JP2001203682A - Arithmetic operation saving type exclusive key share method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an arithmetic operation saving type exclusive key share method that can deliver a common key at high-speed by decreasing a communi cation quantity and an arithmetic quantity for sharing an exclusive key. SOLUTION: Secret information sets S, T are dispersed by a threshold value dispersion method to obtain Si, Ti and the Si and a Ui (=g exponential (Ti/Si mod q)mod p) are delivered to terminal (i) (=1-5). In the case of excluding the terminal 5 among the 5 terminals 1-5, a base station 0 broadcasts exclusion information (k×S5+T5 mod q) obtained by masking the dispersed secret information sets S5, T5 of the excluded terminal 5 by a random number (k) to each terminal. The other terminals than the excluded terminal can obtain the common key K through a power arithmetic operation on the basis of the exclusion information. Since the communication quantity of the exclusion information is reduced and each terminal can share the common key by only two power residue arithmetic operations intermediate frequency number of the excluded terminals, the common key can quickly be delivered to the other terminals than the excluded terminal.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an operation-saving exclusive key sharing method, and more particularly to a star type communication system including a base station and a plurality of terminals, which is common to all terminals other than the terminal specified by the base station. The present invention relates to an operation-saving exclusive key agreement method for quickly and securely delivering a secret key.

[0002]

2. Description of the Related Art In a star-type communication system in which a base station manages a plurality of terminals, a base station and a plurality of terminals under the umbrella form a group, and the group shares the same group secret key to perform broadcast cryptographic communication. May be done. Information encrypted using the group secret key can be decrypted only by terminals in the group holding the same secret key.

[0003] In some cases, it may be desired to exclude a specific terminal from this group. This is the case, for example, when a certain terminal in the group is stolen and fraudulent activities such as eavesdropping on encrypted communication using the terminal and transmission of false information are considered. At this time, it is necessary for the base station managing the secret key to remove the stolen terminal as soon as possible, update the group secret key, and share the new secret key only with the remaining terminals. . In the conventional exclusive key sharing method in such a case, a case where two terminals are excluded in a broadcast communication system including six terminals is shown in FIG.
This will be described with reference to FIGS.

[0005] As shown in FIG. 25, a chair terminal that manages the whole is a terminal 2. The chair terminal 2 distributes the secret information S by the threshold distribution method, and generates distributed secret information S _{1 to} S ₆ . If there are three different ones among S _{1 to} S ₆ , S can be obtained. The S _i to the terminal i to be held in secret. The terminals to be excluded are terminals 5 and 6.

[0005] As shown in FIG. 26, the terminal 2 has S ₅ and S ₆
To the terminals 2 to 6. As shown in FIG.
(1, 3-4) can determine S from S _i , S _5, and S ₆ held by itself. However, since the terminals 5 and 6 do not have three different pieces of shared secret information, S cannot be obtained. By utilizing this, a new group key can be delivered to the terminals 2 to 4. Specifically, the following is performed.

A prime number p larger than S is obtained. For example, 10
Use 24-bit prime numbers. Find the prime factor q of (p-1).
For example, it is a 160-bit prime number. The shared secret information S _i (i
= 1 to 6), and S _i = S + f ₁ × i + f ₂ × i ² mod q (f
₁ , and f ₂ (f ₂ ≠ 0) is delivered to each terminal as GF (q).

Let the set Λ _i be {i, 5,6} (i = 1 to
4), λ (i, Λ i) = {5 / (5-i)} × {6 / (6-i)} mod q λ (5, Λ i) = {i / (i-5)} × {6 / (6-5)} mod q λ (6, Λ _i ) = {5 / (5-6)} × {i / (i−6)} mod q, λ (i, Λ _i ) × S _i + λ (5, Λ _i ) × S ₅ + λ (6, Λ _i ) × S ₆
= S.

[0008] The chair terminal is an element g (≠ 0,1) of GF (p).
And the preparation information C1 = g ^k mod p is calculated from the element k (≠ 0, 1) of GF (q). The exclusion excluded from the secret information S ₅ and S ₆ of the terminal 5, 6 information _{C2 5 = g ^ (k ×} S 5 modq) modp C2 6 = g ^ (k × S 6 modq) modp calculated, eliminating terminal number 5 , 6 and the preparation information C1 to all terminals.

A shared key K = g ^ (k × S modq) mod p with all terminals except the excluded terminals 5 and 6 is obtained.

[0010] Each terminal i (i６5, 6) transmits the preparation information C1
When, and exclusion information C2 _5, C2 _6, by using the secret information S _i of its _{own, C1 ^ (S i × λ} (i, Λ i) mod q) mod p × C2 5 ^ (λ (5, Λ i ) mod q) mod p × C2 ₆ ^ (λ (6, Λ _i ) mod q) mod p to obtain the shared key K. But,
Since the terminals 5 and 6 have only two pieces of secret information, the shared key K
Can not ask. Therefore, the new keys K can be shared by the terminals 1 to 4, excluding the terminals 5 and 6.

[0011]

However, the conventional exclusive key sharing method has a problem that it takes a long time for key sharing because the number of exponentiation operations increases as the number of excluded terminals increases. In addition, there is a problem that the traffic increases according to the number of excluded terminals.

SUMMARY OF THE INVENTION An object of the present invention is to solve the above-mentioned conventional problems and to eliminate a specific terminal at a high speed with a small amount of calculation and a small amount of communication.

[0013]

According to the present invention, there is provided a broadcast communication system comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station. An exclusive key agreement method for a communication system capable of: Let S and T be secret information, let p be a prime number greater than S, T and N,
The prime factor of (p−1) is q, the element whose order in GF (p) is q is g, the number of specific terminals is d (1 ≦ d <N−1), and T = Σλ (i, Λ) × T _i (sum is performed on i∈Λ) λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}) T _i = T + e ₁ × _{^{i 1 + ··· + e d ×}} i d modq ( _{However, e 1, ..., e d} (e d ≠ 0) is d number of elements of GF (q), Λ is of any of the N of terminal (d + 1 T) satisfying T _i that satisfies secret information, and each terminal i (1 ≦ i ≦
N) is S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) λ (i, Λ) = Π {L / (Li)} (the product is L∈Λ- {i performed _{on}) S i = S + f} 1 × i 1 + ··· + f d × i d modq ( _{However, f 1, ..., f d} (f d ≠ 0) is d pieces of original GF (q), Λ Holds secret information S _i satisfying an arbitrary (d + 1) set of N terminals) and secret information u _i = g ^ (T _i / S _i mod q) modp in secret. The office has secret information S and T
The secret information S _1, ..., S _N and T _1, ..., a T _N holds in secret, each terminal i and the base station, prime numbers p and prime factor q and the original g
(1) The base station arbitrarily generates an element k of GF (q) that is not zero, calculates the preparation information C1 = g ^k modp from ^k , and (2) identifies the number d of base stations terminal i _1, ..., secret information of _{i d S i1, ..., S} id and T _i1, ..., from T _id, eliminating information _{C2 i1 = k × S i1 +} T i1 modq, ···, C2 id = k × calculate the _{S id + T id modq, (} 3) the base station, eliminating information and preparation information C1 C2
_i1, ..., identified as C2 _id terminal number i _1, ..., a i _d broadcasts to all terminals, (4) the base station calculates a common key K = g ^ (k × S + T modq) modp, ( 5) Each terminal i (i ≠ i ₁ ,..., _Id ) has Λ _i =
As {i, i ₁ , ..., _id }, λ (i,… _i ) and λ (i ₁ , Λ _i ), ...,
seeking _{λ (i d, Λ i)} , λ (i 1, Λ i), ..., λ (i d, Λ i) and exclusion information C2 _i1, ..., synthesized index using the C2 _id W _i = C2 _{i1 × λ (i 1, Λ i} ) + ··· + C2 id × λ (i d,
Λ _i ) modq, C 1, W _i , λ (i, Λ _i ) and own secret information S _i
The shared key K is obtained by calculating {(C1 × u _i ) ^ (S _i × λ (i, _i ) modq)} × g ^Wi modp using u _i and u _i .

With this configuration, a specific terminal can be quickly eliminated with a small amount of computation and a small amount of communication.

[0015]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described below in detail with reference to FIGS.

