JP3479015B2 - Cryptographic key distribution generation method, signature generation / verification method, cryptographic key distribution generation device, signature generation / verification device, cryptographic key distribution generation program, and computer-readable recording medium recording signature generation / verification program - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a pay per view in digital TV / satellite broadcasting.
The present invention relates to a cryptographic key distribution generation method and device capable of making encryption of data in communication such as system / key distribution in information distribution, electronic mail, and electronic settlement strong, and a recording medium recording the cryptographic key distribution generation program.

[0002]

2. Description of the Related Art In recent years, various encryption techniques have been proposed in the field of communication because encryption techniques work effectively as techniques for protecting confidentiality between communicating parties such as concealment of transmitted information. The performance of these encryption techniques can be evaluated in terms of the security strength of the encryption method and the speed required for encryption / decryption. That is, an encryption method having a high security strength and a high encryption / decryption speed is an excellent encryption method.

Among such encryption techniques, RSA (Ri
vest Shamir Adleman) There is a public key cryptosystem of a type using a modular exponentiation operation known as cryptography, which has already been put to practical use. In this RSA cryptosystem, if the public key can be factorized, the plaintext can be obtained from the ciphertext, as described in the document "R. Rivest, A. Shamir and L. Adleman;" Ame.
thod for obtaining digital signatures and public-k
ey cryptosystems. ", Comm., ACM, vol.21, No.2, pp.120-12
6, (1978) ".

The public key cryptosystems such as the RSA cryptosystem are based on the security because it is difficult to obtain the secret key from the public key which is the publicly available information in terms of computational complexity. The larger the key size, the greater the safety strength. On the other hand, in terms of strengthening security, it is an important issue to keep the private key safe. On the other hand, instead of storing one key in one place, one key is divided into a plurality of keys, and a secret sharing scheme in which the original key cannot be obtained from the divided partial information of the key is described in the document "A.Shamir; “How to share a secret
“, Comm. Of the ACM, Vol. 22, 1979, pp. 612-613”.

A method using this secret sharing method for secret key management of RSA encryption is used in many certificate authorities CA.

Here, when a distributed key di (d = Σdi) is generated from the original key d of the RSA encryption, a certain specific dealer is required. In other words, when this dealer is attacked, the information of the entire private key is leaked,
The effect of dispersion may disappear.

[0007] Boneh and Franklin are described in the document "D. Boneh, JF
ranklin, “Efficient generation of shared RSA key
s, ”Advances in Cryptology−CRYPTO ^, 97, LNCS 1294,
(1997), pp.425-439. "RS that does not require a dealer
A method for generating a distributed key for A-cipher has been shown (hereinafter Boneh-Frank
lin method).

However, the Boneh-Franklin method requires a very large amount of calculation to generate one key and is inefficient. According to a certain experiment, it took 1.5 minutes and a communication amount of about 1 megabyte between the distributed encryption key generation means.

[0009]

As described above, when the conventional Boneh-Franklin distributed key generation method is used, a very large amount of calculation is required, and when communication is used, it is very low. It had the drawback of being efficient.

The present invention has been made in view of the above problems, and records an encryption key distribution generation method and device and an encryption key distribution generation program that are faster in processing than the Boneh-Franklin distributed key generation method. It is an object of the present invention to provide such a recording medium.

[0011]

In order to achieve the above object, the invention according to claim 1 includes encryption key generating means which are mutually connected by an arbitrary communication means and generate an encryption key of a public key cryptosystem. A plurality of servers i (i = 1, 2, ...
.., k) is a distributed cryptographic key generation method for generating a cryptographic key, using the first public key n and the second public key e, the plaintext M to the ciphertext C = M ^e In obtaining (modn), each server i generates two random numbers pi and qi as the first shared secret key, which is the secret information possessed by each server i, and the secret information possessed by each server is A candidate for the first public key n is N = (Σ _{i = 1, 2, ..., K} pi) using the BGW protocol that can be shared by all servers without leaking to the server.
² (Σ _{i = 1, 2, ..., K} qi) is generated.

