JP2000196581A - Method for exclusively sharing key - Google Patents

Abstract

PROBLEM TO BE SOLVED: To deliver a common secret key to exclude a specific terminal at high speed with less communication quantity in a star type communication system. SOLUTION: A base station 0 generates a secret key S in a setup phase and keeps it with secrecy. The base station delivers secrecy information Si resulting from dividing the secret key S to terminals 1-5 by using an encryption communication means in a secret way. In a preparation phase, the base station 0 applies multiple address communication of preparation information C1 (=gk mod p), excluding information C2 (=y5k mod p), an encryption text C3 (=M×K mod p) and a specific terminal number 5 with all terminals. In a key common share phase, the terminal 1 uses the preparation information C1 and the excluding information C2 to calculate a product between a C1' (λ(1, Λ) mod q)mod p and C2' (λ(5, Λ)mad q) mod p so as to obtain a value K. The encryption text C3 is divided by the K to obtain a value M, which is used for common data to the base station 0. Similarly the terminals 2-4 are processed and then the terminals 1-4 can share the common data M in common.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for sharing an encryption key in a star communication system comprising a base station and a plurality of terminals, and more particularly, to a method for securely sharing a secret key common to all terminals other than terminals specified by the base station. The present invention relates to a key sharing method for delivering and a key sharing method for securely delivering a shared secret key only to a specific terminal.

[0002]

2. Description of the Related Art In a star-type communication system in which a base station manages a plurality of terminals, a base station and a plurality of terminals under the umbrella form a group, and the group shares the same group secret key to perform broadcast cryptographic communication. Consider doing it. Information encrypted using the group secret key can be decrypted only by terminals in the group holding the same secret key.

[0003] In some cases, it may be desired to exclude a specific terminal from this group. This is the case, for example, when a certain terminal in the group is stolen and fraudulent activities such as eavesdropping on encrypted communication using the terminal and transmission of false information are considered. At this time, it is necessary for the base station managing the secret key to remove the stolen terminal as soon as possible, update the group secret key, and share the new secret key only with the remaining terminals. .

Further, it may be necessary to form a new group. This is the case when terminals outside the group are joined to the group, or when terminals from another group are combined into one group. At this time, the base station needs to share the key of the new group with terminals constituting the group as soon as possible.

FIG. 10 shows a key updating method in a first conventional example for sharing key data with a terminal other than the terminal specified by the base station. In Figure 10, five terminals T ₁ through T _5, respectively holds a unique key k ₁ to k _5, the base station manages the unique key of all terminals. At this time, for example, if the base station is the terminal T ₁
To the exclusion of, a case will be described in which distributed the new common secret key to another terminal T ₂ ~T _5.

[0006] First, the base station generates a secret key K, and
Each k_Two~ K_Five, And each terminal T
_Two~ T_FiveDeliver to. Terminal T to be excluded₁Terminals other than T_Two
~ T _FiveWill use the unique key to decrypt this and obtain the secret key K.
Get. In FIG. 10, for example, Ek_Two(K)
K is the unique key k_TwoIt is a ciphertext encrypted with. This channel
The above data is for terminal T_Two~ T_FiveEncrypted with unique key
The terminal T₁Steals this communication data
Even if you listen, get the secret key K generated by the base station
Can not do.

However, in this method, in order to generally exclude one terminal from N terminals, the base station requires (N-1)
Encryption must be performed and (N-1) data must be transmitted. As the group grows, this task becomes very burdensome for the base station. In addition, it is necessary to stop services such as encryption communication in the group until all stations are updated. However, if the service stop period until the distribution to (N-1) stations is completed is long, this is a serious problem.

FIG. 11 shows a key updating method in the second conventional example disclosed in Japanese Patent Publication No. 5-46731. In the second conventional example, a technique of public key encryption is used. In FIG. 11, five terminals T _{1 to} T ₅ have their own private keys (e ₁ , d ₁ ) to
(e ₅ , d ₅ ). Here, each secret key (e _i , d _i )
_{Is, e i · d i mod (} p-1) = 1 (p is a prime number of system published) it is assumed that are made up. The base station 1 manages the public keys p ₁ = g ^e1 modp,..., P ₅ = g ^e5 modp of all terminals. Here, g is a system public integer, and the public key p _{i of} each terminal and the system public information g,
It is difficult to obtain the secret key (e _i , d _i ) of each terminal from p if the bit length is long, which results in a discrete logarithm problem.
Similar to the conventional example 1, to eliminate the terminal T _1, first, the base station generates a random number R, to generate a key K = g ^R modp, than this ^{_{Z 2 = p 2 R modp,}} ··· , Z ₅ = p ₅ ^R modp, and distributes them to each of T _{2 to} T ₅ except for terminal T ₁ . Each terminal i other than the terminal T _1, received Z _i and a private key d _i
, And an update key KK = Z _i ^di mod p (= (p _i ^R ) ^di mod p = ((g ^ei ) ^di ) ^R mod common to the base station
p = g ^R modp).

This method differs from the first conventional example in that the base station does not know the secret key of each terminal, so that it is possible to prevent the unauthorized use of the base station. ing.

[0010]

However, in the conventional key sharing method, in order to exclude one terminal from N terminals, the base station performs (N-1) times of encryption, and (N-1) −
1) Data must be transmitted. For example, 10
Consider a case in which one terminal is excluded from the 00 terminals and a new common secret key is shared by the remaining 999 terminals. At this time, in the first and second conventional examples, it is necessary to perform 999 encryption processes and 999 ciphertext transmissions. In any case, these operations are very burdensome for the base station.

Generally, a terminal is not so high in computational power due to the necessity of realizing it at a small size and at low cost. In such a terminal, it is necessary to update the key at a high speed. In the second conventional example, a terminal needs a modular exponentiation operation with a long bit length in order to obtain a key. Implementing this operation with a terminal having a low computational capacity is a considerable burden, and the processing time required for key sharing becomes long.

In view of the foregoing, the present invention provides a method of excluding only a specific terminal and sharing distribution key information with another terminal,
And a method for sharing distribution key information only with a specific terminal, and aims to realize a key sharing method characterized by the following points. (1) The traffic from the base station to the terminal is small. The amount of data transmission at the base station is small. The business suspension period until key sharing for all terminals is short. (2) Key sharing can be realized at high speed by a terminal having low computational ability. The processing at the terminal can be reduced.

[0013]

According to the present invention, there is provided a broadcast communication system comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station. , The secret key is S, and the prime number greater than S and N or the exponent of the prime number is p.
And the divisor of (p-1) is q, the number of specific terminals that can be specified by the base station is 1, and each terminal i (1 ≦ i ≦ N) is represented by S = Σλ (i, Λ) × S _i ( The sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (where f ₁ is a non-zero G
F (q)) λ (i, Λ) = {{L / (L−i)} (product is performed on L {− {i})} is from any two of N terminals. The secret information S _i that satisfies (S, p, g, S ₁ ,..., _SN ) is held by the base station, and (1) the base station holds GF (p ) Is g and k is a nonzero GF (q).
Then, the preparation information C ₁ = g ^k modp is calculated, and (2) the base station determines the secret information S _{a of the} specific terminal _a.
Exclusion information C ₂ = g ^ (k × S _a modq) modp and broadcasts it to all terminals together with the specific terminal number a and the preparation information C _1. (3) The base station excludes the specific terminal a A shared key K = g ^ (k × S modq) modp with all terminals j (j ≠ a) is obtained. (4) Each terminal j (j ≠ a) obtains C ₁ ^ (S _j × λ (j , Λ) modq) × C ₂ ^ (λ (a, mod) modq)
The configuration is such that the shared key K with the base station is obtained by calculating modp.

[0014] With this configuration, key sharing can be performed only by broadcasting from the base station to all terminals.
Since the business suspension period for key sharing can be shortened and the processing at the terminal can be reduced, key sharing can be performed at a high speed with a terminal having low computational power.

[0015]

BEST MODE FOR CARRYING OUT THE INVENTION
A base station and N units (N is 2 or more) connected to the base station;
(Integer) terminals capable of broadcasting.
In the exclusive key agreement method, the secret key is S,
And p is a prime number or a power of a prime number greater than N,
The number of terminals that the base station can specify, where q is the divisor of (p-1)
(Hereinafter referred to as the number of specific terminals) is assumed to be 1, and each terminal i
(1 ≦ i ≦ N) is S = {λ (i, ｉ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i modq (f₁Is a nonzero GF (q)
Element) λ (i, Λ) = Π {L / (Li)} (product is L は-{i}
集合 is a set of any two of the N terminals)._iConfidentially, said base
The station performs the above (S, p, g, S ₁,…, S_N) And (1)
The base station determines that the element of GF (p) is g, and the non-zero GF
When the element of (q) is k, the preparation information C₁= G^k modp, and (2) the base station transmits the secret information of the specific terminal a.
S_aExclusion information C_Two= G ^ (k × S_a modq) modp is calculated, the specific terminal number a and the preparation information C₁With all terminals
(3) The base station communicates with the specific terminal a.
A shared key K = g ^ (k × S modq) modp with all the terminals j (j ≠ a) except for the terminal j (j ≠ a) is obtained.
C₁And the exclusion information C_TwoAnd own secret information S_jUsing,
Said S_jAnd the product of λ (j, Λ) on the modulus q
C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and the λ (a, Λ) obtained on the method q as an index.
Said C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp, the shared key with the base station is calculated.
This is an exclusive key agreement method that finds K
And C₁, C_TwoAnd only broadcast specific terminal number (a)
That terminals other than the specific terminal a can share keys.
Has an action.

According to a second aspect of the present invention, there are provided a base station and N units (N is an integer of 2 or more) connected to the base station.
In the exclusive key sharing apparatus of a communication system capable of broadcasting comprising the following terminals, the base station includes a secret key S and a modulus p which is a prime number or a power number of a prime number larger than the N,
An element g of GF (p) and a GF where the divisor of (p-1) is q
a first base station-side storage unit for holding an element k of (q), and S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is not zero G
F (q)) λ (i, Ｌ) = {{L / (L−i)} (product is performed on L∈Λ− {i})} is any of the N terminals , S _N that satisfies the following condition: a second base station storage unit that holds secret information S ₁ ,..., And S _N, and a third base station storage unit that holds the secret key S. , Each of the terminals i includes a first terminal-side storage unit that holds the (p, g), and further includes a second terminal-side storage unit that holds the secret information S _i secretly, (1) The base station calculates the preparation information C ₁ = g ^k modp using the (k, p, q, g) stored in the first base station storage unit. (2)
The base station comprises a control unit that specifies a particular terminal a, and outputs the secret information S _a stored based on the second base station-side memory unit of the control, the thereto (k, p , Q,
g), _a second base station side calculation unit for calculating exclusion information C ₂ = g ^ (k × S _a modq) modp is provided to all terminals together with the preparation information C ₁ and the specific terminal number a. And (3) the base station includes the (k, p,
q) and the secret key S stored in the third base station side storage unit, and all terminals j (j ≠
a) a third base station side calculation unit for calculating a shared key K = g ^ (k × S modq) modp, and (4) each terminal j (j ≠ a) is a power of C ₁ . The remainder value C ₁ ^ (S _j ×
λ (j, Λ) modq) modp and modular exponentiation value C ₂ of the C ₂
^ (λ (a, Λ) modq) Product with modp C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
This is an exclusive key sharing device including a terminal-side calculation unit for calculating a shared key K with the base station by calculating modp. The base station sends C ₁ , C ₂ and a specific terminal number (a ) Has the effect of allowing keys other than the specific terminal a to share keys.

