JP3321428B2 - Non-deposited key recovery method, device thereof, and program recording medium - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a non-deposited key recovery method for recovering a key in a cryptographic system without depositing a decryption key or information from which a decryption key can be derived to a trusted third party. In particular, a user who performs encryption / decryption attaches information from which a decryption key can be derived to the ciphertext E at the time of encryption as key recovery information, and the key recovery organization uses the key recovery means based on the key recovery request. The present invention relates to a non-deposited key recovery method for recovering a decryption key from the key recovery information.

[0002]

2. Description of the Related Art Currently, a common key cryptosystem and a public key cryptosystem are well known as cryptosystems in a cryptosystem. In the common key cryptosystem, the encrypting person and the decrypting person encrypt and decrypt using the same key. To store important information using this method, a common key is generated from a password or the like, and the information is encrypted using this as a cryptographic key. To obtain the original information, decryption is performed using the same key used for encryption as a decryption key.

In the public key cryptosystem, a user holds a private key and a public key in advance as his / her own key. The public key is widely disclosed, and the private key is kept secret by the user himself and must not be leaked to others. To encrypt and store important information using this method, the information is encrypted and stored using the user's own public key as an encryption key. To get the original information,
Decrypt using its own private key as a decryption key.

However, if the decryption key is lost or damaged due to carelessness or accident, there is a problem that the encrypted information cannot be decrypted. In a company, an encryption system is used to securely store confidential information such as transaction information. However, losing a decryption key makes recovery of confidential information impossible, which seriously impairs corporate activities. For this reason, a key recovery method has been proposed as a method that enables key recovery. Key recovery systems are roughly classified into a deposit type in which the key itself is deposited with a key recovery organization, and a non-deposit type in which the key is not deposited. As the former method, Nortel E
ntrust has been proposed, and as the latter method, TIS Reco
verKey and IBM SecureWay have been proposed.

In the non-deposited key recovery method, information from which a decryption key can be derived is attached to key recovery information, and a key recovery organization retrieves the decryption key from the key recovery information to recover the key. However, if the key recovery information is not created correctly due to carelessness or accident, key recovery becomes impossible. It is also conceivable that the key recovery information is not created correctly due to a user's misconduct. This can be as severe as losing a decryption key. For this reason, it is necessary for a company or the like to verify whether a third party can correctly recover the decryption key from the key recovery information, and the non-deposited key recovery method generally has a verification method.

[0006]

[Problems to be solved by the invention] In TIS RecoverKey,
At the time of encryption, the information necessary to create key recovery information
Encrypt with the public key of the decryptor and attach it to the ciphertext as verification information. At the time of decryption, information necessary to create key recovery information is extracted from the verification information, the key recovery information is reconstructed, and compared with the key recovery information attached to the ciphertext to verify whether they are the same. . However, this method has a problem that only the decryption person can verify the key recovery information, and cannot be verified by a third party.

[0007] Eric R. Verheul et al. Have proposed a Binding ElGamal method that allows verification by a third party (Bi
nding ElGamal: A Fraud-Detectable Alternative to K
ey-Escrow Proposals, Eric R. Verheul, Henk CA
van Tilborg, EUROCRYPT'97, LNCS 1233, 1997). However, this method has a problem that the total size of information (key recovery information and verification information) attached to the ciphertext is large.

On the other hand, NTT's Abe and Kanda et al. Have proposed a key escrow system suitable for real-time monitoring that verifies that key recovery is possible in a key escrow system (key escrow system suitable for real-time monitoring). , Masayuki Abe, Masatoshi Kanda, SCIS'98-5.2.
D, Jan, 1998, and related patents are ciphered broadcasting method, apparatus and program storage medium, Japanese Patent Application No. 10-012957, NTT serial number NTTH0971.
14). However, this method cannot be directly applied to the non-deposited type. Further, in this method, there are a ciphertext 1 and its attached information 1 (key recovery information, verification information), a ciphertext 2 and its attached information 2, and the attached information 2 is attached to the ciphertext 1, If the attached information is exchanged and stored, for example, the attached information 1 is attached to 2, there is a problem that the verification succeeds successfully even though the key is not correctly recovered.