In the invention according to claim 1, the BGW
By using the protocol, it becomes possible to disperse and generate the key candidates of the p ² q cipher already proposed by the inventors of the present application, and by using the composite number in the form of N = P ² Q, the dealer We provide and realize a concrete configuration method of distributed key generation method that is fast and secure in unnecessary processing.

The invention according to claim 2 is the encryption key distributed generation method according to claim 1, further comprising the step of generating N that is a candidate for the first public key n, and further, each of the servers. i uses v, which is common to all servers, as v
_pi = g ^pi modN, and transmitting the calculated values to other servers; and each server i calculating v _p = Π _{i = 1, 2, ..., k} v _pi modN. And server 1 uses u ₁ = g ^N m
odN, server i (where i = 2, ..., k-1) is u _i = v _p ^{pi + qi} modN, server k is u _k = v _p
^{pk + qk−1} modN is calculated and distributed to each other, and the calculated value in this step is u ₁ = u
Each server i verifies whether or not _k Π _{i = 2, ..., K-1} u _i modN is satisfied, and if this expression holds, Σ _{i = 1, 2, ..., K} pi and Σ
_{i = 1, 2, ..., K} qi is determined to be a prime number.

According to the invention described in claim 2, for example, whether the encryption key candidate generated by the encryption key distribution generation method of claim 1 is P ² Q as desired, or whether P and Q are prime numbers. ,
Distributed verification can be performed.

A third aspect of the present invention is the encryption key distribution generation method according to the second aspect, wherein the Σ
_{i = 1, 2, ..., K} pi and Σ
_{When i = 1, 2, ..., K} qi are prime numbers, these prime numbers Σ _{i = 1, 2, ..., K} pi and Σ
_{Using i = 1, 2, ..., K} qi, γ (N) = (Σ
_{i = 1,2, ...,} kpi) {(Σ _{i = 1,2, ..., kp}
i) −1} {(Σ _{i = 1,2, ..., k} qi) −1}, each server i uses the BGW protocol for the prime R to be set, and γ (N) = Σ
_{i = 1, 2, ..., K} γ _i (N) −sR (where s =
0,1,2, ..., k-1) and generating a gamma _i (N) satisfying the second each server i with e being selected as the public key of the γ _i (N) mode Sending each value to another server, and each server i
δ _{e, s} = 1 / (γ (N) −sR) mode, and d _{i, s} = [(− δ _{e, s} γ _i (N)) / e] (where s = 0, 1, 2, , K−1), and each server i is a true decryption key
Secret key of d (where d is ed = 1 modγ (N)
The relational expression d = Σ
_{i = 1, 2, ...,} Kd _{i, s} + r modγ (N),
The second distributed secret key d is determined by determining s and r for which 1 = M ^ed mod N by some message M.
and generating _i respectively.

According to the invention of claim 3, N (= P
² Q) is determined, the second secret key d is distributed and generated, so that each server i has its own second secret key d.
Only the value of _i (1 ≦ i ≦ k) can be known.

The invention according to claim 4 uses the first public key N, the second public key e, and the second distributed secret key d _i generated by the encryption key distribution generation method according to claim 3. Signature generation that performs signature and verification of the signature
In the verification method, a plurality of servers i (i = 1, 2, ..., K) connected to each other by any communication means are the first
Using the public key N of the above and the second shared secret key d _i of the above, respectively, to the distributed signature S _i =
Using M ^di modN, the true signature S = Π
_{It is characterized in that i = 1, 2, ..., K} S _i modN is generated, and the verification of this signature is performed by S ^e = M modN.

According to the invention of claim 4, the second person
The whole authentication can be realized by collecting the partial authentication of only d _i without knowing the secret key d of.

