Cryptographic method for communication and electronic signatures
First Claim
1. A cryptographic communication system comprising:
- A. a communications channel;
B. an encoder coupled to the channel and adapted for transforming a message {x1, x2, . . . , xn } to a ciphertext {y1, y2, . . . , ym } on the channel, where {x1, x2, . . . , xn } corresponds to a set of integers representative of the message and
space="preserve" listing-type="equation">x.sub.i [0,2.sup.s), for i=1 to n, where n≧
2 and s is some positive integer, and where {y1, y2, . . . , ym } corresponds to a set of integers representative of an enciphered form of the message and corresponds to ##EQU82## where 1≦
m'"'"'<
m and r≧
2, and where an encoding key contains the integers aij, gljk, and fractions filk and fj,lh,k, for i=1 to n, j=1 to m, l=1 to mk, k=1 to r-1, and h=1 to k-1, and qj, for j=1 to m'"'"', wherein
space="preserve" listing-type="equation">a.sub.ij ≡
a.sub.i.sup.r mod q.sub.j, where air is obtained by performing r iterations of modular multiplication according to the relation
space="preserve" listing-type="equation">a.sub.i.sup.k+1 ≡
a.sub.ij.sup.k+1 mod p.sub.j.sup.k+1 ≡
w.sup.k+1 (a.sub.i.sup.k mod p.sub.j.sup.k) mod p.sub.j.sup.k+1, for j=1 to mk and k=1 to r, where ai0 =bi, for i=1 to n, and ##EQU83## where pj,lh,k is obtained by modular multiplying pjh to modulus plk according to the same relations followed by aijh, and where a set of initial knapsack weights {b1, b2, . . . , bn }={a10, a20, . . . , an0 } is selected as a superincreasing series according to the relation ##EQU84## and where ##EQU85## where k [1, r-1], and where mr-1 =1 and mr =m, and where ##EQU86## and where Alk has an approximation error bounded by [-2-e-1, 2-e-1) before truncation, and where {q1, q2, . . . , qm } are pairwise relatively prime and ##EQU87## and, where p1 is relatively prime to bi, for i=1 to n, and where pk-1 and pk are relatively prime, for k=2 to r, and where wk and pk are relatively prime, for k=1 to r;
C. a decoder coupled to the channel and adapted for receiving the ciphertext {y1, y2, . . . , ym } from the channel and for transforming {y1, y2, . . . , ym } to a deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n }, wherein the deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n } corresponds to a set of numbers representative of a deciphered form of the ciphertext {y1, y2, . . . , ym }, and where {y1, y2, . . . , ym } is decoded by first calculating
space="preserve" listing-type="equation">y.sub.j.sup.k ≡
(w.sup.k+1).sup.-1 y.sub.j.sup.k+1 mod p.sub.j.sup.k+1, for j=1 to mk and decrementing from k=r-1 to 0, where yr ≡
{y1, y2, . . . , ym } mod {q1, q2, . . . , qm }, and then solving a knapsack problem, ##EQU88## with the set of initial knapsack weights {b1, b2, . . . , bn } and target value b=y0, by calculating sequentially ##EQU89## from i=n decrementing to 1, to return the deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n }, and where a decoding key includes the positive integers {b1, b2, . . . , bn }, {w1, w2, . . . , wr }, {p1, p2, . . . , pr }, and {q1, q2, . . . , qm }.
0 Assignments
0 Petitions
Accused Products
Abstract
A cryptographic method for communication and electronic signatures is described. The system includes at least one encoding device coupled to at least one decoding device by a communications channel. The method is a form of public-key or two-key cryptosystem, where the private decoding key is not feasibly determinable from the associated public encoding key. A block of ns bits of a message-to-be-transferred M (or key-to-be-distributed) is enciphered to ciphertext by first mapping M to a set {x1, x2, . . . , xn }, where xi [0, 2s). Then the ciphertext {y1, y2, . . . , ym } is determined by ##EQU1## mod qj, for j=1 to m'"'"', and ##EQU2## for j=m'"'"'+1 to m, where ##EQU3## The encoding key (associated with the intended receiver) consists of integers aij, gj, and positive fractions fi, for i=1 to n and for j=1 to m, and positive integers qj, for j=1 to m'"'"'. The ciphertext is deciphered (with a secret key known only to the intended receiver) by solving a knapsack ##EQU4## with secret superincreasing weights {b1, b2, . . . , bn } and target value b≡|w-1 |w'"'"'-1 y|Q |P, where y≡{y1, y2, . . . , ym } mod {q1, q2, . . . , qm }, ##EQU5## and w, w'"'"', and {qm'"'"'+1, qm'"'"'+2, . . . , qm } are secret integers. The resulting terms {x'"'"'1, x'"'"'2, . . . , x'"'"'n } correspond to the original message terms {x1, x2, . . . , xn }.
