, 2015.6/15 動機 - 中央大学c-faculty.chuo-u.ac.jp/~tsujii/pdf/150615murakami.pdfSecret Key Attack (SKA): 公開伴から秘密伴を求める攻撃 (例. Shamirの攻撃) Low-Density

OECU

2015.6/151 中央大学後楽園キャンパス

村上恭通

MELT up フォーラム組織間機密通信のための組織暗号の研究開発と社会的利用

パネル討論　暗号理論の最前線と将来展望, 2015.6/15

大阪電気通信大学

ナップザック暗号について

Network Security Laboratory

OECU内容• 耐量子暗号として期待されるナップザック暗号• モジュラナップザック暗号とその他の方式• モジュラナップザック暗号とトラップドア

• SI: Super-increasing Sequence (Merkle&Hellman)• SO: Shifted-odd Sequence (Kasahara&Murakami)• これらの組み合わせ＋ノイズ付加

• 安全でない証明可能方式(LPS方式)

• 最近の成果：乱数列利用（差分方式，低レート方式）

OECU動機• 量子コンピュータにより多項式時間で解ける問題：

素因数分解問題 (FP);

離散対数問題 (DLP, EDLP).

• 量子コンピュータでも難しいと考えられている問題：NP-困難な問題.

• ナップザック暗号は NP-困難な部分和問題(Subset Sum Problem: SSP) を利用．

• ナップザック暗号はPost-Quantum 暗号と Light-Weight 暗号として注目．

OECU

部分和問題とは，与えられた　　　　　　　　　　と　　　　からを満たす解を求める問題．

C � Z

(x1, x2, . . . , xn) � {0, 1}n

C = a1x1 + a2x2 + · · · + anxn

(a1, a2, . . . , an) � Zn

部分和問題(SSP)

SSP は NP-困難である．

OECU

ナップザック暗号

ナップザック暗号は SSP を利用．

C � Z

秘密鍵:

公開鍵:

平文:

暗号文:

(a1, a2, . . . , an) � Zn

(s1, s2, . . . , sn) � Zn

(m1,m2, . . . ,mn) � {0, 1}n

C = a1m1 + a2m2 + · · · + anmn

トラップドアを入れているため，等価とはいえない．

効率を犠牲にすると，SSPにより近づく．

OECUMerkle-Hellman ナップザック暗号(MH)

: 0: 0 or 1: 1

秘密鍵s1s2s3...sn−1sn

s4s5s6s7s8s9s10s11s12s13s14s15s16s17s18s19s20 1

公開鍵s1s2s3...sn−1sn


Easy

Hard

�v (mod p)

2510194283

107

721734324554

p=163v=36

103 = 17+32+54

( 0, 1, 0, 1, 0, 1 )

> 83< 83+42> 83+19< 83+19+10= 83+19+5}}

v-1=77

si >i�1�

k=1

sk

a1a2a3

an�1an

...

...

sn

sn�1

s3

s2

s1

1. Super-Increasing Sequence

2. Modular Multiplication

中間平文

M =n�

i=1

simi

暗号文

C =n�

i=1

aimi

　　平文(m1,m2, . . . ,mn) � {0, 1}n

OECUMerkle-Hellman の数列:

Super-Increasing Sequence (SI)



...

sn

sn�1

s3

s2

s1

トラップドア：超増加数列

2510194283

OECU笠原-村上の数列: Shifted Odd Sequence (SO)



...

sn

sn�1

s3

s2

s1

トラップドア:

奇数シフト数列

OECU笠原-村上の数列:

Shifted Odd Sequence (SO)

秘密鍵

s1s2s3...sn−1sn

s4s5s6s7s8s9s10s11s12s13s14s15s16s17s18s19s201

...

sn

sn�1

s3

s2

s1

トラップドア:

奇数シフト数列

737084728096

= 73 x 1= 35 x 2= 21 x 4= 9 x 8= 5 x 16= 3 x 32

238 = 70+72+96}

OECU２種類の攻撃法





a1a2a3

an�1an

...

...

sn

sn�1

s3

s2

s1

Secret Key Attack (SKA): 　公開鍵から秘密鍵を求める攻撃　(例. Shamirの攻撃)

Low-Density Attack (LDA): 　部分和問題を解いて平文を求める攻撃

平文(m1,m2, . . . ,mn) � {0, 1}n

暗号文

C =n�

i=1

aimi

LDA

Subset Sum Problem

CSK

OECU攻撃法への対策





a1a2a3

an�1an

...

...

sn

sn�1

s3

s2

s1

Secret Key Attack (SKA): 　公開鍵から秘密鍵を求める攻撃　(例. Shamirの攻撃)

Low-Density Attack (LDA): 　部分和問題を解いて平文を求める攻撃

高密度公開鍵のランダム性

秘密鍵のランダム性

OECU



a1a2a3

an�1an

...

log2 max ai

n

d =n

log2 maxai

密度

OECU

Costerらの低密度攻撃(LDA)

密度

密度が 0.9408 より小さいナップザック暗号は，この行列の行ベクトルが張る格子を縮小すると解ける．

d =n

log2 maxai

0

BBBBBB@

1 O �a11 �a2

. . ....