According to the present invention, in order to solve these problems, a third party can verify whether the decryption key can be correctly recovered from the key recovery information, and the total size of the attached information attached to the ciphertext is small. It is another object of the present invention to realize a non-deposited key recovery method that can verify whether attached information is attached to a corresponding cipher text.

[0010]

Means for Solving the Problems Let p be a large prime number and q
Is a divisible number of p-1, g is an element of the order q of the multiplicative group created by p, and p, g, and q are public information. Also,
It is assumed that the key recovery authority device has a secret key X and a public key Y = g ^X mod p. To encrypt the message M, the user first generates a random number t, calculates g ^t mod p, and sets the result to S. Using this S as an encryption key, the message M is encrypted to obtain a ciphertext E. The encryption procedure may use common key encryption such as FEAL or DES, or may use public key encryption such as ElGamal.

Next, key recovery information is created as follows.
G ^x mod p is calculated from the value x shared by the encrypting user and the decrypting user, and the result is defined as Y _x . Also,
(Y _x ) ^t = (g ^x ) ^t mod p is calculated from Y _x and the random number t, and the result is defined as G _x . Further, (Y) ^t = (g ^X ) ^t mod p is calculated from the public key Y of the key recovery authority device and the random number t,
_{Let the} result be _Gr . The G _x , G _r , and Y _x are used as key recovery information.

The value to be shared may be a passphrase shared by the encrypting person and the decrypting person. Further, in a situation where the encrypting person and the decrypting person can interact online, the values may be shared on the spot using a key agreement protocol, a public key encryption method, or the like. Next, verification information is created as follows. First, a random number r is generated, and (Y) ^r ,
(Y _x ) ^r is calculated, and the results are A1 and A2, respectively. Further, a result obtained by connecting A1 and A2 to the ciphertext E and applying the one-way function h is defined as c. Further, r-ct modq is calculated, the result is set as s, and c and s are set as verification information.

C = h ((Y) ^r ‖ (Y _x ) ^r ‖E) s = r−ct (mod q) A one-way function h is equal to A and B for two inputs A and B. H (A) = h (B), while A
Finding B such that h (B) equals h (A) when only given is a function that is computationally difficult. Examples of practical implementation of a function having such a property include MD5 and N-Hash, which are described in detail in Tatsuaki Okamoto and Hiroshi Yamamoto, “Modern Cryptography” (industrial book).

Finally, key recovery information and verification information are attached to the ciphertext. The following calculation is performed to verify whether the decryption key can be correctly recovered from the key recovery information. First, (Y)
^s (G _r ) ^c mod p, (Y _x ) ^s (G _x ) ^c mod p is calculated, and this and the ciphertext E are applied to the one-way function h to obtain h.
((Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x ) ^c ‖E) is calculated, and this value is compared with c in the verification information. _{^{This, (Y) s (G r}} ) c = (g X) (r-ct) (g Xt) c = g Xr = (g X) r = (Y) r (Y x) s (G x) ^c = (g ^x ) ^(r-ct) (g ^xt ) ^c = g ^xr = (g ^x ) ^r = (Y _x ) ^{r If} it is the same as c, it is considered that the decryption key can be correctly recovered.

For the user to decrypt, first, from the value x shared with the encrypted user and G _{x of the} key recovery information,
(G _x ) ^{1 / x} mod p is calculated, and the result is set as S. (G _x ) ^{1 / x} = (g ^xt ) ^{1 / x} = g ^t (mod p) The message M is obtained by decrypting the ciphertext E using this S as a decryption key. Before decrypting, verification as to whether the decryption key can be correctly recovered from the key recovery information may be performed by the above-described method. The user to decrypt is based on the public information p and q.
Since the secret key x and the public key Y _x = g ^x mod p are held, the verification may be performed using the public key Y _x in the above verification without including Y _{x in the} key recovery information. .