(First Embodiment) In a first embodiment of the present invention, a base station masks exclusion information with a random number and broadcasts the same to a terminal. This is a low-operation exclusive key sharing method in which one terminal is excluded from five terminals by performing a power operation to obtain a common key.

FIG. 1 is a diagram showing a communication system in a setup phase of an operation-saving exclusive key agreement method according to the first embodiment of the present invention. In FIG. 1, base station 0
Is a wireless station that manages the terminal and broadcasts to the terminal. Terminals 1 to 5 are radio stations that communicate via a base station. The base station storage unit 6 is a memory for storing secret information of the base station. Terminal storage units 7 to 11
Is a memory for storing secret information of the terminal.

FIG. 2 is a diagram showing a communication system in a preparation phase of the operation-saving exclusive key sharing method according to the first embodiment of the present invention. FIG. 3 is a diagram illustrating a communication system in a key sharing phase of the operation-saving exclusive key sharing method according to the first embodiment of the present invention.

The operation of the operation-saving exclusive key sharing method according to the first embodiment of the present invention configured as described above will be described. First, the principle of the reduced-operation exclusive key sharing method will be described.

Assumption: The terminal i is S _i (the secret sharing value of the secret information S) and u _i (= g ^ (T _i / S _i mod q) modp: T _i is the secret information T
, And the base station receives all S _i , T _i, and S
And T. p is a prime number, and g is an element whose order in GF (p) is q. q is a prime factor of (p-1).

Base station: Generates a random number k, and prepares preparation information C 1 (=
g ^k mod p). Exclusion information C2 _j (= k
× S _j + T _j mod q) is calculated. C1 and C2 _j and j are broadcast. Group key K (= g ^ (k × S + T mod q) mod
Calculate p).

Terminal i: exponent W _i (= Σ _j C2 _j × L (j, i) m
odq: L is a Lagrange interpolation coefficient). The group key K is calculated by the following equation. That is, (C1 × u _i ) ^ (S _i × L (j, i)) × g ＾ W _i mod p = g ^ (k × S _i × L (j, i)) × g ^ (T _i × L (j, i)) × g ^ (k × Σ _j S _i × L (j, i)) × g ^ (Σ _j T _j × L (j, i)) mod p = g ^ (k × S + T mod q) mod p = K

As described above, the secret information is masked by the random number and distributed, and the concealed secret information is collected. Then, the power-residue operation is performed. Therefore, regardless of the number of excluded terminals, only the power-residue operation is performed twice. Can share keys.

Referring to FIG. 1, in a communication system capable of performing broadcast communication including base station 0 and five terminals 1 to 5 connected to base station 0, exclusive access to terminal 5 is excluded. The setup phase in the key agreement method will be described. The base station 0 generates system secret information S and T and keeps it secret. Any prime number p larger than S, T, or 5 terminals
Is generated and delivered to the terminal. One of the prime factors q of (p-1) is selected and distributed to the terminal. An element g having an order q in GF (p) is generated and distributed to the terminal. To generate the original f ₁ non-zero GF (q), to calculate the secret sharing value _{S i = S + f 1 ×} i 1 modq system secret information S, distributes S _i to the terminal i. A non-zero element of GF (q) is set to e _1, and a secret shared value T _i = T + e ₁ × i ¹ modq of the system secret T is calculated. The secret information u _i = g ＝ (T _i / S _i mod q) modp is calculated, and the u _i is delivered to the terminal i. The base station 0, possess all the S _i and T _i.

The preparation phase will be described with reference to FIG. The base station 0 generates a random number k and calculates preparation information C1 = g ^k modp. The base station 0 from the secret information S ₅ and T ₅ of the exclusion terminal 5, to calculate the elimination information _{C2 5 = k × S 5 +} T 5 modq. The base station obtains a shared key K = g ^ (k × S + T modq) modp.

The key sharing phase will be described with reference to FIG. The base station 0 broadcasts the exclusion terminal number 5 C1 and C2 ₅ to each terminal. Each terminal i (i ≠ 5) is, lambda _i = a {i, 5}, λ ( i, Λ i) = λ (i, {i, 5}) = 5 / (5-i) λ (5, Λ _i ) = λ (5, {i, 5}) = i / (i−5).

The node i, λ (5, Λ _i) and with exclusion information C2 _5, synthetic index _{W i = C2 5 × λ (} 5, Λ i) modq = (k × S 5 + T 5) × i / (I-5) modq is calculated.

The terminal i uses C 1, W _i , λ (i, と_i ) and its own secret information S _i and u _i to obtain ｛(C 1 × u _i ) ^ (S _i × λ (i, Λ _i ) mod q)｝ × g ^Wi mod
The shared key K is obtained by calculating p.

The proof that the shared key K can be obtained by this calculation is as follows. That is, {(C1 × u _i ) ^ (S _i × λ (i, Λ _i ) modq)} × g ^Wi modp = ｛(g ^k × g ^{Ti / Si} ) ^ {S _i × λ (i, Λ _i ) modq｝｝ × g ^ {(k × S ₅ + T ₅ ) × λ (5, Λ _i ) modq} modp = g ｛｛(k × S _i + T _i ) × λ (i, Λ _i ) + (k × S ₅ + T ₅ ) × λ (5, Λ _i ) modq｝ modp = g ^ {k (S _i × λ (i, Λ _i ) + S ₅ × λ (5, Λ _i )) + T _i × λ (i , Λ _i ) + T ₅ × λ (5, Λ _i ) modq} modp = g ^ {k × S + T modq} modp = K

As described above, according to the first embodiment of the present invention, the base station broadcasts the exclusion information with a random number to the terminal in the reduced operation exclusive key sharing method. By combining the exclusion information and performing exponentiation to obtain a common key, one of the five terminals is excluded, so that the communication amount of the exclusion information is reduced, and Can quickly distribute the common key to the terminal.

(Second Embodiment) In a second embodiment of the present invention, a base station masks a plurality of pieces of exclusion information with random numbers and broadcasts them to a terminal. And then performing a power operation to obtain a common key, thereby eliminating two terminals from among the five terminals.

FIG. 4 is a diagram showing a communication system in a setup phase of the operation-saving exclusive key agreement method according to the second embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 5 is a diagram showing a communication system in a preparation phase of an operation-saving exclusive key agreement method according to the second embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 6 is a diagram showing a communication system in the key sharing phase of the operation-saving exclusive key sharing method according to the second embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the second embodiment of the present invention configured as described above will be described. A description of the same parts as in the first embodiment will be omitted. First, referring to FIG. 4, an exclusive key sharing method for excluding terminals 4 and 5 in a communication system including five terminals 1 to 5 connected to base station 0 and capable of broadcasting. Will be described. GF
The elements f ₁ and f ₂ (f ₂ ≠ 0) of (q) are generated, and the secret sharing value S _i = S + f ₁ × i ¹ + f ₂ × i ² modq of the system secret information S is calculated. Distribute _i . The element e ₁ of GF (q),
e ₂ (e ₂ ≠ 0) is generated, and a secret shared value T _i = T + e ₁ × i ¹ + e ₂ × i ² modq of the system secret T is calculated. The secret information u _i = g ＝ (T _i / S _i mod q) modp is calculated, and the u _i is delivered to the terminal i. The base station 0, possess all the S _i and T _i.

The preparation phase will be described with reference to FIG. The base station 0 generates a random number k and calculates preparation information C1 = g ^k modp.

[0037] The base station, from the secret information S _4, S ₅ and T _4, T ₅ of the two specific terminals 4 and 5, eliminates information _{C2 4 = k × S 4 +} T 4 modq C2 5 = k × S 5 Calculate + T ₅ modq. The base station obtains a shared key K = g ^ (k × S + T modq) modp.

The key sharing phase will be described with reference to FIG. The base station 0, C1 and C2 ₄ and C2 ₅ and exclusion terminal number 4,
5 to each terminal. Each terminal i (i ≠ 4,5) _{is, Λ i = {i, 4,5} } _{as, λ (i, Λ i)} = λ (i, {i, 4,5}) = 4 / (4- i) × 5
/ (5-i) λ ( 4, Λ i) = λ (4, {i, 4,5}) = i / (i-4) × 5
/ (5-4) λ (5, Λ i) = λ (5, {i, 4,5}) = i / (i-5) × 4
/ (4-5).

