JP2005176144A - Terminal device, communication system and communication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an arbitrary IBE ciphering algorithm and a key segregation type ciphering method using an arbitrary public key ciphering method. <P>SOLUTION: A ciphering portion 11 of a transmission terminal 10 divides transmission information m into IBE division information m1 and arbitrary division information m2. The ciphering portion 11 ciphers the IBE division information m1 by an IBE ciphering algorithm with an IBE public parameter pk1 and time information, prepares an IBE cipher c1, ciphers the arbitrary division information m2 with an arbitrary public key pk2 and prepares an arbitrary cipher c2. A communication portion 14 transmits a transmission information cipher c including the IBE cipher c1 and the arbitrary cipher c2. A communication portion 25 of a reception terminal 20 receives the transmission information cipher c. A decipher determining portion 23 deciphers the IBE cipher c1 with an IBE decipher key, and the arbitrary cipher c2 with an arbitrary deciphering key sk2. By obtaining the IBE division information m1 and the arbitrary division information m2, the transmission information m is reconstructed. An updating portion 22 updates the IBE deciphering key. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a terminal device, a communication system, and a communication method.

  Conventionally, encryption schemes such as a key isolation encryption scheme (Key-Insulated Encryption) and an identification information encryption scheme (Identity-Based Encryption, hereinafter referred to as “IBE”) have been proposed. In the key isolation type encryption method, the transmission information ciphertext encrypted by the user of the transmission terminal is decrypted with the decryption key of the user of the reception terminal. The receiving terminal acquires key update information for updating a key generated by the external auxiliary device connected to the receiving terminal, and updates the decryption key in the receiving terminal by using the key update information. The key isolation encryption method is characterized in that when some of the user's decryption keys are leaked to the outside, if the total number of leaked decryption keys does not exceed a certain number called the leak threshold, The information related to the decryption key can be made known to only the user. Therefore, the user can reduce damage caused by leakage of the decryption key by frequently updating the decryption key. As described above, the key isolation type encryption method is an effective means for solving the leakage problem of the decryption key in the public key encryption method (for example, see Non-Patent Document 1). For example, a key isolation type encryption method is called a BP method (BP02) (see, for example, Non-Patent Document 2).

IBE is an encryption method based on identification information unique to a user. In IBE, identification information unique to a user is used as a public key. Such a concept was proposed in 1984, and a concrete realization method has been sought. In 2001, a method that satisfies all requirements as an encryption method using identification information, a Boneh-Franklin method (hereinafter referred to as “BF method”) was proposed (for example, see Non-Patent Document 3). The BF method is a method based on a mathematical problem defined in an elliptic curve. In addition to the BF method, a GS method and a Cocks method have been proposed as IBE (see, for example, Non-Patent Document 4 and Non-Patent Document 5). The Cocks method is a method based on a quadratic residue problem defined in a ring modulo a composite number (hereinafter referred to as a “combined number ring”).
Y. Dodis, J. Katz, S. Xu and M. Yung, "Key-Insulated Public-Key Cryptosystems", Proc. Of Eurocrypt 2002, Lecture Notes in Computer Science Vol. 2332, 2002, Springer-Verlag, p. 65 -82 M. Bellare and A. Palacio, “Protecting against Key Exposure: Strongly Key-Insulated Encryption with Optimal Threshold”, Cryptology ePrint Archive 064, Internet <URL: http://eprint.iacr.org/2002> D.boneh and M. Franklin, `` Identity Based Encryption from the Weil Pairing '', Proc. Of CRYPTO'01, Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag, pp.213-229,2001 C. Gentry and A. Silverberg, `` Hierarchical Identity-Based Cryptography '', Proc. Of Asiacrypt'02, Lecture Notes in Computer Science, Vol. 2501, Springer-Verlag, pp.548-566,2002 C. Cocks, "An Identity Based Encryption Scheme Based on Quadratic Residues", Proc. Of IMA Int. Conf. 2001, Coding and Cryptography, Lecture Notes in Computer Science, Vol. 2260, Springer-Verlag, pp. 360-363, 2001

  However, at present, only one BP02 method is known as a key isolation type encryption method with an unlimited leakage threshold. As described above, since there is no selection range for the encryption method, it has been difficult to construct a communication system using the key isolation encryption method in response to the system request. In particular, it has been difficult to flexibly select mathematical problems as the basis for safety. In addition, the relationship between the key-separated encryption method and IBE has not been clarified.

  Therefore, the present invention can be realized by using an encryption algorithm of an arbitrary identification information encryption system and an arbitrary public key encryption system, and is a key with an unlimited leakage threshold value based on the difficulty of various mathematical problems. The purpose is to provide an isolated encryption method.

  The terminal device according to the present invention encrypts transmission information using public parameters generated by a public key generation algorithm of an identification information encryption method (hereinafter referred to as “identification information public parameters”) (hereinafter referred to as “identification information”). Splitting means for splitting into split information (hereinafter referred to as “arbitrary split information”) encrypted with a public key (hereinafter referred to as “arbitrary public key”) different from the identification information public parameter and identification information split information Is encrypted with the encryption algorithm of the identification information encryption method using the identification information public parameter and time information to create a ciphertext (hereinafter referred to as “identification information ciphertext”), and the arbitrary divided information is encrypted using the arbitrary public key Encrypting means for generating a ciphertext (hereinafter referred to as “arbitrary ciphertext”), and a ciphertext (hereinafter referred to as “transmission information ciphertext”) including identification information ciphertext and arbitrary ciphertext And a sending means for sending to the receiving terminal) as "transmission information ciphertext".

  According to such a terminal device, the dividing unit divides the transmission information into identification information division information and arbitrary division information. The encryption means encrypts the identification information division information using the identification information disclosure parameter and the time information by the encryption algorithm of the identification information encryption method, creates an identification information ciphertext, and uses the arbitrary division information using the arbitrary public key. Encrypt and create arbitrary ciphertext. Then, the transmission means transmits the transmission information ciphertext including the identification information ciphertext and the arbitrary ciphertext. As a result, the terminal device can be realized by using an encryption algorithm of an arbitrary identification information encryption method and an arbitrary public key encryption method, and the leakage threshold value based on the difficulty of various mathematical problems becomes unlimited. A key-isolated encryption method can be provided. Then, the terminal device becomes a transmitting terminal and can perform encryption by such a key isolation type encryption method.

  Further, the encryption means selects an identification information random number for the identification information division information and an arbitrary random number for the arbitrary division information, and identifies the identification information division information and the identification information random number using the identification information disclosure parameter and the time information. It is preferable that encryption is performed by an encryption algorithm of an information encryption method, and arbitrary division information and an arbitrary random number are encrypted using an arbitrary public key. In this way, by encrypting the identification information division information together with the identification information random number and encrypting the arbitrary division information together with the arbitrary random number, the terminal device can improve the security of the transmission information and can be assumed as an attack on the transmission information. Can prevent most of.