O 1 �an1/2 1/2 · · · 1/2 �C

1

CCCCCCA

OECU



a1a2a3

an�1an

...

log2 max ai

n

d =n

log2 maxai

密度

トラップドア数列の工夫

OECU

MSB LSB..... .......... .....

.....

..... .....

..... .....

..... .....

..... .....

.....

.....

s1s2s3

sn-2sn-1sn

.....

e

Fig. 1. Super-Increasing Sequence (SI))

..........

..........

.....

..........

..........

..........

..........

.....

.....

s1s2s3

sn-2sn-1sn

.....

MSB LSB

e

Fig. 2. Shifted-Odd Sequence (SO)

MSB LSB..........

.....

.....

.....

.....

.....

.....

.....

.....

...............

s1s2s3s4

sn-3sn-2sn-1sn

.....

e

Fig. 3. Combined Sequence SI & SO (SISO)

0

0 or 1

1

MSB LSB..... .......... .....

.....

..... .....

..... .....

..... .....

..... .....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3

sn-2sn-1sn

.....

f e1

Fig. 4. Noisy Super-Increasing Sequence (NSI)

MSB LSB....................

.....

..........

..........

..........

..........

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3

sn-2sn-1sn

.....

e fg

Fig. 5. Noisy Shifted-Odd Sequence (NSO)

MSB LSB

.....

.....

..........

s1s2s3s4

sn-3sn-2sn-1sn

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

f2 f1g1 e

Fig. 6. Proposed Noisy Combined Sequence (NSISO)

[Decryption with SISO]

Algorithm 3 Decryption with SISOfor i = 1 to n do

if i ∈ A then {Super-Increasing Type}if M ≥ γi then

mi = 1M ⇐ M − γi

elsemi = 0

end ifelse {i ∈ B: Shited-Odd Type}

if M ≡ 2L(i) (mod 2L(i)+1) thenmi = 1M ⇐ M − γi

elsemi = 0

end ifend if

end for

B. Noisy Trapdoor Sequences

Graham and Shamir improved the security by adding rel-atively small noise in head bits of the super-increasing se-quence. This method is secure against Shamir’s attack.

The similar method can be applied to other trapdoor se-quences. In this paper, a sequence which has a relatively smallnoise will be simply referred to as a noisy sequence.

1) Noisy Super-Increasing Sequence (NSI): The Graham-Shamir scheme uses a super-increasing sequence with noisein head bits. Unfortunately, Graham-Shamir scheme is notsecure[9]. Figure 4 illustrates NSI.

[Generation of NSI]

Step 1: Generate a super-increasing sequence αi such that

αi >i−1∑

k=1

αk (12)

for i = 1, 2, . . . , n.Step 2: Generate a random integer sequence qi of f -bit for

i = 1, 2, . . . , n.

MSB LSB..... .......... .....

.....

..... .....

..... .....

..... .....

..... .....

.....

.....

s1s2s3

sn-2sn-1sn

.....

e


..........

..........

.....

..........

..........

..........

..........

.....

.....

s1s2s3

sn-2sn-1sn

.....

MSB LSB

e


MSB LSB..........

.....

.....

.....

.....

.....

.....

.....

.....

...............

s1s2s3s4

sn-3sn-2sn-1sn

.....

e


0

0 or 1

1

MSB LSB..... .......... .....

.....

..... .....

..... .....

..... .....

..... .....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3

sn-2sn-1sn

.....

f e1


MSB LSB....................

.....

..........

..........

..........

..........

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3

sn-2sn-1sn

.....

e fg


MSB LSB

.....

.....

..........

s1s2s3s4

sn-3sn-2sn-1sn

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

f2 f1g1 e





mi = 1M ⇐ M − γi

elsemi = 0



elsemi = 0

end ifend if

end for





[Generation of NSI]


αi >i−1∑

k=1

αk (12)


i = 1, 2, . . . , n.

トラップドア数列Pure Seq.

Noisy Seq.

SI SISO SO

×× ××Not Secure

OECU

数列 [ICCIT2012]

MSB LSB..... .......... .....

.....

..... .....

..... .....

..... .....

..... .....

.....

.....

s1s2s3

sn-2sn-1sn

.....

e


..........

..........

.....

..........

..........

..........

..........

.....

.....

s1s2s3

sn-2sn-1sn

.....

MSB LSB

e


MSB LSB..........

.....

.....

.....

.....

.....

.....

.....

.....

...............

s1s2s3s4

sn-3sn-2sn-1sn

.....

e


0

0 or 1

1

MSB LSB..... .......... .....