According to the invention of claim 5, a plurality of servers i (i = 1, 2, ...
, K), which is a cryptographic key distribution generation device for generating a cryptographic key of a public key cryptosystem by being distributed, wherein a plaintext M is generated using a first public key n and a second public key e. From ciphertext C
= M ^e (mod n), a random number generation means for generating two random numbers pi and qi for each server i as the first shared secret key, which is secret information that the server has, and each server has its own random number. N = (Σ which is a candidate for the first public key n is calculated by using the BGW protocol which can be shared by all servers without leaking the secret information to other servers.
_{i = 1, 2, ..., k} pi) ² (Σ _{i = 1, 2, ..., k} q
and i) public key candidate generation means for generating i).

In the invention according to claim 5, the BGW
By using the protocol, it becomes possible to disperse and generate the key candidates of the p ² q cipher already proposed by the inventors of the present application, and by using the composite number in the form of N = P ² Q, the dealer We provide and realize a concrete configuration method of distributed key generation method that is fast and secure in unnecessary processing.

According to a sixth aspect of the invention, there is provided the encryption key distribution generation apparatus according to the fifth aspect, wherein the common random number selecting means for selecting the random number g common to all the servers and the common random number selecting means are selected. Using a random number g and N, which is a candidate for the first public key n, each server i (where i = 1, 2,
..., k) to calculate v _pi = g ^pi mod N,
A means for transmitting the calculated v _pi to another server and v _p = Π _{i = 1, 2, ..., k} v _pi modN in the server 1.
And a calculation means of the server 1 for calculating u ₁ = g ^N modN using this v _p , and a server i (where i =
2, ..., k−1), v _p = Π _{i = 1,2, ..., k} v
The _pi modN calculated, _u i = _{v p} using the _{v p}
A server i (i) that calculates ^{pi + qi} modN respectively
= 2, ..., K-1) and v _{p in} the server k
= Π _{i = 1, 2, ..., K} v _pi modN, and using this v _p , calculates u _k = v _p ^{pk + qk−1} modN by the calculation means of the server k and the calculation means of each server. _u 1 _was, u _{2, ···,} and the means to distribute to each other _{u k, u 1 = u k} Π i = 2, ..., k-1 u i modN
It is verified whether or not, and if this expression holds, Σ _{i = 1, 2, ..., K} pi and Σ
It is characterized by further comprising a prime number judging means for judging that _{i = 1, 2, ..., K} qi is a prime number.

According to the invention of claim 6, for example, whether the encryption key candidate generated by the encryption key distribution generation method of claim 1 is P ² Q as desired, or whether P and Q are prime numbers. ,
Distributed verification can be performed.

The invention according to claim 7 is the cryptographic key distribution generation device according to claim 6, wherein the prime number determination means includes the Σ _{i = 1, 2, ..., K} pi and the Σ _i.
When it is determined that _{i = 1, 2, ..., K} qi is a prime number,
These Σ _{i = 1, 2, ..., K} pi and Σ
_{Using i = 1, 2, ..., K} qi, γ (N) = (Σ
_{i = 1,2, ...,} kpi) {(Σ _{i = 1,2, ..., kp}
i) −1} {(Σ _{i = 1,2, ..., k} qi) −1}, using the BGW protocol for the set prime R, γ (N) = Σ _{i = 1,2 , ..., k} γ _i (N)-
γ _i (N) satisfying sR (here, s = 0, 1, 2, ..., K−1) is stored in the server i (where i = 1, 2, ..., And).
k) and the generation means of the server i and the random number e
Is selected as the second public key, γ _i (N) generated by the generation means of the server i and e selected by the random number selection means are used to obtain δ _{e, s} = 1 /
(Γ (N) -sR) mode, and d _{i, s} =
[(−δ _{e, s} γ _i (N)) / e] (where s = 0,
1, 2, ..., K−1) and the second secret key, which is the true decryption key, of the server i and d (here, d satisfies ed = 1 modγ (N)). , D = Σ _{i = 1, 2, ..., k} d _{i, s} + r modγ
(N) and a certain message M, 1 = M ^ed mo
It further comprises a private key generating means of the server i for respectively generating the second distributed secret key d _i by determining s and r that satisfy dN.