  Further, the encryption means inputs the transmission information, identification information division information, arbitrary division information, identification information random number and arbitrary random number to the hash function to obtain a hash value, and the identification information division information and identification information random number are disclosed to the identification information. It is preferable that encryption is performed by an identification information encryption algorithm using parameters, time information, and a hash value, and arbitrary division information and an arbitrary random number are encrypted using an arbitrary public key and a hash value. As a result, highly secure encryption is possible.

  Another terminal apparatus according to the present invention uses an identification information encryption parameter encrypted by an identification information encryption scheme encryption algorithm using an identification information disclosure parameter and time information generated by an identification information encryption public key generation algorithm. Receiving means for receiving a transmission information ciphertext including an arbitrary ciphertext encrypted using an arbitrary public key different from the identification information public parameter, and a decryption key (hereinafter referred to as an identification information public parameter). "Identification information decryption key") is used as the identification information division information, and the arbitrary ciphertext is decrypted using the decryption key corresponding to the arbitrary public key (hereinafter referred to as "arbitrary decryption key"). And decryption means for restoring the transmission information from the identification information division information and the arbitrary division information, and an update means for updating the identification information decryption key.

  According to such a terminal device, the receiving means receives the transmission information ciphertext including the identification information ciphertext and the arbitrary ciphertext. The decrypting means decrypts the identification information ciphertext with the identification information decryption key and the arbitrary ciphertext with the arbitrary decryption key to obtain identification information division information and arbitrary division information. Then, the decoding unit restores the transmission information from the identification information division information and the arbitrary division information. Furthermore, the update means updates the identification information decryption key. As a result, the terminal device can be realized by using an encryption algorithm of an arbitrary identification information encryption method and an arbitrary public key encryption method, and the leakage threshold value based on the difficulty of various mathematical problems becomes unlimited. A key-isolated encryption method can be provided. Then, the terminal device becomes a receiving terminal and can decrypt the transmission information ciphertext encrypted by such a key isolation type encryption method.

  Further, the terminal device encrypts the identification information division information using the identification information public parameter and the time information by the encryption algorithm of the identification information encryption method to create a determination identification information ciphertext, and the arbitrary division information to the arbitrary public key Is used to create a decision arbitrary ciphertext, determine whether the identification information ciphertext and the determination identification information ciphertext match, and the arbitrary ciphertext matches the determination arbitrary ciphertext It is preferable to provide a determination means for determining whether or not. According to this, the terminal device can determine whether the transmission information is correctly encrypted and transmitted, and can improve safety. The updating means preferably updates the identification information decryption key by using a master key used for generating the identification information decryption key as an update key.

  The communication system according to the present invention is a communication system including a transmission terminal that transmits transmission information and a reception terminal that receives transmission information. Then, the transmission terminal uses an arbitrary public key different from the identification information division information and the identification information public parameter to encrypt the transmission information using the identification information public parameter generated by the public key generation algorithm of the identification information encryption method. A division means for dividing into arbitrary division information to be encrypted, and an identification information ciphertext by creating an identification information ciphertext by encrypting the identification information division information using an identification information disclosure parameter and time information by an encryption algorithm of an identification information encryption method An encryption unit that encrypts information using an arbitrary public key to create an arbitrary ciphertext, and a transmission unit that transmits a transmission information ciphertext including an identification information ciphertext and an arbitrary ciphertext to a receiving terminal. The receiving terminal receives the transmission information ciphertext, and the identification information ciphertext is decrypted with the identification information decryption key corresponding to the identification information public parameter to obtain the identification information division information, and the arbitrary ciphertext corresponds to the arbitrary public key. And decryption means for decrypting with the arbitrary decryption key to obtain arbitrary division information, and decoding means for restoring the transmission information from the identification information division information and the arbitrary division information, and an update means for updating the identification information disclosure parameter.

  According to such a communication system, it can be realized by using an encryption algorithm of an arbitrary identification information encryption system and an arbitrary public key encryption system, and the leakage threshold is unlimited based on the difficulty of various mathematical problems. It is possible to provide a key isolation type encryption method. In the communication system, encryption by such a key isolation type encryption method can be performed, and the encrypted transmission information ciphertext can be decrypted.

  The communication method according to the present invention includes an arbitrary public key different from the identification information division information and the identification information public parameter for encrypting the transmission information using the identification information public parameter generated by the public key generation algorithm of the identification information encryption method. A step of dividing the identification information into pieces of arbitrary divided information to be encrypted, and a step of encrypting the identification information division information using an identification information disclosure parameter and a time information by an encryption algorithm of an identification information encryption method to create an identification information ciphertext And encrypting the arbitrary division information using an arbitrary public key to create an arbitrary ciphertext, and transmitting a transmission information ciphertext including the identification information ciphertext and the arbitrary ciphertext to the receiving terminal. Features. According to such a communication method, it can be realized using an encryption algorithm of an arbitrary identification information encryption system and an arbitrary public key encryption system, and the leakage threshold is unlimited based on the difficulty of various mathematical problems. It is possible to provide a key isolation type encryption method. And according to the communication method, the encryption method by such a key isolation type encryption system can be provided.

  Another communication method according to the present invention includes an identification information ciphertext encrypted by an identification information encryption scheme encryption algorithm using an identification information disclosure parameter and time information generated by an identification information encryption method public key generation algorithm. And a step of receiving a transmission information ciphertext including an arbitrary ciphertext encrypted using an arbitrary public key different from the identification information public parameter, and an identification information decryption key corresponding to the identification information public parameter. Using the decryption step to obtain the identification information division information, the arbitrary ciphertext using the arbitrary decryption key corresponding to the arbitrary public key to obtain the arbitrary division information, and the identification information division information and the arbitrary division information. The method includes a step of restoring transmission information and a step of updating an identification information decryption key. According to such a communication method, it can be realized using an encryption algorithm of an arbitrary identification information encryption system and an arbitrary public key encryption system, and the leakage threshold is unlimited based on the difficulty of various mathematical problems. It is possible to provide a key isolation type encryption method. And according to the communication method, the decoding method of the transmission information ciphertext encrypted by such a key isolation type encryption system can be provided.

  As described above, according to the present invention, a leakage that can be realized by using an encryption algorithm of an arbitrary identification information encryption system and an arbitrary public key encryption system and relies on the difficulty of various mathematical problems. It is possible to provide a key isolation type encryption method in which the threshold value is unlimited.