243 Citations
20 Claims
-
1. A cryptographic communication system comprising:
-
A. a communications channel; B. an encoder coupled to the channel and adapted for transforming a message {x1, x2, . . . , xn } to a ciphertext {y1, y2, . . . , ym } on the channel, where {x1, x2, . . . , xn } corresponds to a set of integers representative of the message and
space="preserve" listing-type="equation">x.sub.i [0,2.sup.s),for i=1 to n, where n≧
2 and s is some positive integer, and where {y1, y2, . . . , ym } corresponds to a set of integers representative of an enciphered form of the message and corresponds to ##EQU82## where 1≦
m'"'"'<
m and r≧
2, and where an encoding key contains the integers aij, gljk, and fractions filk and fj,lh,k, for i=1 to n, j=1 to m, l=1 to mk, k=1 to r-1, and h=1 to k-1, and qj, for j=1 to m'"'"', wherein
space="preserve" listing-type="equation">a.sub.ij ≡
a.sub.i.sup.r mod q.sub.j,where air is obtained by performing r iterations of modular multiplication according to the relation
space="preserve" listing-type="equation">a.sub.i.sup.k+1 ≡
a.sub.ij.sup.k+1 mod p.sub.j.sup.k+1 ≡
w.sup.k+1 (a.sub.i.sup.k mod p.sub.j.sup.k) mod p.sub.j.sup.k+1,for j=1 to mk and k=1 to r, where ai0 =bi, for i=1 to n, and ##EQU83## where pj,lh,k is obtained by modular multiplying pjh to modulus plk according to the same relations followed by aijh, and where a set of initial knapsack weights {b1, b2, . . . , bn }={a10, a20, . . . , an0 } is selected as a superincreasing series according to the relation ##EQU84## and where ##EQU85## where k [1, r-1], and where mr-1 =1 and mr =m, and where ##EQU86## and where Alk has an approximation error bounded by [-2-e-1, 2-e-1) before truncation, and where {q1, q2, . . . , qm } are pairwise relatively prime and ##EQU87## and, where p1 is relatively prime to bi, for i=1 to n, and where pk-1 and pk are relatively prime, for k=2 to r, and where wk and pk are relatively prime, for k=1 to r; C. a decoder coupled to the channel and adapted for receiving the ciphertext {y1, y2, . . . , ym } from the channel and for transforming {y1, y2, . . . , ym } to a deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n }, wherein the deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n } corresponds to a set of numbers representative of a deciphered form of the ciphertext {y1, y2, . . . , ym }, and where {y1, y2, . . . , ym } is decoded by first calculating
space="preserve" listing-type="equation">y.sub.j.sup.k ≡
(w.sup.k+1).sup.-1 y.sub.j.sup.k+1 mod p.sub.j.sup.k+1,for j=1 to mk and decrementing from k=r-1 to 0, where yr ≡
{y1, y2, . . . , ym } mod {q1, q2, . . . , qm }, and then solving a knapsack problem, ##EQU88## with the set of initial knapsack weights {b1, b2, . . . , bn } and target value b=y0, by calculating sequentially ##EQU89## from i=n decrementing to 1, to return the deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n }, and where a decoding key includes the positive integers {b1, b2, . . . , bn }, {w1, w2, . . . , wr }, {p1, p2, . . . , pr }, and {q1, q2, . . . , qm }. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- 13. The system of claim 3 and further comprising a shortened encoding key, wherein
a subset of the variables in the encoding key are standardized during key-generation, where the standardized subset of the encoding key of each user in a network is identical, and where the encoding key as defined in claim 3 is {ai1, ai2, . . . , aim }, for i=1 to n, {g1, g2, . . . , gm }, {f1, f2, . . . , fn }, and {q1, q2, . . . , qm'"'"' }, and where {q1, q2, . . . , qm'"'"' } is standardized, and where {an1, an2, . . . , anm } and {g1, g2, . . . , gm } are standardized by randomly selecting anj and gj from the range [0, qj), for j=1 to m, and where P, {b1, b2, . . . , bn }, and {qm'"'"'+1, qm'"'"'+2, . . . , qm } are selected as specified in claim 3 and are not standardized, and where w'"'"' is found according to the relation - space="preserve" listing-type="equation">w'"'"'≡
P.sup.-1 g mod Q,
where g≡
{g1, g2, . . . , gm } mod {q1, q2, . . . , qm }, and where w is found according to the relation
space="preserve" listing-type="equation">w≡
|b.sub.n.sup.-1 |w'"'"'.sup.-1 a.sub.n |Q|Pwhere an ≡
{an1, an2, . . . , anm } mod {q1, q2, . . . , qm }, and where the rest of the encoding key;
aij, for i=1 to n-1 and j=1 to m, and fi, for i=1 to n, is not standardized and is then selected as specified in claim 3. - space="preserve" listing-type="equation">w'"'"'≡
-
-
14. The system of claim 2 and further comprising a signature verification, wherein