According to a third aspect of the present invention, there is provided a base station and N units (N is an integer of 2 or more) connected to the base station.
In the exclusive key agreement method of a communication system capable of broadcasting communication comprising the following terminals, let S be a secret key, let p be a prime number or a power of a prime number larger than S and N, and let the divisor of (p-1) be q
And the number of specific terminals is d (1 ≦ d <N−1), and each terminal i (1 ≦ i ≦ N) is S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ). ) _{(where, S i = S + f 1} × i + ... + f d × i d modq (f 1, ..., f d is d number of elements of GF (q), where, f _d ≠
0) λ (i, Λ) = {{L / (L−i)} (product is performed on L∈Λ− {i})} is a set of arbitrary (d + 1) units of the N terminals ) holds the secret information S _i the secret satisfying, the base station, the (S, p, g, S 1, ..., holds S _N), (1)
The base station calculates preparation information C ₁ = g ^k modp (k is a non-zero element of GF (q)), and (2) the base station calculates d specific terminals i ₁ ,
..., secret information S _i1 of i _d, ..., from S _id, eliminating information _{C 21 = g ^ (k ×} S i1 modq) modp, ···, the _{C 2d = g ^ (k ×} S id modq) modp calculated and, the rejection information C _21, ..., a C _2d, the preparation information C ₁ with a particular terminal number i _1, ..., and broadcast to all terminals with i _d, (3) the base station, the specific terminal i _1, ..., all terminals j except the _{i d (j ≠ i 1,} ..., i d) calculates the shared key K = g ^ (k × S modq) modp and, (4) the respective The terminal j (j ≠ i ₁ ,..., _Id ) has Λ = ｛j,
i ₁ , ..., _id }, and λ (j, Λ), λ (i ₁ , Λ), ..., λ ( _id ,
Λ), and the preparation information C ₁ and the exclusion information C ₂₁ ,.
_{Using 2d} and its own secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂₁ ^ (λ (i ₁ , Λ) modq) × ... × C _2d ^ (λ (i _d, lambda) by calculating mod q) modp, an exclusive key sharing method of obtaining the shared key K with the base station, to each terminal from the base station, C
_{1, C 21, ..., C} 2d and the specific terminal number (i _1, ..., i _d) the only broadcasts, a plurality of specific terminals i _1, ..., performs key sharing with the terminal except the i _d It has the effect of making it possible.

The invention according to claim 4 of the present invention is directed to a base station.
And N units connected to the base station (N is an integer of 2 or more)
Exclusive of communication system capable of broadcasting consisting of multiple terminals
In the key agreement method, the secret key is S, and the S and N
The prime number or the power of the prime number is p, and (p-1)
The divisor is q, the number of specific terminals is d (1 ≦ d <N−1),
The number of terminals actually specified by the base station during key sharing (hereinafter, referred to as
D, the actual number of specific terminals) is smaller than the number d of specific terminals.
Each terminal i (1 ≦ i ≦ N) is S = {λ (i, Λ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i + ... + f_d× i^d modq (f₁,…, F_dIs an element of d GF (q), where f_d≠
0) λ (i, Λ) = Π {L / (L−i)} (the product is L∈Λ− {i}
Λ is a collection of arbitrary (d + 1) units of the N terminals.
Secret information S that satisfies_iConfidentially, said base
The station is S_{N + 1}= S + f₁× (N + 1) + ... + f_d× (N + 1)^d mod
q, ..., S_{N + d-1}= S + f₁× (N + d-1) + ... + f_d× (N + d−
1)^d secret information S divided by calculating modq_{N + 1},…, S
_{N + d-1}And the secret information S₁,…, S_NAnd the secret key S, before
The notation p holds the element g of the GF (p), and (1) the base
The station prepares information C₁= G^k modp (k is a non-zero element of GF (q)), and (2) the base station calculates the D specific terminals i
₁,…, I_DSecret information S_i1,…, S_iDAnd the secret information S_{N + 1},
…, S_{N + d-1}Of arbitrary secret information S (= d−D)_b1,
…, S _bvFrom the exclusion information C_{twenty one}= G ^ (k × S_i1 modq) modp, ..., C_2D= G ^ (k × S_iD modq) modp, C_2b1= G ^ (k × S_b1 modq) modp, ..., C_2bv= G ^ (k × S_bv modq) modp and calculate the exclusion information C_{twenty one},…, C_2DAnd C_2b1,…, C_2bv
And the preparation information C₁And specific terminal number i₁,…, I_DAnd before
Secret information S_b1,…, S_bvNumber b₁,…, B_vTo all devices
(3) the base station communicates with the specific terminal i₁,…,
i_DAll terminals j (j ≠ i₁,…, I_D), And K = g ^ (k × S modq) modp is obtained. (4) Each terminal j (j ≠ i₁,…, I_D) Is Λ =
{j, i₁,…, I_D, b₁,…, B_v}, Λ (j, Λ), λ
(i₁, Λ),…, λ (i_D, Λ), λ (i_b1, Λ),…, λ (i_bv, Λ)
And the preparation information C₁And the exclusion information C_{twenty one},…, C_2D,
C_2b1,…, C_2bvAnd the above secret information S_jUsing
Surplus value C₁^ (S_j× λ (j, Λ) modq) and the power remainder
Value C_{twenty one}^ (λ (i₁, Λ) modq) ×… × C_2D^ (λ (i_D, Λ) modq) × C_b1^ (λ (b₁, Λ) modq) ×… × C_bv^ (λ (b_v, Λ) product with modq) modp) C₁^ (S_j× λ (j, Λ) modq) × C_{twenty one}^ (λ (i₁, Λ) modq) ×… × C_2D^ (λ (i_D, Λ) modq) × C_b1^ (λ (b₁, Λ) modq) ×… × C_bv^ (λ (b_v, Λ) modq) modp) to obtain a shared key K with the base station.
Exclusive key agreement method This is an exclusive key agreement method.
For each terminal, C₁, C_{twenty one},…, C_2d, C_2b1,…, C_2bvAnd specific end
End number (i₁,…, I_D, b₁,…, B_v) Only broadcast
Therefore, even if the specific terminal number d is determined in advance, the actual specific terminal
Specific terminal i of terminal number D₁,…, I_DKey sharing on terminals other than
It has the effect of making it possible.

The fifth aspect of the present invention is the third aspect of the present invention.
In exclusive key sharing method, wherein the base station, the secret key S of arbitrary integer e number of specific terminal number d _1, ..., holds the e sets of secret information divided respectively d _e, On the other hand, the terminal holds e secret information corresponding to its own terminal number from each set, and when performing key sharing excluding the specific terminal, the base station and the terminal j are ,
The specific terminal number d _w equal to the actual specific terminal number D (1 ≦
said _{w ≦ e) d 1, ...} , selected from d _e, the exclusion information and the preparation information using a set of the secret information the base station corresponding to the selected specific terminal number d _w same The terminal j obtains a shared key K with the base station using secret information corresponding to d _w , and specifies a shared key K equal to the actual number D of specified terminals. Only by selecting the secret information corresponding to the number of terminals d _w , the actual number of specific terminals D
Has the effect that terminals other than the terminal can share keys.

The invention according to claim 6 of the present invention is the invention according to claim 1.
In the exclusive key sharing method described in the above, the secret key S is transmitted to all terminals.
Before using the S as an exponent and the p as a modulus
Power residue value of the notation g y = g^S modp is the public key of all terminals, and the base station
Secret information S solved₁, S _Two,…, S_NConfidential,
(1) The base station arbitrarily generates an integer k, and
Exponent, the power of the g value modulo the p
Preparation information C₁= G^k modp (k is a non-zero element of GF (q)), and (2) the base station calculates the
Secret information S_aIs used to find the product of the k and the method q.
Where p is a modulus and g is a base.
Exclusion information C_Two= G ^ (k × S_a modq) modp, and (3) the base station sets k as an index,
The modular exponentiation value of the public key y of all terminals modulo p
Some shared key K = y^k modp, and at the same time arbitrarily arbitrarily common data with the terminal j (j ≠ a).
Data M, and the product of the M and the shared key K on the modulus p
(Hereinafter referred to as ciphertext) C_Three= M × K modp to calculate the preparation information C₁And the specific terminal number a
Broadcast to all terminals, (4) Each terminal j (j ≠ a)
Assuming Λ = {j, a}, find λ (j, Λ) and λ (a, Λ),
Preparation information C₁And the exclusion information C_TwoAnd the secret information of itself
S_jBy using_jAnd λ (j, Λ) on the method q
The index of which is the product of₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and before using the λ (a, Λ) obtained on the method q as an index
Note C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp K = C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) mod
q) modp) is obtained on the method p, and the ciphertext C_ThreeOn the law p
Value C divided by K_Three/ K = M × K / K modp with the base station
Required as data M, any M can be set
Has the effect of

The seventh aspect of the present invention provides the first aspect.
In the exclusive key sharing method described above, the secret keys S
Is an exponent, the modular exponentiation value of g, modulo p, is y = g ^S modp is the public key of all the terminals, and the base station determines the decomposed secret information S ₁ , S ₂ ,. _N is an index, and p
Which is the modular exponentiation value of the g modulo public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., available ^{_{y N = g SN modp, (}} 1) the base station, the integer k is arbitrarily generated, k is an exponent, and preparation information C ₁ = g ^k modp (k is a non-zero element of GF (q)), which is a modular exponentiation value of the g, modulating the p is calculated. , (2) the base station, the k and the index, the modulo p, calculates the public information y a modular exponentiation value is eliminated information C ₂ = y _a ^k modp of _a said specific terminal a, (3) The base station uses the k as an exponent and modulates the p as a modulus of the public key y of all terminals. The shared key K = y ^k modp = gｇ (S × k) modp , And at the same time, arbitrarily generate common data M with the terminal j (j ≠ a), and obtain the ciphertext C ₃ = M × K mo which is a product of the M and the K on the modulus p. dp is calculated and broadcast to all terminals together with the preparation information C ₁ and the specific terminal number a. (4) Each terminal j (j ≠ a)
Finds λ (j, Λ) and λ (a, Λ) as Λ = {j, a}, and uses the preparation information C ₁ , the exclusion information C _2, and the secret information S _j of itself, The product of the S _j and the λ (j, Λ) on the modulus q is an index, and the power residue value C ₁ ^ (S _j × λ (j, Λ) modq) modp with the C ₁ as a base Λ (a, Λ) obtained on the method q as an index, and a product of the power residue value C ₂ ^ (λ (a, Λ) modq) modp with C ₂ as a base K = C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) mod
q) modp is obtained on the modulus p, and a value C ₃ / K modp = M × K / K modp obtained by dividing the ciphertext C ₃ by the K on the modulus p is used as common data M with the base station. It is required to be able to set an arbitrary M, improve security by eliminating the need to store secret information of each terminal in the base station, and reduce the load on setup by eliminating the need to share secret information in advance. Has an action.