〔Communications system〕
As shown in FIG. 1, the communication system 1 includes a transmission terminal 10, a reception terminal 20, a public information server 30, an external auxiliary device 40, and a network 50. The transmission terminal 10 is a terminal device that transmits transmission information to the reception terminal 20. The receiving terminal 20 is a terminal device that receives transmission information transmitted by the transmitting terminal 10. Hereinafter, the user of the transmission terminal 10 is referred to as “sender”, and the user of the reception terminal 20 is referred to as “recipient”. There can be a plurality of transmission terminals 10 that transmit transmission information to a certain reception terminal 20 at a certain time t, for example, 1 ≦ j ≦ n (j and n are natural numbers), where j is the number of transmission terminals 10.

  The public information server 30 stores public information that is disclosed to other users such as the sender, and provides the information to the transmission terminal 10 and the reception terminal 20. The public information server 30 can be accessed by users other than recipients such as recipients and senders. The public information includes an IBE public parameter pk1 and an arbitrary public key pk2. Hereinafter, public information including the IBE public parameter pk1 and the arbitrary public key pk2 is represented as public information {pk1, pk2}. The IBE public parameter pk1 is an identification information public parameter generated by a public key generation algorithm (hereinafter referred to as “IBE public key generation algorithm”) of an identity information encryption method (Identity-Based Encryption, hereinafter referred to as “IBE”). The arbitrary public key pk2 is a public key that uses a public key cryptosystem different from IBE (hereinafter referred to as “arbitrary public key cryptosystem”).

  As the IBE, for example, a BF method (BF01), a GS method (GS02), a Cocks method (Cocks01), or the like can be used. The BF method is described in Non-Patent Document 3, for example, the GS method is described in Non-Patent Document 4, and the Cocks method is described in Non-Patent Document 5, for example. The arbitrary public key cryptosystem can be arbitrarily selected from public key cryptosystems other than IBE according to a request in the communication system 1 or the like. As the arbitrary public key cryptosystem, for example, a public key scheme conventionally used, such as the ElGamal scheme (ELG85) and the RSA scheme (RSA78), can be used. The ElGamal scheme is, for example, “A public key cryptosystem and a signature scheme based on the discrete logarithms”, T.M. ElGamal, IEEE Transactions on Information Theory, IT-31, 4, p. 469-472, 1985, the RSA method is, for example, “A method for obtaining digital signature and public-key cryptosystems”, R. Rivest, A. Shamir and L. Adleman, Communication of the ACM, 21, 2, p. 120-126, 1978.

  The external auxiliary device 40 is used by the receiving terminal 20 to update the identification information decryption key (hereinafter referred to as “IBE decryption key”). The external auxiliary device 40 is held by the recipient. The transmission terminal 10, the reception terminal 20, and the public information server 30 are connected via the network 50. The external auxiliary device 40 is connected to the receiving terminal 20 without being connected to the network 50 and is isolated from the network 50.

  Next, the transmitting terminal 10, the receiving terminal 20, the public information server 30, and the external auxiliary device 40 will be described in detail. The transmission terminal 10 includes an encryption unit 11, a storage unit 12, an input unit 13, and a communication unit 14. The storage unit 12 includes transmission information, recipient identification information Ui, an IBE encryption algorithm (hereinafter referred to as “IBE encryption algorithm”), and an arbitrary public key encryption algorithm (hereinafter referred to as “optional encryption algorithm”). Stores hash function, random number, etc. Identification information Ui unique to the receiver is given to the receiver. The identification information Ui includes, for example, an e-mail address and a telephone number. The input unit 13 receives transmission information from the sender and inputs the transmission information to the encryption unit 11.

  The encryption unit 11 uses the identification information division information (hereinafter referred to as “IBE division information”) m1 for encrypting the transmission information m to be transmitted to the receiving terminal 20 using the IBE public parameter pk1, and the arbitrary public key pk2. It functions as a dividing means for dividing the information into arbitrary divided information m2 to be encrypted. The encryption unit 11 acquires plaintext transmission information from the storage unit 12 and the input unit 13. The encryption unit 11 divides the acquired plaintext transmission information into identification information division information m1 and arbitrary division information m2 using, for example, secret sharing. As the secret sharing, for example, Shamir 79 described in “How to Share a Secret”, A. Shamir, Comm. ACM, 22, 11, p612-613, 1979 can be used. Since the encryption unit 11 divides the transmission information using secret sharing, it is not possible to know the other information even if one of the divided information is viewed. Therefore, the security of the transmission information m can be improved, which is preferable. .

  Further, the encryption unit 11 selects an identification information random number (hereinafter referred to as “IBE random number”) r1 for the IBE division information m1 and a random number (hereinafter referred to as “arbitrary random number”) r2 for the arbitrary division information m2. . For example, the encryption unit 11 selects the IBE random number r1 and the arbitrary random number r2 from the random numbers stored in the storage unit 12.

  Further, the encryption unit 11 creates the identification information ciphertext (hereinafter referred to as “IBE ciphertext”) c1 by encrypting the IBE division information m1 using the IBE public parameter pk1 and the time information by the IBE encryption algorithm, and arbitrarily It functions as an encryption means for encrypting the division information m2 using an arbitrary public key pk2 by an arbitrary encryption algorithm to create an arbitrary ciphertext c2. The encryption unit 11 acquires the public information {pk1, pk2} from the public information server 30 via the communication unit 14. The encryption unit 11 specifies the recipient identification information Ui, requests the public information server 30 for the public information, and receives the public information notification from the public information server 30, thereby obtaining the public information {pk1, pk2}. get.

  Then, the encryption unit 11 encrypts the IBE information (m1‖r1) including the IBE division information m1 and the IBE random number r1 by the IBE encryption algorithm using the acquired IBE public parameter pk1 and time information, and the IBE A ciphertext c1 is created. In this way, the encryption unit 11 performs encryption by reflecting the time information. The encryption unit 11 substitutes the time information at the time of encryption into the IBE encryption algorithm instead of the identification information substituted into the IBE encryption algorithm, and encrypts it. As the time information, for example, the generation time point for generating the IBE public parameter pk1 is set to 0, and the elapsed time from the generation time point 0, the current time, or the like can be used. Further, the encryption unit 11 encrypts arbitrary information (m2‖r2) including the arbitrary division information m2 and the arbitrary random number r2 by using an arbitrary public key pk2 acquired from the public information server 30, and using an arbitrary encryption algorithm, An arbitrary ciphertext c2 is created. Thus, by encrypting the IBE division information m1 together with the IBE random number r1 and encrypting the arbitrary division information m2 together with the arbitrary random number r2, the transmission terminal 10 can improve the safety of the transmission information m, It is possible to prevent most of the attacks assumed as attacks against the information m.