The node i, λ (4, Λ _i) and λ (5, Λ _i) and with exclusion information C2 _4, C2 _5, synthetic index _{W i = C2 4 × λ (} 4, Λ i) + C2 ₅ × λ (5, Λ _i ) modq = (k × S ₅ + T ₅ ) × i / (i−4) × 5 / (5-4) +
_{(K × S 5 + T 5} ) × i / (i-5) × 4 / (4-5) modq calculated.

[0040] The terminal i, using the C1 and W _i and λ _(i, Λ i) its own secret information S _i and _{u i, {(C1 × u} i) ^ (S i × λ (i, Λ _i ) mod q)｝ × g ^Wi mod
The shared key K is obtained by calculating p.

By distributing the secret information by masking it with random numbers, the communication amount of the exclusion information becomes (bit length of q) × the number of exclusions. In the delivery method using the discrete logarithm problem, the communication amount of the exclusion information is (bit length of p) × the number of exclusion units.
Since the bit length of the prime factor q of (p−1) is a fraction of the bit length of p, the communication amount of the exclusion information is reduced to a fraction of that of the delivery method using the discrete logarithm problem. . For example, p
Is 1024 bits and the bit length of q is 160 bits, the communication amount of the exclusion information is 1024 bits × the number of exclusions from 160bi.
t x number of excluded units, which is reduced to about 1/8. Further, since it is possible to perform the power-residue calculation after the secret information is collected, the key can be shared only by two power-residue calculations regardless of the number of excluded terminals.

Further, since the secret information T _i increases each time the exclusion information increases, the random number k and the secret information T _i cannot be obtained even if a plurality of pieces of exclusion information are collected. Therefore, it is difficult for the exclusion terminal to obtain the common key K.

As described above, in the second embodiment of the present invention, the base station broadcasts the reduced operation exclusive key sharing method to the terminal by masking a plurality of pieces of exclusion information with random numbers, The terminal is configured to collect all exclusion information and then perform exponentiation operation to obtain a common key, thereby eliminating two terminals from among the five terminals. The common key can be obtained by exponentiation.

(Third Embodiment) In a third embodiment of the present invention, when three terminals can be eliminated, two terminals out of five terminals are assumed as dummy terminals. It is an operation-saving exclusive key agreement method that eliminates.

FIG. 7 is a diagram showing a communication system in a setup phase of the operation-saving exclusive key sharing method according to the third embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 8 is a diagram showing a communication system in a preparation phase of the operation-saving exclusive key agreement method according to the third embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 9 is a diagram showing a communication system in the key sharing phase of the operation-saving exclusive key sharing method according to the third embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the third embodiment of the present invention configured as described above will be described. The description of the same parts as in the first and second embodiments will be omitted. First, referring to FIG. 7, in a communication system including five terminals 1 to 5 connected to base station 0 and capable of performing broadcast communication, an exclusive key sharing method for excluding terminals 4 and 5 Will be described. Assume that the number of excluded terminals that can be eliminated by the base station is 3, and the number of terminals that are actually eliminated by the base station during key sharing is 2. Element f of GF (q)
₁ , f ₂ , f ₃ (f ₃ ≠ 0) is generated, and the secret sharing value S _i = S + f ₁ × i ¹ +... + F ₃ × i ³ modq of the system secret information S is calculated, and the terminal i ( to deliver the S _i to 2-5). GF
generates a source _{e 1, e 2, e 3} (e 3 ≠ 0) of the (q), to calculate the secret sharing value _{T i = T + e 1 ×} i 1 + ··· + e d3 i 3 modq the system secret T , And distributes T _i to terminals i (2 to 5). The secret information u _i = g _i (T _i / S _i mod q) modp is calculated, and u _i is delivered to the terminal i (2 to 5).

The preparation phase will be described with reference to FIG. The base station 0 generates a random number k and calculates preparation information C1 = g ^k modp. The base station calculates secret information S ₆ = S + f ₁ × 6 ¹ +... + F ₃ × 6 ³ modq of the dummy terminal 6 T ₆ = T + f ₁ × 6 ¹ +... + F ₃ × 6 ³ modq. The secret information S _4, S ₅ and T _4, T ₅ of the two specific terminals 4 and 5, from the secret information S ₆ and T _6, eliminates information _{C2 4 = k × S 4 +} T 4 modq, C2 5 = k × S ₅ + T ₅ modq, C ₂₆ = k × S ₆ + T ₆ modq are calculated. Further, a shared key K = g ^ (k × S + T modq) modp is obtained.

The key sharing phase will be described with reference to FIG. The base station 0 is broadcast and preparation information C1 and exclusion information C2 _4, C2 ₅ and C2 ₆ specific terminal number 4, 5 and 6 in all terminals.

Each terminal i (i ≠ 4,5) has Λ _i = {i, 4,5,
As 6}, λ (i, Λ i), λ (4, Λ i), λ (5, Λ i), λ (6,
Λ _i ), and λ (4, Λ _i ), λ (5, Λ _i ) and λ (6, Λ
_i), and exclusion information C2 _4, C2 ₅ and C2 ₆ using a synthetic index _{W i = C2 4 × λ (} 4, Λ i) + C2 5 × λ (5, Λ i) + C2 6 × λ
(6, Λ _i ) modq, C 1, W _i , λ (i, Λ _i ) and own secret information S _i
And u _i , {(C 1 × u _i ) ^ (S _i × λ (i, Λ _i ) mod q)} × g ^Wi mod
The shared key K is obtained by calculating p.

As described above, in the third embodiment of the present invention, the operation-saving exclusive key sharing method is applied to a case where three terminals can be excluded and five terminals are assumed assuming dummy terminals. Since the configuration is such that two terminals are excluded from the above, any three terminals can be eliminated.

(Fourth Embodiment) In a fourth embodiment of the present invention, a base station prepares a plurality of sets of shared secret information and sets two terminals out of five terminals. Is an operation-saving exclusive key agreement method that eliminates

FIG. 10 is a diagram showing a communication system in the setup phase of the operation-saving exclusive key sharing method according to the fourth embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 11 is a diagram showing a communication system in a preparation phase of the operation-saving exclusive key agreement method according to the fourth embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 12 is a diagram showing a communication system in a key sharing phase of the operation-saving exclusive key sharing method according to the fourth embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the fourth embodiment of the present invention configured as described above will be described. The description of the same parts as those in the first to third embodiments will be omitted. First, referring to FIG. 10, in a communication system including five terminals 1 to 5 connected to base station 0 and capable of performing broadcast communication, an exclusive key sharing method for excluding terminals 4 and 5 Will be described.
The number of excluded terminals that can be eliminated by the base station is assumed to be two or three, and the number of terminals that are actually eliminated by the base station during key sharing is assumed to be two. GF (q)
Of generating the original _{f 1, f 2, f 3} (f 2, f 3 ≠ 0), the system secret information Sa, secret sharing value of _{Sb Sa i = Sa + f 1} × i 1 + f 2 × i 2 modq Sb i = the ^{_{Sb + f 1 × i 1 +}} ··· + f 3 × i 3 modq is calculated to deliver Sa _i, sb _i to the terminal i (2 to 5).
Generate elements e ₁ , e ₂ , e ₃ (e ₂ , e ₃ ≠ 0) of GF (q), and secret sharing values Ta _i = Ta + e ₁ × i ¹ + e ₂ i ² modq of system secret information Ta, Tb. the _{Tb i = Tb + e 1 ×} i 1 + ··· + e 3 i 3 modq is calculated to deliver Ta _i, Tb _i to the terminal i (2 to 5).
Secret information _{ua i = g ^ (Ta i} / Sa i mod q) modp ub i = g ^ (Tb i / Sb i mod q) modp the calculation, ua _i to the terminal i (2~5), the ub _i To deliver.

The preparation phase will be described with reference to FIG. The base station 0 generates a random number k and calculates preparation information C1 = g ^k modp. The base station, from the secret information of the two specific terminals 4, 5 Sa _4, Sa ₅ and Ta _4, Ta _5, eliminating information _{C2 4 = k × Sa 4 +} Ta 4 modq C2 5 = k × Sa 5 + Ta 5 modq , Is calculated. The shared key K = g ^ (k × Sa + Ta modq) modp is obtained.

The key sharing phase will be described with reference to FIG. The base station 0 is broadcast and exclusion preparation information C1 information C2 _4, C2 ₅ and a specific terminal number 4, 5 all terminals.

