Similar documents
Block cipher

Microsoft PowerPoint - kyoto

( )

CryptoGame201712

[I486S] 暗号プロトコル理論

., ( [22]) ( ),.,,., 90 ( [38]),. ( [12]).,,..,.,,. 2,. 3,. 4,.,,. [20], [31],,. ([21], [34], [36], [49] ),,.,.,. 2

ICカードに利用される暗号アルゴリズムの安全性について:ENV仕様の実装上の問題点を中心に

21 Key Exchange method for portable terminal with direct input by user

福岡大学人文論叢47-3

04.™ƒ”R/’Ô”�/’Xfl©


Vol.59 No (Sep. 2018) 1,a) , CPU CPU CPU CPU CASS 2 CASS General Constructions of Computer-aided Security Sch

2 1,2, , 2 ( ) (1) (2) (3) (4) Cameron and Trivedi(1998) , (1987) (1982) Agresti(2003)

211 ‚æ2fiúŒÚ

スライド 1

2 3

(Requirements in communication) (efficiently) (Information Theory) (certainly) (Coding Theory) (safely) (Cryptography) I 1


取扱説明書 [d-01H]

ID Privacy-Preserving Data Mining Lindell 20) 1),30) 1 3 semi-honest malicious 3 n t < n/2 15) semi-honest malicious semi-honest malicious mali



φ 4 Minimal subtraction scheme 2-loop ε 2008 (University of Tokyo) (Atsuo Kuniba) version 21/Apr/ Formulas Γ( n + ɛ) = ( 1)n (1 n! ɛ + ψ(n + 1)

Microsoft PowerPoint - 暗号技術の発展.pptx

春期講座 ~ 極限 1 1, 1 2, 1 3, 1 4,, 1 n, n n {a n } n a n α {a n } α {a n } α lim n an = α n a n α α {a n } {a n } {a n } 1. a n = 2 n {a n } 2, 4, 8, 16,

untitled

HRBusinessReview_vol5

all


2 A id A : A A A A id A def = {(a, a) A A a A} 1 { } 1 1 id 1 = α: A B β : B C α β αβ : A C αβ def = {(a, c) A C b B.((a, b) α (b, c) β)} 2.3 α


RSA署名方式の安全性を巡る研究動向について

(Visual Secret Sharing Scheme) VSSS VSSS 3 i

0 (18) /12/13 (19) n Z (n Z ) 5 30 (5 30 ) (mod 5) (20) ( ) (12, 8) = 4

yamato_2016_0915_色校_CS3.indd

さくらの個別指導 ( さくら教育研究所 ) A a 1 a 2 a 3 a n {a n } a 1 a n n n 1 n n 0 a n = 1 n 1 n n O n {a n } n a n α {a n } α {a


2011 Future University Hakodate 2011 System Information Science Practice Group Report Project Name Visualization of Code-Breaking Group Name Implemati


漸化式のすべてのパターンを解説しましたー高校数学の達人・河見賢司のサイト

15 mod 12 = 3, 3 mod 12 = 3, 9 mod 12 = N N 0 x, y x y N x y (mod N) x y N mod N mod N N, x, y N > 0 (1) x x (mod N) (2) x y (mod N) y x

P14・15地域文化祭

特集セキュリティ基盤技術/紛失通信プロトコルの考察193 特集 ネットワークセキュリティ特集 4-3 紛失通信プロトコルの考察 4-3 A Survey on Oblivious Transfer Protocols Le Trieu Phong Le Trieu Phong 要旨 本論文では 公開

本文/扉1

プログラム


平成20年5月 協会創立50年の歩み 海の安全と環境保全を目指して 友國八郎 海上保安庁 長官 岩崎貞二 日本船主協会 会長 前川弘幸 JF全国漁業協同組合連合会 代表理事会長 服部郁弘 日本船長協会 会長 森本靖之 日本船舶機関士協会 会長 大内博文 航海訓練所 練習船船長 竹本孝弘 第二管区海上保安本部長 梅田宜弘

Program

aphp37-11_プロ1/ky869543540410005590


Œ{Ł¶/1ŒÊ −ªfiª„¾ [ 1…y†[…W ]

日本内科学会雑誌第96巻第11号

O E ( ) A a A A(a) O ( ) (1) O O () 467

xia2.dvi

n PSMT(Perfectly Secure Message Transmission) PSMT

かんたん操作ガイド[arrows M02]

かんたん操作ガイド[arrows RM02]