[0016] key recovery engine system is to recover the key, from G _r of the secret key X _r and key recovery information of key recovery institutions themselves, (G
_r ) Calculate ^{1 / X} mod p to obtain a decryption key as S. ( _Gr ) ^{1 / X} = (g ^Xt ) ^{1 / X} = g ^t (mod p) Even before the key is recovered, whether the decryption key can be correctly recovered from the key recovery information is verified by the above-described method. good.

[0017]

Embodiments of the present invention will be described below in detail with reference to the drawings. First Embodiment FIGS. 1 and 2 show a first embodiment. here,
Let p be a large prime number, q be a number divisible by p-1, and g
Is the element of the order q of the multiplicative group created by p, p, g, and q are public information. Further, it is assumed that the key recovery authority device 11 has a secret key X and a public key Y = g ^x mod p, and the user terminal B has a secret key x and a public key g ^x mod p.

FIG. 1 shows the overall configuration of this embodiment. The user terminal A sends the user terminal B an encrypted text with the key recovery information and the verification information attached. Encryption The user terminal A performs encryption according to the following procedure. 1. 1. Generate a random number t g ^t mod p is calculated, and the result with S 3. 3. Using S as an encryption key, encrypt message M to obtain ciphertext E. Create key recovery information. (A) Use Y _x as public key g ^x of user terminal B. (b) Calculate (g ^x ) ^t mod p from Y _x and random number t, and set the result as G _x ( c) Calculate (Y) ^t mod p from the public key Y of the key recovery authority device 11 and the random number t, and set the result to _Gr . (d) Use G _x , G _r , and Y _x as key recovery information. Create verification information (a) Generate random number r (b) Calculate (Y) ^r and (Y _x ) ^r and use the results as A1 and A2, respectively (c) A1, A2 and ciphertext E 5. The result of applying the one-way function h is set to c. (D) r-ct modq is calculated, and the result is set to s. (E) c and s are used as verification information. Finally, the key recovery information G _x , G _r , Y _x and the verification information c, s are attached to the cipher text E (see FIG. 2). The verification user terminal B correctly decrypts the key recovery information in the following procedure. Verify that the key can be recovered. 1. (Y) ^s (G _r ) ^c mod p, (Y _x ) ^s (G _x ) ^c
mod p is calculated, and this and the ciphertext E are applied to the one-way function h to obtain h ((Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x )
^c ‖E) was calculated, and the result with c '. 2. c ′ is compared with c in the verification information. If they are the same, it can be understood that the key can be recovered correctly. Decryption The user terminal B performs decryption in the following procedure. 1. It verifies with the verification information whether the user terminal A has correctly created the key recovery information. 2. 2. Calculate (G _x ) ^{1 / x} mod p from secret key x of user terminal B and G _{x of the} key recovery information, and set the result to S. Second Embodiment A second embodiment is shown in which a key is recovered in a system to which the first embodiment is applied, by using S as a decryption key and decrypting the ciphertext E to obtain a message M. Key Recovery The key recovery authority device 11 performs decryption in the following procedure. 1. It verifies with the verification information whether the user terminal A has correctly created the key recovery information. 2. Secret key X of key recovery authority device 11 and G _{r of} key recovery information
Then, (G _r ) ^{1 / X} mod p is calculated, and the result is a decryption key.

FIG. 3 shows a functional configuration example of the user terminal A on the encryption side. The memory 12 stores the public information p, q, g, the public key Y of the key recovery authority device 11, the secret information x shared with the user terminal B on the decryption side, and the like. Random number generator 1
3 from the random number t, r is generated, the encryption key S = g ^t mod p is generated by the encryption key generating section 14. The message M is encrypted by the encryption unit 15 using the encryption key S, and a ciphertext E is generated.

