JP2000098886A - Public key cryptosystem - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable the cryptoanalysis of both of a ciphertext sent to the entire part of a group and a ciphertext addressed to the receivers themselves to be performed with one secret key with each of the respective receivers by having the respective secret keys derived from the secret key of the group held by the respective receivers. SOLUTION: In the case of a cipher level 0, i.e., transmission to the entire part of the group, an integer n-0 to attain n-0=p-0*q-0 is determined with respect to arbitrary integers p-0 and q-0 (S1) and the Euler's function thereof is put as phi(n-0). And a-0*b-0=b-0=1 (mod phi(n-0)) is determined (S2) and the integers a-0 and b-0 are respectively determined as the public key and secret key of the cipher lever 0. In the case of the cipher level (i) to be sent only to the receiver (i), the integer n-i to attain n-i=p-i*q-i is determined with respect to arbitrary integers p-i and q-i (S6). The intrinsic integer is formed by using random numbers, etc., and this integer is determined as k-i. The secret key b-i of the receiver (i) is determined from b-i=b-0+k-i×phi(n-0) (S7).

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a public key cryptosystem based on the RSA system. When a plurality of recipients form a group, individual ciphertexts sent to the recipients and the entire group Are related to a public key cryptosystem that can be decrypted with the same private key held by the receiver.

[0002]

2. Description of the Related Art In recent years, various cryptosystems have been proposed in order to enhance communication security. There are two main types of encryption schemes: a common key scheme in which the sender and receiver have a common secret key, the sender encrypts with that key, and the recipient decrypts with the same key. This is a public key method in which the recipient and the recipient have different keys, the sender encrypts with a public key, and the recipient decrypts with a secret key that only the user can know.

[0003] As a method included in the former common key method, there are DES, FEAL, IDEA and the like. As the latter public key method, there is an RSA or Elgamal method.

For example, as a conventional RSA encryption method, R.
“A method of o” by L. Rivest, A. Sharmir and L. Adleman
btaining digital signatures and public key cryptos
ystems "(Comm. of ACM, Feb, 1978), and USP 4,405,
829 discloses the disclosed technology.

FIG. 5 is a flowchart showing a procedure for producing a key of the RSA cryptosystem, FIG. 6 is a flowchart showing a procedure for producing a cipher text on the transmitting side, and FIG. 7 is a flowchart showing decryption of a cipher text on the receiving side. It is a flowchart which shows a procedure.

The procedure for producing a key will be described with reference to the flowchart of FIG.

[0007] The RSA encryption method is a method based on the difficulty of factorizing an integer into prime factors. In this method, first, for any prime numbers p and q, an integer n such that n = p * q
Is determined (step 41). Assuming that the Euler function (the total number of integers that are n or less and is relatively prime to n) is phi (n), phi (n) = (p−1) * (q−1). Then, a * b = 1 (mod phi (n)) is obtained (step 42), and integers a and b satisfying a * b = 1 (mod phi (n)) are set as a public key and a secret key, respectively (step 42). 43).

[0010] A procedure for producing a ciphertext on the transmitting side will be described with reference to a flowchart of FIG.

Assuming that the plain text is x, y = x ＾ a (mod
n) is calculated (step 51) to obtain a ciphertext y (step 52).

The procedure for decrypting the cipher text on the receiving side will be described with reference to the flowchart of FIG.

When the cipher text y is received, z = y ＾ b (mo
dn) (step 61), and a plaintext z is obtained (step 62).

[0012]

Generally, encryption / decryption by the common key method is high speed, and encryption / decryption by the public key method is low speed. Further, in the common key method, since both the sender and the receiver need to store the secret key, there are problems such as a key distribution method and key theft. On the other hand, in the public key method, the transmission key is open to the public, so that the recipient only has to manage the secret key, and the latter is more advantageous in terms of security.

For this reason, the entire original text is rarely encrypted with the public key. PG often used on the Internet
In the P method and the like, the common key method and the public key method are used in combination, and the encryption of the original text itself is performed using the common key method (IDE).
A), but the common key is delivered by the public key method (RSA).
It is done in.

For example, Simson Garfinkel's' PGP: Prett
In the PGP described by y Good Privacy '(O'reilly 1994), the original text itself is encrypted by IDEA, which is a common key system, and only the common key is encrypted by RSA.

[0015] Thereby, the encryption cost can be reduced.
Also, the problem of distributing the common key is solved.

When the same original text is transmitted to a plurality of recipients, the common key is encrypted with the public key of each recipient, as in the ciphertext 111 shown in FIG. The encryption result is transmitted together with the ciphertext encrypted by the common key. Alternatively, the entire receiver is grouped into one group, and the common key is encrypted with the public key of the group, as in the entire ciphertext 121 shown in FIG. 9, and the encryption result of the common key is encrypted using the common key. Sent with the sentence.

However, the entire ciphertext 11 shown in FIG.
When transmitting the encryption result of each common key together with the ciphertext as in 1, if the number of recipients is very large, the amount of information of the entire ciphertext becomes enormous, and the communication cost becomes high. Not a target.

