JP2006109244A - Encryption key sharing method and encryption key sharing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a group key sharing method and apparatus which enable a third person to detect, based on information flowing on a communication path, whether or not a parameter resulting from encrypting a group key is surely distributed to all users in a group completely without using private information of the group key or private keys of members of the group. <P>SOLUTION: An encryption key sharing method is characterized in that, in a key sharing system for a key creator to allow recipients to share a group key for encryption communication, the third person can verify, based on information flowing on the communication path, whether or not group key distribution is normally carried out, completely without using the private information of the group key or the private keys of members of the group. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a group key sharing method and apparatus that can be detected by a third party.

A common key cryptosystem in which both communicators share a secret key has a long history and is widely used in general. However, communicators must first exchange the common key. Therefore, a public key cryptosystem represented by RSA cryptography is used for exchanging the common key. The RSA cipher is based on the difficulty from the viewpoint of computational complexity of prime factorization, but the Diffie-Hellman problem (hereinafter referred to as the DH problem) is used for the cipher based on the computational difficulty as well. There is public key cryptography.
Examples of the DH problem include a DH determination problem, a DH calculation problem, a DH gap problem, and a bilinear DH problem.
When configured to satisfy the feature of elliptic curve pairing, the DH calculation problem and the bilinear DH problem are difficult, but the DH decision problem has the property of being easily solved. This is called the DH gap problem.

Specifically, the DH calculation problem and the DH determination problem can be expressed as the following (a) to (e).
(A) Let P be a point on an elliptic curve E represented by Y ^ 2 = X ^ 3 + αX + β (modT) (where T is a prime number).
(B) Let q be the number of elements in the subgroup generated using P as a generator.
(C) Both a and b are elements of Zq.
(D) Under the assumptions (a) to (c) above, when P, aP, bP, T, α, and β are given, finding an element on the elliptic curve E called abP is a DH calculation problem. Become.
(E) It is a DH determination problem to determine whether X = abP is satisfied when X, aP, bP, T, α, β are given under the assumptions of (a) to (c) above. It is.
Regarding the DH problem
Has a detailed description. Also, assuming that the subgroup generated by P is G1 and the circulation group having the same order q is G2 under the assumptions of (a) to (c) above, the elliptic curve of G1 × G1 → G2 The bilinear pairing e (,) satisfies the property of the following formula (i). e (aP, bP) = e (P, abP) = e (P, P) ^ ab (i) For the elliptic curve and its characteristics Has a detailed description. In addition, when sharing a group key according to the prior art, the key generator creates an encryption key using a public key cryptosystem represented by RSA encryption and the like, and sends an encrypted group key to each user. The format will be distributed. Even in the conventional method, by using a public key cryptosystem or a hash function, it is possible for the key generator or the user to detect that a valid parameter has been distributed to all. However, it is impossible for a third party to detect without using confidential information.

Alfred. Menezes, Paul C. van Oorschout, Scott A. Vanstone’Handbook of Applied Cryptography ’, 1997 CRC Press, Inc., pp113-114, pp515-524, ISBN: 0-8493-8523-7 Lawrence C. washington, 'ELLIPTIC CURVES', 2003, CHAPMAN & HALL / CRC, ISBN: 1-58488-365-0

When communicating in a specific group so that external people do not know the communication contents, a group key shared by all group members is required. For example, in the case of FIG. 1 described later, each user (30 to 32) must hold the same key.
Until now, there has been no means for confirming whether the group key is shared or not from the outside. Because it is necessary to know the group key or the user's private key from the outside in order to confirm that the group key is surely delivered to everyone, the group key known to the outside person is the appropriate group key. This is because the secret key cannot be disclosed, and all secret information is disclosed. Therefore, in the past, a trusted third party or a group key created by one user in the group was used, but it is desirable that the third party also does not know the group key. Further, as described later, when one user in the group generates a key, even if the key generator deliberately does not send the key to a specific user, it cannot be detected.

If a group key is shared within a specific group and some damage occurs, the key generator intentionally did not send the correct parameters to the specific user. It is not possible to determine whether it was not received because of a problem with the key, or whether the key recipient was false. Therefore, it was impossible to determine who was responsible for the damage. Therefore, when a problem occurs in the use of the group key, there is a problem that an external person cannot determine the responsibility of the problem. It is possible to prove that a specific person is not responsible by using a public key cryptosystem, but it is not possible to determine who is responsible. Even if the key generator is a trusted third party, this problem cannot be solved. At present, when such a problem occurs, there is no choice but to establish a mediator.
In the present invention, the above problem is solved, and whether a parameter that can be converted into a group key is surely distributed to all users in the group is determined based on information that a third party flows on the communication path. It is an object of the present invention to provide a group key distribution method and apparatus capable of detecting without using any secret information of a key or a secret key of a group member.