In the key recovery information generating section 16, Y_xGenerate
Y at part 17_x= G^xmod p is generated and G_xGenerator 18
And G_x= (Y_x)^tmod p is generated and G_rGenerator 19
And G _r= (Y)^tmod p is generated. Where Y_xIs profit
Since it is the public key of user terminal B, Y_xOmit generation unit 17
And Y stored in the memory 12_xMay be used. Verification
In the use information generation unit 21, A1 =
(Y)^rmod p is generated, and A2 = (Y
_x)^rmod p is generated, and the one-way function part 24 calculates c = h
(A1‖A2‖E) is calculated, and the generation unit 25 calculates s = r-ct.
 The modq is calculated, and the verification information s, c is obtained.

FIG. 4 shows a functional configuration example of the user terminal B on the decoding side. Public information p in the memory 31
1, a public key Y and a private key (shared information with the terminal A) x of the user terminal B are stored. In the verification unit 32, (Y _x ) ^s mod p is calculated in the exponentiation operation unit 33, (G _x ) ^c mod p is calculated in the exponentiation operation unit 34, and the product B1 = (Y _x) of the results of these exponentiation operations ) ^S · (G _x ) ^c mod p
Is calculated by the multiplication unit 35, and (G _r ) is calculated by the exponentiation operation unit 36.
^c mod p is calculated, and the exponentiation operation unit 37 calculates (Y) ^s mod
p is calculated, and the product B2 = (G
_r ) ^c · (Y) ^s mod p is calculated by the multiplier 38, c ′ = h (B1‖B2‖E) is calculated by the one-way function calculator 39, and the result c ′ is compared with c. The comparison is performed by the unit 41.

When c = c 'is detected by the comparing section 41, the key can be recovered, and the exponentiation section 42 calculates S = (G _x ).
^{1 / x} mod p is calculated, and the decryption unit 4
In step 3, the ciphertext E is decrypted, and the message M is obtained.
As can be understood from the above description, it is possible to verify that the decryption key can be correctly recovered from the key recovery information using only the ciphertext, the key recovery information, the verification information, and the public information. Verification by a third party other than the user and the key recovery organization, that is, a user who does not have the secret information x and X necessary for performing decryption and key recovery. The verification at the third-party user terminal may be performed in the same manner as the verification at the decrypting user terminal. In this case, the user terminal to be decrypted as key recovery information at the encrypting user terminal is disclosed. and to include a key Y _x, may or may not include, in the latter case, the third user device will be verified to obtain public information Y _x.

Each function of the user terminals A and B can be operated by decoding and executing a program by a computer.

[0024]

As described above, according to the present invention, it is possible to verify that the decryption key can be correctly recovered from the key recovery information only by using the ciphertext, the key recovery information, the verification information, and the public information. Verification by a third party is possible. Further, Y _x , G _x , and G _r mod p are stored in the key recovery information, and s and cm d q are stored in the verification information. The sizes of p and q are each 1024 bi considering the recent encryption strength.
t, 160 bits is common. Based on this, according to the present invention, in the case of the first embodiment, the total size of the key recovery information and the verification information is 3392 bits. On the other hand, Binding El
In the case of the Gamal method, the total is 5100 bits in the first embodiment.
Thus, the total size of the information attached to the cipher text can be reduced.

Further, by adding information about the cipher text to the verification information, it is possible to verify whether the attached information is attached to the corresponding cipher text.

[Brief description of the drawings]

FIG. 1 is a diagram showing a system configuration according to a first embodiment of the present invention.

FIG. 2 is a diagram showing a ciphertext format used in the first embodiment.

FIG. 3 is a diagram showing a functional configuration example of a user terminal A on the encryption side.

FIG. 4 is a diagram showing an example of a functional configuration of a user terminal B on the decoding side.