According to the invention of claim 7, N (= P
² Q), the second secret key d is distributed and generated, so that each server i knows only the value of its own second distributed secret key d _i (1 ≦ i ≦ k). I don't get it.

The invention according to claim 8 uses the first public key N, the second public key e, and the second distributed secret key d _i generated by the encryption key distribution generation device according to claim 7. Signature generation that performs signature and verification of the signature
In the verification device, the plurality of servers i (i = 1, 2, ..., K) connected to each other by any communication means are the first
Distributed signature S _i = M ^{di with} respect to the message M using its public key N and its own second shared secret key d _i
Using modN, the true signature S = Π _{i = 1, 2, ..., k}
It is characterized by having a signature means for generating S _i modN and a signature verification means for verifying the signature generated by this signature means by S ^e = M modN.

According to the invention described in claim 8,
The whole authentication can be realized by collecting the partial authentication of only d _i without knowing the secret key d of.

The invention according to claim 9 relates to claims 1 to 3.
A computer-readable recording medium recording an encryption key distribution generation program for causing a computer to execute the encryption key distribution generation method described in any one of 1.

According to the invention of claim 9, since the encryption key distribution generation program is recorded in the recording medium, the distribution medium of the encryption key distribution generation program can be enhanced by using the recording medium. .

According to a tenth aspect of the present invention, there is provided a computer-readable recording medium recording a signature generation / verification program for causing a computer to execute the signature generation / verification method according to the fourth aspect.

According to the invention of claim 10, since the signature generation / verification program is recorded in the recording medium, the encryption key distribution generation program or the signature generation / verification program is distributed by using the recording medium. You can improve your sex.

[0031]

[0032]

[0033]

[0034]

[0035]

[0036]

[0037]

[0038]

[0039]

[0040]

[0041]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings.

First, the basic concept of the present invention will be described with reference to FIG. Here, the number of servers is three, that is, the servers 1, 2, and 3 for simplification, but the number of servers is not particularly limited. The encryption key is distributed as the number of servers increases, so the encryption strength increases, but the decryption time also increases as the number of distribution increases, so the communication content (importance, data amount) ), The number of servers and the number of servers may be appropriately selected.

Note that here, pi, q in which two prime numbers p, q are distributed to k servers i (i = 1, 2, ..., K)
i (however, p = Σpi, q = Σqi) is set as the first shared secret key, p ² q is set as the first public key n, and ed = 1
e that satisfies mod L (where L = p (p-1) (q-1)) is set as the second public key, and d is the server i.
Has k encryption key generation means for generating an encryption key by setting d _i (where d = Σd _i ) distributed to the second shared secret key, and generating the encryption key by the encryption key generation means. It is assumed that the ciphertext C is obtained from the plaintext M according to C = ^Me (mod n) using the first public key n and the second public key e.

Server 1, server 2 and server 3 shown in FIG.
Are mutually connected by arbitrary communication means, and each server i (where i = 1, 2, 3) has an administrator.

First, random numbers pi and qi are generated in each server i, and are kept and managed by respective managers in secret. That is, p1, q1 is generated in the server 1, p2, q2 is generated in the server 2, and p3, q3 is generated in the server 3.

Next, the key is generated by performing the BGW protocol and the prime number test between the servers (administrators).

Here, the BGW protocol will be briefly described. The BGW protocol is, for example, (p1, q1) for server 1, (p2, q2) for server 2, and server 3
Has (p3, q3) as secret information, n = p ² q (where p = p1 + p2 + p3, q = q1 + q2 + q3) is used, and each server secret information (pi, qi) is It is a protocol that can be calculated without leaking it to the server.

By using such a BGW protocol, n = p ² q = (p1 + p2 + p3) ² (q1 + q2 + q3) can be shared by the server 1, the server 2, and the server 3.