Further, when all the recipients have the private key of the group as in the ciphertext 121 shown in FIG. 9, each recipient needs to have the key of the group in addition to its own private key. Problems arise in management.

Therefore, in order to solve the above-mentioned problem, the present invention holds each private key derived from a group private key by each recipient, so that one private key is provided for each recipient. An object of the present invention is to provide a public key cryptosystem capable of deciphering both the ciphertext issued to the entire group and the ciphertext addressed to the user.

[0020]

In order to solve the above-mentioned problems, the present invention provides a public key cryptosystem based on the RSA system, wherein a secret key for a group consisting of n individuals is set to b_0, and a public key is set to b_0. Is a_0, and a modulo integer is n_
When the Euler function of n_0 is phi (n_0), an integer k_i unique to the individual i (i = 1... N) is selected, and the secret key b_i of the individual i is b_i = b_0 +
It is defined by k_i × phi (n_0).

According to the present invention, the secret key of each individual, that is, each receiver is derived from the secret key of the group. Each recipient can decrypt both the ciphertext issued to the entire group and the ciphertext destined for itself using only his / her private key.

For example, when the original text itself is encrypted by the common key method and the common key is distributed by the public key encryption method of the present invention, the common key added to the cipher text addressed to the entire group is the public key a_0. And a common key added to the ciphertext addressed to one recipient is encrypted by the public key a_i. Each recipient can decrypt any of the respective secret keys with only one private key b_i,
Using the decrypted common key, it is possible to decrypt both the ciphertext issued to the entire group and the ciphertext destined for the user.

[0023]

Embodiments of the present invention will be described below with reference to the accompanying drawings.

FIG. 1 is a flowchart showing a procedure for preparing a key based on one embodiment of the public key cryptosystem of the present invention. FIG. 2 is a flowchart showing a procedure for preparing a cipher text on the transmitting side. 5 is a flowchart showing a ciphertext decryption procedure on the receiving side.

In the present embodiment, the encryption level is set to 0 when transmitting to the entire group, and the encryption level is set to i when transmitting only to each receiver, for example, the receiver i. The ciphertext at the encryption level 0 can be decrypted using the secret key of any receiver.

The procedure for producing a public key and a secret key in this embodiment will be described with reference to the flowchart of FIG.

First, when the encryption level is 0, that is, when the public key and the secret key are transmitted to the entire group,
Generated based on the SA method. That is, an arbitrary prime p
For n_0 and q_0, an integer n_0 such that n_0 = p_0 * q_0 is determined (step 1). The Euler function (the total number of integers which are n_0 or less and are relatively prime to n_0) is expressed as ph
If i (n_0) is set, phi (n_0) = (p_0−
1) * (q_0-1). And a_0 * b_0
= 1 (mod phi (n_0)) is obtained (step 2), and a_0 * b_0 = 1 (mod phi (n_0)
Integers a_0 and b_0 as 0)) are used as a public key and a secret key of encryption level 0, respectively (step 3).

Next, in the case of the encryption level i, i of the receiver i
Is initialized to 1 (step 4), and steps 6 to 9 are repeated until i exceeds a preset maximum number of recipients n (n indicates the number of recipients) (step 5, Yes).

For recipient i, any prime number p_i, q
_I, an integer n_i such that n_i = p_i * q_i
(Step 6). Then, a unique integer is generated using a random number or the like, this integer is set as k_i, and the secret key b_i of the receiver i is calculated as b_i = b_0 + k_i × phi (n
_0) (step 7). That is, the secret key b_i of the receiver i is obtained by calculating the secret key b_0 of the entire group and the Euler function ph obtained in the process of deriving the key of the entire group.
It is obtained by using i (n_0). Further, the secret key b_
From i, a_i * b_i = 1 (mod phi (n_
a_i as i) is obtained as the public key of the receiver i (step 8). Thereafter, i of the receiver i is incremented (step 9), and the process returns to step 5.

Each time steps 6 to 9 are repeated, the receiver i
Is incremented, and the secret key b_i of the receiver i is obtained from b_0 + k_i × phi (n_0), and b_i
The public key a_i of the receiver i is derived from i. As a result, a secret key and a public key of each receiver are obtained.

Next, a procedure for generating a cipher text on the transmitting side in the present embodiment will be described with reference to the flowchart of FIG.

First, when cipher text is transmitted to the entire group, the encryption level is set to 0 (i is set to 0), and when it is transmitted to the receiver i, the encryption level is set to i (step 11). Thereafter, assuming that the plain text is x, y = x ＾ (a_
i) Calculate mod (n_i) (step 12) and obtain ciphertext y (step 13). The ciphertext y is transmitted together with the cipher level i.

Next, the decryption procedure of the cipher text on the receiving side in this embodiment will be described with reference to the flowchart of FIG.

When the cipher text y is received, the cipher level i added to the cipher text y (when the cipher text is 0, i =
0, i = 1, 2, 3,... When the encryption level is i (step 21). Then, for the cipher text y, z = y ＾ (b_j) mod using its own secret key b_j.
(N_i) is calculated (step 22), and a plain text z is obtained (step 23). However, only when the encryption level i = 0 or j, the ciphertext y can be correctly decrypted.