a sender generates a signature of the message with the decoder and the decoding key of the sender, where n≧ - 1 and r≧
2, and where the message is assigned to {y1, y2, . . . , ym'"'"' } by a blocking method, where yj [0, qj) for j=1 to m'"'"', and 1≦
m'"'"', and 1≦
m'"'"'<
m, and where at least one of the following group;
secret random integers, secret pseudo-random integers, secret non-random integers, and non-secret integers that are constant for all signatures, are assigned to {ym'"'"'+1, ym'"'"'+2, . . . , ym }, where yj [0, qj) for j=m'"'"'+1 to m, and where decoding {y1, y2, . . . , ym } with the decoder and the decoding key of the sender yields the signature {x1, x2, . . . , xn } , and where the sender then checks if xj <
2s, for j=1 to n, and if this test is failed, then decoding {y1, y2, . . . , ym } is repeated with a different value of {ym'"'"'+1, ym'"'"'+2, . . . , ym }, and where the signature and the message are sent to a receiver along the communications channel, andthe signature {x1, x2, . . . , xn } is checked by the receiver or by a third party by encoding {x1, x2, . . . , xn } to {y'"'"'1, y'"'"'2, . . . , y'"'"'m'"'"' } with the encoder and the encoding key of the sender, and where the message is assigned to {y1, y2, . . . , ym'"'"' } with the blocking method, and where the signature is valid if ##EQU114## for j=1 to m'"'"', where dk [-1, [pk+1 /pk ]+1].
- 1 and r≧
-
15. The system of claim 2 and further comprising a signature verification, wherein
a sender generates a signature of the message with the decoder and the decoding key of the sender by assigning the message to {y1, y2, . . . , ym'"'"' } with a blocking method, where yj [0, qj) for j=1 to m'"'"', and where n≧ - 1 and r≧
2, and where an integer c is selected from one of the group consisting of;
a secret random integer, a secret non-random integer, and a fixed public integer, and where c [pr-1 2-e /q,pr-1 /q), where ##EQU115## and where yr mod q and c are combined according to the relation
space="preserve" listing-type="equation">y.sup.r-1 =|(w.sup.r).sup.-1 y.sup.r |q+cq,where yr ≡
{y1, y2, . . . , ym'"'"' } mod {q1, q2, . . . , qm'"'"' }, and where yr-1 is an intermediate value in the decoder and decoding is completed from yr-1 by the decoder to generate the signature {x1, x2, . . . , xn }, and where decoding yr-1 is repeated with a different value of c if xj ≧
2s, for j=1 to n, and where the signature and the message are sent to a receiver along the communications channel, andthe signature {x1, x2, . . . , xn } is checked by the receiver or by a third party by encoding {x1, x2, . . . , xn } to {y'"'"'1, y'"'"'2, . . . , y'"'"'m'"'"' } with the encoder and the encoding key of the sender, and where the message is assigned to {y1, y2, . . . , ym'"'"' } with the blocking method, and where the signature is valid if ##EQU116## for j=1 to m'"'"', where dk [-1, [pk+1 /pk ]+1].
- 1 and r≧
-
16. A method as claimed in claim 15, wherein m'"'"'=1 and r=2.
-
17. The system of claim 2 and further comprising a signature verification, wherein
a sender generates a signature of the message with the decoder and the decoding key of the sender, where n≧ - 1 and r≧
2, and where the message is assigned to {y1, y2, . . . , ym'"'"' } by a blocking method, where yj [0 qj) for j=1 to m'"'"', and 1≦
m'"'"'<
m, and where at least one of;
secret random integers, secret pseudo-random integers, secret non-random integers, and non-secret integers that are constant for all signatures, are assigned to {ym'"'"'+1, ym'"'"'+2, . . . , ym }, where yj [0, qj) for j=m'"'"'+1 to m, and where decoding {y1, y2, . . . , ym } with the decoder and the decoding key of the sender yields the signature {x1, x2, . . . , xn }, where the decoding key is selected with p.sup. k >
pk+1 (1+2-e), for k=1 to r-1, and where decoding }y1, y2, . . . ym } is repeated with a different value of {ym'"'"'+1, ym'"'"'+2, . . . , ym } if xj ≧
2s, for j=1 to n, and where the signature and the message are sent to a receiver along the communications channel, andthe signature {x1, x2, . . . , xn } is checked by the receiver or by a third party by encoding {x1, x2, . . . , xn } to {y'"'"'1, y'"'"'2, . . . , y'"'"'m'"'"' } with the encoder and the encoding key of the sender, where the encoder calculates Axk during signature checking according to ##EQU117## and, where the message is assigned to {y1, y2, . . . , ym'"'"' } with the blocking method, and where the signature is valid if yj ≡
y'"'"'j mod qj, for j=1 to m'"'"'.