かんたん操作ガイド[arrows M03]

x, y x 3 y xy 3 x 2 y + xy 2 x 3 + y 3 = x 3 y xy 3 x 2 y + xy 2 x 3 + y 3 = 15 xy (x y) (x + y) xy (x y) (x y) ( x 2 + xy + y 2) = 15 (x y)

SAMA- SUKU-RU Contents p-adic families of Eisenstein series (modular form) Hecke Eisenstein Eisenstein p T

プログラム

r 1 m A r/m i) t ii) m i) t B(t; m) ( B(t; m) = A 1 + r ) mt m ii) B(t; m) ( B(t; m) = A 1 + r ) mt m { ( = A 1 + r ) m } rt r m n = m r m n B

EPSON エプソンプリンタ共通 取扱説明書 ネットワーク編

untitled

ありがとうございました

EPSON エプソンプリンタ共通 取扱説明書 ネットワーク編

公務員人件費のシミュレーション分析


橡hashik-f.PDF

198

ネットショップ・オーナー2 ユーザーマニュアル


1

新婚世帯家賃あらまし

05[ ]戸田(責)村.indd

/9/ ) 1) 1 2 2) 4) ) ) 2x + y 42x + y + 1) 4) : 6 = x 5) : x 2) x ) x 2 8x + 10 = 0

R R 16 ( 3 )

Collatzの問題 (数学/数理科学セレクト1)

7章 構造物の応答値の算定

Part () () Γ Part ,

電子マネー・システムにおけるセキュリティ対策:リスク管理に焦点を当てて

2

2 (March 13, 2010) N Λ a = i,j=1 x i ( d (a) i,j x j ), Λ h = N i,j=1 x i ( d (h) i,j x j ) B a B h B a = N i,j=1 ν i d (a) i,j, B h = x j N i,j=1 ν i

B

p

スラヴ_00A巻頭部分

日経テレコン料金表(2016年4月)

73 p p.152


Microsoft Word - 田中亮太郎.doc

_Print

122011pp

2

A p A p. 224, p B pp p. 3.

Microsoft Word - 映画『東京裁判』を観て.doc

9

() L () 20 1

308 ( ) p.121

Transcription:

/ ( ) 1 1.1 323 206 23 ( 23 529 529 323 206 ) 23 1.2 33

1.3 323 61 61 3721 3721 323 168 168 323 23 61 61 23 1403 323 111 111 168 206 323 47 111 323 47 2 23 2 2.1 34

2 2.2 2 a, b N a b N a b (mod N) mod N 32 2 30 15 2 32 2 (mod 15) (1) 32 2 15 21 6 15 15 21 6 15 21 6 (mod 15) (2) 323 206 X 2 206 (mod 323) a 1 b 1 (mod N), a 2 b 2 (mod N) a 1 + a 2 b 1 + b 2 (mod N) a 1 a 2 b 1 b 2 (mod N) (1) (2) 32 + 21 2 + 6 (mod 15) 32 21 2 6 (mod 15) c N ( 1) ca cb (mod N) a b (mod N) 35

N c c N (1) 2 16 1 (mod 15) (2) 3 7 2 (mod 15) 7 2 (mod 5) 2 15 3 15 2.3 2 X 2 206 206 100 = 10 2 400 = 20 2 10 X 20. 10 20 10+20 2 = 15 15 2 = 225 206 X 15 10 X 15. 10 15 10+15 2 = 12.5 12.5 2 = 156.25 206 X 12.5 12.5 X 15. X X = 14.35270009 N = 323 X 2 206 (mod 323) N = 323 x = 0 x 1 1 N = 323 0 N a X 2 a (mod N) X N a ( ) 36

N N 4 1 N ( N N N ) N ( N ) N N 3 P V P V x w w (P, V ) L (L ) x w ( ) P w V P P V ( ) P w V V P P V ( ) V P x ( ) V P 3 [4] 3 w V P w 3 37

3.1 X 2 a (mod N) X = w 1 [3] P X 2 a (mod N) (a, N) X = w V (a, N) P V V V [ ] 1. ( 1 ) P 0 (N 1) r r N c = r 2 mod N P c V 2. ( ) V e 0 1 P 3. ( 2 ) P e 0 c r y (y = r) e 1 r w N y (y = rw mod N) P y V 4. ( ) V c e y y 2 ca e (mod N). 1: 1 e = 0 a 0 1 V ) y 2 c (mod N) y = r c r e = 1 y 2 ca (mod N) y w y rw w a P a w V P ( ) ( ) P V P 1 c P V 38