  At this time, the encryption unit 11 inputs the transmission information m, the IBE division information m1, the arbitrary division information m2, the IBE random number r1 and the arbitrary random number r2 to the hash function to obtain a hash value, and the obtained hash value is obtained by the probabilistic encryption. Used as a random number for conversion. As the hash function, for example, SHA-1 can be used. The encryption unit 11 encrypts the IBE information (m1‖r1) with the IBE encryption algorithm using the IBE public parameter pk1, the time information, and the hash value, and creates the IBE ciphertext c1. In addition, the encryption unit 11 encrypts the arbitrary information (m2‖r2) by using an arbitrary public key pk2 and a hash value using an arbitrary encryption algorithm, and creates an arbitrary ciphertext c2. Accordingly, the encryption unit 11 can perform highly secure encryption. The encryption unit 11 acquires an IBE encryption algorithm, an arbitrary encryption algorithm, a hash function, and recipient identification information Ui from the storage unit 12. The encryption unit 11 creates a transmission information ciphertext c including the created IBE ciphertext c1 and the arbitrary ciphertext c2.

  The IBE information (m1‖r1), the arbitrary information (m2‖r2), and the transmission information ciphertext c are the IBE division information m1 and the IBE random number r1, the arbitrary division information m2 and the arbitrary random number r2, the IBE ciphertext c1 and the arbitrary ciphertext, respectively. c2 may be included, and IBE division information m1 and IBE random number r1, arbitrary division information m2 and arbitrary random number r2, IBE ciphertext c1 and arbitrary ciphertext c2 may be included in any order and format. I do not care. The encryption unit 11 inputs the created transmission information ciphertext c to the communication unit 14.

  The communication unit 14 is a transmission unit that transmits the transmission information ciphertext c including the IBE ciphertext c1 and the arbitrary ciphertext c2 to the receiving terminal 20. The communication unit 14 acquires the transmission information ciphertext c from the encryption unit 11 and transmits it to the receiving terminal 20 via the network 50. In addition, the communication unit 14 acquires a request for public information {pk1, pk2} from the encryption unit 11 and transmits the request to the public information server 30 via the network 50. The communication unit 14 receives the public information {pk1, pk2} from the public information server 30 via the network 50 and inputs it to the encryption unit 11.

  The receiving terminal 20 includes a generation unit 21, an update unit 22, a decryption determination unit 23, a storage unit 24, a communication unit 25, and an output unit 26. The generating unit 21 generates an IBE public parameter pk1, a master key s, and an IBE decryption key sk1 that is an initial value of the IBE decryption key. The generation unit 21 substitutes the time information at the time of generation of the IBE public parameter pk1 into the IBE public key generation algorithm instead of the identification information substituted into the IBE public key generation algorithm, and generates the IBE public parameter pk1. As the generation time, the current time may be substituted, and when the generation time is set to 0, 0 may be substituted. The master key s is a secret key for generating the IBE decryption key sk1. The generation unit 21 generates a master key s using a key generation algorithm for a master key. The generation unit 21 may select a master key from master key candidates stored in the storage unit 24.

  The generation unit 21 uses the time information at the time of generation of the IBE decryption key sk1 as the IBE decryption key generation algorithm instead of the identification information substituted for the key generation algorithm of the IBE decryption key sk1 (hereinafter referred to as “IBE decryption key generation algorithm”). substitute. That is, the generation unit 21 generates the IBE decryption key sk1 using the IBE decryption key generation algorithm by causing the time information and the generated master key s to act. As the generation time, the current time may be substituted, and when the generation time is set to 0, 0 may be substituted. The IBE decryption key sk1 is a secret key. A secret key d (char) generated by operating the character string char and the master key s is referred to as a “decryption key corresponding to char”. In IBE, the ciphertext encrypted using char and the IBE public parameter pk1 can be decrypted using d (char). Furthermore, the generation unit 21 generates an arbitrary public key pk2 and an arbitrary decryption key sk2 corresponding to the arbitrary public key pk2, using a public key of an arbitrary public key cryptosystem and a key generation algorithm for a decryption key. The arbitrary decryption key sk2 is a secret key.

The generation unit 21 notifies the public information server 30 of public information {pk1, pk2} including the generated IBE public parameter pk1 and the arbitrary public key pk2. Specifically, the generation unit 21 transmits public information {pk1, pk2} in association with the identification information Ui to the public information server 30 via the communication unit 25. The receiving terminal 20 notifies the public information server 30 of the public information {pk1, pk2} and registers it in the public information server 30 so that the public information is disclosed to users other than the receiver such as the sender. To do. Further, the generation unit 21 generates a decryption key including the generated IBE decryption key sk1 and the arbitrary decryption key sk2. Hereinafter, the decryption key including the IBE decryption key sk1 and the arbitrary decryption key sk2, which are the initial values of the IBE decryption key, is represented as an initial decryption key {sk1, sk2}. The generation unit 21 stores the initial decryption key {sk1, sk2} in the storage unit 24. Furthermore, the generation unit 21 notifies the external auxiliary device 40 via the communication unit 25 using the generated master key s as an update key. The update key is a key used for updating the IBE decryption key. In this way, the generation unit 21 stores the master key s that is an update key in the external auxiliary device 40.
The storage unit 24 includes recipient identification information Ui, a master key s candidate, an IBE decryption key, an arbitrary decryption key sk2, an IBE public key generation algorithm, an IBE decryption key generation algorithm, a master key key generation algorithm, and an arbitrary public key encryption Public key and decryption key generation algorithm, IBE decryption algorithm (hereinafter referred to as “IBE decryption algorithm”) and IBE encryption algorithm, arbitrary public key encryption method decryption algorithm (hereinafter referred to as “arbitrary decryption algorithm” and optional encryption) Storage algorithm, hash function, etc.

  The update unit 22 is update means for updating the IBE decryption key. The update unit 22 performs update using the external auxiliary device 40. First, the update unit 22 requests the external auxiliary device 40 via the communication unit 25 to generate a new IBE decryption key dt at the time t using the master key s. The update unit 22 receives a request for the IBE public parameter pk <b> 1 from the requested external auxiliary device 40 via the communication unit 25. The updating unit 22 specifies the recipient identification information Ui and requests the public information server 30 via the communication unit 25 for the IBE public parameter pk1. The update unit 22 acquires a notification of the IBE public parameter pk1 from the public information server 30 via the communication unit 25. Then, the update unit 22 notifies the external auxiliary device 40 of the IBE public parameter pk <b> 1 received from the public information server 30.