[0022] The invention according to claim 8 of the present invention relates to claim 1.
In the exclusive key agreement method described above, the secret key S is a secret key of the base station, the S is an exponent, and the modular exponentiation value y = g ^S modp of the base modulo p is disclosed to the base station. .., _SN , the secret key S of the base station is kept secret, and the base station stores the secret information S ₁ , S ₂ ,. the secret information S _1, S _2, which is the decomposition of the terminal, ..., S _N respectively as indices, power residue value a is public information y ₁ = g ^S1 modp of the g modulo the p, y ₂ = g ^S2 modp, ..., y _N = g ^SN mod
(1) The base station arbitrarily generates (1-a) an integer k, sets (−k) obtained on the modulo q as an index, and
Calculate the power residue value C ₀ = g ^ (− k modq) modp of g by modulo (1-b) all terminals j (j
共通 a) is generated and a product r = M × C ₀ modp of the M and the C ₀ on the modulus p is obtained, and (1-c) is divided by the q of the r. The remainder r ′ = r modq at this time is calculated, and (1-d) the r ′, the k, and the secret key S of the base station.
The value s that satisfies k = s−r ′ × S modq is obtained using (−e) obtained on the (1-e) method q as an index, and the power-residue remainder of the g obtained by modulating the p. the value at which preparation information C ₁ = g ^ - calculate the (r modq) modp, a (1-f) by using the public information y _a of the particular terminal a, calculated on legal q (-r) Calculate exclusion information C ₂ = y _a ^ (− r modq) modp which is an exponent and _a power residue value of the ya modulo the p, and calculate (1-g) the (r, s) of M A broadcast is sent to all terminals together with the C ₁ and C ₂ as a signature. (2) Each terminal j (j ≠ a) sets λ (j, Λ) and λ
(a, Λ), and using the preparation information C ₁ , the exclusion information C _2, and the secret information S _j of itself, the S _j and the λ (j,
The power residue value C ₁ ^ (S _j × λ (j, Λ) modq) modp of the C ₁ whose exponent is the product of the 上) on the modulus q and the λ (a, 求 め) determined on the modulus q the C ₂ to) be the index
The product with the power residue value of C ₂ ^ (λ (a, Λ) modq) modp K = C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) modp = y ^ (-r modq) modp is obtained on the modulus p, and g is an index of s.
And the product r × g ^s × K modp of the r and the K on the modulus p to obtain the common data M, and simultaneously verify the digital signature of the base station. It has the effect of making it possible.

The ninth aspect of the present invention is the first aspect.
In the exclusive key sharing method described above, the secret keys S
Is an exponent, and the modular exponentiation value of the g by modulating the p is y = g^S Let modp be the public key of all terminals, and the base station
Secret information S₁, S_Two,…, S_NEach is an index, and p
Public information y that is the power residue value of g modulo₁= G^S1 modp, y_Two= G^S2 modp,…, y_N= G^SN modp, and (1) the base station can arbitrarily set the integer k
Generating, the k being an index, and the g being modulo p.
Preparation information C, which is a power residue value₁= G^k modp, and (2) the base station uses k as an index,
The public information y of the specific terminal a, modulo p_aPower of
Exclusion information C which is a residual value_Two= Y_a ^k modp, and (3) the base station uses k as an index,
Power remainder value of the public key y of all the terminals modulo p
With all terminals j (j ≠ a) except the specific terminal a.
Keyed key K = y^k (4) In the terminal j, the preparation information C₁
And the exclusion information C_TwoAnd own secret information S _jUsing
S_jAnd the product of the λ (j, Λ) on the modulus q is an index.
Said C₁And the λ obtained on the method q
(a, Λ) as an index,_TwoWith the power residue value of C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp on the modulus p, sharing with the base station
The keyed K is obtained, and the secret information of each terminal is transmitted to the base station.
Eliminates the need to remember to improve security and
Reduce setup load by eliminating the need to share information
It has the effect of cleaning.

The invention according to claim 10 of the present invention is directed to claim 1
In the exclusive key sharing method described above, each terminal holds the secret information S ₁ ,..., _SN secretly, and sets a set of arbitrary two or more t terminals of the N terminals to Λ (1) The base station calculates the preparation information C ₁ = g ^k modp using the integer k, using k as an index, modulating p, and using g as a base, and (2) ) The base station includes t specific terminals i ₁ ,
..., any i _j of _{i t (j = 1, ...} , t) shared information _{X ij X ij = Π (g} ^ (S u × k)) modp ( product satisfying the following expression for the u∈ Λ- {i _j }
For taking) is calculated and broadcasts all shared information X _ij and the preparation information C ₁ to all terminals, (3) the base station, the secret information of the specific terminal S _i1, ..., an S _it Then, K that satisfies the following equation is calculated and used as the shared key K with the t specific terminals. K = g ^x modp, x = k × ΣS _ij modq (the sum is taken for j = 1 to t) ( 4) the specific terminal i _j, the p and modulo itself the secret information S _ij of the exponent said C ₁ modular exponentiation value and the X _ij product X _ij × C ₁ ^Sij modp the legal and p By calculating the above, the shared key K with the base station is obtained, and has the effect of forming a group having a size not exceeding half of all terminals at high speed.

The eleventh aspect of the present invention is the first aspect.
In the exclusive key sharing method described above, the secret key S is divided by the base station, and the secret key S is distributed to corresponding terminals in advance by cryptographic communication means provided in the base station and the terminal. This has the effect of eliminating the need for a third engine for dividing S.

The invention described in claim 12 of the present invention is characterized by claim 1
In exclusive key sharing method according to another third engine and the base station, division of the secret key S, modular exponentiation value y, public information y _1, y _2, ..., a calculation of y _N public, and it is intended to perform the embedding of S _a which corresponds to the terminal a, with the effect that the base station eliminates the need to divide the secret key S, reduce the burden on the base station.

The invention according to claim 13 of the present invention is the invention according to claim 1.
In the exclusive key agreement method described above, each terminal i (1 ≦ i ≦
N) keeps the secret information S _i secretly,
Are the exponents of the integers f ₀ (= S), f ₁ ,..., F _d , respectively, and the modular exponentiation values of the g (hereinafter referred to as verification information) g ^f0 , g ^{f1 ,.} g ^fd can be used, and each terminal a performs the following calculation using the verification information and the secret information S _i of itself, and obtains g ^Si = Π (g ^ (f _j × a ^j ) modp (product is j = 0 to d) by determining whether the two sides are equal or not, thereby confirming the validity of the secret information S _i itself, and verifying that the institution performing the division does not perform any wrongdoing. It has the effect of doing.

The invention according to claim 14 of the present invention relates to claim 1
In the exclusive key agreement method described above, a new terminal number I (I> N) is set for a terminal newly joining the communication system capable of broadcasting, and S _I = S + f ₁ × I is calculated. By doing so, the secret information S _I obtained is kept confidential, and has the effect of enabling a new terminal to be added after the system is constructed.

The invention according to claim 15 of the present invention is the invention according to claim 1.
In exclusive key sharing method, wherein the terminal i, the modulo the p instead of the secret information S _i, the modular exponentiation value of C ₁ to the S _i the index of the (= C ₁ ^Si modp) It is stored in secret and has the effect of preventing the secret key S from being requested even if the terminals collude.

[0030] The invention described in claim 16 of the present invention is characterized by claim 1
In the exclusive key agreement method described, the base station obtains the λ (i, Λ) for all the Λ including the specific terminal, and obtains each of the λ (i, Λ) obtained on the method q. Is calculated as an exponent, the power remainder value C ₂ ^ (λ (i, Λ) modq) modp of the exclusion information C ₂ modulo p is calculated, broadcasted at the time of key sharing, and excluding the specific terminal a. In all the terminals j (j ≠ a), the shared key K is obtained by using the modular exponentiation value C ₂ ^ (λ (i, Λ) modq) modp) corresponding to the Λ including the j, This has the effect of reducing the amount of calculation of the terminal.

[0031] The invention described in claim 17 of the present invention relates to claim 1 of the present invention.
In exclusive key sharing method according, new shared on the shared key K ₁ that share the shared key K and the previous key sharing all terminals j (j ≠ a) is covalently except the specific terminal a and the base station is intended to generate the key K _2, it has the effect of allowing to continue to eliminate even once eliminated the terminal at the time of the next key sharing.

[0032] The invention according to claim 18 of the present invention is directed to claim 1.
In the exclusive key agreement method described, in the digital signature means provided in advance in the base station and the terminal,
The digital signature of the base station is added to the data delivered from the base station, and the terminal has a function of verifying the digital signature to detect impersonation and tampering.

The invention described in claim 19 of the present invention is directed to claim 2
The exclusive key sharing device according to claim 1, wherein the first of the base stations is
The second and third base station-side storage units and the first and second terminal-side storage units of the terminal are areas that cannot be observed or changed from the outside, and may enter the base station or lose the terminal.・
It has the effect of improving security against collusion.

The invention described in claim 20 of the present invention is characterized by claim 1
In the exclusive key sharing method described above, if the size of a group to be configured exceeds half of all terminals, the exclusive key sharing method according to claim 1 is applied, and the size of the group to be configured is half of all terminals. If it does not exceed, it is automatically selected to apply the exclusive key agreement method described in claim 10,
This has the effect of allowing key sharing to be performed efficiently regardless of whether the group size exceeds or does not exceed half without the base station being aware of it.

The invention according to claim 21 of the present invention is the invention according to claim 1.
In the exclusive key sharing method described above, the number of secret information held by the terminal is increased or decreased according to the authority of the terminal, and has an effect of setting the strength of the authority to the terminal.

According to a twenty-second aspect of the present invention, there is provided an exclusive key sharing method for a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) mutually connected terminals.
Let S be a secret key, let p be a prime number or a power of a prime number larger than S and N, q be a divisor of (p-1), g be an element of GF (p), and identify the chair terminal. The number of specific terminals is 1, and each terminal i (1 ≦ i ≦ N) is represented by S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i mod q (f ₁ original GF (q) is not zero) λ (i, Λ) = is Π {L / (L-i )} ( product is performed for L∈Λ- {i}) Λ, the N number Secret information S _i that satisfies the following condition: secret key S _i that satisfies the following condition: public key y = g ^S modp of all terminals, and public information y ₁ = g ^S1 modp, y ₂ = g ^S2 modp,..., Y _N = g ^SN modp, (1) the chair terminal is a non-zero GF (q)
Optionally generate original k of, calculate the preparation information ^{_{C 1 = g k modp, (}} 2) the chairman terminal calculates the exclusion information C ₂ = y _a ^k modp from the public information y _a particular terminal a , then broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal, it obtains a shared key ^{K = y k modp, (4} ) the respective terminals j (j ≠ a) is , Λ = {j, a}
Λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C
C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) by using ₁ , the exclusion information C ₂ and its own secret information S _j.
This is an exclusive key sharing method for obtaining a shared key K by calculating modp, and has an effect of enabling a common terminal to be shared in a communication system without a base station by excluding a specific terminal.

According to a twenty-third aspect of the present invention, there is provided an exclusive key sharing method for a communication system comprising N (N is an integer of 2 or more) mutually connected terminals capable of broadcasting.
S is a secret key, p is a prime number or a power of a prime number greater than S and N, q is a divisor of (p−1), g is an element of GF (p), and each terminal i ( 1 ≦ i ≦ N)
Is S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element) λ (i, lambda) = a Π {L / (L-i )} ( product is performed for L∈Λ- {i}) Λ is the secret information S _i that satisfies the set) consisting of any two of the N devices at It is kept secret, and the public key y = g ^S modp of all terminals and the public key y ₁ = g ^S1 modp, y ₂ = gs ² modp,..., Y _N = g ^SN modp of each terminal can be used. (1) is the terminal a is optionally generate original k of GF (q) is not zero, calculate the preparation information C ₁ = g ^k modp, (2) the terminal a from the public key y _a own the exclusion information C ₂ = y _a ^k modp calculated, and broadcast to all terminals with preparation information C ₁ and come terminal number a, (3) the terminal (a) obtains the shared key K = y ^k modp, ( 4) Each terminal j (j ≠ a) has Λ = {j, a}
Λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C
C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) by using ₁ , the exclusion information C ₂ and its own secret information S _j.
This is an exclusive key sharing method for calculating the shared key K by calculating modp, and has the effect of updating the group key.

The invention described in claim 24 of the present invention is directed to claim 22
In the exclusive key sharing method described above, each terminal holds all public keys other than its own public key, and has the effect of eliminating the need to manage public keys.

According to a twenty-fifth aspect of the present invention, in the exclusive key agreement method according to the first or third to ninth aspects, the multiplication operation is performed by using a curve such as an elliptic curve on an arbitrary finite field. This corresponds to the above-described addition operation, and has an effect of speeding up the calculation of the base station and the terminal.

Hereinafter, an embodiment of the present invention will be described with reference to FIGS.
This will be described in detail with reference to FIG.