- 1 and r≧
-
18. The system of claim 2 and further comprising an abbreviated signature, wherein
a sender generates a signature of the message with the decoder using the decoding key of the sender, where n≧ - 1 and r≧
2, and where the message is assigned to {y1, y2, . . . , ym'"'"' } by a blocking method, where yj [0, qj) for j=1 to m'"'"', and 1≦
m'"'"'<
m, and where at least one of;
secret random integers, secret pseudo-random integers, secret non-random integers, and non-secret integers that are constant for all signatures, are assigned to {ym'"'"'+1, ym'"'"'+2, . . . , ym }, where yj [0, qj) for j=m'"'"'+1 to m, and where decoding {y1, y2, . . . , ym } with the decoder and the decoding key of the sender yields the signature {x1, x2, . . . , xn }, where the decoding key is selected with p.sup. k >
pk+1 (1+2-e), for k=1 to k'"'"'-1 and k'"'"'+1 to r-1, where k'"'"' is one value from [1, r-1], and where the signature is abbreviated by selecting pk'"'"' <
pk'"'"'+1, and where decoding {y1, y2, . . . , ym } is repeated with a different value of {ym'"'"'+1, ym'"'"'+2, . . . , ym } if xj ≧
2s, for j=1 to n, and where the signature and the message are sent to a receiver along the communications channel, andthe signature {x1, x2, . . . , xn } is checked by the receiver or by a third party by encoding {x1, x2, . . . , xn } to {y'"'"'1, y'"'"'2, . . . , y'"'"'m'"'"' } with the encoder and the encoding key of the sender, where the encoder calculates Axk during signature checking according to ##EQU118## and, where the message is assigned to {y1, y2, . . . , ym'"'"' } with the blocking method, and where the signature is valid if y≡
y'"'"'+dgk'"'"' mod q with d [-1, [pk'"'"'+1 /pk'"'"' ]+1], where d≡
(gk'"'"')-1 (y'"'"'-y) mod q, y≡
{y1, y2, . . . , ym'"'"' } mod {q1, q2, . . . , qm'"'"' }, y'"'"'≡
{y'"'"'1, y'"'"'2, . . . , y'"'"'m'"'"' } mod {q1, q2, . . . , qm'"'"' }, and ##EQU119##
- 1 and r≧
-
19. The system of claim 14 and further comprising an identity verification, wherein
a party (the verifier) wishes to verify a claimed identity of a second party (the candidate) and the verifier generates a secret random number and sends the secret random number to the candidate along the communications channel, and the candidate then generates the signature of the message, where the message is set equal to the secret random number, with the decoder and the decoding key of the candidate and sends the signature along the communications channel to the verifier, and the verifier then verifies if the signature of the secret random number is valid with the encoder and the encoding key of the candidate, and the claimed identity is true if the signature of the secret random number is valid. -
20. The system of claim 1 and further comprising an identity verification, wherein
a party (the verifier) wishes to verify a claimed identity of a second party (the candidate) and the verifier generates a secret random number and the message is set equal to the secret random number, and where the verifier assigns the message to {x1, x2, . . . , xn }, where xj [0, 2s), for j=1 to n, and where the verifier encodes the message {x1, x2, . . . , xn } to the ciphertext {y1, y2, . . . , ym } with the encoder and the encoding key of the candidate and sends {y1, y2, . . . , ym } to the candidate along the communications channel, and the candidate decodes {y1, y2, . . . , ym } with the decoder and the decoding key of the candidate to obtain the deciphered message {x'"'"'1, x'"'"'2, . . . , x'"'"'n } and the candidate sends {x"1, x"2, . . . , x"n } to the verifier along the communications channel, where x"j =x'"'"'j mod 2s" j and s"j ≦ - s, for j=1 to n, and
the verifier determines that the claimed identity of the candidate is true if x"j ≡
xj mod 2s" j, for j=1 to n.
- s, for j=1 to n, and
Specification