The above problems are solved by the following inventions 1) to 4).
1) In a key distribution method in which a key generator distributes parameters to all users in a group and shares the same group key, the secret information of the group key or the group member based on the information flowing on the communication path A key sharing method characterized in that a third party can verify whether the parameter is a value that can be converted into a group key without using any secret key.
2) The encryption key sharing method according to 1), wherein pairing characteristics on an elliptic curve are used.
3) Let P be a point on an elliptic curve, and the order of a subgroup with P as a generator be q, and a user Ai (i is a natural number from 1 to n) in a certain group has a public key Vi = SiP and a secret, respectively. In the case of having the key Si, a means for generating a random number r, a means for the key generator to send rVi to each user Ai, and each user Ai using each secret key Si, rP or e (p, p) ^ By calculating r and using those parameters as group keys, it is possible to verify that the distributed parameters are valid by calculating e (rSiP, SnP) = e (SnP, SiP). The encryption key sharing method according to 2), characterized in that the encryption key sharing method is provided.
4) An apparatus capable of carrying out the encryption key distribution method according to any one of 1) to 3) including at least a key generation unit, a key acquisition unit, and a key verification unit.

Hereinafter, the present invention will be described in detail.
Various means for realizing the present invention are conceivable, but means using pairing on the elliptic curve and the DH gap problem is preferable.
FIG. 1 is an overall configuration diagram schematically showing components when implementing the key sharing method of the present invention. In this figure, each user A1 to An within a group of n members has a key acquisition device, a key generator has a key generation device, and a key verifier has a key verification device. Users in the group may generate keys.
The key generator sends a parameter to each user to cause each user to share a specific group key, and the key verifier verifies that the parameter is indeed shared.

In FIG. 1, members Ai (i is a natural number of 1 to n) in the group have a secret key Si and a public key Vi = SiP, respectively. These keys are the following (a) to (c): It has the following features.
(A) Let P be a point on an elliptic curve E represented by Y ^ 2 = X ^ 3 + αX + β (modT) (where T is a prime number).
(B) Let q be the number of elements in the subgroup generated using P as a generator.
(C) Si is an element of Zq.
For the pairing operation e (,), the same definition as described in the background art section is used.

The following (1) to (12) are specific key sharing procedures.

2, 3, and 4 are block diagrams of the key generation, acquisition, and verification devices, and FIGS. 5, 6, and 7 are flowcharts corresponding to these devices, respectively.
In each procedure (1) to (12), the position of the device in the block diagram is shown in the sentence, and the position in the flowchart is shown in parentheses.


(1) In FIG. 2, the key generation device 110 receives group member information from the input device 111.
(2) In FIG. 2, the key generation device 110 creates a random number r that is a source of the group key in the random number generation device 113. (In FIG. 5, this corresponds to S121)
(3) In FIG. 2, the key generation device 110 calculates distribution parameters using the public keys for the users A1 to An by the key generation device 114 and the parameter generation device 115, and outputs the output device 116 in FIG. Send from. (In FIG. 5, it corresponds to S123 and S124)
Specifically, a numerical value of rVi is used as the distribution parameter.
(4) In FIG. 3, each user's key acquisition device 210 receives a distribution parameter from the input device 211. (In FIG. 6, this corresponds to S221)
(5) In FIG. 3, each user's key acquisition device 210 calculates a group key k from the distribution parameters in the arithmetic device 212. The calculation method varies depending on the selected method, but in any case, it is performed using its own secret key Si. Specifically, k is obtained as follows. (In FIG. 6, this corresponds to S223)
(A) k = rVi × Si ^ −1 = rSiP × Si ^ −1 = rP
(B) k = e (rVi, P) ^ (1 / Si) = e (rP, P) ^ (Si × 1 / Si)
= E (rP, P)
The area that the value of (b) can take is G1, and the area that the value of (b) can take is G2, but either can be used.