The first embodiment of the (First Embodiment) In a base station and five terminal system, by using the secret information S _i obtained by dispersing secret key S by secret sharing scheme In each terminal, preparation information (g ^k modp), exclusion information (g
^kS5 modp), the ciphertext (M × K modp) and the exclusion terminal number (5) are broadcast, and each terminal transmits C _i ^ (λ (i, Λ)
modq) modp and C ₂ ^ (λ (5, Λ) modq) modp to calculate K, obtain ciphertext (M × K modp) by K and obtain M to obtain base station. This is an exclusive key sharing method in which a key is shared between the base station and other terminals except the terminal 5 as common data with 0.

FIG. 1 is a diagram showing a setup of a key sharing method according to the first embodiment of the present invention. In FIG.
0 is a base station, and 1 to 5 are terminals under the control of the base station. 6 is a storage unit in the base station, 7 to 11 are in each terminal,
This storage unit cannot be observed or changed externally.

FIG. 2 is a diagram showing a preparation phase according to the first embodiment of the present invention.

FIG. 3 shows all the terminals 1,...
FIG. 4 is a diagram showing a key sharing phase when a shared key is shared in No. 4;

FIG. 4 is a diagram showing the configuration of a base station and each terminal i (1 ≦ i ≦ N). FIG. 4A is a block diagram of the terminal. In FIG. 4A, reference numeral 20 denotes a receiving unit for receiving data from a base station, and reference numeral 21 denotes a first unit that holds modulo p, q and base g.
The terminal-side storage unit 22 is a second terminal-side storage unit that holds the secret information S _i . 23, preparation information C1 to be delivered from the base station in a key sharing phase, the shared key K from the exclusion information C ₂
The first terminal-side calculation unit 24 calculates the common data M from the ciphertexts C ₃ and K delivered from the base station.
Of the terminal side calculation unit. FIG. 4B is a block diagram of the base station. In FIG. 4 (b), 25, the first base station-side memory unit for holding a modulo p, q and bottom g and an integer k, 26 is public information y ₁ of each terminal, ..., holding the y ₅ The second base station-side storage unit 27 is a third base station-side storage unit that stores the common data M and the public keys y of all terminals. 28 is the preparation information C
_{The first} base station side calculation unit 29 that calculates 1 is the exclusion information C ₂
The second base station-side calculation unit for calculating a, 30 share a key K is calculated, a third base station calculating unit that calculates a ciphertext C ₃ thereto from the common data M. A control unit 31 selects public information from a specific terminal number and sends the specific terminal number to a transmission unit 32. The control unit 32 broadcasts preparation information, exclusion information, cipher text, and a specific terminal number to all terminals. The transmission unit.

FIG. 5 is a diagram showing a key sharing phase in a method in which only a specific terminal performs key sharing.

The key sharing method according to the first embodiment of the present invention includes three steps: setup, preparation phase, and key sharing phase.
Divided into two phases. Hereinafter, a case where the base station manages five terminals will be described for each phase.

Referring to FIG. 1, the setup of the key sharing method according to the first embodiment of the present invention will be described. The base station 0 creates a secret key S and keeps it secret. A prime number or a prime exponent p larger than the secret key S and larger than the number of terminals 5 is created and held. One divisor q of (p-1) is obtained and held. It holds seeking original f ₁ non-zero GF (q).

Using f (z) = S + f ₁ × z modq, secret information Si obtained by calculating Si = f (i) is transmitted to each terminal i (1 ≦ i ≦ 5) by an encryption communication means. And deliver it secretly.

A set consisting of any two of the five terminals is denoted by Λ
S = {λ (i, Λ) × Si (the sum is performed for i∈Λ) λ (i, Λ) = Π {L / (Li)} (product is L はΛ− {i}). Where the set Λ− {i} is a set from the set Λ
It is a set excluding {i}. For example, if Λ = {1,2}, Becomes

Each terminal 1,..., 5 holds the secret information S _i in the storage units 7,. The base station 0 holds the element g of the modulus p and GF (p) in the storage unit 6. The base station 0 transmits the secret information S ₁ ,
..., and the index S ₅ respectively, modulo p, public information and a base of ^{_{g y 1 (= g S1 modp}} ), y 2 (= g S2 modp), ..., y
₅ (= g ^S5 modp) is calculated and stored in the storage unit 6. After the calculation, S ₁ ,..., S ₅ are deleted from the base station. Base station 0
Calculates the public keys y (= g ^S modp) of all terminals having exponents of the secret keys S of all terminals 1,..., P modulo p, and g as the base, and stores them in the storage unit 6. After the calculation, S is deleted from the inside of the base station.

The preparation phase of the first embodiment of the present invention will be described with reference to FIG. The base station 0 arbitrarily generates a non-zero element k of GF (q), calculates k as an exponent, modulates p, and prepares preparation information C ₁ (= g ^k modp) using g as a base. Exclusion information C ₂ (= y ₅ ^k mod) using the base of the public information y ₅ of the terminal 5 specified by the base station 0 using the integer k as an exponent and p as a modulus.
Calculate p). k is exponent, p is modulo, all terminals 1, ..., 5
Key K (= y ^k modp = g ^ (S
× k) Find modp). At the same time, the common data M with all the terminals j (j = 1,..., 4) except the specific terminal 5 is generated, and the ciphertext C ₃ (= M × K) which is the product of M and K on the modulus p
modp). More C _1, C _2, C ₃ and a specific terminal number 5 broadcasts to all terminals.

Referring to FIG. 3, a key sharing phase when a shared key is shared by all terminals 1,..., 4 except terminal 5 will be described. In the terminal 1, based on its own terminal number 1 and the received exclusion terminal number 5, Λ (1, Λ) = 5 / (5-1) = 5/4 λ (5, Λ) = 1 / (1-5) = − ／. Preparation information C ₁ (= g ^k modp) and exclusion information C
_{Using 2} (= y ₅ ^k modp), S ₁ and λ (1, Λ) are used as exponents, and a power residue value C ₁ ^ (λ (1, Λ) modq) modp with C ₁ as a base, and λ The product of (5, を) as an exponent and the power residue value C ₂ ^ (λ (5, Λ) modq) modp with C ₂ as a base C ₁ ^ (S ₁ × λ (1, Λ) modq) × C ₂ ^ (λ (5, Λ) modq) modp = g ^ (k × S ₁ × λ (1, Λ) modq) × g ^ (k × S ₅ × λ (5, Λ) modq) modp = g ^ (k × (S ₁ × λ (1, Λ) + S ₅ × λ (5, Λ) modq)) modp = g ^ (k × S modq) modp = K to obtain K. Further, the ciphertext C ₃ (= M ×
K modp) is divided by K on the modulus p to obtain C ₃ / K = M × K / K modp = M, which is used as common data with the base station 0.

The above calculation can be performed in the same manner in the terminals 2 to 4, and as a result, the common data M
Can be shared.

On the other hand, in the terminal 5, the exclusion information C ₂ (= y ₅ ^k = g (k × S ₅ ) mod broadcast from the base station 0
p) and the power-residue value that can be calculated from the stored information
(= C ₁ ^{S 5} modp = g ^ (k × S ₅ ) modp) is the same, and Λ = {5}, and λ (5, Λ) cannot be obtained. Can not calculate the shared key K. Therefore, the common data M cannot be calculated.

[0056] Each terminal, K = g ^ (S × k) modp, C 1 = g k modp, y = g S can not be obtained secret key S from modp, each divided secret information S _a reused it can. Therefore, there is no need to perform setup from the next key sharing, and the preparation phase and the key sharing phase may be repeated.

FIG. 4 shows the configuration of a base station and each terminal i (1 ≦ i ≦ N) for performing the above processing.

Next, security in the first embodiment will be described.

(1) It is difficult for all terminals to obtain the shared key K in the preparation phase. In the preparation phase, for example, the information held by the terminal ₁ is the following two pieces of information. Secret information: S ₁ Preparation information: C ₁ (= g ^k modp) In order to obtain the shared key K from the above information, the secret key S may be obtained from S ₁ . However, the secret key S of all terminals is Sh
amir's threshold method (For details on Shamir's threshold method, see Mene
`` HANDBOOK of APPLIED C '' by zes, van Oorschot, Vanstone
RYPTOGRAPHY ", publisher CRC. ) Since the resolved using, can not seek from S _1. However, it is necessary to keep the size of the secret keys S of all terminals large enough to resist a brute force attack.

(2) It is difficult for the excluded terminal 5 to obtain the shared key K and the common data M even in the key sharing phase. The information held by the terminal 5 excluded in the key sharing phase is added to the above (1). ・ Exclusion information: C ₂ (= y ^S5 = g ((k × S ₅ ) modp) ・ Ciphertext: C ₃ (= M × K = M × g ^ (k × S) modp). These are equivalent to ciphertexts in ElGamal encryption. Therefore, if the modulo p and q and the integer k are set to be sufficiently large, it becomes difficult to obtain the shared key K and the common data M from these, resulting in ElGamal encryption. Specifically, it is desirable that p be 1024 bits or more and k and q be 160 bits or more.

In the preparation phase after excluding the terminal 5 and sharing the key, the terminal 5 can be continuously eliminated. This is because, for example, when five terminals share a common secret key and perform encrypted communication within a group, first the terminal 5 is lost or stolen, and in response to this, a new Share a common secret key.

Next, the terminal 4 is also lost or stolen.
Yes, exclude both terminals 4 and 5 and share the next common key
In some cases. For this purpose, the terminal 5
In the key sharing phase after the removal, the base station and the terminals 1 to 3
Common data M shared when terminal 5 was removed₁And when terminal 4 is excluded
Shared data M shared by_TwoCreate new common data M 'from
(Simply M₁And M_TwoOr the exclusive OR of
M ₁And M_TwoTake the hash value of the sum of
Is also good. ). According to this method,
Communication data M₁5 and common data M that cannot be obtained_TwoSeeking
Terminal 4 must create new common data M '
Can not. Similarly, common data M₁Using common data
Data M_TwoPreparation information, exclusion information and ciphertext for sharing
May be delivered secretly. According to this method, common data
M₁5 and the terminal 4 that cannot obtain the common data M_Four
Can not be asked.

In the case where the terminals 4 and 5 collude and obtain new common data M ', the terminal 4 after the elimination of the terminal 5
Exclusion information C corresponding to terminal 5 in the key sharing phase at the time of exclusion
There is also a method of distributing ₂ and sharing the new common data among the terminals 1 to 3. This method is substantially the same as the method described in the second embodiment.

[0064] In the first embodiment, the secret information S _a of each terminal is a base station is divided, but the delivery is using an encryption communication means, a trusted third party other than the above and the base station terminal it is not may be carried out, the pre-secret information S _a without delivery may be embedded in the terminal.

The encryption communication means may use secret key cryptography or public key cryptography. However, using public key cryptography improves security against unauthorized use of the base station because the base station holds only the public key of each terminal.

If a digital signature of the base station is added to all data delivered from the base station to each terminal, the terminal can be authenticated by the terminal, falsification by a third party can be detected, and security can be detected. Is improved.

[0067] Also, whether the secret information S _a of each terminal in the first embodiment is divided properly, Peder
Sen's share verification protocol (Proc. of Eurocrypt'9
1 ”Published by Springer-Verlag publisher“ Distributed Prove
rs with Applications to Undeniable Signatures ”
See TPPedersen. ) Can be applied. Verification information ｛g ^f0 modp, g ^f1 modp, ..., g ^fN mod
By exposing p by the secret splitter, each terminal can confirm the correctness of its own secret information, and the security is improved.

[0068] base station, and delivered to the terminal in secret the secret information S _a of each terminal using the cipher communication section, preparation information C ₁ also has a configuration to deliver to each terminal, the base station C ₁ ^Sa modp
May be calculated and secretly delivered to each terminal using the encryption communication means. In this method, since each terminal cannot directly know Sa, the terminals cannot collaborate to obtain S. However, in this case, setup must be performed for each key sharing.

