and the signature is x ∈ [0, 2^s), and where P is secretly selected from [2^{s+θ}, 2^{s+v}), where θ and v are positive integers, and where the public encoding-key includes α, g, f and q, where α ≡ w'w mod q, f = w/P, and g ≡ w'P mod q, and where a sender assigns a message-to-be-signed to y ∈ [0, q), and where the sender generates a signature x according to the relation x ≡ [w^{−1}([w'^{−1} y]_q + cq)]_P, where c is a secret random number (or secret non-random integer or fixed public integer) from the range [P 2^{−e}/q, P/q), where the fraction f = w/P in the public encoding-key of the sender is precise to s + e bits, and where signature generation is repeated with a new value of c if x ∉ [0, 2^s), and where the signature x is verified by encoding x according to the relation y' ≡ xα − ⌊xf⌋ g mod q, and the signature is valid if y' ≡ y mod q.
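The n = 1, r = 2 signature of claim 16 carried through end to end, as an added example (not code from the patent): key generation, the signing loop with its retry until x < 2^s, and the public verification y' ≡ xα − ⌊xf⌋g mod q. Assumptions beyond the claim text: q is chosen around 2^s; f is stored as the integer F = ⌊w · 2^{s+e}/P⌋, i.e. w/P truncated to s + e bits; P and q are random odd numbers rather than primes (the claim only fixes P's range); and the signer additionally rejects a draw of c for which [w'^{−1}y]_q + cq ≥ P, so that (wx) mod P equals that sum exactly and the verifier's equality holds without the d·g slack that claims 14 and 15 allow. Toy parameters (s = 32, e = 8) and a seeded generator are used for reproducibility.

```python
import random
from math import gcd


def coprime_unit(rng, modulus):
    """Random integer in [2, modulus) that is invertible modulo `modulus`."""
    while True:
        c = rng.randrange(2, modulus)
        if gcd(c, modulus) == 1:
            return c


def keygen(rng, s=32, theta=4, v=5, e=8):
    """Claim 16 key.  Private: P, w (= omega_1), w' (= omega_2).
    Public: q, alpha = w' w mod q, g = w' P mod q, and F with f = F / 2^(s+e)."""
    P = rng.randrange(1 << (s + theta), 1 << (s + v)) | 1   # P in [2^(s+theta), 2^(s+v))
    q = rng.randrange(1 << (s - 1), 1 << s) | 1              # assumption: q is about 2^s
    w = coprime_unit(rng, P)
    w2 = coprime_unit(rng, q)
    F = (w << (s + e)) // P                                  # w/P truncated to s+e bits (assumed)
    pub = {"s": s, "e": e, "q": q, "alpha": (w2 * w) % q, "g": (w2 * P) % q, "F": F}
    priv = {"P": P, "w_inv": pow(w, -1, P), "w2_inv": pow(w2, -1, q)}
    return priv, pub


def sign(priv, pub, y, rng, max_tries=100_000):
    """x = [w^-1 ([w'^-1 y]_q + c q)]_P, redrawing c until x < 2^s."""
    s, e, q, P = pub["s"], pub["e"], pub["q"], priv["P"]
    t = (priv["w2_inv"] * (y % q)) % q                      # [w'^-1 y]_q
    c_lo = -(-P // (q << e))     # ceil(P 2^-e / q): makes frac(x w / P) >= 2^-e,
    c_hi = -(-P // q)            # so the truncated f cannot move floor(x f); c < P/q
    for _ in range(max_tries):
        c = rng.randrange(c_lo, c_hi)
        z = t + c * q
        if z >= P:               # added check: keep (w x) mod P == z exactly; otherwise the
            continue             # verifier sees y' = y - g, the multiple-of-g slack of claims 14/15
        x = (priv["w_inv"] * z) % P
        if x < (1 << s):         # claim 16: repeat with a new c until the signature is short
            return x
    raise RuntimeError("no signature below 2^s found; P is too large relative to 2^s")


def verify(pub, x, y):
    """Public check: y' = x alpha - floor(x f) g mod q, valid iff y' == y mod q."""
    s, e, q = pub["s"], pub["e"], pub["q"]
    if not 0 <= x < (1 << s):
        return False
    y_prime = (x * pub["alpha"] - ((x * pub["F"]) >> (s + e)) * pub["g"]) % q
    return y_prime == y % q


def demo(seed=1):
    """(genuine signature verifies, same signature on a tampered message verifies)."""
    rng = random.Random(seed)        # seeded for reproducibility; use a CSPRNG for real keys
    priv, pub = keygen(rng)
    y = rng.randrange(pub["q"])      # constructed message block in [0, q)
    x = sign(priv, pub, y, rng)
    return verify(pub, x, y), verify(pub, x, (y + 1) % pub["q"])
```

Why the verifier's identity holds: x ≡ w^{−1}z (mod P) with z < P gives wx mod P = z, so xα − ⌊xw/P⌋g ≡ w'(xw − ⌊xw/P⌋P) = w'z ≡ y (mod q). The lower bound on c is what keeps the public, truncated f usable: it guarantees the fractional part of xw/P is at least 2^{−e}, while x < 2^s bounds the truncation error of x·f below 2^{−e}, so ⌊xf⌋ = ⌊xw/P⌋. Expect roughly 2^θ signing attempts, since x is uniform in [0, P) and only a 2^s/P fraction of draws is short. Knapsack-style trapdoors of this family (a secret modular multiplication hiding an easy structure) have historically been attacked with lattice-basis reduction, so treat this as an aid to reading the claim rather than something to deploy.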
17. The method of claim 16 and further comprising an alternate method of signing messages, wherein: the encoding and decoding key-pair is designed specifically for signatures (and cannot be used for enciphering messages), and corrections by a multiple of g_k, for k = 1 to r−1, are not necessary during signature verification, and where p_k > p_{k+1}(1 + 2^{−e}), for k = 1 to r−1, and the fractions f_ik and f_hk, for i = 1 to n, h = 1 to k−1, and k = 1 to r−1, are rounded up (instead of truncated) at s + e + log_2 n + (k−1) bits precision, and where the signature is valid if y_j ≡ y'_j mod q_j, for j = 1 to m'.
18. The method of claim 17 and further comprising a method of abbreviating signatures, wherein: the encoding and decoding key-pair is selected with p_z < p_{z+1}, where z is one value from [1, r−1] (messages enciphered with this key set cannot be uniquely decoded if r > 2), and where p_k > p_{k+1}(1 + 2^{−e}), for k = 1 to z−1 and z+1 to r−1, and [relation not reproduced], and the fractions f_ik and f_hk, for i = 1 to n, h = 1 to k−1, and k = 1 to r−1, are rounded up at s + e + log_2 n + (k−1) bits precision, and where the signature is valid if y' ≡ y + d g_z mod q with d ∈ [−1, ⌊p_{z+1}/p_z⌋ + 1], where d ≡ (g_z)^{−1}(y' − y) mod q, y ≡ {y_1, y_2, ..., y_{m'}} mod {q_1, q_2, ..., q_{m'}}, y' ≡ {y'_1, y'_2, ..., y'_{m'}} mod {q_1, q_2, ..., q_{m'}}, and [relation not reproduced].
19. The method of claim 18 and further comprising a cryptographic identification method, wherein a party (the verifier) wishes to verify the claimed identity of a second party (the candidate), and the verifier generates a random or pseudo-random number, which is sent to the candidate along a communication channel, and the candidate then creates a signature of the random number with a decoder and the candidate's private decoding-key and sends the signature along the communication channel to the verifier, and the verifier encodes the signature with the public key of the candidate, and the identity is true if the encoded signature matches the random number.
20. The method of claim 19 and further comprising an alternate cryptographic identification method, wherein a set {x_1, x_2, ..., x_n} of secret random or pseudo-random numbers, where x_j ∈ [0, 2^s), for j = 1 to n, is encoded to {y_1, y_2, ..., y_m} by the verifier with the candidate's public key and sent to the candidate along a communications channel, and the candidate decodes the ciphertext {y_1, y_2, ..., y_m} with the candidate's private decoding-key to obtain the deciphered ciphertext {x'_1, x'_2, ..., x'_n}, and the candidate sends {x''_1, x''_2, ..., x''_n} to the verifier along a communication channel, where x''_j = x'_j mod 2^{s''_j} and s''_j ≤ s, for j = 1 to n, and the verifier determines that the identity of the candidate is true if x''_j = x_j mod 2^{s''_j}, for j = 1 to n.
CA002090895A 1992-03-19 1993-03-03 Cryptographic method for communication and electronic signatures Abandoned CA2090895A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US85438992A 1992-03-19 1992-03-19
US07/854,389 1992-03-19
US07/957,105 1992-10-07
US07/957,105 US5297206A (en) 1992-03-19 1992-10-07 Cryptographic method for communication and electronic signatures

Publications (1)

Publication Number Publication Date
CA2090895A1 true CA2090895A1 (en) 1993-09-20

Family

ID=27127232

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002090895A Abandoned CA2090895A1 (en) 1992-03-19 1993-03-03 Cryptographic method for communication and electronic signatures

Country Status (3)

Country Link
US (1) US5297206A (en)
CA (1) CA2090895A1 (en)
GB (1) GB2265285B (en)


Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4218582A (en) * 1977-10-06 1980-08-19 The Board Of Trustees Of The Leland Stanford Junior University Public key cryptographic apparatus and method
US4306111A (en) * 1979-05-31 1981-12-15 Communications Satellite Corporation Simple and effective public-key cryptosystem
US4399323A (en) * 1981-02-09 1983-08-16 Bell Telephone Laboratories, Incorporated Fast real-time public key cryptography
US4633036A (en) * 1984-05-31 1986-12-30 Martin E. Hellman Method and apparatus for use in public-key data encryption system
FR2596177B1 (en) * 1986-03-19 1992-01-17 Infoscript METHOD AND DEVICE FOR QUALITATIVE BACKUP OF DIGITAL DATA
US4748668A (en) * 1986-07-09 1988-05-31 Yeda Research And Development Company Limited Method, apparatus and article for identification and signature
US5016274A (en) * 1988-11-08 1991-05-14 Silvio Micali On-line/off-line digital signing
US5054066A (en) * 1988-11-16 1991-10-01 Grumman Corporation Error correcting public key cryptographic method and program
EP0383985A1 (en) * 1989-02-24 1990-08-29 Claus Peter Prof. Dr. Schnorr Method for subscriber identification and for generation and verification of electronic signatures in a data exchange system
US5073935A (en) * 1990-12-17 1991-12-17 Jose Pastor Method for secure communication

Also Published As

Publication number Publication date
GB2265285A (en) 1993-09-22
US5297206A (en) 1994-03-22
GB9305711D0 (en) 1993-05-19
GB2265285B (en) 1996-01-31

Similar Documents

Publication Publication Date Title
CA2090895A1 (en) Cryptographic method for communication and electronic signatures
EP0252499B1 (en) Method, apparatus and article for identification and signature
AU620291B2 (en) Public key/signature cryptosystem with enhanced digital signature certification
US5214702A (en) Public key/signature cryptosystem with enhanced digital signature certification
US9455832B2 (en) Signatures with confidential message recovery
CA1331213C (en) Public key/signature cryptosystem with enhanced digital signature certification
Hellman An overview of public key cryptography
US7860243B2 (en) Public key encryption for groups
US8654975B2 (en) Joint encryption of data
KR101099867B1 (en) Signing device, verifying device, certifying device, encrypting device, and decrypting device
US20090024852A1 (en) Group signature system, method, device, and program
CN111211910A (en) Anti-quantum computation CA (certificate Authority) and certificate issuing system based on secret shared public key pool and issuing and verifying method thereof
Merkepci et al. Security Model for Encrypting Uncertain Rational Data Units Based on Refined Neutrosophic Integers Fusion and El Gamal Algorithm
WO2022022924A1 (en) Generating shared private keys
CN100380860C (en) Elliptic curve cryptographic process and device for computer
Mesran et al. Enhanced security for data transaction with public key Schnorr authentication and digital signature protocol
US7424114B2 (en) Method for enhancing security of public key encryption schemas
Alvarez et al. A matricial public key cryptosystem with digital signature
Michels et al. GOST 34.10—a brief overview of Russia's DSA
Brier et al. A Forward-Secure Symmetric-Key Derivation Protocol: How to Improve Classical DUKPT
Hwang et al. A new dynamic cryptographic key generation scheme for a hierarchy
Suo et al. Encryption technology in information system security
Adejumobi et al. Development of Improved Rivest Shamir and Adleman (RSA) Algorithm for Securing Data on Transmission and Storage
Shao Repairing efficient threshold group signature scheme
Fahn Frequently Asked Questions About Today's Cryptography

Legal Events

Date Code Title Description
FZDE Dead