  Then, the external auxiliary device 40 that has acquired the IBE public parameter pk1 uses the master key 2 to generate a new IBE decryption key dt at that time t, and notifies the receiving terminal 20 of it. Therefore, the update unit 22 acquires a new IBE decryption key dt generated using the master key s via the communication unit 25. The update unit 22 deletes the initial decryption key {sk1, sk2} stored in the storage unit 24. The update unit 22 uses the acquired new IBE decryption key dt and the arbitrary decryption key sk2 stored in the storage unit 24 to generate a new decryption key {dt, sk2}. The update unit 22 stores the newly generated decryption key {dt, sk2} in the storage unit 24 and updates the decryption key. The updating unit 22 can update the IBE decryption key and update the decryption key at regular time intervals or when the receiver arbitrarily selects the decryption key. Thus, the update unit 22 instructs the external auxiliary device 40 to generate a new IBE decryption key dt using the master key s, and updates the master key s by acquiring the generated IBE decryption key dt. The IBE decryption key used as the key can be updated.

  The communication unit 25 is a receiving unit that receives the transmission information ciphertext c including the IBE ciphertext c1 and the arbitrary ciphertext c2. The communication unit 25 receives the transmission information ciphertext c from the transmission terminal 10 via the network 50. The communication unit 25 inputs the received transmission information ciphertext c to the decryption determination unit 22. The communication unit 25 acquires the notification of the public information {pk1, pk2} from the generation unit 21 and transmits it to the public information server 30 via the network 50. The communication unit 25 acquires a request for the IBE public parameter pk1 and the public information {pk1, pk2} from the update unit 22 and the decryption determination unit 23, and transmits the request to the public information server 30 via the network 50. The communication unit 25 receives the notification of the IBE public parameter pk1 and the public information {pk1, pk2} from the public information server 30 via the network 50 and inputs them to the update unit 22 and the decryption determination unit 23.

  The decryption determination unit 23 decrypts the IBE ciphertext c1 with the IBE decryption key corresponding to the IBE public parameter pk1 to obtain IBE partition information m1, and the arbitrary ciphertext c2 with the arbitrary decryption key sk2 corresponding to the arbitrary public key pk2. The decoding means decodes the arbitrary division information m2 and restores the transmission information m from the IBE division information m1 and the arbitrary division information m2.

  The decryption determination unit 23 acquires the transmission information ciphertext c transmitted from the transmission terminal 10 from the communication unit 25. The decryption determination unit 23 acquires the public information {pk1, pk2} from the public information server 30 via the communication unit 25. The decryption determination unit 23 specifies the recipient identification information Ui, requests the public information server 30 for the public information, and receives the public information notification from the public information server 30, thereby obtaining the public information {pk1, pk2}. get. The decryption determination unit 23 acquires the IBE decryption key and the arbitrary decryption key sk2 from the storage unit 24.

  Then, using the IBE public parameter pk1, the decryption determination unit 23 uses the IBE decryption key corresponding to the IBE public parameter pk1 obtained by encrypting the IBE ciphertext c1 included in the transmission information ciphertext c. Check if it exists. The decryption determination unit 23 decrypts the IBE ciphertext c1 by using the IBE decryption key and the IBE decryption algorithm that have been confirmed to correspond to obtain the IBE division information m1 and the IBE random number r1. Hereinafter, the IBE division information m1 and the IBE random number r1 are collectively expressed as {m1, r1}. In addition, the decryption determination unit 23 uses the arbitrary public key pk2 and the obtained arbitrary decryption key sk2 is an arbitrary decryption key corresponding to the arbitrary public key pk2 obtained by encrypting the arbitrary ciphertext c2 included in the transmission information ciphertext c. Check if it is sk2. The decryption determination unit 23 decrypts the arbitrary ciphertext c2 using the arbitrary decryption key sk2 and the arbitrary decryption algorithm that have been confirmed to correspond to each other, and obtains the arbitrary division information m2 and the arbitrary random number r2. Hereinafter, the arbitrary division information m2 and the arbitrary random number r2 are collectively expressed as {m2, r2}. The decryption determination unit 23 restores the plaintext transmission information m from the obtained IBE division information m1 and the arbitrary division information m2. The decryption determination unit 23 uses an IBE decryption algorithm and an arbitrary decryption algorithm corresponding to the IBE encryption algorithm and the arbitrary encryption algorithm used for encryption.

  Further, the decryption determination unit 23 encrypts the IBE division information m1 by the IBE encryption algorithm using the IBE public parameter pk1 and the time information, and determines the identification information ciphertext for determination (hereinafter referred to as “determination IBE ciphertext”) c1 ′. And the arbitrary divided information m2 is encrypted using the arbitrary public key pk2 to generate the determination arbitrary ciphertext c2 ′, and whether or not the received IBE ciphertext c1 matches the determination IBE ciphertext c1 ′ It also functions as a determination unit that determines whether or not the received arbitrary ciphertext c2 matches the determination arbitrary ciphertext c2 ′.

  Specifically, the decryption determination unit 23 obtains IBE information (m1‖r1) including the IBE division information m1 and the IBE random number r1 obtained by decryption from the public information server 30 and the time of the IBE public parameter pk1. Using the information, it is encrypted by the IBE encryption algorithm to create a determination IBE ciphertext c1 ′. Also, the decryption determination unit 23 encrypts arbitrary information (m2‖r2) including the arbitrary divided information m2 and the arbitrary random number r2 obtained by decryption using the arbitrary public key pk2 acquired from the public information server 30. Encryption by the algorithm is performed, and an arbitrary ciphertext c2 ′ for determination is created.

  At this time, the decryption determination unit 23 inputs the transmission information m, the IBE partition information m1, the arbitrary partition information m2, the IBE random number r1 and the arbitrary random number r2 to the hash function to obtain a hash value, and the obtained hash value is the probabilistic encryption Used as a random number for conversion. The decryption determination unit 23 encrypts the IBE information (m1‖r1) using the IBE public parameter pk1, the time information, and the hash value using the IBE encryption algorithm, and creates the determination IBE ciphertext c1 '. In addition, the decryption determination unit 23 encrypts the arbitrary information (m2‖r2) by using an arbitrary public key pk2 and a hash value using an arbitrary encryption algorithm, and creates a determination arbitrary ciphertext c2 '. The decryption determination unit 23 uses a hash function used for obtaining a hash value when encrypting as a hash function. The decryption determination unit 23 acquires an IBE decryption algorithm and an IBE encryption algorithm, an arbitrary decryption algorithm and an arbitrary encryption algorithm, receiver identification information Ui, and a hash function from the storage unit 24.

  The decryption determination unit 23 compares the IBE ciphertext c1 with the created determination IBE ciphertext c1 'and determines whether or not they match. Further, the decryption determination unit 23 compares the arbitrary ciphertext c2 with the generated determination arbitrary ciphertext c2 ', and determines whether or not they match. The decryption determination unit 23 then transmits the transmission information m only when the IBE ciphertext c1 matches the determination IBE ciphertext c1 ′, and the arbitrary ciphertext c2 matches the determination arbitrary ciphertext c2 ′. Is determined to have been correctly encrypted and transmitted. Then, the decoding determination unit 23 outputs the transmission information m as a decoding result to the output unit 26. The output unit 26 is an output unit that outputs information. The decryption determination unit 23 correctly encrypts the transmission information m if any one of the IBE ciphertext c1 and the determination IBE ciphertext c1 ′ and the arbitrary ciphertext c2 and the determination arbitrary ciphertext c2 ′ does not match. Therefore, the notification of decoding failure is output to the output unit 26, and the decoding result is not output. According to such a decryption determination unit 23, the receiving terminal 20 is one in which the transmission information m restored from the IBE division information m1 and the arbitrary division information m2 obtained by decryption is correctly encrypted and transmitted. Can be determined and safety can be improved.