Each terminal i (i ≠ 4,5) has Λ _i = {i, 4,5}
_{As, λ (i, Λ i)} , λ (4, Λ i), obtains a _{λ (5, Λ i),} λ
_{(4, Λ i), λ} (5, Λ i) and exclusion information C2 _4, C2 ₅ using a synthetic index _{W i = C2 4 × λ (} 4, Λ i) + C2 5 × λ (5, Λ i) modq, C1, W _i , λ (i, Λ _i ) and its own secret information Sa _i
And using _{ua i, {(C1 × ua} i) ^ (Sa i × λ (i, Λ i) modq)} × g Wi m
The shared key K is obtained by calculating odp.

As described above, according to the fourth embodiment of the present invention, the base station prepares a plurality of sets of distributed secret information by using Of these, two terminals are excluded, so that an arbitrary number of terminals can be excluded within the prepared range.

(Fifth Embodiment) In a fifth embodiment of the present invention, a signature of the base station is added to the preparation information, and the base station removes one terminal from the five terminals. This is an operation-saving exclusive key agreement method.

FIG. 13 is a diagram showing a communication system in the setup phase of the operation-saving exclusive key agreement method according to the fifth embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 14 is a diagram showing a communication system in a preparation phase of an operation-saving exclusive key sharing method according to the fifth embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 15 is a diagram showing a communication system in the key sharing phase of the operation-saving exclusive key sharing method according to the fifth embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the fifth embodiment of the present invention configured as described above will be described. The description of the same parts as those in the first to fourth embodiments will be omitted. First, referring to FIG. 13, in a communication system capable of performing broadcast communication including five terminals 1 to 5 connected to base station 0, setup in exclusive key sharing method when terminal 5 is excluded The phases will be described. The hash function hash () and the base station public key y (= g ^x modp) are delivered to each terminal.

The preparation phase will be described with reference to FIG. A hash function using a hash (), obtaining the elimination information C2 ₅ hash value obtained by compressing the particular terminal number _{5 H = hash (C2 5,} 5). The signature Z = H × (−x) + k modq is calculated using the base station secret key x.

The key sharing phase will be described with reference to FIG. The base station, the particular terminal number 5 and exclusion information C2 ₅ and signature Z is broadcast to all terminals. Each terminal i (i ≠ 5) has a hash
() The hash value H 'H' obtained by compressing the particular terminal number 5 and exclusion information C2 ₅ with = Request hash (C2 _5, 5).

Each terminal i has_i= {I, 5}, λ (i,
Λ_i) And λ (5, Λ_i) And λ (5, Λ _i) And exclusion information C2_FiveTo
Using composite index W_i= C2_Five× λ (5, Λ_i) Calculate modq.

Each terminal i uses the base station public key y, the hash value H ′, the composite exponent W _i , λ (i, Λ _i ), the signature Z, and its own secret information S _i and u _i to obtain {g ^ (Z × S _i × λ (i, Λ _i ) + W _i modq)} × {y ^ (H ′ ×
S _i × λ (i, Λ _i ) modq)} × {u _i ^ (S _i × λ (i, Λ _i ) mod
q)} modp. Signed by the private key x, and if the signature Z and exclusion information C2 ₅ specific terminal number 5 has not been tampered with,
H ′ = H, g ^z × y ^H ′ modp = gｇ (H × (−x) + k) × gｇ (xx × H ′) modp = g ^ (xx × (H′−H) + k) modp = G ^k modp.

As described above, in the fifth embodiment of the present invention, the operation-saving exclusive key sharing method is performed by adding the base station signature to the preparation information, , One terminal can be excluded from the terminal, so that the terminal can confirm the source base station of the exclusion information.

(Sixth Embodiment) A sixth embodiment of the present invention is based on the Cramer-Shoup encryption, and the base station eliminates one terminal out of five terminals by a reduced operation. It is a type exclusive key agreement method.

FIG. 16 is a diagram showing a communication system in the setup phase of the operation-saving exclusive key agreement method according to the sixth embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 17 is a diagram showing a communication system in a preparation phase of the operation-saving exclusive key agreement method according to the sixth embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 18 is a diagram showing a communication system in the key sharing phase of the operation-saving exclusive key sharing method according to the sixth embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the sixth embodiment of the present invention configured as described above will be described. The description of the same parts as those in the first to fifth embodiments will be omitted. First, referring to FIG. 16, in a communication system including five terminals 1 to 5 connected to base station 0 and capable of performing broadcast communication, setup in exclusive key sharing method when terminal 5 is excluded The phases will be described.

The secret information is defined as α1, α2, β1, β2, S, T, T1, T
Assume 2. Let α1, α2, β1, β2, S, T, T1, T2 and a prime number larger than 5 be p, and let a prime factor of (p−1) be q.
Elements of GF (p) are g1 and g2. Assume that the number of excluded terminals is one.

T = {λ (i, Λ) × T _i (the sum is performed for i∈Λ) (where T _i = T + e ₁ × i ¹ modq) T1 = Σλ (i, Λ) × T1 _i (the sum is performed for i∈Λ) _{(however, T1 i = T1 + e 1} × i 1 modq) T2 = Σλ (i, Λ) × T2 i ( sum performed for i∈Λ) (provided _{that, T2 i = T2 + e 1} × i 1 modq) λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}) (where f ₁ and e ₁ are elements of two GF (q) , F ₁ , e
₁ {0, Λ is a set consisting of any two of five terminals), T _i , T 1 _i , and T 2 _i, and each terminal i (1 to
5), α1 = Σλ (i, Λ ) × α1 i ( sum performed for I∈ramuda) _{(however, α1 i = α1 + f 1} × i 1 modq) α2 = Σλ (i, Λ) × α2 i ( sum is performed for i∈Λ) _{(however, α2 i = α2 + f 1} × i 1 modq) β1 = Σλ (i, Λ) × β1 i ( sum performed for i∈Λ) _{(However, β1 i = β1 + f 1} × i ¹ modq) β2 = {λ (i, Λ) × β2 _i (the sum is performed for i∈Λ) (however, β2 _i = β2 + f ₁ × i ¹ modq) S = {λ (i, Λ) × S _i (the sum is i∈Λ) (where S _i = S + f ₁ × i ¹ modq), secret information α1 _i , α2 _i , β1 _i , β2 _i , S _i and secret information r1 _i = g1 ^T1i modp r2 _i = g2 ^T2i modp u _i = g1 ^{Si / Ti} modp is kept secret.

The base station transmits the secret information α1, α2, β1, β2, S,
T, T1, T2 and _{α1 1, ..., α1 5,} α2 1, ..., α2 5, β1 i, ...,
_{β1 5, β2 1, ...,} β2 5, S 1, ..., S 5, T 1, ..., T 5, T1 1, ..., T
_{1 5,} T2 1, ..., it holds the T2 _5. The base station and the terminal can use the prime number p, the prime factor q, the elements g1 and g2, and the hash function hash ().

The preparation phase will be described with reference to FIG. The base station arbitrarily generate the original k of GF (q) is not zero, calculating the preparatory information ^{_{C1 1 = g1 k modp, C1}} 2 = g2 k modp. The exclusion information C2 ₅ = k × S ₅ + T ₅ modq is calculated from the secret information S ₅ and T _{5 of} one specific terminal 5. Verification information v = (g1 ^ ((α1 + β1 × c) k + T1 modq)) × (g2 ^ ((α
2 + β2 × c) k + T2 modq)) modp (c = hash (C1 1, C1 2) modq) v1 5 = (α1 5 + β1 5 × c) k + T1 5 modq v2 5 = (α2 5 + β2 5 × c) k + T2 5 modq Is calculated. The shared key K = (g1 ^ (k × S + T modq)) modp is obtained.

The key sharing phase will be described with reference to FIG. Verification information v, v1 _5, v2 ₅ and exclusion information C2 ₅ and preparation information C1 _1, C1 ₂ specific terminal number 5 broadcasts to all terminals.