──────────────────────────────────────────────────続 き Continued on the front page (56) References A proposal for a key recovery system for enterprises, IEICE Technical Report, September 12, 1997, Vol. 97, No. 252, p. 55-62 (58) Field surveyed (Int. Cl. ⁷ , DB name) H04L 9/08 G09C 1/00 630 JICST file (JOIS)

Claims (20)

(57) [Claims] 1. A user terminal having encryption / decryption means.
Uses the information from which the decryption key can be derived as key recovery information,
Attached to the ciphertext E at the time of decryption, and the key recovery institution device receives the key recovery request based on the key recovery request.
Undeposited key that recovers the decryption key from the key recovery information
The recovery method is characterized by the following. Big element
Let p be the number, q be a number divisible by p-1, and g be p
, And p, g and q are public information
And the key recovery authority device is a secret key X and a public key Y = g^Xhave mod p
One thing. The encryption means of the user terminal is based on the encryption key creation process
Encryption process and key recovery information creation processWhat to do
RThe encryption key generation process includes a process of generating a random number t and g^tmod
calculating a p and obtaining an encryption key S. The encryption step encrypts the message M with the encryption key S
The key recovery information creation process comprises the steps of: obtaining a value x shared by the user terminal and the user terminal to be decrypted;
More g^xCalculate mod p and calculate the value Y_xAnd the process of obtaining_x, From the random number t (Y_x)^tCalculate mod p and calculate the value G_xTo
The process of obtaining, from the public key Y of the key recovery authority device and the random number t (Y)^tmod p
To calculate the value G_rAnd the value G_x, The above value G_rCreate key recovery information consisting of
Become with the process. 2. The non-deposited key recovery method according to claim 1,
And the following features. User terminal decryption means
Defines the decryption key generation process and the decryption processWhat to do
RThe decryption key generation process depends on the user terminal and the encrypted user.
Value x shared by terminal and G in key recovery information_xThan,
(G_x)^{1 / x}From the process of calculating mod p and obtaining the decryption key S
In the decryption process, the ciphertext E is decrypted with the decryption key S, and
The process of obtaining a message M. 3. The non-deposited key recovery method according to claim 1 or 2.
The method is characterized by the following. Key recovery authority equipment
The key recovery means includes a secret key X of the key recovery authority device itself and a G in the key recovery information.
_rFrom (G_r)^{1 / X}Calculate mod p to get decryption key S
The processTo dothing. 4. The non-deposit according to any one of claims 1 to 3.
The following is a characteristic of the type key recovery method. user
The encryption means of the terminal includes the encryption key creation process and the encryption
Process, the key recovery information creation process, and the verification information creation process.
What to doThe verification information generation step includes a step of generating a random number r, and (Y)^rmod p, (Y_x)^rThe result of calculating mod p
The value c = h obtained by connecting the sentence E and applying the one-way function h
((Y)^r‖ (Y_x)^r(E) and the verification information c and s are created from the value s obtained by calculating the r-ct modq.
The verification information c and s are attached to the ciphertext E.
When. 5. The non-deposited key recovery method according to claim 4, wherein: User terminal to encrypt also be included in the key recovery information the values Y _x, decoding means of the user terminal for decoding performs the above decryption key generating process, and the decoding process, the verification process In things
Yes , the above verification process consists of (Y) ^s (G _r ) ^c mod p, (Y _x )
the process of calculating ^s (G _x ) ^c mod p, and applying this calculation result and ciphertext E to the one-way function h
_{^{((Y) s (G r}} ) c ‖ _{^{(Y x) s (G x}} ) c ‖E) ' and process of obtaining the value c' value c calculated the Ri Na more and the process of comparing the c, If the comparisons match, perform the decoding process. 6. A non-deposited key recovery method according to claim 4, wherein: The user terminal to decrypt is based on the public information p and g, the secret key x and the public key Y _x = g ^x mod