  The public information server 30 includes a control unit 31, a public information database 32, and a communication unit 33. The public information database 32 stores the public information {pk1, pk2} in association with the recipient identification information Ui. The communication unit 33 receives the public information {pk1, pk2} associated with the recipient identification information Ui from the receiving terminal 20 via the network 50. The communication unit 33 inputs the received public information {pk1, pk2} to the control unit 31. The communication unit 33 receives a request for public information specifying the recipient identification information Ui from the transmission terminal 10 via the network 50 and inputs the request to the control unit 31. The communication unit 33 acquires the public information {pk1, pk2} of the specified identification information Ui from the control unit 31 as a response to the public information request. The communication unit 33 transmits the public information {pk1, pk2} acquired from the control unit 31 to the transmission terminal 10.

  The control unit 31 acquires the public information {pk1, pk2} associated with the recipient identification information Ui from the receiving terminal 20 via the communication unit 33. The control unit 31 registers the acquired public information {pk1, pk2} in the public information database 32 in association with the identification information Ui. The control unit 31 acquires a request for public information specifying the identification information Ui from the transmission terminal 10 via the communication unit 33. Based on the identification information Ui, the control unit 31 acquires the public information {pk1, pk2} of the recipient of the identification information Ui from the public information database 32. The control unit 31 provides the public information {pk1, pk2} acquired to the transmission terminal 10 via the communication unit 33.

  The external auxiliary device 40 includes an update information generation unit 41, a storage unit 42, and a communication unit 43. The storage unit 42 stores an update key used for updating the IBE decryption key of the receiving terminal 20. The storage unit 42 stores the master key s as an update key. The storage unit 42 stores an IBE decryption key generation algorithm. The update information generation unit 41 acquires a master key s as an update key from the reception terminal 20 via the communication unit 43. The update information generation unit 41 stores the acquired master key s in the storage unit 42. In addition, the update information generation unit 41 generates a new IBE decryption key dt. First, the update information generation unit 41 receives a request to generate an IBE decryption key dt at the time t as a new IBE decryption key from the receiving terminal 20 via the communication unit 43. The update information generation unit 41 requests the receiving terminal 20 for the IBE public parameter pk1 of the receiving terminal 20, that is, the IBE public parameter pk1 of the identification information Ui, via the communication unit 43. Then, the update information generation unit 41 acquires a notification of the IBE public parameter pk1 from the reception terminal 20 via the communication unit 43 as a response to the request. The update information generation unit 41 acquires a master key s that is an update key and an IBE decryption key generation algorithm from the storage unit 42.

  The update information generation unit 41 uses the IBE public parameter pk1 of the acquired identification information Ui, that is, the IBE public parameter pk1, time information, that is, the time point t, and the master key s that is the update key, to generate an IBE decryption key generation algorithm Thus, the IBE decryption key dt at the time t is generated. The time point t may be the current time or may be an elapsed time when the generation time is 0. The update information generation unit 41 notifies the generated new IBE decryption key dt to the reception terminal 20 of the recipient of the identification information Ui via the communication unit 43.

  The communication unit 43 receives the master key s as an update key from the receiving terminal 20 and inputs it to the update information generation unit 41. The communication unit 43 acquires a request for the IBE public parameter pk1 of the receiving terminal 20 from the update information generating unit 41 and transmits the request to the receiving terminal 20. The communication unit 43 receives the IBE public parameter pk <b> 1 of the receiving terminal 20 from the receiving terminal 20 and inputs it to the update information generating unit 41. The communication unit 43 acquires a new IBE decryption key dt from the update information generation unit 41 and transmits it to the receiving terminal 20.

〔Communication method〕
Next, a communication method using the communication system 1 will be described. First, generation of public information {pk1, pk2}, master key s, IBE decryption key sk1, and arbitrary decryption key sk2 will be described with reference to FIG. First, the receiving terminal 20 generates an IBE public parameter pk1, a master key s, and an IBE decryption key sk1 (S101). The receiving terminal 20 generates an arbitrary public key pk2 and an arbitrary decryption key sk2 (S102). The receiving terminal 20 notifies the public information server 30 of public information {pk1, pk2} including the generated IBE public parameter pk1 and the arbitrary public key pk2 (S103). The public information server 30 stores and registers the public information {pk1, pk2} notified from the receiving terminal 20 in the public information database 32 (S104).

  The receiving terminal 20 generates an initial decryption key {sk1, sk2} including the generated IBE decryption key sk1 and the arbitrary decryption key sk2, and stores it in the storage unit 24 in the receiving terminal 20 (S105). Further, the receiving terminal 20 notifies the external auxiliary device 40 using the master key s as an update key (S106). The external auxiliary device 40 stores the master key s notified from the receiving terminal 20 as an update key in the storage unit 42 in the external auxiliary device 40 (S107).

  Next, update of the IBE decryption key will be described with reference to FIG. First, the receiving terminal 20 requests the external auxiliary device 40 to generate an IBE decryption key dt at the time t as a new IBE decryption key (S201). The external auxiliary device 40 that has received the request requests the receiving terminal 20 for the IBE public parameter pk1 of the receiving terminal 20 (S202). In response to the request from the external auxiliary device 40, the receiving terminal 20 specifies the identification information Ui from the public information server 30 and requests the IBE public parameter pk1 (S203). In response to a request from the receiving terminal 20, the public information server 30 notifies the receiving terminal 20 of the IBE public parameter pk1 of the specified identification information Ui (S204). The receiving terminal 20 notifies the external auxiliary device 40 of the IBE public parameter pk1 of the identification information Ui notified from the public information server 30 (S205).

  The external auxiliary device 40 uses the IBE public parameter pk1 of the acquired identification information Ui, the time information, that is, the time point t, and the master key s that is the update key, and uses the IBE decryption key generation algorithm to create a new IBE decryption algorithm. An IBE decryption key dt at time t is generated as a key (S206). The update information generation unit 41 notifies the reception terminal 20 of the recipient of the identification information Ui of the generated IBE decryption key dt (S207). The receiving terminal 20 uses the new IBE decryption key dt notified from the external auxiliary device 40 and the arbitrary decryption key sk2 stored in the storage unit 24 in the receiving terminal 20, and uses the new decryption key { dt, sk2} is generated (S208). The receiving terminal 20 deletes the initial decryption key stored in the storage unit 24 in the receiving terminal 20, stores the newly generated decryption key {dt, sk2}, and updates the decryption key (S209).