Next, the first half of the distributed prime test is performed. For this purpose, first, a random number g common to the server 1, server 2 and server 3 is generated and shared by each. Using this random number g, the server 1 sends g ^p1 to the server 2 and the server 3, the server 2 sends g ^p2 to the server 1 and the server 3, and the server 3 sends g ^p2 to the server 1 and the server 2. Send ^p3 respectively. Subsequently, the server 1, server 2, and server 3 share v _p = g ^p modn by g ^p1 g ^p2 g ^p3 modn.

Further, the server 1 has v _p ^{p1 + q1} m
odn, server 2 calculates v _p ^{p2 + q2} modn, and server 3 calculates v _p ^{p3 + q3-1} modn and distributes them to each other, and g ^{{p (p-1) (q-1)}} = 1 modn holds. Check whether or not. Ring T using the same method
Perform the latter half of the distributed prime test with _N. If it is confirmed that this equation is satisfied and p and q are respectively prime numbers, then it is possible to use p1, p2, p3, q1, q2, and q3 as distributed keys. It will be.

Next, referring to FIG. 2, a distributed key generation method,
The prime number determination will be described in detail. Here p ² q
It is assumed that the server includes an encryption key generating means and the number of servers is k.

First, in step S11, two random numbers pi and q are generated by the random number generation means provided in each server i.
i (3 mod 4) is generated, and subsequently, in step S13,
Reference “M. Ben-Or, S. Goldwasser, A. Wigderson;“ Complete
ness theorems for non-cryptographic faulttolerant
When using the BGW protocol described in distributed computation, "STOC, (1998), pp.1-10" to set the candidate of the composite number of the first public key n to N by the public key candidate generating means, N = (Σ _{i = 1,2, ..., k} pi) ² (Σ _{i = 1,2, ..., k} qi) is generated.

At this time, Σ _{i = 1,2, ..., k} pi and Σ
_In order to prevent _{i = 1,2, ..., k} qi from being broken by a small prime number, the document “M. Malkin, T. Wu and D. Boneh, Experimenting with Sha
red Generation of RSA keys, 1999 Symposium on Netwo
rk and Distributed System Security (SNDSS), pp.43-5
Repeated division is performed using the distributed sieving method described in 6. and small prime numbers.

In step S15, the common random number selecting means provided in each server i selects a random number g common to all servers. Subsequently, in step S17, each server i calculates v _pi = g ^pi mod N by the notified random number g and transmits it to each server.

As a result, in step S19,
Each server i calculates v _p = Π _{i = 1,2, ..., k} v _pi modN by each calculation means. Further, the server 1 calculates u ₁ = g ^N modN, and thereafter, similarly, the server i (i = 2, ..., k)
-1) calculates u _i = v _p ^{pi + qi} modN, and the server k calculates u _k = v _p ^{pk + qk−1} modN.

Further, in step S21, the prime number determination means verifies whether u ₁ = u _k Π _{i = 2, ..., k-1} u _i mod N. If not,
It is determined that N is not the product of two prime numbers (N = P ² Q) (step S23).

The processing in steps S25 to S33 will be described. The calculation here is that the ring T _N = (Z
_N [x] / (x ² +1)) / Z _N operation.

First, in step S25, the common random number selection means selects k random numbers h common to all servers.
In step S27, each server i calculates r _pi = h ^pi and sends it to each server i.

The calculation means of each server i executes step S2.
At 9, each server i calculates r _p = Π _{i = 1,2, ..., k} r _pi modN. The server 1 calculates s ₁ = h ^N , and similarly, the server i (i = 2, ..., K−1)
Computes s _i = r _p ^-pi-qi , and server k computes s _k = r _p ^-pk-qk-1 .

Further, the prime number determination means is step S31.
Then, it is verified whether s ₁ = s _k Π _{i = 2, ..., k-1} s _i holds. If not satisfied, it is determined that N is not the product of two prime numbers (N = P ² Q) (step S33).