As described above, the ciphertext encrypted for the entire group, that is, the ciphertext encrypted with the public key a_0 can be decrypted using the private key b_j of each recipient. Of course, the ciphertext encrypted for one recipient j, that is, the ciphertext encrypted with the public key a_j can be decrypted only with the recipient's private key b_j.

This is proved to be correct by the proof of the following equation.

[0037]

(Equation 1) In the above equation, modulo is taken at n_0.

Next, a specific example in which a plaintext is encrypted with a public key and a ciphertext is decrypted with a secret key will be described. Here, the public key and the private key of the group, the public key and the private key of the receiver 1, the public key and the private key of the receiver 2 are respectively denoted by a
_0, b_0, a_1, b_1, a_2, b_2.

In the group, n_0 = p_0 * q_
An integer n_0 that becomes 0, an Euler function phi (n_0),
The public key a_0 and the secret key b_0 are, for example, as follows. n_0 = 159 (= 3 × 53) phi (n_0) = (3-1) × (53-1) = 104 a_0 = 7 b_0 = 15 where a_0 * b_0 = 7 × 15 = 105≡1 (mod
phi (n_0)) In the receiver 1, an integer n_1 satisfying n_1 = p_1 * q_1, an Euler function phi (n_1), and a public key a_
1. The secret key b_1 is, for example, as follows. b_1 = b_0 + 10 × phi (n_0) =
Put 1055. n_1 = 115 (= 5 × 23) phi (n_1) = (5-1) × (23-1) = 88 a_1 = 87 In the receiver 2, an integer n_2 satisfying n_2 = p_2 * q_2, and an Euler function phi (n_2) ), Public key a_
2. The secret key b_2 is, for example, as follows. b_2 = b_0 + 5 × phi (n_0) = 5
Put 35. n_2 = 133 (= 7 × 19) phi (n_2) = (7-1) × (19-1) = 128 a_2 = 38 For example, if plain text x = 49 is encrypted with the group public key (= 7), The encryption y = 46 is obtained. This is the recipient 1
Finds the plaintext 49 from y @ 1055 (mod 159), and the receiver 2 obtains from y @ 535 (mod 159)
Find plaintext 49.

FIG. 4 shows the configuration of the entire ciphertext when the public key cryptosystem and the common key system of this embodiment are used in combination. The entire ciphertext 101 is obtained by using an encryption level i (i = 0 when the encryption level is 0, i = 1 and 1 when the encryption level is i).
.., And a public key a_i (i = 0 when the encryption level is 0, i = 1, 2, 3,... When the encryption level is i).
..) and a ciphertext obtained by encrypting plaintext with the common key.

When decrypting the entire ciphertext, the common key is decrypted with the secret key, and the ciphertext is decrypted with the common key to obtain a plaintext.

[0042]

As described above, according to the present invention, each individual, that is, each recipient's secret key is derived from the group's secret key, and each recipient uses only his / her own secret key. Both the ciphertext issued to the entire group and the ciphertext addressed to the user can be decrypted.

For example, when the original text itself is encrypted by the common key method and the common key is delivered by the public key encryption method of the present invention, the common key added to the cipher text addressed to the entire group is the public key a_0. And a common key added to the ciphertext addressed to one recipient is encrypted by the public key a_i. Each recipient can decrypt any of the respective secret keys with only one private key b_i,
Using the decrypted common key, it is possible to decrypt both the ciphertext issued to the entire group and the ciphertext destined for the user.

[Brief description of the drawings]

FIG. 1 is a flowchart showing a procedure for producing a key in one embodiment of a public key cryptosystem of the present invention.

FIG. 2 is a flowchart illustrating a procedure for creating a ciphertext on the transmission side according to an embodiment of the present invention.

FIG. 3 is a flowchart showing a procedure for decrypting a cipher text on the receiving side in one embodiment of the present invention.

FIG. 4 is a diagram showing an entire configuration of a ciphertext when a public key cryptosystem and a common key system according to one embodiment of the present invention are used in combination.

FIG. 5 is a flowchart showing a procedure for producing a key in a conventional example.

FIG. 6 is a flowchart showing a procedure for producing a ciphertext on the transmission side in a conventional example.

FIG. 7 is a flowchart showing a ciphertext decryption procedure on the receiving side in a conventional example.

FIG. 8 is a diagram showing the configuration of the entire ciphertext in a conventional example.

FIG. 9 is a diagram showing another configuration of the entire ciphertext in the conventional example.

Claims (1)

[Claims] 1. A public key cryptosystem based on the RSA system, wherein a secret key for a group of n individuals is b_0, a public key is a_0, and a modulo integer is n_0,
When the Euler function of n_0 is phi (n_0), an integer k_i unique to the individual i (i = 1... n) is selected,
The secret key b_i of the individual i is calculated as b_i = b_0 + k_i ×
A public key cryptosystem defined by phi (n_0).