[0082] As each terminal i (i ≠ 5) _{is, Λ i = {i, 5} }, λ (i, Λ i), obtains a _{λ (5, Λ i),} λ (5, Λ i) and Verification information v1 _5, v2 ₅ a verification exponent _{U1 i = v1 5 × λ (} 5, Λ i) using _{modq, U2 i = v2 5 ×} λ (5, Λ) obtaining a mod q. λ _(i, Λ i) the verification exponent U1 _i and U2 _i and its own secret information _{r1 i, r2 i, α1 i} , α2 i, β1 i, the verification equation using _{β2 i (C1 1 ^ ((} α1i + β1i × c) λ (i, Λ _i ) modq)) × (r1
^{λ (i, Λ i))} × (C1 2 ^ ((α2 i + β2 i × c) λ (i, Λ i) mod
^{q)) × (r2λ (i} , Λ i)) × (g1 U1i) × (g2 U2i) modp = v (c = hash (C1 1, C1 2) modq) is calculated, and if not hold the key sharing Abort.

If the above holds, each terminal i has λ (5, Λ _i )
Synthetic index using the exclusion information C2 ₅ and _{W i = C2 5 × λ (} 5, Λ i) calculating a mod q. C1 using ₁ and W _i and λ _(i, Λ i) its own secret information S _i and _{u i, {(C1 1 ×} u i) ^ (S i × λ (i, Λ i) modq)} × g1 ^Wi m
The shared key K is obtained by calculating odp.

As described above, in the sixth embodiment of the present invention, the base station uses one of the five terminals based on the Cramer-Shoup encryption based on the operation-saving exclusive key sharing method. , The security of common key distribution can be improved.

(Seventh Embodiment) In a seventh embodiment of the present invention, the base station eliminates two terminals from among the five terminals and sends a cipher text with a new common key. It is an operation-saving exclusive key agreement method.

FIG. 19 is a diagram showing a communication system in the setup phase of the operation-saving exclusive key agreement method according to the seventh embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 20 is a diagram showing a communication system in a preparation phase of the operation-saving exclusive key agreement method according to the seventh embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 21 is a diagram showing a communication system in the key sharing phase of the operation-saving exclusive key sharing method according to the seventh embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the seventh embodiment of the present invention configured as described above will be described. The description of the same parts as those in the first to sixth embodiments will be omitted. The setup phase in FIG. 19 is the same as in the first embodiment.

The preparation phase will be described with reference to FIG. The base station creates a ciphertext C = m × K modp obtained by encrypting the plaintext m using the shared key K.

The key sharing phase will be described with reference to FIG. The ciphertext C is broadcast together with the preparation information, the exclusion information, and the specific terminal number. The terminal calculates m = C / K modp using the calculated shared key K, and decrypts the ciphertext C to obtain a plaintext m.

The encryption may be performed by C = m EOR K (EOR is an exclusive OR for each bit), and the decryption may be performed by m = C EOR K.

When the signature and the verification information are used, the verification information and the cipher text C together with the signature, the exclusion information and the specific terminal number are used.
To broadcast.

As described above, in the seventh embodiment of the present invention, the base station eliminates two terminals out of five terminals and uses a new operation-saving exclusive key agreement method. Since the cipher text is sent using the common key, the cipher text can be sent to a new group quickly.

(Eighth Embodiment) In an eighth embodiment of the present invention, when the same terminal is continuously excluded, the same terminal is encrypted by using the previous group key and distributed, and the same terminal is transmitted. It is an operation-saving exclusive key agreement method that eliminates.

FIG. 22 is a diagram showing a communication system in the setup phase of the operation-saving exclusive key agreement method according to the eighth embodiment of the present invention. The basic configuration is the same as in FIG. 1 of the first embodiment.

FIG. 23 is a diagram showing a communication system in a preparation phase of the operation-saving exclusive key sharing method according to the eighth embodiment of the present invention. The basic configuration is the same as FIG. 2 of the first embodiment.

FIG. 24 is a diagram showing a communication system in the key sharing phase of the operation-saving exclusive key sharing method according to the eighth embodiment of the present invention. The basic configuration is the same as FIG. 3 of the first embodiment.

The operation of the operation-saving exclusive key sharing method according to the eighth embodiment of the present invention configured as described above will be described. The description of the same parts as those in the first to seventh embodiments will be omitted. When the continuously eliminating the same terminal is a C2 ₅ need to broadcast encrypted by a group key previously shared. If broadcast is performed without encryption, the exclusion terminal may be required to obtain information such as _Ti from its own secret information, previous exclusion information, and new exclusion information.

The setup phase of FIG. 22 is the same as that of the first embodiment. Except for the terminal 5, it has the previous group key K.

The preparation phase will be described with reference to FIG. The base station, the exclusion information C2 _5, is encrypted using the shared key K. In other words, the C = C2 ₅ × K modp.

The key sharing phase will be described with reference to FIG. With preparation information with a particular terminal number, it broadcasts a C encrypted using the shared key K to eliminate information C2 _5. Terminal using a shared key K, to calculate the C2 ₅ = C / K modp, obtain exclusion information C2 _5. Seek the shared key K 'from the exclusion information C2 _5.

[0103] When using a signature, the base station encrypts the elimination information and the verification information v1 _5, v2 ₅ specific terminal using the common key K of the previous with signature and the particular terminal number and verification information v in all terminals Broadcast. The terminal obtains a new shared key K ′ based on the information decrypted using the shared key K.

In the case where a new shared key K ′ is obtained by excluding a plurality of specific terminals including the same specific terminal after obtaining a shared key K after excluding a certain specific terminal, the following is performed. The base station and the terminal obtain the common key K1 by excluding a plurality of specific terminals except for the same specific terminal by any one of the key sharing methods of the above embodiments. The base station and the terminal
A new shared key K′K ′ = K EOR K1 (where EOR represents an exclusive OR for each bit) is obtained from K and K1. Alternatively, K ′ is obtained by the four arithmetic operations in the mod p of K and K1.

As described above, in the eighth embodiment of the present invention, when the same terminal is successively excluded by using the operation-saving exclusive key sharing method, the exclusion information is encrypted with the previous group key. , And the same terminal is excluded, so that exclusion information can be sent safely.

In the above embodiment, the method of performing multiplication on the prime field GF (p) has been described. However, the multiplication operation is made to correspond to the addition operation on a curve such as an elliptic curve on an arbitrary finite field. Thus, high-speed operation can be performed.

In addition, instead of the prime number p, the exponent o of the prime number o
and ^m, it is also possible to perform the calculation in GF expansion of (o) GF (o ^m) in place of the residue operation modulo prime o.

[0108]

As is apparent from the above description, according to the present invention, communication capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station. The secret key sharing method of the system is as follows.
, P and a prime factor larger than T and N, q is a prime factor of (p−1), g is an element whose order in GF (p) is q, and d is a specific terminal number (1 ≦ d <N −1), T = {λ (i, Λ) × T _i (sum is performed for i∈Λ) λ (i, Λ) = Π {L / (Li)} (product is L∈Λ− { i} performed _{on) T i = T + e 1} × i 1 + ··· + e d × i d modq ( _{However, e 1, ..., e d} (e d ≠ 0) is d pieces of original GF (q), Λ is the secret information that satisfies T _i that satisfies an arbitrary (d + 1) set of N terminals, and each terminal i (1 ≦ i ≦
N) is S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) λ (i, Λ) = Π {L / (Li)} (the product is L∈Λ- {i performed _{on}) S i = S + f} 1 × i 1 + ··· + f d × i d modq ( _{However, f 1, ..., f d} (f d ≠ 0) is d pieces of original GF (q), Λ Holds secret information S _i satisfying an arbitrary (d + 1) set of N terminals) and secret information u _i = g ^ (T _i / S _i mod q) modp in secret. The office has secret information S and T
The secret information S _1, ..., S _N and T _1, ..., a T _N holds in secret, each terminal i and the base station, prime numbers p and prime factor q and the original g
(1) The base station arbitrarily generates an element k of a non-zero GF (q), calculates preparation information C1 = g ^k modp from ^k , and (2) the base station identifies d units. Terminal i ₁ ,…, _id
Of secret information S _i1, ..., S _id and T _i1, ..., from T _id, eliminating information _{C2 i1 = k × S i1 +} T i1 modq, ···, the _{C2 id = k × S id +} T id modq calculated (3) The base station performs the preparation information C1 and the exclusion information C2 _i1,.
id with a particular terminal number i _1, ..., a i _d broadcasts to all terminals, (4) the base station calculates a common key K = g ^ (k × S + T modq) modp, (5) each terminal i (i ≠ i ₁ , ..., _id ) is Λ _i = {i, i ₁ , ...,
i _d }, λ (i, Λ _i ) and λ (i ₁ , Λ _i ), ..., λ ( _id , Λ _i )
Λ (i ₁ , Λ _i ),..., Λ ( _id , Λ _i ) and the exclusion information C2 _i1 ,
..., synthetic index W by using the _{C2 id i = C2 i1 × λ} (i 1, Λ i) + ··· + C2 id × λ (i d,
Λ _i ) modq, C 1, W _i , λ (i, Λ _i ) and own secret information S _i
Since the shared key K is obtained by calculating {(C1 × u _i ) ^ (S _i × λ (i, Λ _i ) modq)} × g ^Wi modp using u and u _i , An effect is obtained that a specific terminal can be eliminated at high speed with a small amount of computation and a small amount of communication.