Although the base station delivers the exclusion information C ₂ when excluding the terminal 5 in the key sharing phase, the base station calculates C ₂ ^ (λ (5, Λ) modq) modp. May be delivered. In this method, the amount of calculation of the terminal is very small, but the amount of communication increases because Λ differs for each terminal.

In the first embodiment, the method is performed based on the ElGamal encryption, but may be performed based on the Nyberg-Rueppel signature. In this method, the terminal can verify the digital signature of the base station for the common data M. For more information on Nyberg-Rueppel signatures, see Menezes, van Oors
`` HANDBOOK of APPLIED CRYPTOGRAPH '' by chot, Vanstone
Y "(CRC Publishing). Also, Nyberg-Rueppel
Six types of signatures (even more in consideration of positive and negative) have been proposed depending on the configuration method, and all six types are applicable to the present invention.

Further, the base station makes public information y ₁ ,.
it is configured to hold a y _5, when the base station is reliable, the secret information S ₁ instead, ..., may hold S _5.

Although the common data M is used as a common key in the first embodiment, the shared key K itself may be used as a common key between the base station and the terminal instead.

When a new terminal is to be added to the system whose setup has been completed as in the first embodiment, secret information is calculated using a new terminal number.
The secret information may be secretly delivered to the new terminal.

Further, in the first embodiment, one piece of secret information is held for each terminal. However, by increasing or decreasing the number of secret information according to the strength of the authority of the terminal, the authority is assigned to each terminal. It is possible to change. For example, a terminal that has only one piece of secret information cannot share a key,
A terminal having two or more terminals can use the key in such a way that key sharing is possible.

In the first embodiment, the finite field GF
Although the difficulty of the discrete logarithm problem on (p) is used, this can be generally extended to a discrete logarithm problem on an elliptic curve on an arbitrary finite field (definition field). In this case, the number of bits of the definition field can be reduced to, for example, about 160 bits, so that the amount of data communication and the size of a storage area in a terminal or a base station can be reduced.

If the first, second, and third base station-side storage units of the base station and the first and second terminal-side storage units of the terminal are areas that cannot be externally observed or changed, the base station and The terminal user and third parties cannot observe or change the secret information, thereby improving security. Further, even if the terminals are colluded, it becomes difficult to obtain the secret keys S of all the terminals.

In the first embodiment, key sharing is performed excluding a specific terminal. However, a method in which a base station shares a key only with a specific terminal will be described below. In this method, the same infrastructure as in the first embodiment can be used. Further, if the key sharing method of the first embodiment and the following key sharing method are automatically switched according to the group size, the base station can perform key sharing in an efficient manner without being aware of it. . FIG. 5 shows a key sharing phase in a method in which key sharing is performed only by a specific terminal.

The base station 0 sends specific terminals 1 and 2
Public information y of fixed terminals 1 and 2₁And y_TwoWith p as the modulo
And the shared information X with k as an index₁(= Y_Two ^k modp), X_Two
(= Y ₁ ^k modp) to calculate the preparation information C₁(= G^k mod
Broadcast to all terminals 1,..., 5 together with p).

The base station 0 uses the integer k and the public information y ₁ and y ₂ of the specific terminals ₁ and ₂ to set the exponent to k, the modulus to p, and y ₁ and y ₂
Shared key based on the product of Is calculated.

The specific terminal 1 prepares the preparation information C ₁ by modulating p.
Is calculated by calculating the product C ₁ ^S1 × X ₁ = g ^ (k (S ₂ + S ₁ ) modq) modp of the modular exponentiation value with the secret key S ₁ as an exponent and the shared information X _1. The configuration may be such that the key K is obtained. In this method, the specific terminal 2 can obtain the shared key K by the same calculation. Further, since the system setup and the preparation phase are the same as in the first embodiment, in the key sharing phase, the key sharing method between the first embodiment and the specific terminal may be switched according to the number of specific terminals.

As described above, the first embodiment of the present invention
Now, the exclusive key in the system of base station and 5 terminals
A secret method in which a secret key S is shared by a secret sharing
Report S _iUsing each terminal, the preparation information (g^k modp), exhaust
Removal information (g^kS5 modp), ciphertext (M × K modp) and
And the exclusion terminal number (5) are broadcast. _i^
(λ (i, Λ) modq) modp and C_Two^ (λ (5, Λ) modq) m
The product of odp is calculated to obtain K, and the ciphertext (M × K modp)
Is divided by K to obtain M to be used as common data with the base station 0.
With the configuration, the terminal 5 is excluded at high speed with a small amount of communication
The key can be shared by the base station and another terminal.

(Second Embodiment) In a second embodiment of the present invention, in a system of a base station and five terminals, preparation information (g ^k modp) and exclusion information (y ₄ ^k modp, y ₅₎ ^k mod
p) and the ciphertext (M × K modp) are assigned to the specific terminal number (4,5).
And broadcasts to all terminals, and at the terminal, g ^ (k × S ₁ ×
λ (1, Λ) modq) × g ^ (S ₄ × k × λ (4, Λ) modq) ×
g ^ (S ₅ × k × λ (5, Λ) modq) modp is obtained to obtain K, divided by ciphertext K to obtain common data M with the base station,
This is an exclusive key sharing method in which a key is shared between a terminal and a base station other than the terminal 4 and the terminal 5.

FIG. 6 shows a key sharing scheme in a case where common data is shared by all the terminals 1, 2, and 3 except the terminal 4 and the terminal 5 in the exclusive key sharing method according to the second embodiment of the present invention. It is a figure showing a phase. The setup and preparation phase of the second embodiment of the present invention is the same as that of the first embodiment.

Referring to FIG. 6, a key sharing phase in the case where common data is shared by all terminals 1, 2, 3 except terminal 4 and terminal 5 will be described. Base station 0 uses k as an index,
Preparation information C ₁ (= g ^k modp) with p modulo g
And exclusion information C ₂₄ (= y ₄ ^k modp) using the public information y ₄ and y ₅ of the two specific terminals 4 and ₅ as an integer k as an index, p as a modulus, and g as a base. C ₂₅ (= y ₅ ^k modp),
Ciphertext C which is the product of common data M and shared key K on modulus p
₃ (= M × K modp) is broadcast to all terminals together with the specific terminal number (= 4,5).

In the terminal 1, Λ = {1, 4, 5} and λ
Calculate (1, λ), λ (4, Λ), λ (5, Λ). Using the preparation information C ₁ and the exclusion information C ₂₄ and C ₂₅ , S ₁ and λ (1, Λ) are obtained.
Exponentiation product of modulo q and power residue value with C ₁ base Is calculated. With exclusion information _{C 24, λ (4, Λ} ) and the exponent, modulo exponentiation to base C ₂₄ value _{C 24 ^ (λ (4,} Λ) mo
dq) modp = y ₄ ^ (k × λ (4, Λ) modq) modp = g ^
(S ₄ × k × λ (4, Λ) modq) modp is calculated. Using exclusion information C ₂₄ and C ₂₅ , power exponentiation value with λ (5, Λ) as an index and C ₂₅ as a base Is calculated. These products To obtain K. Further, a value C ₃ / K mod p = M × K / K mod obtained by dividing the cipher text C ₃ by K on the modulus p
Obtain p = M and obtain common data M with the base station.

The above calculations can be performed in the same manner at terminals 2 and 3, and as a result, common data M
Can be shared. There is no need to perform setup from the next key agreement.

On the other hand, in the terminals 4 and 5, the exclusion information C ₂₄ (= y ₄ ^k = g ^ (k × S ₄ ) mod broadcasted from the base station is transmitted.
p), C ₂₅ (= y ₅ ^k = g ^ (k × S ₅ ) modp) and a power-residue value (C ₁ ^S4 modp) that can be calculated from the held information.
= G ^ (k × S ₄ ) modp, C ₁ ^S5 modp = g ^ (k × S ₅ ) modp
p) are the same, Λ = {4,5}, and λ (4,
Since Λ) and λ (5, Λ) are not obtained, calculation of the shared key K in the key sharing phase is not possible. Therefore, the common data M cannot be calculated.

In addition to the exclusion of a predetermined number d of specific terminals, an arbitrary number of exclusions can be performed. The base station transmits the secret key S to an arbitrary number e of specific terminals d ₁ ,.
It holds the e sets of secret information divided respectively d _e, while each terminal holds the secret information corresponding to its own terminal number from each set, when performing a key agreement is Actual number of specific terminals d _w (1 ≦ w ≦
The e) d _1, ..., and selected from d _e, by using the secret information divided to the selected specific terminal number d _w, within d stand do it and delivered by calculating the elimination information to all terminals If so, it can be arbitrarily excluded.

The actual specific terminal is larger than the specific terminal number d.
When the number D is small, the secret keys S of all terminals are
(D-1) The number is divided into many, and the number is
S _{N + 1}, ..., S_{N + d-1}Base as dummy secret information
Bureau keeps. In this method, the actual number of specific terminals D and
The difference v (= d−D) pieces of secret information S of the specific terminal number d_b1,
…, S_bvS_{N + 1}, ..., S_{N + d-1}Selected by base station from
By calculating information and delivering extra to all terminals, d units
If it is within, it can be arbitrarily excluded. Place of this method
If d₁, D_Two,,…, d_eE secret information corresponding to
Less confidential information than the method using.

As described above, the second embodiment of the present invention
Now, the exclusive key in the system of base station and 5 terminals
The sharing method is described in the preparation information (g^k modp), exclusion information (y_Four ^k mod
p, y_Five ^k modp) and the ciphertext (M × K modp)
(4, 5) and broadcast to all terminals.
(k × S₁× λ (1, Λ) modq) × g ^ (S_Four× k × λ (4, Λ)
 modq) × g ^ (S_Five× k × λ (5, Λ) modq) Calculate modp
To obtain K and divide by ciphertext K to obtain common data with the base station.
M, so that the communication speed is small and the terminal
The key can be shared between the base station and other terminals except for terminal 4 and terminal 5.
Can be.

[0091] Third Embodiment (Third Embodiment) The present invention, in the six terminal system utilizes a secret information S _i obtained by dispersing secret key S by secret sharing scheme, chairman terminal Broadcasts the preparation information C ₁ (g ^k modp), the exclusion information C ₂ (g ^kS5 modp), the ciphertext K (g ^kS modp) and the exclusion terminal number (5) to each of the other terminals. Then C
₁ ^ (λ (i, Λ) modq) × C ₂ ^ (λ (5, Λ) modq) modp
Is obtained, and K is obtained, and the group key K is shared by the terminals other than the terminal 5 in the exclusive key sharing method.

FIG. 7 is a diagram showing a setup of a key sharing method according to the third embodiment of the present invention. FIG. 8 is a diagram illustrating a preparation phase according to the third embodiment of this invention. FIG. 9 is a diagram showing a key sharing phase when all terminals except the terminal 5 share a shared key.

The key sharing method according to the third embodiment of the present invention includes three steps: setup, preparation phase, and key sharing phase.
Divided into two phases. Hereinafter, the case where the terminal 2 becomes the chairperson and excludes the terminal 5 to share the group key K will be described for each phase.

Referring to FIG. 7, the setup of the key sharing method according to the third embodiment of the present invention will be described. The chair terminal 2 creates a secret key S and keeps it secret. A prime number or a power p of a prime number larger than the secret key S and larger than the number of terminals 6 is created and made public. Find and publish one divisor q of (p-1). Disclose the element g of GF (p).

A non-zero element f ₁ of GF (q) is obtained and held.

The secret information S _i obtained by calculating S _i = f (i) using f (i) = S + f ₁ × i modq is encrypted and transmitted to each terminal i (1 ≦ i ≦ 6). Deliver secretly by means.