When the above test is passed (step S
35), N can theoretically be determined to be a product of two prime numbers with a probability of 1/2 or more. By performing this test a plurality of times, N can be determined with high probability as a product of two prime numbers. Also,
Reference "R. Rivest," Finding four million large random
primes, "Advances in Cryptology-Crypto'90, LNCS
537, pp.625-626 (1991) ", for a number N = P ² Q of 512 bits or more, if the test of steps S15 to S23 (or steps S25 to S33) is performed once, It is possible to determine P and Q as prime numbers with a probability of approximately 1.

Therefore, steps S15 to S2
Since it is almost possible to determine P and Q as prime numbers by executing the process of step 3 or any of the processes of steps S25 to S33, it is possible to perform only one of the processes. Further, it becomes possible to generate the distributed key at high speed.

Next, the encryption / decryption key generation method will be described with reference to FIG.

However, ed = eΣi _{= 1,2, ..., kd i} = 1 mod γ (N) γ (N) = P (P-1) (Q-1).

First, in step S41, a large prime number R is set. Next, in step S43, each server i uses γ (N) for this prime R by using the BGW protocol.
Share γ _i (N), i.e. _{γ (N) = Σ i =} 1,2, ..., k γ i (N) to generate the gamma _i (N) which satisfies the -sR (where, s = 0, 1,
2, ..., k-1).

Next, in step S45, a small random number e is selected. Succeedingly, in a step S47, each server i
By transmitting the value of γ _i (N) mod e to another server, δ _{e, s} = 1 / (γ (N) −sR) mod ed _{i, s} = [(− δ _{e, s} γ _i (N)) / e] is calculated (s = 0, 1, 2, ..., K−1).

Further, when the true decryption key (second secret key) is d in step S49, d = Σ _{i = 1,2, ..., k} d _{i, s} + r mod γ (N) is satisfied. , A certain message M determines s and r for which 1 = M ^ed mod N holds.

Next, the distributed digital signature device will be described.

In the signature and verification, the difference from the RSA encryption is that Si = M ^di mod n (M is a plaintext) is calculated once using the distributed key di, and then S1, S2, S3 and mod are calculated.
What is multiplied by n is the true signature.

First, in the signature generation, each server signs the message M with S _i = M ^di mod N to form a distributed signature.

The true signature S is generated by S = Π _{i = 1,2, ..., k} S _i mod N.

Verification of this signature is performed by S ^e = M mod N.

In order to show the effectiveness of the distributed key generation method using P ² Q described above, it was implemented by software.

In the same computer environment, key generation with the same bit length was compared with the Boneh-Franklin method. As a result of implementing in the same environment, the decryption algorithm became faster than the RSA encryption. The numerical results are shown in the following table.

[0075]

[Table 1] As described above, when the key generation is performed using the conventional Boneh-Franklin distributed key generation method, a very large amount of calculation is required and it takes time. It is clear that the method is very efficient because it can process at high speed.

[0076]

As described above, according to the present invention, when the key generation is performed by using the distributed key generation method, the processing can be performed at high speed and is very efficient. Also,
Each of the distributed encryption key generation means cannot know only the distributed key part generated by itself, and cannot know the distributed key part generated by another encryption key generation part and the encryption key itself. It has excellent strength.

[Brief description of drawings]

FIG. 1 is a block diagram showing the basic concept of the present invention.

FIG. 2 is a flowchart schematically showing a processing procedure of distributed key generation according to the present invention.

FIG. 3 is a flowchart schematically showing a processing procedure for generating an encryption / decryption key.