.....

..... .....

..... .....

..... .....

..... .....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3

sn-2sn-1sn

.....

f e1


MSB LSB....................

.....

..........

..........

..........

..........

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3

sn-2sn-1sn

.....

e fg


MSB LSB

.....

.....

..........

s1s2s3s4

sn-3sn-2sn-1sn

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

f2 f1g1 e





mi = 1M ⇐ M − γi

elsemi = 0



elsemi = 0

end ifend if

end for





[Generation of NSI]


αi >i−1∑

k=1

αk (12)


i = 1, 2, . . . , n.

MSB LSB

.....

.....

..........

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

s1s2s3s4

sn-3sn-2sn-1sn

.....

e2 e11

.....

.....

.....

.....

Fig. 7. Proposed Combined Sequence SO & SI (SOSI)

MSB LSB

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....

.....s1s2s3s4s5s6s7s8

.....

...............s9

s10

Fig. 8. Example (A = {2, 3, 5, 8, 9},B = {1, 4, 6, 7, 10})

[Generation of SOSI]Step 1: Generate a secret sequence αi such that

⎧⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎩

αi >n∑

k=i+1

αk if i ∈ A;

αi <n∑

k=i+1

αk if i ∈ B;(23)

for i = 1, 2, . . . , n.Step 2: Generate a secret sequence βi such that

βi ≡ 2L(i) (mod 2L(i)+1) (24)

for i = 1, 2, . . . , n.Step 3: Generate a positive integer X such that

X >n∑

k=1

αk. (25)

Step 4: Calculate a secret sequence si:

si = βiX + αi (26)

for i = 1, 2, . . . , n.

[Decryption with SOSI]

Algorithm 7 Decryption with SOSIQ = ⌊M/X⌋R = M mod Xfor i = 1 to n do

if i ∈ A then {Super-Increasing Type}if R ≥ αi then

mi = 1R ⇐ R − αi

Q ⇐ Q − βi

elsemi = 0

end ifelse {i ∈ B: Shifted-Odd Type}

if Q ≡ 2L(i) (mod 2L(i)+1) thenmi = 1R ⇐ R − αi

Q ⇐ Q − βi

elsemi = 0

end ifend if

end for

V. SECURITY CONSIDERATIONS

A. Security of Secret SequenceThe sequences, SI, SO, SISO and NSI are not secure against

the attacks of computing the secret sequence from the publicsequence.

1) SI: Merkle-Hellman scheme which uses SI can bebroken with Shamir’s attack[7].

2) SO: Shamir’s attack cannot be applied for SO. Recently,Sakai, Murakami and Kasahara proposed a new attack forSO by applying techniques developped by Shamir[14]. Tobe short, this attack uses the fact that si/2i−1 of SO provedto be a super-increasing sequence. They showed that SO hasthe advantage over SI related to the precision of computationalthough the difference is insignificant.

3) SISO: By the fact that si/2L(i) of SISO becomes asuper-increasing sequence, the secret SISO sequence are likelyto be computed from the public sequence ai with a similarmanner as SMK attack[14].

4) NSI: Graham-Shamir scheme which uses NSI can bebroken by Shamir and Zippel[9].

5) NSO, NSISO, SOSI: No attack for NSO, NSISO andSOSI has been proposed yet. However, it should be noted thatthe attacker might be successful in eliminating the noise be-cause its size is relatively small. Thus, we strongly recommendthat neither of the secret number X nor Y equals to any powerof two.

B. Security against the Low-Density AttackIt is known that the knapsack schemes of d < 0.9408 can

be broken with the low-density attack for the lattice spanned

SOSINoisyHigher Density

SI SO

SOSISISO

モジュラ変換以外の方式

OECU

• OTU2000方式[Crypto2000]

• 離散対数問題を解いて設計• 部分和問題（天）と森井-笠原暗号（地）を変換• 低重みを利用した低密度攻撃が提案

• 中国人の剰余定理利用方式[SITA2006他]

• （法が露呈すると）耐量子暗号でない• ガウス整数環利用方式[小林ら2003]（複数系列）

• 密度が低いと低密度攻撃で解読可能

モジュラ変換以外の方式（例）

証明可能方式の解読（Lyubanvskyらの方式）

OECU

• Lyubashevskyらの方式[TCC2010]

• 証明付きのナップサック暗号• 安全なナップサック暗号ができた？

• 実際の安全性• 低密度な部分和問題への帰着が証明• 上の部分和問題は簡単な問題• 実際には高確率で解読可能

証明可能方式の解読（概要）[SITA2012]

乱数利用方式（差分方式，MHK3）

乱数利用方式差分方式

OECU

公開鍵 s1s2s3...sn−1sn


a1a2

an

...公開鍵

s1s2s3...sn−1sn


n

差分方式のアイデア

小→解けるs1s2s3...sn−1sn


b1b2

...