A set consisting of any two of the six terminals is denoted by Λ
When the secret information S _i is, S = Σλ (i, Λ ) × S i ( sum performed for i∈Λ) λ (i, Λ) = Π {L / (L-i)} ( product is L∈Λ- {i}). Where the set Λ− {i} is a set from the set Λ
It is a set excluding {i}. Each terminal 1,..., 6 holds the secret information S _i in the storage unit.

The chair terminal uses public information y ₁ (= p) modulo p and secret information S ₁ ,..., S ₆ as exponents, respectively.
g ^S1 modp), y ₂ (= g ^S2 modp),..., y ₆ (= g ^S6 modp)
Calculate and publish. After the calculation, S ₁ ,..., S ₆ are deleted from the chair terminal. The chair terminal is the secret key S of all terminals 1,.
Is used as an exponent, and modulo p is used to calculate and publish the public key y (= g ^S modp) of all terminals having g as the base. After the calculation, S is deleted from the chair terminal. The preparation phase of the third embodiment of the present invention will be described with reference to FIG.

The chair terminal arbitrarily generates a non-zero element k of GF (q), calculates k as an index, modulates p, and calculates preparation information C ₁ (= g ^k modp) using g as a base. . Using the integer k as an index and modulo p, the exclusion information C ₂ (= y ₅ ^k modp) based on the public information y ₅ of the terminal 5 specified by the chair terminal is calculated. C _1, C ₂ and a specific terminal number 5 broadcasts to all terminals.

Referring to FIG. 9, a key sharing phase in the case where a shared key is shared by all terminals 1,..., 4, and 6 except for terminal 5 will be described. The chair terminal calculates the group key K = y ^k modp using the system public key y.

The terminal 1 sets λ (1,5) from its own terminal number 1 and the received exclusion terminal number 5 as 排除 = {1,5}.
Λ) and λ (5, Λ) are calculated. Preparation information C ₁ (= g ^k modp)
And exclusion information C ₂ (= y ₅ ^k modp), S ₁ and λ (1,
The lambda) and index, modular exponentiation value _{C 1 ^ (λ (1,} Λ) to base C ₁ mod q) modp and, lambda (5, and the lambda) index, modular exponentiation value C to base C ₂ Product with ₂ ^ (λ (5, Λ) modq) modp C ₁ ^ (S ₁ × λ (1, Λ) modq) × C ₂ ^ (λ (5, Λ) modq) modp = g ^ (k × S ₁ × λ (1, Λ) modq) × g ^ (k × S ₅ × λ (5, Λ) modq) modp = g ^ (k × (S ₁ × λ (1, Λ) + S ₅ × λ ( 5, Λ) modq)) modp = g ^ (k × S modq) modp = K to obtain K.

The above calculation can be performed in the same manner in the terminals 3 to 4 and 6, and as a result, the common data K can be shared by the terminals 1 to 4 and 6.

On the other hand, in the terminal 5, the exclusion information C ₂ (= y ₅ ^k = g ^ (k × S ₅ ) mod broadcast by the chair terminal.
p) and the power-residue value that can be calculated from the stored information
(= C ₁ ^{S 5} modp = g ^ (k × S ₅ ) modp) is the same, and Λ = {5}, and λ (5, Λ) cannot be obtained. Can not calculate the shared key K.

Since each terminal cannot obtain the secret key S from K, C ₁ , y, each divided secret information S _i can be reused. Therefore, there is no need to perform setup from the next key sharing, and the preparation phase and the key sharing phase may be repeated.

When there is a new subscriber terminal, S _i = f (i) may be secretly delivered to the new subscriber terminal i.

A method of periodically updating a shared key will be described.
For example, the third terminal may change the key, a random number is generated k, create a C ₁ to broadcast to the other terminals. Using third public key y ₃ of the terminal, to broadcast to other terminal by creating a C ₂ when eliminating third terminal. Other than No. 3 can share the same key. No. 3 can obtain a shared key with another terminal using the public key y of all terminals and the random number k generated by itself. By sending two pieces of information,
You can change the broadcast key all at once.

That is, this is the key sharing proposer (terminal 3)
However, the base station performs the key sharing that excludes itself as if the base station did, and finally generates a shared key from the public keys of all terminals.

A method for rating a terminal will be described. It is assumed that there is a difference in authority among users among terminals, and a chair is present. The purpose is to form a group consisting only of the chairperson and to limit the recipients according to the communication content. As a specific method, realized by chairman and another terminal changing the number (weight) of the share S _i.

For example, in the setup, the chair
The other terminals have two shares with the threshold value of 3, and the other terminals also have one share with the threshold value of 3. In the key agreement phase,
The chair creates one dummy share and sends exclusion information. As a result, the chair can share keys, but not other terminals.

As another example, in the setup,
The chair has three shares with a threshold of 4, the vice chair has two shares, and the other terminals have one share. In the key sharing phase, the chair creates one dummy share and sends exclusion information. As a result, the chair can share keys, but the vice chair and other terminals cannot share keys. If the chairman creates two dummy shares and sends exclusion information, the chairperson and the vice-chairman can share keys, but other terminals cannot.

As described above, in the third embodiment of the present invention, the exclusive key sharing method is applied to the secret information S _i obtained by distributing the secret key S by the secret sharing method in a system of six terminals.
, The preparation information C is sent from the chair terminal to each of the other terminals.
₁ (g ^k modp), exclusion information C ₂ (g ^kS5 modp), ciphertext K
(G ^kS modp) and the exclusion terminal number (5) are broadcast, and each terminal transmits C ₁ ^ (λ (i, Λ) modq) × C ₂ ^ (λ
(5, Λ) modq) Modp is calculated to obtain K, and other terminals except the terminal 5 share the group key K. Therefore, even in a system without a base station, high speed can be achieved with a small amount of communication. The key can be shared by other terminals except the terminal 5.

[0112]

As described above, according to the present invention, an exclusive key sharing method for a communication system capable of performing broadcast communication comprising N terminals connected to a base station is represented by S as a secret key and S as a secret key. terminal i is, S = Σλ (i, Λ ) × confidential information satisfies the S _i S _i
Is kept secret, and the base station prepares the preparation information C ₁ (g ^k modp)
And the exclusion information C ₂ (g ^ (k × S _a modq) modp), together with the specific terminal number a, to all terminals.
≠ a) is C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a,
Λ) modq) Since the configuration is such that the shared key K with the base station is obtained by calculating modp, it is possible to obtain the effect that the processing can be simplified and the security can be improved.

In the exclusive key sharing method, the secret key is S, the number of specific terminals is d, and each terminal i has S = Σλ (i,
秘密) × S _i, and keep the secret information S _i secret. The base station prepares the preparation information C ₁ = g ^k modp and the exclusion information C ₂₁ (g ^ (k
× S _i1 modq) modp),..., C _2d (g ^ (k × S _id
The mod q) modp), particular terminal number i _1, ..., and broadcast to all terminals with i _d, the terminal j _{is, C 1 ^ (S j ×} λ (j, Λ) mo
_{dq) × C 21 ^ (λ} (i 1, Λ) modq) × ... × C 2d ^ (λ (i d,
Λ) modq) By calculating modp, the configuration is such that the shared key K with the base station is obtained.
C _1, C _2a, only broadcasts a C _2b with a particular terminal number (a, b), the effect is obtained that the two terminals at the same time can be eliminated.

[Brief description of the drawings]

FIG. 1 is a diagram showing a setup in a key sharing method according to a first embodiment of the present invention;

FIG. 2 is a diagram showing a preparation phase in the key sharing method according to the first embodiment;

FIG. 3 is a diagram showing a key sharing phase shared by all terminals except a terminal 5 in the key sharing method according to the first embodiment;

FIG. 4 is a diagram showing a configuration of each terminal and a base station in the key sharing method according to the first embodiment;

FIG. 5 is a key sharing phase diagram when not more than half of all terminals share a key in the key sharing method according to the first embodiment;

FIG. 6 is a diagram showing a key sharing phase when a shared key is shared by all terminals except specific terminals 4 and 5 in the key sharing method according to the second embodiment of the present invention;

FIG. 7 is a diagram showing a setup in a key sharing method according to a third embodiment of the present invention;

FIG. 8 is a diagram showing a preparation phase in the key sharing method according to the third embodiment;

FIG. 9 is a diagram showing a key sharing phase in the key sharing method according to the third embodiment;

FIG. 10 is a diagram showing a key sharing scheme in a first conventional example;

FIG. 11 is a diagram showing a key sharing scheme in a second conventional example.

[Explanation of symbols]

 0 Base station 1 to 5 Terminal 1 to terminal 5 6 Storage unit in base station 7 to 11 Storage unit in terminal 19 Receiving unit 20 First terminal side storage unit 21 Second terminal side storage unit 22 First terminal side Calculation unit 23 Second terminal side calculation unit 24 Third terminal side calculation unit 25 First base station side storage unit 26 Second base station side storage unit 27 Third base station side storage unit 28 First base Station-side calculator 29 Second base-station-side calculator 30 Third base-station-side calculator 31 Controller 32 Transmitter

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] March 16, 2000 (200.3.1.1)
6)

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] 0050

[Correction method] Change

[Correction contents]

A set consisting of any two of the five terminals is denoted by Λ
S = {λ (i, は) × Si (the sum is performed for i∈Λ) λ (i, Λ) = Π {L / (Li)} (product is L はΛ− {i}). Where the set Λ− {i} is a set from the set Λ
It is a set excluding {i}. For example, if Λ = {1,2}, Becomes By setting the secret information Si in this way,
Thus, the secret key S can be obtained by the product-sum operation. did
Therefore, the exclusion information with the secret information Si as the exponent should be
By multiplying by the power, the product-sum operation can be performed on the exponent part. So
Without revealing the secret information Si
It is possible to obtain the secret key S in the exponent part while hiding it in several parts
It is possible to use the secret information Si
It becomes possible.

[Procedure amendment 2]

[Document name to be amended] Statement

[Correction target item name] 0052

[Correction method] Change

[Correction contents]

The preparation phase of the first embodiment of the present invention will be described with reference to FIG. The base station 0 arbitrarily generates a non-zero element k of GF (q), calculates k as an exponent, modulates p, and prepares preparation information C ₁ (= g ^k modp) using g as a base. Exclusion information C ₂ (= y ₅ ^k mod) using the base of the public information y ₅ of the terminal 5 specified by the base station 0 using the integer k as an exponent and p as a modulus.
Calculate p). k is exponent, p is modulo, all terminals 1, ..., 5
Key K (= y ^k modp = g ^ (S
× k) Find modp). At the same time, the common data M with all the terminals j (j = 1,..., 4) except the specific terminal 5 is generated, and the ciphertext C ₃ (= M × K) which is the product of M and K on the modulus p
modp). More C _1, C _2, C ₃ and a specific terminal number 5 broadcasts to all terminals. The use of k is
Can be changed to use different secrets using the same secret key S.
This is to enable delivery of the keyed K.