   ─────────────────────────────────────────────────── ─── Continued front page    (54) [Title of Invention] Cryptographic key distribution generation method, signature generation / verification method, cryptographic key distribution generation apparatus, signature generation / verification apparatus, cryptographic key                     Computer-readable recording of distributed generation program and signature generation / verification program                     Possible recording media

Claims (10)

(57) [Claims] 1. A plurality of servers i (i = 1, 2, ..., K) which are mutually connected by arbitrary communication means and each have an encryption key generating means for generating an encryption key of a public key cryptosystem. A cryptographic key distributed generation method for generating a cryptographic key in a distributed manner, in which a ciphertext C = M ^e (modn) is obtained from a plaintext M using a first public key n and a second public key e. , A step in which each server i respectively generates two random numbers pi and qi as a first distributed secret key which is secret information that it has, and each server i does not leak the secret information that it has to other servers. , Which is a candidate for the first public key n by using the BGW protocol that can be shared by the servers of N =
(Σ _{i = 1, 2, ..., k} pi) ² (Σ
_{i = 1, 2, ..., K} qi) is generated. 2. The encryption key distribution generation method according to claim 1, further comprising the step of generating N, which is a candidate for the first public key n, further comprising: Calculating v _pi = g ^pi modN using a common random number g, and transmitting the calculated values to other servers; and each server i has v _p = Π _{i = 1,2, ..., k} v _pi
mod 1 and mod i, where server 1 is u ₁ = g ^N modN, server i (where i
= 2, ..., k-1) is u _i = v _{p p i} ⁺ _{q i} mod
N, the server k calculates u _k = v _p ^{pk + qk−1} modN and distributes them to each other, and the calculated value in this step is u ₁ = u _k Π
Each of the servers i verifies whether _{i = 2, ..., K-1} u _i modN is satisfied, and if this expression holds,
Σ _{i = 1, 2, ..., K} pi and Σ _{i = 1, 2 ,.}
and a step of determining that qi is a prime number. 3. The encryption key distribution generation method according to claim 2, wherein the Σ _{i = 1, 2, ..., K} pi and the Σ _{i
When i = 1, 2, ..., K} qi are prime numbers, these prime numbers Σ _{i = 1, 2, ..., K} pi and Σ
_{Using i = 1, 2, ..., K} qi, γ (N) = (Σ
_{i = 1,2, ...,} kpi) {(Σ _{i = 1,2, ..., kp}
i) −1} {(Σ _{i = 1,2, ..., k} qi) −1}, where each server i has the BG for the set prime R.
Γ (N) = Σ using W protocol
_{i = 1, 2, ..., K} γ _i (N) −sR (where s =
0,1,2, ..., k-1) and generating a gamma _i (N) satisfying the second each server i with e being selected as the public key of the γ _i (N) mode Each of the values is transmitted to another server, and each server i has δ _{e, s} = 1 / (γ (N) −sR).
mode, and d _{i, s} = [(− δ _{e, s} γ
_i (N)) / e] (where s = 0, 1, 2, ..., k−
1) and each server i calculates a second secret key which is a true decryption key by d
(Where d is ed = 1 mod γ (N)), the relational expression d = Σ
_{i = 1, 2, ...,} Kd _{i, s} + r modγ (N),
The second distributed secret key d is determined by determining s and r for which 1 = M ^ed mod N by some message M.
and a step of generating _i , respectively. 4. A signature is made using the first public key N, the second public key e, and the second distributed secret key d _i generated by the encryption key distribution generation method according to claim 3, and A signature generation / verification method for verifying the signature, wherein a plurality of servers i (i
= 1, 2, ..., K) respectively gives a distributed signature S _i = M ^di modN to the message M using the first public key N and its own second distributed secret key d _i. Using the true signature S = Π _{i = 1, 2, ..., k} S _i mo
A signature generation / verification method characterized in that dN is generated, and verification of this signature is performed by S ^e = M modN. 5. A plurality of servers i (i = 1, 2, ..., K) connected to each other by arbitrary communication means,