[Brief description of the drawings]

FIG. 1 is a diagram showing a setup of an exclusive key agreement method in a first embodiment of the present invention;

FIG. 2 is a diagram showing a preparation phase of an exclusive key sharing method according to the first embodiment of the present invention;

FIG. 3 is a diagram showing a key sharing phase of an exclusive key sharing method according to the first embodiment of the present invention;

FIG. 4 is a diagram showing a setup of an exclusive key agreement method in the second embodiment of the present invention;

FIG. 5 is a diagram showing a preparation phase of an exclusive key sharing method according to the second embodiment of the present invention;

FIG. 6 is a diagram showing a key sharing phase of an exclusive key sharing method according to the second embodiment of the present invention;

FIG. 7 is a diagram showing a setup of an exclusive key agreement method according to the third embodiment of the present invention;

FIG. 8 is a diagram showing a preparation phase of an exclusive key agreement method according to the third embodiment of the present invention;

FIG. 9 is a diagram showing a key sharing phase of an exclusive key sharing method according to the third embodiment of the present invention;

FIG. 10 is a diagram showing a setup of an exclusive key agreement method in the fourth embodiment of the present invention;

FIG. 11 is a diagram showing a preparation phase of an exclusive key sharing method according to the fourth embodiment of the present invention;

FIG. 12 is a diagram showing a key sharing phase of an exclusive key sharing method according to the fourth embodiment of the present invention;

FIG. 13 is a diagram showing a setup of an exclusive key agreement method in the fifth embodiment of the present invention;

FIG. 14 is a diagram showing a preparation phase of an exclusive key sharing method according to the fifth embodiment of the present invention;

FIG. 15 is a diagram showing a key sharing phase of an exclusive key sharing method according to the fifth embodiment of the present invention;

FIG. 16 is a diagram showing a setup of an exclusive key agreement method in the sixth embodiment of the present invention;

FIG. 17 is a diagram showing a preparation phase of an exclusive key sharing method according to the sixth embodiment of the present invention;

FIG. 18 is a diagram showing a key sharing phase of an exclusive key sharing method according to the sixth embodiment of the present invention;

FIG. 19 is a diagram showing a setup of an exclusive key agreement method in the seventh embodiment of the present invention;

FIG. 20 is a diagram showing a preparation phase of an exclusive key agreement method in the seventh embodiment of the present invention;

FIG. 21 is a diagram showing a key sharing phase of an exclusive key sharing method according to the seventh embodiment of the present invention;

FIG. 22 is a diagram showing a setup of an exclusive key agreement method in the eighth embodiment of the present invention;

FIG. 23 is a diagram showing a preparation phase of an exclusive key agreement method in the eighth embodiment of the present invention;

FIG. 24 is a diagram showing a key sharing phase of an exclusive key sharing method according to the eighth embodiment of the present invention;

FIG. 25 is a diagram showing a setup of a conventional exclusive key agreement method;

FIG. 26 is a diagram showing a preparation phase of a conventional exclusive key sharing method,

FIG. 27 is a diagram showing a key sharing phase of a conventional exclusive key sharing method.

[Explanation of symbols]

 0 base station 1-5 terminal 6 base station storage unit 7-11 terminal storage unit

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Natsume Matsuzaki 3-20 Shin-Yokohama, Kohoku-ku, Yokohama City, Kanagawa Prefecture 8 Within Advanced Mobile Communication Security Technology Research Institute, Inc. (72) Inventor Tsutomu Matsumoto Kakikindai, Aoba-ku, Yokohama-shi, Kanagawa Prefecture 13-45 F term (reference) 5J104 AA16 AA22 EA04 EA26 EA28 JA03 NA02 PA01 5K067 AA34 CC14 DD17 EE02 EE10 HH36

Claims (10)