  Next, encryption and decryption of the transmission information m will be described with reference to FIG. The case where the decryption key {dt, sk2} at the updated time t is stored in the receiving terminal 20 will be described. When transmitting the transmission information m to the receiving terminal 20, the transmitting terminal 10 first requests the public information {pk1, pk2} by specifying the identification information Ui from the public information server 30 (S301). The public information server 30 notifies the transmission terminal 10 of the public information {pk1, pk2} of the specified identification information Ui (S302).

  The transmission terminal 10 divides the plaintext transmission information m into IBE division information m1 and arbitrary division information m2 using secret sharing or the like (S303). The transmission terminal 10 selects the IBE random number r1 and the arbitrary random number r2 (S304). The transmitting terminal 10 obtains a hash value as a random number for stochastic encryption, and obtains IBE information (m1‖r1) including the IBE division information m1 and the IBE random number r1, the acquired IBE public parameter pk1, time information, and hash value Is used to create an IBE ciphertext c1 using the IBE encryption algorithm (S305). The transmission terminal 10 encrypts the arbitrary information (m2‖r2) including the arbitrary division information m2 and the arbitrary random number r2 by using the arbitrary public key pk2 and the hash value acquired from the public information server 30, and using an arbitrary encryption algorithm, An arbitrary ciphertext c2 is created (S306). Then, the transmission terminal 10 creates a transmission information ciphertext c including the created IBE ciphertext c1 and arbitrary ciphertext c2, and transmits it to the reception terminal 20 (S307).

  Receiving terminal 20 receiving transmission information ciphertext c requests public information server 30 for public information {pk1, pk2} (S308). The public information server 30 notifies the receiving terminal 20 of the public information {pk1, pk2} (S309). The receiving terminal 20 uses the IBE decryption key dt stored in the storage unit 24 in the receiving terminal 20 to decrypt the IBE ciphertext c1 included in the transmission information ciphertext c using the IBE decryption algorithm, and performs IBE division Information and an IBE random number {m1, r1} are obtained (S310). The receiving terminal 20 uses the arbitrary decryption key sk2 stored in the storage unit 24 in the receiving terminal, decrypts the arbitrary ciphertext c2 included in the transmission information ciphertext c by the arbitrary decryption algorithm, and arbitrarily splits the information Then, an arbitrary random number {m2, r2} is obtained (S311). The receiving terminal 20 restores the plaintext transmission information m from the obtained IBE division information m1 and the arbitrary division information m2 (s312).

  Next, determination of the decoding result will be described with reference to FIG. First, the receiving terminal 20 obtains a hash value as a random number for stochastic encryption. Then, the receiving terminal 20 uses the IBE public parameter pk1, time information, and hash value obtained from the public information server 30 as IBE information (m1１r1) including the IBE division information m1 and the IBE random number r1 obtained by decryption. The encrypted IBE cipher text c1 ′ is created by using the IBE encryption algorithm (S401). The receiving terminal 20 encrypts the arbitrary information (m2‖r2) including the arbitrary divided information m2 and the arbitrary random number r2 obtained by decryption using the arbitrary public key pk2 and the hash value acquired from the public information server 30. Encryption by the algorithm is performed, and an arbitrary ciphertext c2 ′ for determination is created (S402).

  The receiving terminal 20 determines whether or not the IBE ciphertext c1 matches the created determination IBE ciphertext c1 ′, and the arbitrary ciphertext c2 matches the created determination arbitrary ciphertext c2 ′. (S403). The receiving terminal 20 determines that the IBE ciphertext c1 and the determination IBE ciphertext c1 ′ match and the arbitrary ciphertext c2 and the determination arbitrary ciphertext c2 ′ match in step (S403). It is determined that the restored transmission information m is correctly encrypted and transmitted, and the transmission information m is output as a decryption result to the output unit 26 (S404). On the other hand, in step (S403), if any one of the IBE ciphertext c1 and the determination IBE ciphertext c1 ′ and the arbitrary ciphertext c2 and the determination arbitrary ciphertext c2 ′ does not match, it is determined that the decryption has failed. A failure notification is output to the output unit 26 (S405).

〔effect〕
According to such a communication system 1, transmission terminal 10, reception terminal 20, and communication method, the following effects can be obtained. According to the transmission terminal 10, the encryption unit 11 divides the transmission information m into IBE division information m1 and arbitrary division information m2. The encryption unit 11 uses the IBE public parameter pk1 and time information to encrypt the IBE division information m1 with the IBE encryption algorithm to create the IBE ciphertext c1, and encrypts the arbitrary division information m2 with the arbitrary public key pk2. An arbitrary ciphertext c2 is created. Then, the communication unit 14 transmits the transmission information ciphertext c including the IBE ciphertext c1 and the arbitrary ciphertext c2.

  Further, according to the receiving terminal 20, the communication unit 25 receives the transmission information ciphertext c including the IBE ciphertext c1 and the arbitrary ciphertext c2. The decryption determination unit 23 decrypts the IBE ciphertext c1 with the IBE decryption key and the arbitrary ciphertext c2 with the arbitrary decryption key sk2, respectively, to obtain the IBE split information m1 and the arbitrary split information m2. Then, the decoding determination unit 23 restores the transmission information m from the IBE division information m1 and the arbitrary division information m2. Further, the update unit 22 updates the IBE decryption key.

  Therefore, according to the communication method using the transmission terminal 10, the reception terminal 20, the transmission terminal 10 and the reception terminal 20, and the communication method using the communication system 1, an arbitrary IBE encryption algorithm and an arbitrary public key cryptosystem It is possible to provide a key-separated encryption method that can be realized by using the above and that has an unlimited leakage threshold value based on the difficulty of various mathematical problems. In addition, since the transmission terminal 10 performs encryption using the IBE public parameter pk1 and time information, it is possible to realize a key-separated encryption method that does not require exchange of information about the key with the reception terminal 20 before transmission of transmission information. Such a key-separated encryption method can mathematically prove its safety, and even an attacker who has obtained the master key s cannot always perform unauthorized decryption of the transmitted information ciphertext c. . Then, the transmission terminal 10 can perform encryption by such a key isolation type encryption method. The receiving terminal 20 can decrypt the transmission information ciphertext encrypted by such a key isolation type encryption method. Further, according to the communication method, it is possible to provide an encryption method using such a key-separated encryption method and a method for decrypting a transmission information ciphertext encrypted using such a key-isolated encryption method.

