The present invention relates to a cipher communication method using a public-key encryption scheme and being provable to be semantically-secure against an adaptive chosen-ciphertext attack.
Up to the present, a variety of public-key encryption methods have been proposed. Among them, an encryption method published in a literature 1: “R. L. Rivest, A. Shamir, L. Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Commun. of the ACM, Vol. 21, No. 2, pp. 120-126, (1978)” is the most famous and the most put-into-practical-use public-key encryption scheme. As another encryption method, a method using elliptic curves described in the following literatures has been known as an efficient public key encryption scheme: A literature 2: “V. S. Miller: Use of Elliptic Curves in Cryptography, Proc. of Crypto' 85, LNCS218, Springer-Verlag, pp. 417-426, (1985)”, a literature 3: “N. Koblitz: Elliptic Curve Cryptosystems, Math. Comp., 48, 177, pp. 203-209, (1987)”, and so on.
As encryption methods that are provable about the security, at first, as the methods with a chosen-plaintext attack set as their object, the following have been known: A method described in a literature 4: “M. O. Rabin: Digital Signatures and Public-Key Encryptions as Intractable as Factorization, MIT, Technical Report, MIT/LCS/TR-212 (1979)”, a method described in a literature 5: “T. E L Gamel: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE, Trans. On Information Theory, IT-31, 4, pp. 469-472, (1985)”, a method described in a literature 6: “S. Goldwasser and S. Micali: Probabilistic Encryption, JCSS, 28, 2, pp. 270-299, (1984)”, a method described in a literature 7: “M. Blum and S. Goldwasser: An Efficient Probabilistic Public-Key Encryption Scheme which Hides All Partial Information, Proc. of Crypto' 84, LNCS196, Springer-Verlag, pp. 289-299, (1985)”, a method described in a literature 8: “S. Goldwasser and M. Bellare: Lecture Notes on Cryptography, http:/www-cse.ucsd.edu/users/mihir/ (1997)”, a method described in a literature 9: “T. Okamoto and S. Uchiyama: A New Public-Key Cryptosystem as Secure as Factoring, Proc. of Eurocrypto' 98, LNCS1403, Springer-Verlag, pp. 308-318, (1998)”, and so on.
Also, as encryption methods that are provable about the security against the chosen-ciphertext attack, the following have been known: A method described in a literature 10: “D. Dolve, C. Dwork, and M. Naor: Non-Malleable Cryptography, In 23rd Annual ACM Symposium on Theory of Computing, pp. 542-552, (1991)”, a method described in a literature 11: “M. Naor and M. Yung: Public-Key Cryptosystems Non-malleable against Chosen Ciphertext Attacks, Proc. of STOC, ACM Press, pp. 427-437, (1990)”, a method described in a literature 12: “R. Cramer and V. Shoup: A Practical Public-Key Cryptosystem Non-malleable against Adaptive Chosen Ciphertext Attack, Proc. of Crypto' 98, LNCS1462, Springer-Verlag, pp. 13-25, (1998)”, and so on.
Also, in a literature 13: “M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway: Relations Among Notions of Security for Public-Key Encryption Schemes, Proc. of Crypto' 98, LNCS1462, Springer-Verlag, pp. 26-45, (1998)”, the equivalence between IND-CCA2 (i.e., being semantically-secure against the adaptive chosen-ciphertext attack) and NM-CCA2 (i.e., being non-malleable against the adaptive chosen-ciphertext attack) has been demonstrated. Accordingly, at present, the public key encryption scheme satisfying this condition is considered as the most secure cypher.
An encryption method described in a literature 14: “M. Bellare and P. Rogaway: Optimal Asymmetric Encryption How to Encrypt with RSA, Proc. of Eurocrypto' 94, LNCS950, Springer-Verlag, pp. 92-111, (1994)” has been considered as semantically-secure against the adaptive chosen-ciphertext attack on the premise of the difficulty in calculating the inverse function of a one-way trapdoor permutation. In recent years, however, in a literature 15: “V. Shoup: OAEP Reconsidered. Available on the e-print library (2000/060), November 2000”, a problem and the fact that the proof of the security is insufficient from a general viewpoint have been pointed out, and the solving methods therefor have been also proposed.
Meanwhile, in a cipher communication, in many cases, transmission data is encrypted using a common-key cypher, and the secret key to the common-key cypher used for the data encryption at that time is encrypted using a public key encryption scheme. One reason for this is that the length of a plaintext that can be encryption-processed at one time using the public-key encryption methods described in the above-described respective literatures is short, and is limited in proportion to the key length. For example, in the encryption method described in the literature 1, if the key length is 1024 bits, the plaintext is, at the most, 1024 bits. Moreover, in the encryption method described in the literature 3, if the base p is 160 bits, the information that can be transmitted at the one-time encryption is 160 bits.
In the practical systems, however, there are many cases where, in addition to the common key, the identification information (i.e., the ID information) of the user is also sent together therewith. Also, in accompaniment with the advancement of the computers' capabilities, the key length to be transmitted is now getting longer and longer. On account of this, there occurs a necessity for performing the encryption in a manner of being divided into a plurality of times. In the case of dividing the encryption into the plurality of times, there occurs a necessity for guaranteeing the validity of the correspondences among the respective ciphertexts. This necessitates much extra time and labor.
From the situation like this, expectations are concentrated on an encryption method which allows a longer plaintext to be encrypted at one time and whose security against the attack is provable.
Also, the literature 4 has proved that the encryption method described in the literature 4 is unidirectional against the chosen-plaintext attack. This, however, means that the encryption method is weak against the chosen-ciphertext attack. Also, although the encryption method in the literature 4 is superior in the high-speed performance in the encryption processing, the method could not be expected to implement a high-speed decryption processing.