A cryptographic key distribution / generation device that generates cryptographic keys of a public key cryptosystem in a distributed manner, using a first public key n and a second public key e, from plaintext M to ciphertext C = M ^e ( mod n), a random number generation means for generating two random numbers pi and qi for each server i as the first shared secret key which is the secret information which the server has, and the secret information which each server has , Which is a candidate for the first public key n by using the BGW protocol that can be shared by all servers without leaking to the server
(Σ _{i = 1, 2, ..., k} pi) ² (Σ
_{i = 1, 2, ..., K} qi), and a cryptographic key distribution generation device. 6. The encryption key distribution generation device according to claim 5, wherein the common random number selection means selects a random number g common to all servers, the random number g selected by the common random number selection means, and the first random number selection means. Using N, which is a candidate for the public key n of 1, v _pi = g ^pi mo for each server i (where i = 1, 2, ..., K)
calculate the d N, and means for transmitting the calculated _{v pi} to another server, _{v p =} Π _i = _1,2 In the server _{1, ..., k} v pi mod
V _p = Π in the calculation means of the server 1 which calculates ^N and u ₁ = g ^N modN using this v _p , and the server i (where i = 2, ..., K−1).
_{i = 1, 2, ..., K} v _pi modN is calculated, and this v
_The calculation means of the server i (i = 2, ..., k-1) that calculates u _i = v _p ^{pi + qi} modN using _p and v _p = Π _{i = 1,2, ..., k} v _pi mod
N is calculated, and using this v _p , u _k = v _p
Calculation means of the server k for calculating ^{pk + qk-1} modN and u ₁ , u ₂ , ..., U calculated by the calculation means of each server
_The means for distributing _k to each other and whether or not u ₁ = u _k Π _{i = 2, ..., k-1} u _i modN are verified, and if this equation holds, Σ
_{i = 1, 2, ..., K} pi and Σ _{i = 1, 2 ,.}
A cryptographic key distribution generation device further comprising a prime number determination means for determining that i is a prime number. 7. The encryption key distribution generation device according to claim 6, wherein said Σ _{i = 1, 2, ..., K} pi and said Σ _{i = 1, 2 ,.} When it is determined that they are prime numbers, these Σ _{i = 1, 2, ..., K} pi and Σ _{i
Using i = 1, 2, ..., K} qi, γ (N) = (Σ
_{i = 1,2, ...,} kpi) {(Σ _{i = 1,2, ..., kp}
i) −1} {(Σ _{i = 1,2, ..., k} qi) −1}, using the BGW protocol for the set prime R, γ (N) = Σ _{i = 1,2 , ..., k} γ _i (N) -sR
Γ _i satisfying (where, s = 0, 1, 2, ..., K−1)
(N) is generated by the server i (where i = 1, 2, ..., K) respectively, generating means for the server i, random number selecting means for selecting the random number e as the second public key, and the server γ _i (N) respectively generated by the generating means of _i
And δ _{e, s} by using e selected by the random number selection means
= 1 / (γ (N) -sR) mode, and di _{, s}
= [(-Δ _{e, s} γ _i (N)) / e] (where s =
Server i for calculating 0, 1, 2, ...
And the second secret key, which is the true decryption key, d (where d is ed
= 1 mod γ (N) is satisfied), d = Σ
_{i = 1, 2, ...,} Kd _{i, s} + r modγ (N),
The second distributed secret key d is determined by determining s and r for which 1 = M ^ed mod N is satisfied by a certain message M.
An encryption key distribution generation device, further comprising a secret key generation means of the server i for generating each _i . 8. A signature is made using the first public key N, the second public key e, and the second distributed secret key d _i generated by the encryption key distribution generation device according to claim 7, and A signature generation / verification device for verifying the signature, wherein a plurality of servers i (i
, 1, 2, ..., K) using the first public key N and the second shared secret key d _i of its own for the message M to use the distributed signature S _i = M ^di modN hand,
The signature means for generating the true signature S = Π _{i = 1, 2, ..., k} S _i modN and the verification for the signature generated by this signature means are ^Se = M
A signature generation / verification device, comprising a signature verification means for performing modN. 9. A computer-readable recording medium recording an encryption key distribution generation program for causing a computer to execute the encryption key distribution generation method according to any one of claims 1 to 3. 10. A computer-readable recording medium recording a signature generation / verification program for causing a computer to execute the signature generation / verification method according to claim 4.