bk

k

c1

c2

...

ck

db =k

log2 max bi

dc =k

log2 max ci

da =n

log2 max ai

D =n + k

log2 max ai + max ci

log2 max ai = log2 max bi log2 max cidab =

n + k

log2 max ai

大→解けない

OECU

公開鍵 s1s2s3...sn−1sn


a1a2

an

...公開鍵

s1s2s3...sn−1sn


差分方式のアイデア

s1s2s3...sn−1sn


b1b2

...

bk

c1

c2

...

ck

�v mod p �w mod q

からを求めることは困難ならば安全bi, ci ti

s1s2s3...sn−1sn


s1s2s3...sn−1sn


s1

s2

sn

t1t2

tn

...

...

秘密鍵

OECU

Encryption

3 Proposed Scheme

3.1 PreliminariesList of the symbols:

p, q : Secret prime moduli.v, w : Secret positive integers.si, tj : Secret random u-bit positive integers.ai, bj , cj : Public key.mi : Message sequence. mi ∈ {0, 1}rj : Random binary sequence. rj ∈ {0, 1}(C1, C2) : Ciphertext.

for i = 1, 2, . . . , n and j = 1, 2, . . . , k.

3.2 Key Generation✓ ✏Public key : ai, bj , cj

(i = 1, 2, . . . , n, j = 1, 2, . . . , k).Secret key : si, tj , v, p, w, q

(i = 1, 2, . . . , n, j = 1, 2, . . . , k).

✒ ✑Step 1: Decide parameters k, n and u such that n <

u < n+k and n ≪ k. It is recommended thatn ≤ 60 for decrypting the message.

Step 2: Generate u-bit positive integers si at randomfor i = 1, 2, . . . , n.

Step 3: Generate u-bit positive integers tj at randomfor j = 1, 2, . . . , k.

Step 4: Generate a prime number p such that

p >n∑

i=1

si +k∑

j=1

tj > p/2. (3)

Step 5: Generate an odd number 0 < v < p.

Step 6: Generate a prime number q such that

q >k∑

j=1

tj > q/2. (4)

Step 7: Generate an odd number 0 < w < q.

Step 8: Compute ai, bj , cj as follows:

ai = vsi mod p i = 1, 2, . . . , n; (5)bj = vtj mod p j = 1, 2, . . . , k; (6)cj = wtj mod q j = 1, 2, . . . , k. (7)

3.3 EncryptionThe ciphertext (C1, C2) is given by

C1 =n∑

i=1

aimi +k∑

j=1

bjrj , (8)

C2 =k∑

j=1

cjrj . (9)

3.4 DecryptionLet the intermediate messages M and M ′ be defined

by

M =n∑

i=1

simi. (10)

M ′ =n∑

i=1

simi +k∑

j=1

tjrj . (11)

Let the intermediate noise message N be defined by

N =k∑

j=1

tjrj . (12)

Since M ′ = v−1C1 mod p and N = w−1C2 mod q holdsfrom Eqs.(3) and (4), M can be obtained by the legiti-mate receiver as M = M ′ − N . The message sequencemi can be recovered by solving the subset sum prob-lem of Eq.(10). It should be noted that any attackingmethod for knapsack schemes or any solving method ofthe subset sum problem can be used for this purpose.We shall give some examples of the decryption below.

3.4.1 Decryption with Exhaustive SearchThe exhaustive search is usually used for attack by

searching plaintext at all possibilities. However, we canuse the exhaustive search for decryption. It is recom-mended that n ≤ 32 in order to use the exhaustivesearch to decrypt the message in a practical time.

3.4.2 Decryption with Space-Time Trade-offAt-tack

In general, the computation time can be reduced byincreasing the memory use. This type of attacks iscalled the space-time trade-off attack. We can reason-ably assume that the time complexity of O(N) can bedivided into the time complexity of O(

√N) and the

space complexity of O(√

N).In the proposed scheme, we can also use this attack

for decryption. We recommend that n ≤ 64 in orderto decrypt the message with the space-time trade-offattack.

3.4.3 Decryption with LDAWe also use LDA in order to decrypt the message.

The plaintext message can be decrypted with LDA forthe lattice spanned by the following row matrix:

⎛

⎜⎜⎜⎜⎜⎜⎝

1 O −λs1

. . . −λs2

. . ....O 1 −λsn

−1/2 · · · · · · −1/2 λM

⎞

⎟⎟⎟⎟⎟⎟⎠,

where λ is an appropriate integer such that λ >√

n.In this case, the density dM is given by

dM =n

log2 max(s1, s2, . . . , sn)≃ δ,

2

最近の研究成果：乱数利用＆低レート方式

MHK→解読→MHK3

OECUMHKナップザック暗号: 鍵生成

Step1: n 個の正の乱数 si を生成Step2: 素数法 P を生成

Step3: 秘密鍵 e を生成Step4: 公開鍵 ai に変換Step5: 小さい正整数 Z と bi を公開

P >n�

i=1

si > P/2

gcd(e, P ) = 1

ai = esi mod P

bi = si mod Z

鍵生成

OECU

Step1: 平文m ∈{0,1,...,Z-1}

Step2: ２進乱数列 ri を生成

Step3: 暗号文 C を計算

C =n�

i=1

airi

Step1: 中間平文 M を計算

Step2: 平文 m を復号

M = e�1C mod P

M =n�

i=1

siri

中間平文 M:

m =

�n�

i=1

biri

�mod Z

m = M mod Z

小さい部分和問題を解く

MHKナップザック暗号: 暗号化・復号暗号化復号

乱数平文

OECUMHKナップザック暗号の図解

秘密鍵

s1s2s3...sn−1sn


...

sn

sn�1

s3

s2

s1 737085755492

}すべて乱数

s1s2s3...sn−1sn


公開鍵

...

b1

b2

b3

bn�1

bn

165364

380283311140375385

a1a2a3

an�1an

...

公開鍵× 337 mod 457

暗号化関数は陰関数

平文: m=2

C =n�

i=1

airi

m=1+3+6=2 mod 8

乱数平文: r = (1,0,0,1,1,0)

暗号化: C = 380+140+375 = 895

m =

nX

i=1

biri mod Z

}ほぼ乱数

小さな部分和問題を解く

法: Z=8

トラップドア:下位ビットを公開

復号　: M = 895×337-1 mod 457 = 202m = 202 mod 8 = 2

m ! r ! C

C = E(m)�

m = f(r)C = g(r)

中間平文: M = 73 + 75 + 54 = 202

OECU長尾-森井攻撃(NM攻撃）秘密鍵

s1s2s3...sn−1sn


...

sn

sn�1

s3

s2

s1 737085755492s1

s2s3...sn−1sn


公開鍵

...

b1

b2

b3

bn�1

bn

165364

380283311140375385

a1a2a3

an�1an

...

公開鍵× 337 mod 457

平文: m=2m=1+3+6=2 mod 8

乱数平文: r = (1,0,0,1,1,0)

暗号化: C = 380+140+375 = 895法: Z=8

復号　: M = 895×337-1 mod 457 = 202m = 202 mod 8 = 2

【NM攻撃による解読】低密度攻撃によりC = a r’ となる偽の乱数平文 r’ = (0,1,2,0,1,-1) が求まるC = 1×283+2×311+1×375−1×385 = 895

m’ = 1×6+2×5+1×6−1×4 = 18 = 2 mod 8

中間平文: M = 73 + 75 + 54 = 202

中間平文: M = 70 + 2×85 + 1×54 −1×92 = 202r’ のノルムが小さいとMも一致してしまう

解読条件

OECUMHKナップザック暗号: 鍵生成

Step1: 次元 n と N を決めるStep2: 　　　　乱数 s　　　　　　 ∈ ZN

n を生成Step3: 素数法 P　　　　　　　　　　を生成　　　　P > sum(s) > P /2Step4: 秘密鍵 e 　　　　　　　を生成　　　　P > e > P /2Step5: 公開鍵 a ∈ Zn に変換　　　　a = e a mod PStep6: 公開鍵 b を計算　　　　b = s mod 2

解読原因：　sの下位ビット　をそのまま公開

OECUMHK3ナップザック暗号: 鍵生成

Step1: 次元 n と N を決めるStep2: 三系列の乱数 s1, s2, s3 ∈ ZN

n を生成Step3: 素数法 P1, P2, P3 を生成　　　　Pi > sum(si) > Pi/2Step4: 秘密鍵 e1, e2, e3 を生成　　　　Pi > ei > Pi /2Step5: 公開鍵 ai ∈ Zn に変換　　　　ai = e ai mod PiStep6: 公開鍵 bi を計算　　　　b1 = (s2 +s3) mod 2　　　　b2 = (s3 +s1) mod 2　　　　b3 = (s1 +s2) mod 2

互いの系列によりsiの下位ビットを隠す biからsiは求められない

独立な乱数

G =

0

@0 1 11 0 11 1 0

1

A

det(G) = 2

0

@b1kb2kb3k

1

A ⌘ G

0

@s1ks2ks3k

1

A(mod 2)

OECU

Step1: 平文 m ∈ {0,1}

Step2: 三系列の乱数 v1, v2, v3 ∈ {0,1}nを生成　　　　m = (b1・v1 + b2・r2 + b3・r3) mod 2

Step3: 三系列の乱数 r1, r2, r3 ∈ {0,1}nに変換　　　r1 = (v2 +v3) mod 2 　　　r2 = (v3 +v1) mod 2 　　　r3 = (v1 +v2) mod 2