(6) Each user holds k acquired in the previous step as a group key candidate and waits for a verification result.
(7) In FIG. 4, the verification device 310 receives group member information from the input device 311 in advance.
(8) The verification device 310 in FIG. 4 observes the distribution parameter sent to each user that has flowed on the communication path by the parameter acquisition device 312. (In FIG. 7, this corresponds to S321)
(9) The verification device 310 of FIG. 4 verifies whether or not the distribution parameters of all the users are correctly distributed in the arithmetic device 313 using the distribution parameters and the public key of each user as follows. . (In FIG. 7, it corresponds to S322 and S323)
That is, in order to check whether the group keys distributed to two users are the same, a pairing calculation is performed on the distribution parameters of one user and the public key of the other communicator. Verify whether the following equation (ii) holds.
e (rSiP, SnP) = e (SnP, SiP) (ii)
(10) If the verification result in FIG. 4 shows that the key generation is correct, the verification device 310 notifies the users Ai to An and the key generator that the output device 314 was correct. (In FIG. 7, it corresponds to S324 and S326)
(11) If there is a problem in key sharing as a result of the verification, the verification apparatus 310 in FIG. 4 notifies the user who received the problematic parameter from the output apparatus 314 to the user Ai and the key generator. (In FIG. 7, it corresponds to S325 and S326)
(12) In FIG. 3, each user's key acquisition device 210 receives the verification result from the input device 211, and outputs the group key k shared from the output device 213 if the verification is correct. If not correct, the cause of the problem from the output device 213 is output.

By using the above means, regarding group key sharing, fraud such as claiming that the damage caused by the negligence of the party is a parameter distribution error or trying to cause damage without sending the group key to a specific party, It is possible to detect when there is a problem in information transmission. Even if the third party is not a trusted third party, a group key can be generated within the group, and secret information about the group key is not leaked to a third party who verifies the key.
The reason why such an effect is obtained will be described. The parameters of the key verifier are the public keys V1 to Vn of the users in the group and the distribution parameters rV1 to rVn. I can't ask for it. This is because obtaining these values becomes a DH calculation problem and a bilinear DH problem, and there is no efficient calculation method. However, confirming whether or not the equation (9) above, e (rSiP, SnP) = e (SnP, SiP), is a DH decision problem, and by using an elliptic curve pairing calculation, Calculation is easy. Therefore, the key verifier can verify the key distribution without knowing the secret information of the group members' secret keys S1 to Sn and the group key r. Therefore, even if an incorrect parameter is sent to a specific partner, the key generator is verified, so that the correct parameter is distributed. In addition, each user cannot claim to be a distribution mistake as long as it is verified that the key verifier has correctly distributed.

According to the present invention, whether or not a parameter that can be converted into a group key has been distributed to all users in the group, based on the information that the third party flows on the communication path, the secret information of the group key or the group member It is possible to provide a group key distribution method and apparatus capable of detecting without using any secret key.
In addition, since the secret information about the group key is not leaked to a third party who verifies the group key, communication using the group key is possible even in a situation where a right problem or responsibility problem occurs.

The whole block diagram which showed schematically the component at the time of implementing the key distribution method of this invention. The block block diagram which shows an example of the key generation apparatus of this invention. The block block diagram which shows an example of the key acquisition apparatus of this invention. The block block diagram which shows an example of the key verification apparatus of this invention. The flowchart which shows the procedure of an example of the key generation apparatus of this invention. The flowchart which shows the procedure of an example of the key acquisition apparatus of this invention. The flowchart which shows the procedure of an example of the key verification apparatus of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 110 Key generation apparatus 111 Input apparatus 112 Arithmetic apparatus 113 Random number generation apparatus 114 Key generation apparatus 115 Parameter generation apparatus 116 Output apparatus 210 Key acquisition apparatus 211 Input apparatus 212 Operation apparatus 213 Output apparatus 310 Key verification apparatus 311 Input apparatus 312 Parameter acquisition apparatus 313 Arithmetic unit 314 Output unit S123 Parameter transmission (corresponding to S221 and S321)
S221 Parameter reception (corresponding to S123, S321)
S321 Parameter reception (corresponding to S123, S221)
S326 Verification result transmission, (corresponding to S223)
S223 Verification result reception (corresponding to S326)

Claims (4)

  In a key distribution method in which a key generator distributes parameters to all users in a group and shares the same group key, the secret information of the group key or the secret of the group member is based on the information flowing on the communication path. An encryption key sharing method characterized in that a third party can verify whether or not the parameter is a parameter that can be converted into a group key without using any key.   2. The encryption key distribution method according to claim 1, wherein pairing characteristics on an elliptic curve are used.   Let P be a point on an elliptic curve, and the order of a subgroup with P as a generator be q, and a user Ai (i is a natural number from 1 to n) in a certain group will have a public key Vi = SiP and a secret key Si, respectively. , A means for generating a random number r, a means for the key generator to send rVi to each user Ai, and each user Ai using the secret key Si for rP or e (p, p) ^ r Means that can be calculated by calculating e (rSiP, SnP) = e (SnP, SiP) that a distributed parameter can be converted into a group key by calculating and using those parameters as a group key. 3. The encryption key sharing method according to claim 2, further comprising: The apparatus which can implement the encryption key sharing method in any one of Claims 1-3 provided with the key generation means, the key acquisition means, and the key verification means at least.

Images