  For example, a key-separated encryption method based on a quadratic surplus problem on a composite number ring such as the IBE of the Cocks method has not been proposed so far, but the Cocks method is selected as an IBE and an arbitrary public key encryption method is arbitrary. By selecting this public key cryptosystem, it is possible to realize a key isolation type cryptosystem based on the quadratic surplus problem on the composite number ring. In addition, for example, it is possible to realize a key isolation type encryption method using the BF method (BF01) as IBE and the ElGamal method (ELG85) as an arbitrary public key encryption method.

  The present invention is not limited to the above embodiment. For example, in the above embodiment, the encryption unit 11 divides the transmission information m into two pieces of division information, but may divide the transmission information m into more pieces of division information. The transmission terminal 10 can also function as a reception terminal by providing the function of the reception terminal 20 shown in FIG. 1, and the reception terminal 20 can also function as a transmission terminal by having the function of the transmission terminal 10 shown in FIG. Can also function.

1 is a block diagram showing a communication system according to an embodiment of the present invention. It is a sequence diagram which shows the procedure of the production | generation of the public information which concerns on embodiment of this invention, a master key, an IBE decoding key, and arbitrary decoding keys. It is a sequence diagram which shows the procedure of the update of the IBE decryption key which concerns on embodiment of this invention. It is a sequence diagram which shows the procedure of the encryption and the decoding which concern on embodiment of this invention. It is a flowchart which shows the procedure of the determination of the decoding result which concerns on embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Communication system 10 Transmission terminal 11 Encryption part 12 Storage part 13 Input part 14 Communication part 20 Reception terminal 21 Generation part 22 Update part 23 Decryption determination part 24 Storage part 25 Communication part 26 Output part 30 Public information server 31 Control part 32 Public Information database 33 Communication unit 40 External auxiliary device 41 Update information generation unit 42 Storage unit 43 Communication unit 50 Network

Claims (9)

The transmission information is encrypted using an identification information public parameter generated by an identification information encryption method public key generation algorithm and an arbitrary public key different from the identification information public parameter. A dividing means for dividing the information into division information;
The identification information division information is encrypted using the identification information public parameter and the time information by the encryption algorithm of the identification information encryption method to create an identification information ciphertext, and the arbitrary division information is generated using the arbitrary public key. Encryption means for encrypting and creating arbitrary ciphertext;
A terminal device comprising: transmission means for transmitting a transmission information ciphertext including the identification information ciphertext and the arbitrary ciphertext to the receiving terminal.   The encryption means selects an identification information random number for the identification information division information and an arbitrary random number for the arbitrary division information, and uses the identification information division information and the identification information random number as the identification information disclosure parameter and time information. The terminal device according to claim 1, wherein the terminal device is encrypted by the identification information encryption algorithm using the key, and the arbitrary division information and the arbitrary random number are encrypted using the arbitrary public key.   The encryption means inputs the transmission information, the identification information division information, the arbitrary division information, the identification information random number and the arbitrary random number into a hash function to obtain a hash value, and obtains the identification information division information and the identification information. A random number is encrypted by the identification information encryption algorithm using the identification information public parameter, time information and the hash value, and the arbitrary division information and the arbitrary random number are encrypted using the arbitrary public key and the hash value. The terminal device according to claim 2, wherein: The identification information ciphertext encrypted by the encryption algorithm of the identification information encryption method using the identification information disclosure parameter and time information generated by the public key generation algorithm of the identification information encryption method and the identification information public parameter are different. Receiving means for receiving a transmission information ciphertext including an arbitrary ciphertext encrypted using an arbitrary public key;
The identification information ciphertext is decrypted using an identification information decryption key corresponding to the identification information public parameter to obtain identification information division information, and the arbitrary ciphertext is decrypted using an arbitrary decryption key corresponding to the arbitrary public key. Decoding means for restoring transmission information from the identification information division information and the arbitrary division information,
A terminal device comprising: update means for updating the identification information decryption key.   The identification information division information is encrypted by the encryption algorithm using the identification information disclosure parameter and time information to create a determination identification information ciphertext, and the arbitrary division information is encrypted using the arbitrary public key. An arbitrary ciphertext for determination is created, whether or not the identification information ciphertext and the determination identification information ciphertext match is determined, and whether or not the arbitrary ciphertext and the determination arbitrary ciphertext match The terminal device according to claim 4, further comprising determination means for determining whether or not.   6. The terminal device according to claim 4, wherein the updating unit updates the identification information decryption key by using a master key used for generating the identification information decryption key as an update key. A communication system comprising a transmitting terminal that transmits transmission information and a receiving terminal that receives the transmission information,
The transmission terminal uses an identification information division information for encrypting the transmission information using an identification information public parameter generated by a public key generation algorithm of an identification information encryption method, and an arbitrary public key different from the identification information public parameter. Division means for dividing into arbitrary division information to be encrypted using;
The identification information division information is encrypted using the identification information public parameter and the time information by the encryption algorithm of the identification information encryption method to create an identification information ciphertext, and the arbitrary division information is generated using the arbitrary public key. Encryption means for encrypting and creating arbitrary ciphertext;
A transmission means for transmitting a transmission information ciphertext including the identification information ciphertext and the arbitrary ciphertext to the receiving terminal;
The receiving terminal receives the transmission information ciphertext; and
The identification information ciphertext is decrypted using an identification information decryption key corresponding to the identification information public parameter to obtain identification information division information, and the arbitrary ciphertext is decrypted using an arbitrary decryption key corresponding to the arbitrary public key. Decoding means for restoring transmission information from the identification information division information and the arbitrary division information,
A communication system comprising: update means for updating the identification information decryption key. The transmission information is encrypted using an identification information public parameter generated by an identification information encryption method public key generation algorithm and an arbitrary public key different from the identification information public parameter. Dividing into pieces of division information;
Encrypting the identification information division information using the identification information disclosure parameter and time information by an encryption algorithm of the identification information encryption method to create an identification information ciphertext;
Encrypting the arbitrary division information using the arbitrary public key to create an arbitrary ciphertext;
Transmitting a transmission information ciphertext including the identification information ciphertext and the arbitrary ciphertext to the receiving terminal. The identification information ciphertext encrypted by the encryption algorithm of the identification information encryption method using the identification information disclosure parameter and time information generated by the public key generation algorithm of the identification information encryption method and the identification information public parameter are different. Receiving a transmission information ciphertext including an arbitrary ciphertext encrypted using an arbitrary public key;
Decrypting the identification information ciphertext using an identification information decryption key corresponding to the identification information public parameter to obtain identification information division information;
Decrypting the arbitrary ciphertext using an arbitrary decryption key corresponding to the arbitrary public key to obtain arbitrary divided information;
Restoring transmission information from the identification information division information and the arbitrary division information;
And a step of updating the identification information decryption key.

Images