V e e = 0 e = 1 y ( V e = 0 e = 1 ) 2 y y 0, y 1 y 0, y 1 P y 2 0 c (mod N) y 2 1 ca (mod N) (2 c ) (y 1 /y 0 ) 2 a (mod N) 1 w = y 1 /y 0 X 2 a (mod N) y 0, y 1 P y 1 /y 0 P w P 1 P w V r y r c c r V y r w P w V y r w w V P x ( ) S( ) S: 1. ( ) X 2 a (mod N) (a, N) 2. ( ) e 0 1 3. ( ) y e c c = y 2 /a e mod N 4. ( ) S (a, N) V V c ( ) e e e 1 y 0 ( c) N y 0 ( c) N N y 0 ( c) N 39

5. ( ) V r S V e e y c (c = y 2 /a e mod N y 2 ca e (mod N) ) e S V c r P w ( ) ( ) e e 0,1 2 2 e ( c y e V c V e ) S w V V c y ( ) w w (a, N) S 3.2 3.2.1 p 2 g, h g x h (mod p) x ( ) p h g ( ) p = 43 4 x 35 (mod 43) x x = 0 4 x mod 43 4 0 mod 43 = 1, 4 1 mod 43 = 4, 4 2 mod 43 = 16, 4 3 mod 43 = 21, 4 4 mod 43 = 41, 4 5 mod 43 = 35, x = 5 x p p 2 len(p)1/3 len(p) p p 40

p x ( p ) 3.2.2 g x h (mod p) x = w 2 [6] P g x h (mod p) (p, g, h, q) x = w ( q g q 1 (mod p) q q g g ) V (p, g, h, q) 1. ( 1 ) P 0 (q 1) r g p r c = g r mod p P c V 2. ( ) V e 0 (q 1) P 3. ( 2 ) P e r w y = (r + ew) mod q P y V 4. ( ) V c e y g y ch e (mod p). 2: 2 ( 1) e 1 q 1 41

P w y g y = g r+ew = g r (g w ) e ch e (mod p) V ( ) P V c ( )2 e 0, e 1 y 0, y 1 g y 0 ch e 0, g y 1 ch e 1 (mod p) g y 0 y 1 h e 0 e 1 (mod p). P w = (y 0 y 1 )/(e 0 e 1 ) V e ( P w ) V V P {(c, e, y) : r $ {0,..., q 1}, e $ {0,..., q 1}, c = g r mod p, y = (r + ew) mod q} w {(c, e, y) : e $ {0,..., q 1}, y $ {0,..., q 1}, c = g y h e mod p} V P w 3.3 F F s r LOOP: 1. m 42

2. s r s m F : (s, m ) F (s, r, m). 3. m 4. s s LOOP (m, m ) (s, m ) = F (s, r, m) s, s, r F F F ( ) ( ) F 4 4.1 M 1. pk Bob 2. pk Bob M C 3. C ( ) 4. sk Bob C M 43

pk Bob C sk Bob C M pk Bob sk Bob pk Bob sk Bob C pk Bob sk Bob 4.1.1 ( ) 3 ES = (Gen, Enc, Dec) Gen(k) k pk sk ( k ) Enc(pk, m) m pk c Dec(sk, c) sk c m ) (pk, sk) Gen(k), c Enc(pk, m) Dec(sk, c) = m ) sk pk c m 44

4.2 [2] Gen(k) 2 p, q (1 ) g g q 1 (mod p) q k ( p, q, g ) 0 (q 1) x g p x y = g x mod p (p, q, g, x) sk (p, q, g, y) pk Enc(pk, m) pk p, q, g, y 0 (q 1) r g p r c 1 = g r mod p ( )y p r m c 2 = my r mod p c 1 c 2 c = (c 1, c 2 ) c Dec(sk, c) sk p, q, g, x c c 1, c 2 c 1 x c 2 m = c 2 /c x 1 mod p m p, q, g 0 (p 1) ( m 0 (p 1) g ( α g α mod p) ) k = 3 ( k 160 ) 2 p = 43, q = 7 g = 4 4 7 1 (mod 43) q k = 3 0 q 1 = 6 x = 3 y = g x mod p = 4 3 mod 43 = 21 (p = 43, q = 7, g = 4, x = 3) sk (p = 43, q = 7, g = 4, y = 21) pk m = 11 pk p = 43, q = 7, g = 4, y = 21 0 q 1 = 6 r = 2 c 1 = g r mod p = 4 2 mod 43 = 16 c 2 = my r mod p = 11 21 2 mod 43 = 35 m = 11 c = (16, 35) Dec(sk, c) sk p = 43, q = 7, g = 4, x = 3 c c 1 = 16, c 2 = 35 45