[Claims] In an exclusive key sharing method of a communication system capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station, secret information is transmitted. S and T, p is a prime number larger than S, T and N, q is a prime factor of (p-1), g is an element whose order in GF (p) is q, and the number of specific terminals To d (1 ≦ d
<N−1), and T = {λ (i, Λ) × T _i (the sum is performed for i）) λ (i, Λ) = Π {L / (L−i)} (the product is L∈Λ - {i} performed _{for) T i = T + e 1} × i 1 + ··· + e d × i d modq ( _{However, e 1, ..., e d} (e d ≠ 0) is d pieces of GF of (q) Originally, Λ is a secret that satisfies T _i that satisfies an arbitrary (d + 1) set of the N terminals, and each terminal i (1 ≦
i ≦ N) is given by: S = {λ (i, Λ) × S _i (sum is performed for i∈Λ) λ (i, Λ) = Π {L / (L−i)} (product is L は − {i} performed _{for) S i = S + f 1} × i 1 + ··· + f d × i d modq ( _{However, f 1, ..., f d} (f d ≠ 0) source of d pieces of GF (q) , Λ are secret information S _i satisfying an arbitrary (d + 1) set of N terminals) and secret information u _i = g ^ (T _i / S _i mod q) modp are secretly held. And the base station communicates with the secret information S
, T and the secret information S ₁ ,..., _SN and T ₁ ,..., T _N are secretly held, and each terminal i and the base station communicate with the prime number p, the prime factor q, the element g Can be used, (1)
The base station arbitrarily generates an element k of GF (q) that is not zero and calculates preparation information C1 = g ^k modp from the ^k . (2) The base station generates d specific terminals i ₁ ,
..., the secret information S _i1 of i _d, ..., S _id and T _i1, ..., T _id
From exclusion information _{C2 i1 = k × S i1 +} T i1 modq, ···, C2 id = k × S id + T id modq is calculated and (3) the base station eliminates said preparation information C1 Information C2 _i1 , ..., C2 _id with a particular terminal number i _1, ..., a i _d broadcasts to all terminals, (4) the base station calculates a common key K = g ^ (k × S + T modq) modp, ( 5) wherein each terminal _{i (i ≠ i 1, ...} , i d) is, lambda _i
= {I, i ₁ , ..., _id }, λ (i, Λ _i ) and λ (i ₁ , Λ _i ),
_{..., λ (i d, Λ} i) seek, the _{λ (i 1, Λ i)} , ..., λ (i d, Λ
_i) and the exclusion information C2 _i1, ..., synthetic index W with _{C2 id i = C2 i1 × λ} (i 1, Λ i) + ··· + C2 id × λ (i d,
Λ _i ) modq, and using the C 1, the W _i , the λ (i, _i ) and its own secret information S _i and u _i , ((C 1 × u _i ) ^ (S _i × λ (i, Λ _i ) modq)} × g ^Wi modp, thereby obtaining a shared key K. 2. An exclusive key sharing method for a communication system capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station. S and T, p is a prime number larger than S, T and N, q is a prime factor of (p-1), g is an element whose order in GF (p) is q, and g is the base station. Is defined as d (1 ≦ d <N−1), and the number D of terminals actually specified by the base station at the time of key sharing (hereinafter referred to as the actual number of specific terminals) D is calculated from the number d of specific terminals. T = {λ (i, Λ) × T _i (sum is performed for i∈Λ) λ (i, Λ) = Π {L / (L−i)} (product is L∈Λ - {i} performed _{for) T i = T + e 1} × i 1 + ··· + e d × i d modq ( _{However, e 1, ..., e d} (e d ≠ 0) is d pieces of GF of (q) Original, Λ is the end of the N units Any (d + 1) and T _i is the secret information satisfying comprising aggregate) from base, each terminal i (1 ≦ a
i ≦ N) is given by: S = {λ (i, Λ) × S _i (sum is performed for i∈Λ) λ (i, Λ) = Π {L / (L−i)} (product is L は − {i} performed _{for) S i = S + f 1} × i 1 + ··· + f d × i d modq ( _{However, f 1, ..., f d} (f d ≠ 0) source of d pieces of GF (q) , Λ are secret information S _i satisfying an arbitrary (d + 1) set of N terminals) and secret information u _i = g ^ (T _i / S _i mod q) modp are secretly held. And the base station: S _{N + 1} = S + f ₁ × (N + 1) ¹ +... + F _d × (N + 1) ^d
_{modq, ···, S N + d} -1 = S + f 1 × (N + d-1) 1 + ··· + f d × (N
+ D-1) ^d modq and T _{N + 1} = T + f ₁ × (N + 1) ¹ + ... + f _d × (N + 1) ^d
modq,..., T _{N + d-1} = T + f ₁ × (N + d−1) ¹ +... + f _d × (N
+ D−1) secret information S _{N + 1} ,..., S obtained by calculating ^d modq
_{N + d-1} and _{T N + 1, ..., T} N + d-1 and the secret S and T and the secret information S _1, ..., S _N and T _1, ..., to hold the T _N secret The terminal i and the base station can use the prime p, the prime factor q, and the element g, and (1) the base station arbitrarily generates an element k of a non-zero GF (q), The base station calculates the preparation information C1 = g ^k modp from the ^k , and (2) the base station calculates the D specific terminals i
_1, ..., i secret information S _i1 of _D, ..., S _iD and T _i1, ..., T
_iD and the secret information S _{N + 1} , ..., S _{N + d-1} and T _{N + 1} , ...,
T N _{+ d-1} of the internal any of v (= d-D) pieces of secret information S _b1, ...,
From S _bv and T _b1 ,..., T _bv , exclusion information C2 _i1 = k × S _i1 + T _i1 modq,..., C2 _iD = k × S _iD + T _iD mod q, C2 _b1 = k × S _b1 + T _b1 modq ,..., C2 _bv = k × S _bv + T _bv modq, and (3) the base station calculates the preparation information C1 and the exclusion information C2 _i1 ,..., C2 _iD and C2 _{b1 ,.} The specific terminal numbers i ₁ ,..., _Id and b ₁ ,..., B _v are broadcast to all terminals. (4) The base station obtains a shared key K = g ＝ (k × S + T modq) modp. , (5) each terminal i (i ≠ i ₁ ,..., I _D , b ₁ ,.
b _{v) is, Λ i = {i, i} 1, ..., i D, b 1, ..., b v} as, lambda
(i, Λ _i ), λ (i ₁ , Λ _i ),…, λ (i _D , Λ _i ), λ (b ₁ , Λ _i ),
_{..., λ (b v, Λ} i) seeking, the _{λ (i 1, Λ i)} , ..., λ (i D,
Lambda _i) and _{λ (b 1, Λ i)} , ..., λ (b v, Λ i) and the exclusion information C2 _i1, ..., C2 _iD and C2 _b1, ..., synthesized index using the C2 _bv W _i = C2 _i1 × λ (i ₁ , Λ _i ) +... + C2 _iD × λ (i _D ,
Λ _i ) + C2 _b1 × λ (b ₁ , Λ _i ) +... + C2 _bv × λ (b _v , Λ
The _i) mod q calculated, the said C1 W _i and the λ _(i, Λ i) its own by using the secret information S _i and _{u i, {(C1 × u} i) ^ (S i × λ ( 2. The exclusive key sharing method according to claim 1, wherein the shared key K is obtained by calculating i, Λ _i ) modq)} × g ^Wi modp. 3. The base station can use 2 × θ sets of secret information obtained by dividing the secret information S and T into arbitrary integer θ specific terminal numbers d ₁ ,..., Dθ, respectively. The terminal holds 2 × θ pieces of secret information corresponding to its own terminal number from each set, and when performing the exclusive key sharing method, the base station and the terminal i are The specific terminal number d _w equal to the actual specific terminal number D (1 ≦ w ≦ θ)
Wherein d ₁ a, ..., selected from d [theta], the base station broadcasts a specific terminal number and the exclusion information and the preparation information using two sets of the secret information corresponding to a specific number of terminals d _w selected Communicates and seeks a shared key K with the terminal, while said terminal i receives d _w
Key K with the base station using the two secret information corresponding to
2. The exclusive key sharing method according to claim 1, wherein 4. A base station and N units connected to the base station
(N is an integer of 2 or more)
In an exclusive key agreement method of a communication system, secret information is
And T, primes greater than S and T and N
Is p, and the prime factor of (p-1) is q, and GF (p)
Let g be the element whose order is q, and let d (1 ≦ d <
N-1) and T = {λ (i, Λ) × T_i(The sum is performed for i∈Λ) λ (i, −) =) {L / (L−i)} (product is L∈Λ− {i}
T)_i= T + e₁× i¹+ ... + e_d× i^d modq (however, e₁,…, E_d(e_d(≠ 0) is d GF (q)
Originally, Λ consists of arbitrary (d + 1) units of the N terminals
Set)_iIs secret information, and each terminal i (1 ≦
i ≦ N), S = Σλ (i, Λ) × S_i(The sum is performed for i∈Λ) λ (i, −) =) {L / (L−i)} (product is L∈Λ− {i}
S_i= S + f₁× i¹+ ... + f_d× i^d modq (however, f₁,…, F_d(f_d(≠ 0) is d GF (q)
Originally, Λ consists of arbitrary (d + 1) units of the N terminals
Set) secret information S_iAnd secret information u_i= G ^ (T_i/ S_i mod q) modp is kept secret and the base station has its own secret key x
(X is a non-zero element of GF (q)) and the secret information S and
T and the secret information S₁,…, S_NAnd T₁,…, T_NSecret
Holding each terminal i and the base station with the prime number
p, the prime factor q, the element g, a hash function hash (),
Base station public key y = g^x modp, and (1) the base station has a nonzero GF (q)
Arbitrarily generates element k, and d specific terminals i₁,…, I_dThe above
Secret information S_i1,…, S_idAnd T_i1,…, T_idFrom the exclusion