Having p, decoding means of the user terminal for decoding is intended to run and the decryption key generating process, and the decoding process, a verification process
And the verification process is (Y) ^s (G _r ) ^c mod p, (Y _x ) ^s
The process of calculating (G _x ) ^c mod p, and applying this calculation result and ciphertext E to the one-way function h
_{^{((Y) s (G r}} ) c ‖ _{^{(Y x) s (G x}} ) c ‖E) ' and process of obtaining the value c' value c calculated the Ri Na more and the process of comparing the c, If the comparisons match, perform the decoding process. 7. A non-deposited key recovery method according to claim 4, wherein: Be included in the value Y _x be the key recovery information, key recovery means of the key recovery authority apparatus that performs validation process
And the verification process is (Y) ^s (G _r ) ^c mod p, (Y _x ) ^s
The process of calculating (G _x ) ^c mod p, and applying the calculation result and the ciphertext E to the one-way function h, h
_{^{((Y) s (G r}} ) c ‖ _{^{(Y x) s (G x}} ) c ‖E) ' and process of obtaining the value c' value c calculated the Ri Na more and the process of comparing the c, Performing the process of obtaining the decryption key S if the comparisons match; 8. The non-deposited key recovery method according to claim 4, wherein: The user terminal to be decrypted uses the public information p and q to obtain a secret key x and a public key Y _x = g ^x mod
p, the key recovery means of the key recovery authority device is the public key Y of the user terminal
a process to obtain the _x, is intended to perform the verification process, the verification process _{^{(Y) s (G r)}} c mod p, (Y x) s
The process of calculating (G _x ) ^c mod p, and applying the calculation result and the ciphertext E to the one-way function h, h
_{^{((Y) s (G r}} ) c ‖ _{^{(Y x) s (G x}} ) c ‖E) ' and process of obtaining the value c' value c calculated the Ri Na more and the process of comparing the c, Performing the process of obtaining the decryption key S if the comparisons match; 9. A non-deposited key recovery method according to claim 4, wherein: The user terminal to be decrypted uses the public information p and q to obtain a secret key x and a public key Y _x = g ^x mod
Having p, decoding, third user terminal having no information (the X or x) to the key recovery is to have the validation means, the public key Y of the user terminal is said verification means for decoding a process to obtain the _x, is intended to perform the verification process, the verification process _{^{(Y) s (G r)}} c mod p, (Y x) s
The process of calculating (G _x ) ^c mod p, and applying the calculation result and the ciphertext E to the one-way function h, h
(Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x ) ^c ‖ E) The process of obtaining a value c ′ and the process of comparing the value c ′ with the above c. 10. The non-deposited key recovery method according to claim 4, wherein: User terminal to encrypt also be included in the key recovery information the values Y _x, decoding, third user terminal having no information (the X or x) for key recovery is to perform the validation process thing
And the verification process is (Y) ^s (G _r ) ^c mod p, (Y _x ) ^s
The process of calculating (G _x ) ^c mod p, and applying the calculation result and the ciphertext E to the one-way function h, h
(Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x ) ^c ‖ E) The process of obtaining a value c ′ and the process of comparing the value c ′ with the above c. 11. An encryption system in which a user terminal attaches key recovery information to ciphertext E and recovers a decryption key from the key recovery information based on a key recovery request or a key recovery authority device. Side user terminal, characterized in that: Let p be a large prime number, q be a number divisible by p-1, and g be stored as public information p, g, and q that are the basis of the order q of the multiplicative group created by p, and the public key Y of the key recovery authority device. Having a memory, an encryption key generation unit, an encryption unit, and a key recovery information generation unit; the encryption key generation unit calculates g ^t mod p by inputting g and t and generating random number t The encryption means comprises means for encrypting the message M with the encryption key S to obtain a ciphertext E, and the key recovery information creating means comprises means for decrypting with the user terminal. party and means for obtaining a g ^x mod p and compute the value Y _x terminal to input the values x and g to be shared, Y _x, enter the random number t by calculating (Y _x) ^t mod p Means for obtaining the value G _x , the public key Y of the key recovery authority device, and the random number t are inputted (Y) ^t