c 2 /c x 1 mod p = 35/163 mod 43 = 11 pk = (p, q, g, y) sk = (p, q, g, x) y g x (mod p) pk = (p, q, g, y) m c = (c 1, c 2 ) r c 1 = g r, c 2 = my r c 2 /c x 1 (my r )/(g r ) x (mod p) (m(g x ) r )/(g r ) x (mod p) m (mod p). c m ( sk ) A pk = (p, q, g, y) c = (c 1, c 2 ) c 1, c 2 r c 1 = g r, c 2 = my r c 2 A m y r A g, y, c 1 = g r y r A c 1 = g r r y y r 2 g, y, c 1 = g r y r r m m m 4.3 4.3.1 CPA 4.1.1 pk c m ES = (Gen, Enc, Dec) A CPA CPA : k 1. (.) k Gen (pk, sk) 46

2. (A.) pk A( ) A 2 (m 0, m 1 ) b 0 1 m b pk Enc ( )c A 3. (.) A ˆb ˆb = b A A A pk 2 m 0, m 1 (m 0, m 1 ) m b c A c m 0 m 1 ˆb ˆb = b A A A 1/2 CPA c m b 1/2 b CPA ES CPA A CPA 1/2 ) 4.3.2 CPA DH CPA DH p, q g g q 1 (mod p) g a mod p g b mod p g ab mod p DH DH DH p 0 q 1 a, b DH DH DH g a mod p g b mod p g c mod p c ab (mod q) DH DH DH 2.1 DH p 0 q 1 a, b, c g a mod p g b mod p z = g ab mod p z = g c mod p 47

z z 1/2 z = g ab mod p z = g c mod p z 1/2 1 DH CPA CPA A DH D DH DH CPA CPA A CPA 1/2 A DH D D 0 q 1 a, r, c (g a mod p, g r mod p, z) z 1/2 z = g ar mod p z = g c mod p D z 1/2 mod p D: (g a, g r, z) 1. (.) A pk = (p, q, g, g a ) g a D 1 2. (.) A (m 0, m 1 ) b 0 1 π = (g r, zm b ) A g r D 2 z 3 3. (.) A ˆb ˆb = b z = g ar z = g c D z z = g ar 1/2 A π π = (g r, zm b ) = (g r, g ar m b ) = (g r, (g a ) r m b ) pk = (p, q, g, g a ) m b z = g ar D A CPA A CPA 1/2 A b (ˆb = b) D z = g ar 1/2 z z = g ar D z p 0 1/2 D z z = g c 1/2 π = (g r, zm b ) = (g r, g c m b ) b c 48

b = 0 b = 1 π 2 g c m b m b g ( α g α ) m b = g α c α g c m b = g c+α {g 0, g 1,..., g q 1 } b c m b g c b π b A b (ˆb = b) 1/2 b c A ˆb b D z = g c p 1 1/2 D 1/2p 0 + 1/2p 1 = 1/2p 0 + 1/4 p 0 1/2 1/2 D DH 4.3.3 CPA 1. 10 m = 10 c = (g r mod p, 10 y r mod p) (p, q, g, y(= g x )) 1 2. A c = (c 1, c 2 ) c 2 100 c 2 = 100 c 2 mod p c = (c 1, c 2 ) A (c 1 ) 3. A c = (c 1, c 2 ) c 2/c x 1 = (100 10 y r )/(g r ) x mod p = 1000. A 1000 A 4. A 1000 100 10 c = (c 1, c 2 ) A 4.3.4 CCA 4.3.3 CCA 49

CCA ES = (Gen, Enc, Dec) A CCA : k 1. (.) k Gen (pk, sk) 2. (A.) pk A( ) A A (.) A c c c sk Dec m A A (.) A 2 (m 0, m 1 ) b 0 1 m b pk Enc c A 3. (.) A ˆb ˆb = b A A A (m 0, m 1 ) m b c m 0, m 1 ˆb CPA CCA A A CCA A m 0, m 1 c c A m b ES CCA A CCA 1/2 ) CCA CCA A A: pk = (p, q, g, y) 1. (.) m 0, m 1 (m 0, m 1 ) c = (c 1, c 2 ) 50