Report C2_i1= K × S_i1+ T_i1 modq, ..., C2_id= K × S_id+ T_id modq, and (2) the base station uses the hash ()
The exclusion information C2_i1,…, C2_idAnd specific terminal number i₁,…, I_d
H = hash (C2_i1,…, C2_id, i₁,…, I_d(3) the base station uses its own secret key x
The signature Z = H × (−x) + k modq is calculated, and the signature Z and the exclusion information C2 are calculated._i1,…, C2_idAnd specific
Terminal number i₁,…, I_dTo all terminals, and (4)
The base station obtains a shared key K = g ^ (k × S + T modq) modp, and (5) the terminal i (i ≠ i₁,…, I_d)
Using the hash (), the exclusion information C2 _i1,…, C2_idAnd specific end
End number i₁,…, I_dH '= hash (C2_i1,…, C2_id, i₁,…, I_d)), And (6) each terminal i is represented by Λ_i= {I, i₁,…, I_d}
Λ (i, Λ_i) And λ (i₁, Λ_i),…, Λ (i_d, Λ_i)
Λ (i₁, Λ_i),…, Λ (i_d, Λ_i) And the exclusion
Report C2_i1,…, C2_idThe composite index W using_i= C2_i1× λ (i₁, Λ_i) + ... + C2_id× λ (i_d,
Λ_i) calculate modq, and (7) each terminal i receives the base station public key y
, The hash value H ′ and the composite index W_iAnd λ (i, Λ
_i), The signature Z and its own secret information S_iAnd u_iUsing
And {g ^ (Z × S_i× λ (i, Λ_i) + W_i modq)} × {y ^ (H ′ ×
S_i× λ (i, Λ_i) modq)} × {u_i^ (S_i× λ (i, Λ_i) mod
q)} modp (signed by secret key x, and signature Z and exclusion information C2
_i1,…, C2_idAnd specific terminal number i₁,…, I_dHas been tampered with
If not (that is, H '= H), g^Z× y^H'= G^k modp and
Become. ) To find the shared key K
The exclusion according to any one of claims 1, 2 and 3,
Key agreement. 5. A base station and N units connected to the base station
(N is an integer of 2 or more)
Confidential information in the exclusive key agreement method of
α1, α2, β1, β2, S, T, T1, T2, α1, α2, β
Let 1, β2, S, T, T1, T2 and a prime number greater than N be p
And the prime factor of (p-1) is q, and the order in GF (p)
Are g1, g2, and the number of specific terminals is d (1 ≦ d <
N-1) and T = {λ (i, Λ) × T_i(The sum is performed for i∈Λ) (However, T_i= T + e₁× i¹+ ... + e_d× i^d mod
q) T1 = {λ (i, Λ) × T1_i(The sum is performed for i∈Λ) (However, T1_i= T1 + e₁× i¹+ ... + e_d× i^d mo
dq) T2 = {λ (i, Λ) × T2_i(The sum is performed for i∈Λ) (However, T2_i= T2 + e₁× i¹+ ... + e_d× i^d mo
dq) λ (i, Λ) = Π {L / (Li)} (product is L に-{i}
(Where f₁,…, F_d(f_d≠ 0) and e₁,…, E_d(e_d
{0) is an element of 2 × d GF (q), and Λ is the N terminals
Information that satisfies any (d + 1) sets of
To T_i, T1_i, T2_iAnd each terminal i (1 ≦ i ≦ N) is given by α1 = {λ (i, Λ) × α1_i(The sum is performed for i∈Λ) (However, α1_i= Α1 + f₁× i¹+ ... + f_d× i^d mo
dq) α2 = Σλ (i, Λ) × α2_i(The sum is performed for i∈Λ) (However, α2_i= Α2 + f₁× i¹+ ... + f_d× i^d mo
dq) β1 = Σλ (i, Λ) × β1_i(The sum is performed for i∈Λ) (However, β1_i= Β1 + f₁× i¹+ ... + f_d× i^d mo
dq) β2 = Σλ (i, Λ) × β2_i(The sum is performed for i∈Λ) (However, β2_i= Β2 + f₁× i¹+ ... + f_d× i^d mo
dq) S = Σλ (i, Λ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i¹+ ... + f_d× i^d mod
q) Secret information α1 that satisfies_i, α2_i, β1_i, β2_i, S_iAnd secret
Secret information r1_i= G1^T1i modpr2_i= G2^T2i modp u_i= G1 ^ (T_i/ S_i mod q) modp is kept secret, and the base station transmits the secret information α
1, α2, β1, β2, S, T, T1, T2 and α1₁,…, Α1_N, α
Two₁,…, Α2_N, β1_i,…, Β1_N, β2₁,…, Β2_N, S_i,…, S _N, T
₁,…, T_N, T1_i,…, T1_N, T2₁,…, T2_NHolds,
The base station and the terminal communicate with the prime p and the prime factor q
The elements g1 and g2 and the hash function hash () can be used,
(1) The base station can arbitrarily change an element k of GF (q) which is not zero.
Generate and prepare information C1₁= G1^k modp, C1_Two= G2^k modp, and (2) the base station calculates d specific terminals i₁,
…, I_dSecret information S_i1,…, S_id, T_i1,…, T_idExcluded from
Information C2_i1= K × S_i1+ T_i1 modq, ..., C2_id= K × S_id+ T_id modq, and (3) the base station checks the verification information v = (g1 ^ ((α1 + β1 × c) k + T1 modq)) × (g2 ^ ((α
2 + β2 × c) k + T2 modq)) modp (c = hash (C1₁, C1_Two) modq) v1_i1= (Α1_i1+ Β1_i1× c) k + T1_i1 modq, ..., v1_id= (Α1_id+ Β1_id× c) k + T1_id modq v2_i1= (Α2_i1+ Β2_i1× c) k + T2_i1 modq, ..., v2_id= (Α2_id+ Β2_id× c) k + T2_id modq and calculate the verification information v, v1_i1, V1_id, v2_i1, v2_id
And the exclusion information C2_i1,…, C2_idAnd the preparation information C1₁, C1
_TwoAnd specific terminal number i₁,…, I_dTo all terminals,
(4) The base station obtains a shared key K = (g1 ^ (k × S + T modq)) modp, and (5) the terminal i (i ≠ i₁,…, I_d) Is Λ_i
= {I, i₁,…, I_d} As λ (i, Λ_i), λ (i₁, Λ_i),
…, Λ (i_d, Λ_i), And λ (i₁, Λ_i),…, Λ (i_d, Λ
_i) And the verification information v1_i1,…, V1_id, v2_i1,…, V2_idAnd
Verification index using U1_i= V1_i1× λ (i₁, Λ_i) + ... + v1_id× λ (i_d, Λ
_i) modq, U2_i= V2_i1× λ (i₁, Λ_i) + ... + v2_id× λ (i_d, Λ
_i) modq, and λ (i, Λ_i) And the verification index U1_iAnd U2_i
And said own secret information r1_i, r2_i, α1_i, α2_i, β1_i, β2_i
The verification formula (C1₁^ ((α1_i+ Β1_i× c) λ (i, Λ_i) modq)) × (r1
λ⁽ⁱ, Λⁱ⁾) × (C1_Two^ ((α2_i+ Β2_i× c) λ (i, Λ_i) mod
q)) × (r2λ⁽ⁱ, Λⁱ⁾) × (g1^U1i) × (g2^U2i) modp = v (c = hash (C1₁, C1_Two) calculate modq)
If not, stop key sharing.
Each terminal i has λ (i₁, Λ_i),…, Λ (i_d, Λ_i) And the exclusion
Report C2_i1,…, C2_idThe composite index W using_i= C2_i1× λ (i₁, Λ_i) + ... + C2_id× λ (i_d,
Λ_i) Calculate modq and calculate C1₁And the W_iAnd λ (i, Λ_i) And myself
Secret information S_iAnd u_iUsing ((C1₁× u_i) ^ (S_i× λ (i, Λ_i) modq)} × g1^Wi It is characterized in that a shared key K is obtained by calculating modp.
An exclusive key agreement according to any one of claims 1, 2, and 3,
Law. 6. The base station converts a ciphertext C obtained by encrypting a plaintext m using the shared key K into C = m × K modp or C = m EOR K (where EOR is an exclusive bit for each bit). (Representing a logical sum), and broadcasts with the preparation information, the exclusion information, and the specific terminal number, or with the signature, the exclusion information, the specific terminal number, and the verification information. And m = C / K modp or m = C EOR K using the calculated shared key K, and decrypts the ciphertext C to obtain the plaintext m. An exclusive key agreement method according to any of the above. 7. After excluding a specific terminal and obtaining a shared key K, when excluding a plurality of specific terminals including the same specific terminal and obtaining a new shared key K ′, the base station includes: Using the shared key K, encrypt the preparation information and the specific terminal number and the exclusion information of the specific terminal, or similarly encrypt the signature of the specific terminal and the specific terminal number and the exclusion information, or Encrypts the preparation information, the specific terminal number, the verification information and the exclusion information of the specific terminal, and broadcasts the information to all the terminals. The terminal uses the shared key K to prepare the preparation information of the specific terminal. And the specific terminal number and the exclusion information, or similarly, the signature of the specific terminal and the specific terminal number and the exclusion information, or similarly, the preparation information and the specific terminal of the specific terminal. It decrypts the verification information and the elimination information and number, exclusive key sharing method according to any one of claims 1 to 6, wherein the determination of the new shared key K '. 8. The method according to claim 8, wherein after obtaining a shared key K by excluding a specific terminal, when obtaining a new shared key K ′ by excluding a plurality of specific terminals including the same specific terminal, the base station and the terminal Calculating a common key K1 by excluding a plurality of specific terminals except for the same specific terminal by the key sharing method according to claim 1, claim 2, claim 3, claim 4, and claim 5, And the terminal obtains a new shared key K′K ′ from the K and K1.
7. The method according to claim 1, wherein: KEOR K1 (where EOR represents an exclusive OR for each bit) or a result of four arithmetic operations in mod p of K and K1. Exclusive key agreement. 9. The exclusive key agreement method according to claim 1, wherein the multiplication operation corresponds to an addition operation on a curve such as an elliptic curve on an arbitrary finite field. 10. A power of a prime number o instead of the prime number p, and GF (o) instead of a remainder operation modulo the prime number o.
2. An operation on an expanded field of
An exclusive key agreement method according to any one of claims 1 to 9.