 ────────────────────────────────────────────────── ─── Continuing on the front page (72) Inventor Jun Anzai 3-20-20 Shin-Yokohama, Kohoku-ku, Yokohama-shi, Kanagawa 8 F-term in Advanced Mobile Communication Security Technology Research Institute, Inc. (Reference) 5J104 BA03 EA04 EA24 EA28 EA30 EA33 MA06 NA02 NA16 NA18 PA01 5K067 AA30 CC14 DD17 EE02 EE10 HH36

Claims (25)

[Claims] 1. A base station and N units connected to the base station
(N is an integer of 2 or more)
In an exclusive key agreement method of a communication system, a secret key is denoted by S.
And a prime number or a prime number greater than S and N
, The divisor of (p-1) is q, and the base station is
The number of terminals that can be specified (hereinafter referred to as the number of specific terminals) is 1,
Each terminal i (1 ≦ i ≦ N) is represented by S = {λ (i, Λ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i modq (f₁Is a nonzero GF (q)
Element) λ (i, Λ) = Π {L / (Li)} (product is L は-{i}
集合 is a set of any two of the N terminals)._iConfidentially, said base
The station performs the above (S, p, g, S ₁,…, S_N(1) The base station sets the element of GF (p) to g and is not zero.
When the element of GF (q) is k, the preparation information C₁= G^k modp, and (2) the base station obtains secret information S of the specific terminal a._aExhausted from
Exclusion information C_Two= G ^ (k × S_a modq) modp is calculated, the specific terminal number a and the preparation information C₁With all terminals
(3) The base station transmits all the terminals except the specific terminal a.
A shared key K = g ^ (k × S modq) modp with j (j ≠ a) is obtained. (4) Each terminal j (j ≠ a) obtains the preparation information C₁And before
Exclusion information C_TwoAnd own secret information S_jBy using_j
And the product of λ (j, Λ) on the modulus q as an index,
Note C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and the λ (a, Λ) obtained on the method q as an index.
Said C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp, the shared key K with the base station is obtained.
An exclusive key agreement method characterized by 2. An exclusive key sharing apparatus for a communication system comprising a base station and N terminals (N is an integer of 2 or more) connected to the base station and capable of performing broadcast communication, wherein the base station comprises: , A secret key S and a modulus p which is a prime number or a power of a prime number larger than N, an element g of GF (p), and an element k of GF (q) where the divisor of (p-1) is q. S = {λ (i, Λ) × S _i (sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is zero) Not G
F (q)) λ (i, Ｌ) = {{L / (L−i)} (product is performed on L∈Λ− {i})} is any of the N terminals , S _N that satisfies the following condition: a second base station storage unit that holds secret information S ₁ ,..., And S _N, and a third base station storage unit that holds the secret key S. Each of the terminals i includes a first terminal-side storage unit that holds the (p, g), and further includes a second terminal-side storage unit that holds the secret information S _i secretly. The base station calculates the preparation information C ₁ = g ^k modp using the (k, p, q, g) stored in the first base station storage unit. part further comprising a (2) wherein the base station includes a control unit that specifies a particular terminal a, and outputs the secret information S _a stored based on the second base station-side memory unit of the control ,this And the above (k, p,
q, using a g), eliminates information _{C 2 = g ^ (k ×} S a modq) comprising a second base station-side calculation unit for calculating a modp, the preparation information C ₁ and the with a particular terminal number a total A transmitting unit for broadcasting to the terminal; (3) the base station includes the (k, p, q) and the third
Using the secret key S held in the base station side storage unit of
A third base station-side calculator for calculating a shared key K = g ^ (k × S modq) modp with all terminals j (j ≠ a) except the terminal a; (4) each terminal j (j ≠ a), the C ₁ modular exponentiation value _{C 1 ^ (S j × λ} (j, Λ) modq) modp and modular exponentiation value of the _{C 2 C 2 ^ (λ (} a, Λ) modq ) product with modp C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
An exclusive key sharing device, comprising: a terminal-side calculation unit that calculates modp to obtain a shared key K with the base station. 3. An exclusive key sharing method for a communication system capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station, wherein a secret key is set to S. Where p is a prime number or a power of a prime number larger than S and N, q is a divisor of (p−1), and d is a specific terminal number (1 ≦ d
<N−1), and each terminal i (1 ≦ i ≦ N) has S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i + ^{_{... + f d × i d modq}} (f 1, ..., f d is d number of elements of GF (q), where, f _d ≠
0) λ (i, Λ) = {{L / (L−i)} (product is performed on L∈Λ− {i})} is a set of arbitrary (d + 1) units of the N terminals ) Secretly holds secret information S _i that satisfies the following condition, and the base station holds the (S, p, g, S ₁ ,..., S _N ); C ₁ = g ^k modp (k is an element of GF (q) that is not zero), and (2) the base station transmits secret information S _i1 ,..., _D of _d specific terminals i _{1 ,.} from S _id, eliminating information _{C 21 = g ^ (k ×} S i1 modq) modp, ···, to calculate the _{C 2d = g ^ (k ×} S id modq) modp, the rejection information C _21, ..., the C _2d, the preparation information C ₁ with a particular terminal number i _1, ..., and broadcast to all terminals with i _d, (3) the base station, the specific terminal i _1, ..., all but the i _d of the terminal _{j (j ≠ i 1, ...} , i d) to calculate the shared key K = g ^ (k × S modq) modp with, 4) wherein each terminal _{j (j ≠ i 1, ...} , i d) is, Λ = {j,
i ₁ , ..., _id }, and λ (j, Λ), λ (i ₁ , Λ), ..., λ ( _id ,
Λ), and the preparation information C ₁ and the exclusion information C ₂₁ ,.
_{Using 2d} and its own secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂₁ ^ (λ (i ₁ , Λ) modq) × ... × C _2d ^ (λ (i _d , mod) modq) An exclusive key sharing method, wherein the shared key K with the base station is obtained by calculating modp. 4. A base station and N units connected to the base station
(N is an integer of 2 or more)
In an exclusive key agreement method of a communication system, a secret key is denoted by S.
A prime number greater than S and the N or a power number of a prime number
Is p, the divisor of (p-1) is q, and the number of specific terminals is d.
(1 ≦ d <N−1), and the base station actually
The number of terminals to be specified (hereinafter referred to as the actual number of specific terminals) D is
Each terminal i (1 ≦ i ≦ N) is smaller than or equal to the specific terminal number d._i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i + ... + f_d× i^d modq (f₁,…, F_dIs an element of d GF (q), where f_d≠
0) λ (i, Λ) = Π {L / (L−i)} (the product is L∈Λ− {i}
Λ is a collection of arbitrary (d + 1) units of the N terminals.
Secret information S that satisfies_iConfidentially, said base
The station is S_{N + 1}= S + f₁× (N + 1) + ... + f_d× (N + 1)^d mod
q, ..., S_{N + d-1}= S + f₁× (N + d-1) + ... + f_d× (N + d−
1)^d secret information S divided by calculating modq_{N + 1},…, S
_{N + d-1}And the secret information S₁,…, S_NAnd the secret key S, before
The notation p holds an element g of the GF (p), and (1) the base station prepares C₁= G^k modp (k is a non-zero element of GF (q)), and (2) the base station calculates the D specific terminals i₁,…, I_Dof
Secret information S_i1,…, S_iDAnd the secret information S_{N + 1},…, S_{N + d-1}
Of arbitrary secret information S (= d−D)_b1,…, S _bvAnd
Exclusion information C_{twenty one}= G ^ (k × S_i1 modq) modp, ..., C_2D= G ^ (k × S_iD modq) modp, C_2b1= G ^ (k × S_b1 modq) modp, ..., C_2bv= G ^ (k × S_bv modq) modp and calculate the exclusion information C_{twenty one},…, C_2DAnd C_2b1,…, C_2bv
And the preparation information C₁And specific terminal number i₁,…, I_DAnd before
Secret information S_b1,…, S_bvNumber b₁,…, B_vTo all devices
(3) the base station communicates with the specific terminal i₁,…, I_DAll except
Terminal j (j ≠ i₁,…, I_D) And K = gｇ (k × S modq) modp, and (4) each terminal j (j ≠ i₁,…, I_D) Is Λ = {j, i₁,
…, I_D, b₁,…, B_v} As λ (j, Λ), λ (i₁, Λ),…,
λ (i_D, Λ), λ (i_b1, Λ),…, λ (i_bv, Λ)
Preparation information C₁And the exclusion information C_{twenty one},…, C_2D, C_2b1,…, C
_2bvAnd the above secret information S_j, The power residue value C
₁^ (S_j× λ (j, Λ) modq) and the power remainder value C_{twenty one}^ (λ (i₁, Λ) modq) ×… × C_2D^ (λ (i_D, Λ) modq) × C_b1^ (λ (b₁, Λ) modq) ×… × C_bv^ (λ (b_v, Λ) product with modq) modp) C₁^ (S_j× λ (j, Λ) modq) × C_{twenty one}^ (λ (i₁, Λ) modq) ×… × C_2D^ (λ (i_D, Λ) modq) × C_b1^ (λ (b₁, Λ) modq) ×… × C_bv^ (λ (b_v, Λ) modq) modp) to obtain a shared key K with the base station.
An exclusive key agreement method characterized by: 5. The base station stores the secret key S in an arbitrary
Number e of specific terminals d₁,…, D_eDivided into
E sets of secret information while the terminal
Holds e secret information corresponding to its own terminal number from
In the case of performing key sharing excluding the specific terminal,
Means that the base station and the terminal j are the actual specific terminal
The specific terminal number d equal to the number D_w(1 ≦ w ≦ e)
d₁,…, D _eAnd the base station is the selected specific terminal.
End number d_wUsing the set of secret information corresponding to
Broadcasts the device information and the exclusion information, and generates a shared key K
, While the terminal j is d_wUse secret information corresponding to
Requesting a shared key K with the base station
Item 3. The exclusive key agreement method according to Item 3. 6. The secret key S is used as a secret key of all terminals,
Let S be an exponent and the power of modulo g be modulo p.
Value y = g^S modp is the public key of all terminals, and the base station
Secret information S solved₁, S _Two,…, S_N(1) The base station arbitrarily generates an integer k, and
Exponent, the power of the g value modulo the p
Preparation information C₁= G^k modp (k is a non-zero element of GF (q)). (2) The base station calculates the secret information S
_aAnd the product of the above k and the above method q is obtained.
Exclusion information using exponent, modulo p, and base g_Two= G ^ (k × S_a modq) modp, and (3) the base station sets k as an index, and modulates p with modulo
A shared key K = y, which is a power-residue value of the public key y of all the terminals^k modp, and at the same time arbitrarily arbitrarily common data with the terminal j (j ≠ a).
Data M, and the product of the M and the shared key K on the modulus p
(Hereinafter referred to as ciphertext) C_Three= M × K modp to calculate the preparation information C₁And the specific terminal number a
(4) Each terminal j (j） a) sets Λ = {j, a}
λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C₁And said
Exclusion information C_TwoAnd the above secret information S_jBy using
_jAnd the product of the λ (j, Λ) on the modulus q as an index
C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and before using the λ (a, Λ) obtained on the method q as an index
Note C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp K = C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) mod
q) modp) is obtained on the method p, and the ciphertext C_ThreeOn the law p
Value C divided by K_Three/ K = M × K / K modp as the common data M with the base station.
2. The exclusive key agreement method according to claim 1, wherein 7. The secret key S of all the terminals is set as an exponent, and the modular exponentiation value y = g ^S modp of the modulo p is set as the public key of all the terminals, and the base station is obtained by decomposing the terminals. secret information S _1, S ₂ and, ..., and index, respectively S _N, the p
Which is the modular exponentiation value of the g modulo public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., available ^{_{y N = g SN modp, (}} 1) the base station, the integer k is arbitrarily generated, k is an exponent, and preparation information C ₁ = g ^k modp (k is a non-zero element of GF (q)), which is a modular exponentiation value of the g, modulating the p is calculated. , (2) the base station, the k and the index, the modulo p, calculates the public information y a modular exponentiation value is eliminated information C ₂ = y _a ^k modp of _a said specific terminal a, (3) The base station uses the k as an exponent and modulates the p as a modulus of the public key y of all terminals. The shared key K = y ^k modp = gｇ (S × k) modp , And at the same time, arbitrarily generate common data M with the terminal j (j ≠ a), and obtain the ciphertext C ₃ = M × K, which is the product of M and K on the modulus p. modp is calculated and broadcast to all terminals together with the preparation information C ₁ and the specific terminal number a. (4) Each terminal j (j ≠ a) sets λ = {j, a} and λ ( j, obtains a lambda) and λ (a, Λ), using the secret information S _j of the preparation information C ₁ and the exclusion information C ₂ and itself, wherein S _j and the lambda (j, lambda) above The product on modulo q is the exponent,