means for calculating mod p to obtain a value _Gr; and means for generating key recovery information consisting of a value G _x and a value G _r . 12. The user terminal according to claim 11, wherein: A means for generating verification information; a means for generating a random number; a means for generating a random number r; and inputting Y, Y _x , r to (Y) ^r mod p, (Y _x ) ^r mo
means for calculating d p; means for concatenating the calculation result with ciphertext E to obtain a value c = h ((Y) ^r ‖ (Y _x ) ^r ‖E) to which a one-way function h is applied; means for obtaining a value s obtained by calculating r-ct modq by inputting r, t, and c; and means for attaching c and s to the ciphertext E as verification information. 13. A decryption method in a non-escrowed key recovery system in which a user terminal attaches key recovery information to a ciphertext E and a key recovery authority device recovers a decryption key from the key recovery information based on a key recovery request. Side user terminal, characterized in that: P is a large prime number, q is a number divisible by p−1, g is a memory storing public information p, a public key Y, and a secret key x, which are elements of an order q of a multiplicative group formed by p. E, have key recovery information _{Y x, G x, G r} , verification information c, means for receiving the s, the verification unit, and a key recovery means, a decoding means, verification means Y, G _r , S, c and B1 = (Y) ^s
Means for calculating (G _r ) ^c mod p, and inputting Y _x , G _x , s, c and B2 = (Y _x )
means for calculating ^s (G _x ) ^c mod p; means for inputting these calculation results B1, B2 and ciphertext E to calculate a one-way function value c ′ = h (B1‖B2‖E); c ′ and c are compared, and if they agree with each other, the means is determined to be acceptable. The key recovery means inputs x and G _x and calculates (G _x ) ^{1 / x} mod p to obtain the decryption key S. The decryption means is a means for decrypting the ciphertext E with the decryption key S to obtain the message M. 14. A user terminal for encryption attaches key recovery information to cipher text E, and a user terminal for decryption uses a secret key x and a public key Y _x = g ^x mod p based on public information p and q. Holding
A key recovery authority device in a non-escrowed key recovery system for recovering a decryption key from key recovery information based on a key recovery request, characterized in that: Providing the key recovery device, the key recovery device and means for obtaining the public key Y _x of the user terminal, to have a decryption key recovery unit and the verification means, the said verification means _{^{(Y) s (G r)}} c mod p, (Y _x ) ^s
Means for calculating (G _x ) ^c mod p, and applying the calculation result and ciphertext E to the one-way function h
(Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x ) ^c ‖ E) means for calculating a value c ′, and means for comparing the value c ′ with the above c, The decryption key recovery means is means for recovering the decryption key S from the key recovery information using the secret key of the key recovery authority device if the comparisons match. 15. The encrypting user terminal attaches key recovery information to the ciphertext E, and the decrypting user terminal decrypts the secret key x and public key Y from the public information p and q. _x
= G ^x mod p, recovers the decryption key from the key recovery information, decrypts the ciphertext E, and the key recovery authority device recovers the decryption key from the key recovery information based on the key recovery request. A third-party user terminal having no information for decryption and key recovery in a key recovery system, characterized by the following. Having a verification unit, and means the verification means for obtaining the public key Y _x of the user terminal to decode, to have a verification execution means, it is the verification execution unit _{^{(Y) s (G r)}} c mod p ,
Means for calculating (Y _x ) ^s (G _x ) ^c mod p, and applying the calculation result and the ciphertext E to the one-way function h
((Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x ) ^c ‖E) means for calculating a value c ′, and means for comparing the value c ′ with the above c. 16. A user terminal for encryption attaches key recovery information to the ciphertext E, and a user terminal for decryption decrypts a user terminal based on public information p and q. _x
