JP2680426B2 - Authentication method - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION [Industrial field of application] The present invention is directed to authentication of the other party (for example, authenticating that the other party of the telephone is who he / she wants to speak), personal authentication (for example, that The present invention relates to an authentication system such as a person or another person who authenticates the person himself / herself) and data authentication (a person who authenticates that the data is correct).

[Prior Art] Fig. 2 shows "Zero-knowledge proof that proves to hold a black box" by Tatsuaki Okamoto and Kazuo Ota (Source: Symposium on Cryptography and Information Security, 1989, February 2, 1989).
It is a block diagram of the authentication system which implement | achieves the conventional authentication method shown by (Sunday-February 4).

In the figure, 1 is a random number generator that generates a random number by the operation of a decryption person, 2 is a decryption side memory that stores random numbers generated by the decryption person and data sent from a confirmer, and 3 is possessed by the decryption person A decryption device for the cipher to be decrypted, 4 is an arithmetic unit for operating the function f by the operation of the decrypter, 5 is a communication line for exchanging data between the confirmer and the decrypter, and 6 is a random number by the confirmer's operation A random number generator that generates a random number generator, 7 is a confirmer side memory that stores random numbers generated by a confirmer and data sent from a decrypter, 8 is a cryptographic encryption device to be decrypted, and 9 is a confirmer operation A decryption device 10 is composed of the random number generator 1, the memory 2, the decryption device 3 and the operation device 4, which is an operation device for performing the operation of the function f. The random number generator 6, the memory 7, the encryption device 8 and the operation device The device 9 constitutes the confirmer side device 11.

 Next, the operation will be described.

As a pre-authentication procedure, a non-separable pseudo-random function f is prepared for the encryption function E of the cipher to be decrypted.

Step 1: The decryptor randomly uses a random number generator 1 to a ∈ Dom
(F) is selected and stored in the memory 2, and the random number a is sent to the confirmer via the communication line 5 (where Dom (f)
Represents the domain of function f).

Step 2: The confirmer randomly generates a plaintext p using the random number generator 6 and stores it in the memory 7.

Step 3: The confirmer calls the plaintext p stored in the memory 7,
The ciphertext c = E (p) encrypted by the cipher cipher 8 to be decrypted and d = f (pa) using the calculator 9 of the function f are stored in the memory 7 and authenticated. The data D = (c, d) is sent to the decryption person via the communication line 5.

Step 4: The decryption person is the first person of the authentication data sent from the confirmer.
The cipher text c which is the component is deciphered by using the deciphering device 3, and the deciphered text E ⁻¹ (c) = q is obtained and stored in the memory 2.

Step 5: The decryption person calls the random number a stored in the memory 2, the decrypted text q, and the second component d of the authentication data, and using the arithmetic unit 4 of the function f, d = f (qa) Check if it holds. If it is satisfied, go to the next step 6, otherwise stop the operation.

Step 6: The decryptor sends the decrypted text q to the confirmer via the communication line 5.

Step 7: The confirmer calls the plaintext p stored in the memory 7 and checks whether or not p = q holds. If so, authenticate the decrypter as legitimate, otherwise do not authenticate.

[Problems to be Solved by the Invention] Since the conventional authentication method is performed as described above, the decrypter confirms that the confirmer surely knows the plaintext p and then directly asks the confirmer. By sending back the deciphered text, it is possible to prevent the deciphered text from being taught to an illegal decipher who does not know the plaintext p, and the deciphered person has no useful knowledge for the confirmer except that he / she has the deciphering ability. Authentication can be performed without leaking, but communication between the decipherer and the confirmer is required at least three times, and there is a problem that the number of communication can be further reduced and efficient authentication can be performed.
In the conventional method, like Rabin encryption, when there are multiple decrypted sentences for one ciphertext, it cannot be used directly,
There has been a need for an authentication method that can perform decryption authentication for a cipher whose encryption function is many-to-one.

The present invention has been made to solve the above problems, and it is possible to reduce the number of communications and perform efficient authentication, and, like Rabin encryption, an encryption function having a many-to-one encryption function. The purpose is to obtain an authentication method that can perform the decryption authentication of.

[Means for Solving the Problem] In the authentication method according to the present invention, a random number generating means for randomly generating a plaintext p on the confirmer side, and an encryption for encrypting the generated plaintext p with an encryption function E Means and the condition that, with respect to the encryption function E, E and F are quantitatively independent and it is difficult to obtain E (X) to F (X) and F (X) to E (X). And a calculation means for calculating a function F satisfying the above condition. The decryption side is provided with a decryption means for the cipher to be decrypted and a calculation means for calculating the function F. The incoming ciphertext is deciphered by the deciphering means, the deciphered text is enciphered by the arithmetic means of the function F and sent back to the confirmer, who verifies the plaintext p generated by the random number generating means by the arithmetic operation of the function F. The data obtained by calculating with the means and the data sent from the decryption person In which it was to be more perform authentication.

[Operation] In the authentication method according to the present invention, since the decrypted text is further encrypted and sent to the confirmer, it is possible to prevent the decrypted text from being taught to an unauthorized decrypter who does not know the plaintext p. Other than having the ability to decrypt, authentication can be performed without leaking any useful knowledge to the confirmer, and communication between the decrypter and the confirmer only needs to be performed twice, which enables more efficient authentication than the conventional method. It is also possible to perform the decryption authentication of the encryption such as the Rabin encryption having the many-to-one encryption function.