Step4: 暗号文 Ci を計算　　　　Ci = ai・ri

MHK3ナップザック暗号: 暗号化

riからviは求められない

G =

0

@0 1 11 0 11 1 0

1

Adet(G) = 2

0

@r1kr2kr3k

1

A ⌘ G

0

@v1kv2kv3k

1

A(mod 2)

OECU

中間平文 Mi 及び M を次式で定義する　　　　Mi = si・ri

　　　　M = M1 + M2 + M3

Step1: 中間平文 Mi を計算　　　　Mi = ei

-1 Ci mod PiStep2: 中間平文 M を計算　　　　M = M1 + M2 + M3

Step3: 平文 m を計算　　　　m = M mod 2

MHK3ナップザック暗号: 復号

A Toy Example

OECU鍵生成

Step 4: 暗号文 Ci を

Ci = ai · ri (i = 1, 2, 3) (23)

により計算する．

4. 3 復号中間平文Mi 及びM を次式で定義する．

Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)

Step 1: 式 (13)及び式 (15)より，中間平文 Mi 及び M を次式により計算することができる．

Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)

Step 2: 平文 m を次式により計算する．

m = M mod 2. (28)

4. 4 復号の正当性

M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).

が成立する．4. 5 小さい数値例提案方式の小さい数値例を挙げる．4. 5. 1 鍵生成

Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —

OECU復号暗号化


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —

OECUMHK3図解6

9

8

s1

s2s3

mod 2

a1, a2, a3公開

公開

秘密乱数

m = (b1・v1 + b2・v2 + b3・v3) mod 2 = 1平文

6

8

75

7

65

6

57

9

57

8

69

7

79

6

8 0

1

00

0

11

1

01

0

11

1

11

0

01

1

11

0

01

01

10

01

0

11

11

00

00

10

01

01

01

b1

b2

1

10

01

01

0

11

11

01

00

00

01

10

00

r1

r2r3

v3

v1

v2

b3

XOR

XOR1

1

0

01

10

00

01

10

00

11

01

11

10

11

00

Ci = ai・ri暗号文1

1

1

?

?

?

0

1

1 1

0

0

ai = ei si (mod Pi)

乱数

OECU別解攻撃真の解

正当な乱数平文


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —

5. 安全性に関する考察5. 1 秘密鍵の安全性Shamirの攻撃のように，秘密鍵の特殊性を利用して，公開

鍵から秘密鍵を求める攻撃がある．しかしながら，提案方式の秘密鍵 si はトラップドアの存在しない完全な一様乱数列として生成されている．したがって，ai から si を求めることはできない．5. 2 秘密鍵の LSBの安全性秘密鍵 si (i = 1, 2, 3) の LSB の安全性について考察する．

秘密鍵 si の LSBを s′i と置く．すなわち，s′

i = si mod 2とする．このとき，式 (16)～式 (18)より，

b1 ≡ s′2 + s′

3 (mod 2), (29)

b2 ≡ s′3 + s′

1 (mod 2), (30)

b3 ≡ s′1 + s′

2 (mod 2). (31)

が成立する．k = 1, 2, . . . , n について，未知ベクトル xk 及び定数ベ

クトル ck を，それぞれ，xk = (s′1k, s′2k, s

′3k)

T 及び ck =

(b1k, b2k, b3k)T とする．このとき，

G =

⎛

⎜⎜⎝

0 1 1

1 0 1

1 1 0

⎞

⎟⎟⎠ (32)

と置くと，式 (29),式 (30)及び式 (31)の第 k 成分は，

ck ≡ Gxk (mod 2) (k = 1, 2, . . . , n) (33)

と表される．従って，秘密鍵の最下位ビット s′i(i = 1, 2, 3)を

求めるには，式 (33)の n組の三元連立方程式を解き，すべての xk(k = 1, 2, . . . , n)を求める必要がある．もし，Gの逆行列が存在すれば，この連立合同式 (33)は

xk ≡ G−1ck (mod 2) (34)

により解くことができる．しかしながら，det(G) = 2 であるので，Gの逆行列は存在しない．ゆえに，この連立合同式を解くことができない．したがって，秘密鍵の最下位ビット s′

i を求めることはできない．5. 3 低密度攻撃に対する安全性三系列の公開鍵 ai (i = 1, 2, 3) の，それぞれに対して，十分

高密度であるように設計すれば，(Ci,ai) に対する低密度攻撃に対して安全である．また，提案方式は，ri が異なるため，従来の多系列ナップザック暗号に対する低密度攻撃を適用しても効果がない．5. 4 別解攻撃に対する安全性提案方式に対して，(Ci,ai) に対する低密度攻撃により，

Ci = ai · r′i を満たす別解 r′

i が求まる可能性がある（注3）．別解

（注3）：このような別解を擬似乱数平文と呼ぶことにし，真の乱数平文 ri と区別するために，r′

i と表すことにする．

は，文献 [13]の解読条件

Mi = si · r′i (35)