= G ^x mod p, the user terminal that recovers the decryption key from the key recovery information, decrypts and encrypts the ciphertext E, also includes the value Y _{x in the} key recovery information, Decryption in a non-escrowed key recovery system that recovers a decryption key from key recovery information based on a key recovery request, a third-party user terminal having no information for key recovery, Features. Having verification means, said verification means being (Y) ^s (G _r ) ^c mod p, (Y _x ) ^s
Means for calculating (G _x ) ^c mod p, and applying the calculation result and the ciphertext E to the one-way function h
((Y) ^s (G _r ) ^c ‖ (Y _x ) ^s (G _x ) ^c ‖E) means for calculating a value c ′, and means for comparing the value c ′ with the above c. 17. A user terminal attaches key recovery information to ciphertext E, a key recovery authority recovers a decryption key from key recovery information based on a key recovery request, and sets a large prime number to p, and q to p
Let -1 be a divisible number, g be the element of the order q of the multiplicative group created by p, and function as a user terminal on the encryption side in a non-escrowed key recovery system in which p, q, and g are public information. a process for generating a random number t in a computer; a process for inputting g and t to calculate g ^t mod p to obtain an encryption key S; a process for encrypting a message M with the encryption key S and a ciphertext E And inputting the values x and g shared by the encryption-side user terminal and the decryption-side user terminal, calculating g ^x mod p to obtain the value Y _x, and obtaining the value Y _x , Inputting a random number t and calculating (Y _x ) ^t mod p to obtain a value G _x , inputting the public key Y of the key recovery authority device and the random number t and inputting (Y) ^t
a process of obtaining the values G _r to calculate a mod p, the value G _x, a recording medium recording a program for executing a process of transmitting and attach to the ciphertext E values G _r as the key recovery information. 18. The recording medium of claim 17, the process of generating a random number r, and processing to input the public key Y, the random number r to calculate the ^{A1 = (Y) r mod p} , the value Y _x, A process of calculating A2 = (Y _x ) ^r mod p by inputting a random number r, and concatenating the values A1 and A2 and the ciphertext E to obtain a one-way function value c =
h (A1‖A2‖E), random number r, t and value c are input to calculate s = r-ct modq, and value c, s is used as verification information in ciphertext E A recording medium comprising: a process to be attached; and a process for causing the computer to execute. 19. A non-deposited key recovery system in which a user terminal for encryption attaches key recovery information to ciphertext E, and a key recovery authority device recovers a decryption key from key recovery information based on a key recovery request. the <br/> computer to function as the user terminal to decrypt the ciphertext E, the key recovery information Y _x, G _x, the process of receiving the G _r, verification information _{c, s, Y, G r} , s , C to B1 =
(Y) ^s (G _r ) ^c mod p, and B2 = (Y _x ) ^s (G _x ) ^c mo from Y _x , G _x , s, c
d ′ is calculated; b ′ is calculated from the calculated results B1 and B2; and ciphertext E is used to calculate a one-way function value c ′ = h (B1‖B2‖E). Then, the process is determined to be acceptable, and (G _x ) ^{1 / x} mod p is calculated from x and G _x to obtain the decryption key
And a process for decrypting the ciphertext E with the decryption key S to obtain a message M. A recording medium recording a program for executing the process. 20. A non-deposited key recovery system in which a user terminal for encryption attaches key recovery information to ciphertext E, and a key recovery authority recovers a decryption key from the key recovery information based on a key recovery request. Function as a user terminal to decrypt
The computer that the ciphertext E, the key recovery information G _x, G _r, verification information c, the process of receiving _{s, Y, G r, s} , B1 = the _{^{c (Y) s (G r}} ) c mod p
A process of calculating, a process of calculating a G _x, s, the public key Y _x from the B2 = (Y _x) of the user terminal to decrypt and _{^{c s (G x) c mod}} p, these calculation results B1 , B2 and a ciphertext E to calculate a one-way function value c ′ = h (B1‖B2‖E); c ′ and c are compared; if they match, processing is accepted; x and G _x And (G _x ) ^{1 / x} mod p to calculate the decryption key S
And a process for decrypting the ciphertext E with the decryption key S to obtain a message M. A recording medium recording a program for executing the process.