Embodiment An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing an authentication system according to an embodiment of the present invention. In the figure, 101 is a random number generator for generating a random number by the operation of the decryption person, 102 is a decryption side memory for storing the random number generated by the decryption person and data sent from the confirmer, and 103 is possessed by the decryption person. A decryption device for the cipher to be decrypted, 104 is an arithmetic unit for performing the operation of the function F by the operation of the decryption person, 105 is a communication line for exchanging data between the confirmer and the decrypter, and 106 is a random number depending on the operation of the confirmer. , A random number generator for generating 107, a confirmer side memory for storing the random number generated by the confirmer and the data sent from the decrypter, 108 an encryption cipher for decryption, and 109 for the confirmer's operation. A random number generator 101, a memory 102, a decryption device 103, and an arithmetic device 104 constitute a decryption side device 110, which is a calculation device for performing a calculation of a function F. The random number generator 106, the memory 107,
The verifier side device 111 is configured by the encryptor 108 and the calculator 109. Here, the function F is easy to calculate the following three conditions (1) F with respect to the encryption function E of the cipher to be decrypted.

(2) E and F are computationally independent, that is, it is difficult to extract all information about X from E (X) and F (X).

(3) E (X) to F (X) and F (X) to E (X)
Is difficult to find unless you know X.

Is a function that satisfies.

 Next, the operation will be described.

Step 1: The confirmer randomly generates a plaintext p using the random number generator 106 and stores it in the memory 107.

Step 2: The confirmer calls the plaintext p stored in the memory 107 and sends the ciphertext c = E (p) encrypted by the cipher cipher 108 to be decrypted to the decrypter via the communication line 105. .

Step 3: The decryptor decrypts the ciphertext c sent by the confirmer.
Decryption is performed using 103, and a decrypted text E ⁻¹ (c) = {p ₁ , ..., P _k } is obtained and stored in the memory 102. If the ciphertext c sent from the confirmer is undecipherable, the random number generator 10
1 is used to randomly generate k dummy sentences, and these are stored in the memory 102 as {p ₁ , ..., P _k }.

Step 4: The decryptor calls the decrypted sentence (or dummy sentence) {p ₁ , ..., P _k } stored in the memory 102, and d _i = F (p _i ) using the operator 104 of the function F , (I = 1, ..., K) is calculated, and the decoded text data D = {d ₁ , ..., D _k } is sent to the confirmer via the communication line 105.

Step 5: The confirmer stores the decrypted text data D sent from the decryptor in the memory 107.

Step: The confirmer uses the calculator 109 of the function F to calculate d = F (p).

Step 7: The confirmer calls the decrypted text data D stored in the memory 107 and confirms whether dεD. If dεD, the verifier authenticates the decrypter as valid, and otherwise does not.

Actually, there are various cryptographic encryption functions E known at present. For example, as F for each of them, the following well-known function F ₁ [m, n] (X) = X ^m This can be realized by appropriately taking the parameters [m, n] and [α, p] with either function of mod n F ₂ [α, p] (X) = α ^x mod p.

[Effects of the Invention] As described above, according to the present invention, since the decrypted text is further encrypted and sent to the confirmer, it is possible to teach the decrypted text to an unauthorized decrypter who does not know the plaintext p. It can be prevented, and the decrypter can authenticate without leaking any useful knowledge to the confirmer, except that it has the ability to decrypt, and the communication between the decrypter and the confirmer is only required twice. There is an effect that more efficient authentication can be performed, and decryption can be performed for a cipher whose encryption function is many-to-one like Rabin encryption.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an embodiment of the present invention, and FIG. 2 is a block diagram showing a conventional example. 101 and 106 are random number generators (random number generating means), 102 and 107 are memories, 103 is a deciphering device (decoding means), 104 and 109 are computing units (computing means), 105 is a communication line, 108 is an encrypting device (encoding means),
110 is a decryption device and 111 is a confirmation device.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (56) References Japanese Patent Laid-Open No. Hei 2-195743 (JP, A) Koyama “Safe and Efficient Protocol Proving that Public Key Cryptography Can Be Decrypted” IEICE Transactions D- ▲ I ▼, Vol. J72-D- ▲ I ▼, No. 4, P.I. 301-307 Sakurai "Interactive proof and Dummy Response" IEICE technical research report ISE89-23

Claims (1)

(57) [Claims] 1. An authentication system in which a decrypter having a decryption ability with respect to a cipher used for partner authentication, personal authentication, data authentication, etc., authenticates to a confirming party who is a communication partner that the decryptor has the decryption ability. At the confirmer side, a random number generating means for randomly generating a plaintext, an encryption means for encrypting the generated plaintext with an encryption function E, and E and F are measured with respect to the encryption function E. And a means for calculating a function F satisfying the condition that it is difficult to obtain F (X) from E (X) and E (X) from F (X). In addition, the decryption means for decrypting the cipher to be decrypted and the operation means for computing the function F are provided, and the decrypter decrypts the ciphertext sent from the confirmer by using the decryption means, and Confirmed by encrypting using the calculation means of function F Sent back, the verification party authentication scheme and performing authentication by the data sent plaintext generated by the random number generating means and calculating to obtain been found out data by the arithmetic means of the function F from decryption person.