さえ満たせば，必ずしも r′i ∈ {0, 1}n である必要はない（注4）．

実際，提案方式においても，式 (35) を満たす別解 r′i は十分

多く存在する．しかしながら，提案方式では解読条件を満たすr′i が求まったとしても，平文 mを求めるには，暗号化に使用した乱数平文 v1,v2,v3 を求めて，式 (19)により mを計算する必要がある．乱数平文v1,v2,v3を求めるには，式 (20)，式 (21)及び式 (22)

の三元連立方程式を解く必要がある．すなわち，k = 1, 2, . . . , n

について，未知ベクトル xk 及び定数ベクトル ck を，それぞれ，xk = (v1k, v2k, v2k)

T 及び ck = (r1k, r2k, r3k)T として，

式 (33)の三元連立合同式を解く必要がある．しかしながら，第5. 2節と同様の議論により，この連立合同式は解くことができない．したがって，平文mを求めることができない．5. 5 別解攻撃ができないことの例証まず，(ai, Ci) による低密度攻撃により下記の別解が求まっ

たとする．

r′1 = (0, 1, 1, 1, 0, 0, 1, 1),

r′2 = (0, 1, 1, 1, 0, 0, 1, 0),

r′3 = (1, 1, 1, 0, 0, 0, 0, 0).

これらは，確かに次式を満たす別解となっている．

C1 = 30 + 43 + 56 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 27 + 8 = 81.

これらは別解攻撃の解読条件である次式を満たしている．

M1 = s1 · r′1 = 7 + 8 + 9 + 8 + 9 = 41,

M2 = s2 · r′2 = 9 + 7 + 7 + 6 = 29,

M3 = s3 · r′3 = 8 + 7 + 6 = 21.

従来方式だと，この時点で r′i を利用して，mを特定すること

ができて，解読が成立する．しかしながら，MHK3では，この段階まで求められても解読できない．このことをこの例を用いて具体的に説明する．攻撃者が平文 m を求めるためには，式 (20)，式 (21) 及び

式 (22) の三元連立方程式を解く必要がある．法が 2であるので，このことは，法 2 の三元連立合同式を解くことと等しい．xk = (v1k, v2k, v3k)

T，ck = (r1k, r2k, r3k)T，と置くと，第 k

成分について，この連立合同式は，Gxk ≡ ck (mod 2) と表現することができる．もし，G の逆行列が存在すれば，この連立合同式を xk ≡

G−1ck (mod 2) により解くことができるが，det(G) = 2であ

（注4）：求めた r′i のノルムが十分に小さければ，解読条件 Mi = si · r′

i を満たす可能性が高い．

— 5 —





b1 ≡ s′2 + s′

3 (mod 2), (29)

b2 ≡ s′3 + s′

1 (mod 2), (30)

b3 ≡ s′1 + s′

2 (mod 2). (31)



′3k)

T 及び ck =


G =

⎛

⎜⎜⎝

0 1 1

1 0 1

1 1 0

⎞

⎟⎟⎠ (32)


ck ≡ Gxk (mod 2) (k = 1, 2, . . . , n) (33)



xk ≡ G−1ck (mod 2) (34)









Mi = si · r′i (35)








たとする．

r′1 = (0, 1, 1, 1, 0, 0, 1, 1),

r′2 = (0, 1, 1, 1, 0, 0, 1, 0),

r′3 = (1, 1, 1, 0, 0, 0, 0, 0).


C1 = 30 + 43 + 56 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 27 + 8 = 81.


M1 = s1 · r′1 = 7 + 8 + 9 + 8 + 9 = 41,

M2 = s2 · r′2 = 9 + 7 + 7 + 6 = 29,

M3 = s3 · r′3 = 8 + 7 + 6 = 21.









— 5 —





b1 ≡ s′2 + s′

3 (mod 2), (29)

b2 ≡ s′3 + s′

1 (mod 2), (30)

b3 ≡ s′1 + s′

2 (mod 2). (31)



′3k)

T 及び ck =


G =

⎛

⎜⎜⎝

0 1 1

1 0 1

1 1 0

⎞

⎟⎟⎠ (32)


ck ≡ Gxk (mod 2) (k = 1, 2, . . . , n) (33)



xk ≡ G−1ck (mod 2) (34)









Mi = si · r′i (35)








たとする．

r′1 = (0, 1, 1, 1, 0, 0, 1, 1),

r′2 = (0, 1, 1, 1, 0, 0, 1, 0),

r′3 = (1, 1, 1, 0, 0, 0, 0, 0).


C1 = 30 + 43 + 56 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 27 + 8 = 81.


M1 = s1 · r′1 = 7 + 8 + 9 + 8 + 9 = 41,

M2 = s2 · r′2 = 9 + 7 + 7 + 6 = 29,

M3 = s3 · r′3 = 8 + 7 + 6 = 21.