2. (.) c 2 g c 2 = c 2g mod p c = (c 1, c 2 ) m 3. (.) m m 0 g mod p 0 1 A 4.3.3 A 4.4 [5, 8] c 1 = g r r r r σ c = (g r, my r, σ) e 2 H H H Gen(k) 2 p, q (1 ) g g q 1 (mod p) q k ( p, q, g ) H : {0, 1} {0, 1,..., q 1} 0 (q 1) x g p x y = g x mod p (p, q, g, x) sk (p, q, g, y) pk Enc(pk, m) pk p, q, g, y 0 (q 1) r pk m (c 1 = g r, c 2 = my r ) r c 1 σ 0 (q 1) s u = g s mod p e H (c 1, c 2, u) e = H(c 1, c 2, u) z r z = s+er σ = (u, z) (c 1, c 2 ) σ c = (c 1, c 2, σ) Dec(sk, c) sk p, q, g, x c c 1, c 2, σ = (u, z) 2 H : {0, 1} {0, 1} h H H(x) = H(y) x, y (x y) 51

σ e H (c 1, c 2, u) e = H(c 1, c 2, u) (u, e, z) u = g z c e 1 mod p c = (c 1, c 2 ) sk m = c 2 /c x 1 mod p m p, q, g 0 (p 1) ( m 0 (p 1) g ( α g α mod p) ) 4.4.1 A A c = (g r, c 2, σ) A c = (g r, c 2, σ) 1 g r c = (g r, c 2, σ ) A c σ 1 g r r σ A 1 g r r σ A c = (g r, c 2, σ) g r c = (g r, c 2, σ ) r σ r σ σ c 2 c 2 c 2 c 2 A (g r, c 2 ) H e = H(g r, c 2, u) e = H(gr, c 2, u) z z σ = (u, z) e = H(c 1, c 2, u) c 2 e = H(c 1, u) A subtle A c = (g r, c 2, σ) g r c = (g r, c 2, σ ) A 52

2 (Schnorr, Jakobsson 00[7]) CCA v H(u) v H(u) u v h {H : {0, 1} {0, 1} h } H u H u H(u) h g a 1 1 ga i i (g 1,..., g i ), (a 1,..., a i ) h (g 1,..., g i ), (a 1,..., a i ) g a 1 1... ga i i 4.5 c = (g r, my r, σ) r σ DH (c 1 = g x, z = h x x) [1] 53

Gen(k) 2 p, q (1 ) g g q 1 (mod p) q k ( p, q, g ) 2 H : {0, 1} {g i mod p i = 0, 1,..., q 1} G : {0, 1} {0, 1,..., q 1} 0 (q 1) a g p a b = g a mod p (p, q, g, a) sk (p, q, g, b) pk Enc(pk, m) pk p, q, g, b 0 (q 1) x pk m (c 1 = g x, c 2 = mb x ) DH c 1 x σ 0 (q 1) k u = g k mod p, h = H(u, c 1 ) z = h x, v = h k c G (c 1, c 2, h, z, u, v) c = G(c 1, c 2, h, z, u, v) s x s = k + cx σ = (z, s, u, v) (c 1, c 2 ) σ c = (c 1, c 2, σ) Dec(sk, c) sk p, q, g, a c c 1, c 2, σ = (z, s, u, z) σ c G (c 1, c 2, h, z, u, v) c = G(c 1, c 2, h, z, u, v) (u, v, c, s) DH u g s c c 1, v hs z c (mod p) c = (c 1, c 2 ) sk m = c 2 /c a 1 mod p 3 ( 09 [9]) DH CCA [1] B. Chevallier-Mames, An Efficient CDH-based Signature Scheme With a Tight Security Reduction, CRYPT 2005, pp. 1-27, 2005. [2] T. ElGamal, A Public-key Cryptosystem and a Signature Scheme Basedon Discrete Logarithms, CRYPTO 84, LNCS 196, pp.10-18, Springer-Verlag, 1985 [3] Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Proc. Of Crypto 86, LNCS 263. [4] O. Goldreich, Foundations of Cryptography: Volume 1 - Basic Tools, Cambridge University Press, 2001. [5] M. Jakobsson, A Practical Mix, Eurocrypt 98, LNCS 1403, pp. 448-461, 1998. [6] C. P. Schnorr, Efficient signature genoration by smart cards, Journal of Cryptology, 4(3), pp. 161-174, 1991. [7] C. P. Schnorr and M. Jakobosson, Security of Signed ElGamal Encryption, ASIACRYPT 2000, LNCS 1976, pp. 73-89, 2000. 54

[8] Y. Tsiounis and M. Yung, On the Security of ElGamal Based Encryption, PKS 98, LNCS 1431, pp. 117-134, 1998. [9],,, Signed, 2009, SCIS 2009, 2B2-1, 2009/1. 55

2024 © docsplayer.net プライバシー | 利用規約 | フィードバック