Wherein C ₁ and the bottom power residue value _{C 1 ^ (S j × λ} (j, Λ) modq) and modp, the λ (a, Λ) determined on the method q was the exponent, the C ₂ Product with power residue value C ₂ ^ (λ (a, Λ) modq) modp as base K = C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) mod
q) modp is obtained on the modulus p, and a value C ₃ / K modp = M × K / K modp obtained by dividing the ciphertext C ₃ by the K on the modulus p is used as common data M with the base station. 2. The exclusive key agreement method according to claim 1, wherein the exclusive key agreement method is used. 8. The secret key S is the secret key of the base station, the S is an exponent, the modular exponentiation value of g, y = g ^S modp, modulo p is the public key of the base station (where , S _N), and each terminal keeps secret information S ₁ , S ₂ ,..., _SN of the secret key S of the base station in secret, and the base station Each of the decomposed secret information S ₁ , S ₂ ,..., S _N is an exponent, and the public information y ₁ = g ^S1 modp, y ₂ = g ^S2 modp, …, Y _N = g ^SN mod
(1) The base station arbitrarily generates (1-a) an integer k and finds it on the modulo q (−k)
Is calculated as an exponent, and the power residue value C of the g modulo p is calculated as C ₀ = g ^ (− k modq) modp. (1-b) All terminals j (j ≠ a )) To obtain a product r = M × C ₀ modp of the M and the C ₀ on the modulus p, and (1-c) the _value obtained by dividing the r by the q (1-d) Using the r ′, the k, and the secret key S of the base station, a value s satisfying k = s−r ′ × S modq is obtained, -e) Calculate the preparation information C ₁ = g ^ (− r modq) modp which is the power remainder value of the g by modulating (−r) obtained by modulo q as an index, and -f) using the public information y _a of the particular terminal a, modulo q
Was determined on the (-r) is the exponential, the y _a of a modular exponentiation value exclusion information C ₂ = y _a modulo said p ^ - Calculate the (r modq) modp, (1 -g) The (r, s) is broadcast to all terminals together with the C ₁ and C ₂ as a signature of M, and (2) The terminals j (j ≠ a) are represented by Λ = {j, a} and λ (j, Λ) and λ (a, Λ), and using the preparation information C ₁ , the exclusion information C _2, and the secret information S _j of itself, the S _j and the λ (j, Λ) are obtained. The power residue value C ₁ ^ (S _j × λ (j, Λ) modq) modp of C ₁ having the product on mod q as an index and the λ (a, Λ) obtained on mod q are indexed Said C ₂
The product with the power residue value of C ₂ ^ (λ (a, Λ) modq) modp K = C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) modp = y ^ (-r modq) modp is obtained on the modulus p, and g is an index of s.
The exclusive data according to claim 1, wherein the common data M is obtained by calculating a product r × g ^s × K modp of the power residue value of and the r and the K on the modulus p. Key agreement method. 9. The secret key S of all terminals is set as an exponent,
The power residue value of the above g modulo p y = g^S Let modp be the public key of all terminals, and the base station
Secret information S₁, S_Two,…, S_NEach is an index, and p
Public information y that is the power residue value of g modulo₁= G^S1 modp, y_Two= G^S2 modp,…, y_N= G^SN modp can be used, (1) the base station arbitrarily generates the integer k,
The power remainder value of the g, where k is an index and the p is a modulus
Preparation information C₁= G^k modp, and (2) the base station sets k as an index and modulates p as
Public information y of the specific terminal a_aPower residue value of
Exclusion information C_Two= Y_a ^k modp is calculated, (3) the base station sets k as an index, and modulates p with
The power residue value of the public key y of all the terminals
Shared key with all terminals j (j ≠ a) except terminal a K = y^k (4) In the terminal j, the preparation information C₁And the exclusion
Report C_TwoAnd own secret information S _jBy using_jAnd the λ
The above C, wherein the product of (j, Λ) on the modulus q is an index₁Nobe
The power residue value and the λ (a, Λ) obtained on the method q
C_TwoWith the power residue value of C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp on the modulus p, sharing with the base station
2. The exclusive key according to claim 1, wherein a key K is obtained.
Key agreement method. 10. The terminal according to claim 1, wherein each of the confidential information S ₁ ,
.., _SN are kept secret, and a set of arbitrary two or more t of the N terminals is denoted by Λ. (1) The base station uses the integer k to set k and index, the p modulo, the preparation information C ₁ = g ^k modp to base the g calculated, (2) the base station, the specific terminal i ₁ of t stand, ..., any i _t of _{i j (j = 1, ...} , t) following shared information X _ij X _ij = Π satisfying the equation with respect to _{(g ^ (S u × k} )) modp ( products are u∈Λ- {i _j}
), And broadcasts all shared information X _ij and the preparation information C ₁ to all terminals. (3) The base station transmits the secret information S _i1 ,...
Calculate the K satisfying the following formula as a shared key K and said t stand specific terminal using ^{_{S it, K = g x modp}} , x = k × ΣS ij modq ( sum for j = 1 to t taking) (4) the specific terminal i _j is the p and modulo exponentiation remainder value of the C ₁ to the secret information S _ij itself the index and the product X _ij × C ₁ ^Sij modp of the X _ij 2. The exclusive key sharing method according to claim 1, wherein a shared key K with the base station is obtained by calculating on the modulo p. 11. The method according to claim 1, wherein the secret key S is divided by the base station and distributed to corresponding terminals in advance by cryptographic communication means provided in the base station and the terminal. Exclusive key agreement. 12. A third institution other than the base station may divide the secret key S, generate a power remainder value y, and publish information y ₁ , y ₂ ,
…, Calculation and disclosure of y _N and S _a corresponding to the terminal _a
10. The exclusive key agreement method according to claim 9, wherein embedding is performed. 13. Each of the terminals i (1 ≦ i ≦ N) holds the secret information S _i secretly, and each of the terminals i has the integers f ₀ (= S), f ₁ ,. _{Let d} be exponents, and modulo powers of the g (hereinafter referred to as verification information) g ^f0 , g ^f1 ,..., g ^fd modulo the p can be used.
The following calculation is performed using the verification information and the own secret information S _i , and g ^Si = Π (g ^ (f _j × a ^j ) modp (the product is taken for j = 0 to d). Determining whether or not the secret information S _i is valid.
Exclusive key agreement method as described. 14. A new terminal number I (I> I) for a terminal newly joining the communication system capable of broadcasting.
2. An exclusive key sharing method according to claim 1, wherein N) is set, and secret information S _I obtained by calculating S _I = S + f ₁ × I is kept secret. 15. The terminal i, the modulo the p instead of the secret information S _i, saves the power residue value of the C ₁ to S _i the index of the (= C ₁ ^Si modp) secretly 2. The exclusive key agreement method according to claim 1, wherein: 16. The base station obtains the λ (i, Λ) for all 含 む including the specific terminal, and
Each of the λ (i, Λ) obtained above is used as an index, and the power remainder value C ₂ ^ (λ (i, Λ) modq) modp of the exclusion information C ₂ modulo the p is calculated. At the same time, all terminals j (j ≠ a) except the specific terminal a have the power-residue value C ₂ ^ (λ (i, Λ) modq) modp corresponding to the 含 む including the j. The exclusive key sharing method according to claim 1, wherein the shared key K is obtained using From 17. shared key K ₁ covalently during key agreement for all terminals j (j ≠ a) the shared key K and the previous was shared with the exception of the specific terminal a with the base station a new shared key K ₂ 2. The exclusive key agreement method according to claim 1, wherein the exclusive key sharing method is performed. 18. The exclusion system according to claim 1, wherein the digital signature means provided in advance in the base station and the terminal adds a digital signature of the base station to data delivered from the base station. Key agreement. 19. The first, second, and third base station-side storage units of the base station and the first and second terminal-side storage units of the terminal are areas that cannot be externally observed or changed. 3. The exclusive key sharing device according to claim 2, wherein 20. When the size of the group to be configured exceeds half of all terminals, the exclusive key agreement method according to claim 1 is applied, and when the size of the group to be configured does not exceed half of all terminals. 11. The method according to claim 1, further comprising automatically selecting the exclusive key agreement method according to claim 10.
And 10. Exclusive key agreement method. 21. The number of secret information held by the terminal,
2. The exclusive key sharing method according to claim 1, wherein the number is increased or decreased according to the authority of the terminal. 22. An exclusive key sharing method for a communication system comprising N terminals (N is an integer of 2 or more) connected to each other and capable of broadcasting, wherein a secret key is S, Let p be a prime number or a power of a prime number greater than N,
The divisor of (p-1) is q, the element of GF (p) is g, the number of specific terminals that can specify the chair terminal (which can be any terminal) is 1, and each terminal i (1 ≤ i ≤ N, S = {λ (i, ｉ) x S _i (the sum is performed for _i ）) (where S _i = S + f ₁ × i modq (where f ₁ is a nonzero GF (q) element) ) Λ (i, Λ) = {{L / (L−i)} (product is performed on L∈Λ− {i})} is a set consisting of any two of the N terminals. the secret information S _i holds secret, use the public key y = g ^S modp of all terminals, public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., the _y N = g ^SN modp (1) The chair terminal arbitrarily generates an element k of a non-zero GF (q) and calculates preparation information C ₁ = g ^k modp. (2) The chair terminal publishes a specific terminal a. the exclusion information C ₂ = y _a ^k modp from the information y _a Calculated, and then broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal, obtains a shared key ^{K = y k modp, (4} ) the respective terminals j (j ≠ a ) Is と し て = {j, a},
λ (j, Λ) and λ (a, Λ) are obtained, and C ₁ ^ (S _j × λ (j, Λ) is obtained by using the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j. ) modq) × C ₂ ^ (λ (a, Λ) modq)
An exclusive key sharing method wherein a shared key K is obtained by calculating modp. 23. An exclusive key sharing method for a communication system comprising N (N is an integer of 2 or more) mutually connected terminals capable of performing broadcast communication, wherein a secret key is set to S, and Let p be a prime number or a power of a prime number greater than N,
The divisor of (p−1) is q, the element of GF (p) is g, and each terminal i (1 ≦ i ≦ N) is S = {λ (i, Λ) × S _i (the sum is i行 な う) (where S _i = S + f ₁ × i modq (where f ₁ is a nonzero GF (q) element) λ (i, ｉ) = Π {L / (L−i)} (product is L行 な う-{i}) is secretly held secret information S _i that satisfies the above-mentioned set of two arbitrary terminals N), and the public key y = g ^S modp of all terminals. And the public key y ₁ = g ^S1 modp, y ₂ = g ^S2 modp,..., Y _N = g ^SN modp of each terminal. (1) A terminal a has a non-zero element k of GF (q) optionally generate, compute the preparation information ^{_{C 1 = g k modp, (}} 2) the terminal a calculates the exclusion information C ₂ = y _a ^k modp from the public key y _a of its own, and the terminal number a and broadcast to all terminals with preparation information C _1, (3) the terminal a, Seeking Yukagi K = y ^k modp, as (4) the respective terminals j (j ≠ a) is, Λ = {j, a} ,
λ (j, Λ) and λ (a, Λ) are obtained, and C ₁ ^ (S _j × λ (j, Λ) is obtained by using the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j. ) modq) × C ₂ ^ (λ (a, Λ) modq)
An exclusive key sharing method wherein a shared key K is obtained by calculating modp. 24. The exclusive key sharing method according to claim 22, wherein each terminal holds all public keys other than its own public key. 25. The exclusive key agreement according to claim 1, wherein the multiplication operation corresponds to an addition operation on a curve such as an elliptic curve on an arbitrary finite field. Law.