— 5 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —

不正な乱数平文

解読条件は満たすが…

逆行列がないのでviを求めることはできない


Ci = ai · ri (i = 1, 2, 3) (23)



Mi = si · ri (i = 1, 2, 3), (24)

M = M1 +M2 +M3. (25)


Mi = e−1i Ci mod Pi (i = 1, 2, 3), (26)

M = M1 +M2 +M3. (27)


m = M mod 2. (28)


M ≡ s1 · (v2 + v3) + s2 · (v3 + v1) + s3 · (v1 + v2)

≡ v3 · (s1 + s2) + v1 · (s2 + s3) + v2 · (s3 + s1)

≡ m (mod 2).


Step 1: n = 8, N = 10.

Step 2:

s1 = (6, 7, 8, 9, 6, 7, 8, 9),

s2 = (9, 9, 7, 7, 5, 5, 6, 6),

s3 = (8, 7, 6, 5, 5, 6, 7, 8).

Step 3:

P1 = 61 > sum(s1) = 60,

P2 = 59 > sum(s2) = 54,

P3 = 53 > sum(s3) = 52.

Step 4:

e1 = 13,

e2 = 11,

e3 = 19.

Step 5:

a1 = (17, 30, 43, 56, 17, 30, 43, 56),

a2 = (40, 40, 18, 18, 55, 55, 7, 7),

a3 = (46, 27, 8, 42, 42, 8, 27, 46).

Step 6:

b1 = (1, 0, 1, 0, 0, 1, 1, 0),

b2 = (0, 0, 0, 0, 1, 1, 1, 1),

b3 = (1, 0, 1, 0, 1, 0, 0, 1).

4. 5. 2 暗号化Step 1: m = 1.

Step 2:

v1 = (1, 0, 1, 0, 1, 0, 0, 1),

v2 = (0, 0, 1, 0, 1, 1, 1, 1),

v3 = (0, 0, 0, 1, 1, 0, 0, 0),

m = (b1 · v1 + b2 · v2 + b3 · v3) mod 2

= (1 + 0 + 1 + 0 + 0 + 0 + 0 + 0

+ 0 + 0 + 0 + 0 + 1 + 1 + 1 + 1

+ 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0) mod 2

= 1.

Step 3:

r1 = v2 + v3

= (0, 0, 1, 1, 0, 1, 1, 1),

r2 = v3 + v1

= (1, 0, 1, 1, 0, 0, 0, 1),

r3 = v1 + v2

= (1, 0, 0, 0, 0, 1, 1, 0).

Step 4:

C1 = 43 + 56 + 30 + 43 + 56 = 228,

C2 = 40 + 18 + 18 + 7 = 83,

C3 = 46 + 8 + 27 = 81.

4. 5. 3 復号Step 1:

M1 = 13−1 × 228 mod 61 = 41,

M2 = 11−1 × 83 mod 59 = 29,

M3 = 19−1 × 81 mod 53 = 21,

M = M1 +M2 +M3

= 41 + 29 + 21 = 91.

Step 2: m = 91 mod 2 = 1.

— 4 —

0

@r01kr02kr03k

1

A ⌘

0

@0 1 1

1 0 1

1 1 0

1

A

0

@v1kv2kv3k

1

A(mod 2)

OECU

MHK3まとめ• MHK3は下記の攻撃に対して安全

• 公開鍵から秘密鍵を求める攻撃(Shamirライク)

• 暗号文から平文を求める攻撃(低密度攻撃)

• 別解攻撃(NM攻撃やKNM攻撃)

• 多系列への一般化，法の一般化（多値化）も可能．• 「Call for Attack」です．よろしくお願いします．

41

OECU

まとめ• ナップザック暗号は耐量子暗号として期待．• トラップドアを入れると安全性証明が困難．○：部分和問題求解可能→ナップザック暗号解読×：ナップザック暗号解読→部分和問題求解可能

• 安全性が証明可能な方式でも必ずしも安全ではないことに注意（帰着する問題が現実には解読可能）．

• 証明されていなくても現実には解読困難な方式もある．→どのような手段で安全性の根拠を示すかが課題．

42

OECU

謝辞• 本研究の一部はNICTの組織暗号プロジェクトの補助により行われました．感謝申し上げます．

• 低ビットレートナップザック暗号を研究するきっかけを与えてくださいました辻井先生に感謝いたします．

• MHK暗号，MHK2暗号の解読法を提案してくださった森井先生の研究グループに感謝いたします．

43

Documents

, 2015.6/15 動機 - 中央大学c-faculty.chuo-u.ac.jp/~tsujii/pdf/150615murakami.pdfSecret Key Attack (SKA): 公開伴から秘密伴を求める攻撃 (例. Shamirの攻撃) Low-Density