JP7444378B2 - Key exchange system, communication terminal, information processing device, key exchange method, and program - Google Patents

Description

The present invention relates to a key exchange system, a communication terminal, an information processing device, a key exchange method, and a program.

An authenticated key exchange protocol is a protocol that allows each user to privately establish a common session key between two parties based on his or her private key. There are certificate-based key exchange protocols such as TLS (Transport Layer Security) handshake.

On the other hand, there are also ID-based authenticated key exchange protocols that do not require certificates. The Key Generation Center (KGC) generates a private key from each user's ID, and each user can perform authenticated key exchange without certificate verification as long as they know each other's ID. It is something that can be done.

In general, ID-based authenticated key exchange protocols are based on a single KGC, and therefore do not have the scalability of PKI (Public Key Infrastructure). Therefore, as the number of users increases, vast amounts of computing resources are required to verify IDs and to generate and distribute private keys. In contrast, a method called hierarchical ID-based key exchange with authentication is known (Non-Patent Documents 1 and 2). This method makes it possible to reduce the key generation burden on each KGC by using a hierarchical structure composed of a plurality of KGCs and key generation delegation based on that structure.

Fujioka, Atsushi, Koutarou Suzuki, and Kazuki Yoneyama. "Hierarchical ID-based authenticated key exchange resilient to ephemeral key leakage." International Workshop on Security. Springer, Berlin, Heidelberg, 2010. Yoneyama, Kazuki. "Practical and exposure-resilient hierarchical ID-based authenticated key exchange without random oracles." IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 97.6 (2014): 1335-1344.

However, there are two problems with the conventional key exchange with hierarchical ID-based authentication.

The first is that conventional key exchange with hierarchical ID-based authentication is based on a single hierarchical structure. In PKI, there are multiple root CAs (Certificate Authorities), and even if the two parties attempting to communicate have different origins of trust, key exchange is possible as long as the trust relationship between the two CAs is established through mutual authentication certificates. It is possible to do this. On the other hand, in the conventional key exchange with hierarchical ID-based authentication, keys can only be exchanged between users under a single hierarchical structure, and thus keys cannot be exchanged between users having different root KGCs.

The second problem is that there is no built-in ID revocation mechanism. For this reason, in conventional key exchange with hierarchical ID-based authentication, it is necessary to periodically regenerate the private keys of all entities (KGC, each user, etc.) as a measure against leakage of private keys during actual system operation. .

An embodiment of the present invention has been made in view of the above points, and realizes key exchange between users under different hierarchical structures when performing key exchange by hierarchical ID-based key exchange with authentication, and also realizes key exchange between users under different hierarchical structures. The purpose is to realize revocation.

In order to achieve the above object, a key exchange system according to an embodiment includes a first key generation center group and a second key generation center group each forming a hierarchical structure, and a subordinate key generation center group of the first key generation center group. A key exchange system that includes at least a first communication terminal located at the second key generation center group, a second communication terminal located under the second key generation center group, and a time server that distributes time information, the key exchange system comprising: The communication terminal uses the time information acquired from the time server, the identifier of the second communication terminal, and the public parameter generated by the root key generation center of the second key generation center group to perform revocation. a first encryption unit that generates a first ciphertext using a hierarchical ID-based encryption; a first key generation unit that generates a key pair of a public key and a private key using a key encapsulation mechanism; a first transmitting unit that transmits one ciphertext and the public key to the second communication terminal; and receiving at least a second ciphertext and a third ciphertext from the second communication terminal; a first decryption unit that decrypts the second ciphertext using the revocable hierarchical ID-based encryption using its own medium-term secret key, and decrypts the third ciphertext using the key encapsulation mechanism; a first session key generation unit that generates a session key using a decryption result by the first decryption unit, and the second communication terminal is configured to transmit data from the first communication terminal to the first communication terminal. When at least the ciphertext and the public key are received, the time information acquired from the time server, the identifier of the first communication terminal, and the public key generated by the root key generation center of the first key generation center group are transmitted. a second encryption unit that generates the second ciphertext using the revocable hierarchical ID-based encryption using a parameter; and a second encryption unit that generates the third ciphertext from the public key using the key encapsulation mechanism. a third encryption unit that transmits at least the second ciphertext and the third ciphertext to the first communication terminal; a second decryption unit that decrypts the first ciphertext using the revocable hierarchical ID-based encryption; and a second session key generation unit that generates the session key using the decryption result of the second decryption unit. and has.

When performing key exchange using hierarchical ID-based key exchange with authentication, it is possible to realize key exchange between users under different hierarchical structures, and also to realize ID revocation.

FIG. 1 is a diagram showing an example of the overall configuration of a key exchange system according to the present embodiment. 1 is a diagram showing an example of a hardware configuration of a computer. FIG. 3 is a diagram illustrating an example of the functional configuration of a root KGC according to the present embodiment. It is a figure showing an example of the functional composition of intermediate KGC concerning this embodiment. FIG. 3 is a diagram illustrating an example of the functional configuration of a child KGC according to the present embodiment. FIG. 2 is a diagram showing an example of a functional configuration of a communication terminal according to the present embodiment. FIG. 2 is a sequence diagram showing an example of the flow of key exchange processing according to the present embodiment.

An embodiment of the present invention will be described below. In this embodiment, a key exchange system that can realize key exchange between users under different hierarchical structures and also realize ID revocation when performing key exchange using hierarchical ID-based key exchange with authentication will be described.

<Preparation>
First, various algorithms and the like used in this embodiment are prepared.

≪Key encapsulation mechanism≫
The Key Encapsulation Mechanism (KEM) is composed of the following three algorithms (KeyGen, EnCap, and DeCap).

(ek, dk)←KeyGen(1 ^κ ): Inputs security parameter 1 ^κ and generates a public key/private key pair (ek, dk).

(K, C)←EnCap(ek): Takes the public key ek as input and generates a key-ciphertext pair (K, C).

K'←DeCap (dk, C): Inputs secret key dk and ciphertext C, and outputs key K'.

Furthermore, it is assumed that K=DeCap(dk, C) is satisfied for any (ek, dk)←KeyGen(1 ^κ ), (K, C)←EnCap(ek).

Examples of the above KEM include RSA-OAEP and ElGamal encryption.

≪Revocable hierarchical ID-based encryption≫
Revocable hierarchical identity-based encryption (RHIBE) is composed of the following seven algorithms (Setup, SKGen, KeyUP, DKGen, Enc, Dec, Revoke).

(mpk, msk, RL) ←Setup (1 ^κ , N, l): Input the security parameter 1 ^κ , the maximum number of IDs N at each level, and the maximum hierarchy depth l (l is a lowercase letter L), A public parameter mpk, master secret key msk, and revocation list RL are generated. Here, a level is an index representing each layer in a hierarchical structure, and is an integer from 0 to l (l is a lowercase letter L) and less. For example, the levels of each hierarchy are 1, . . . , l in descending order, with the layer where the root KGC exists being level 0. Note that an intermediate KGC exists in a hierarchy of level 1 or more and less than l-1 (l is a lowercase letter L), and a child KGC exists in a hierarchy of level l-1 (l is a lowercase letter L). Further, in the hierarchy of level l (l is a lowercase letter L), there is a user (communication terminal) who receives a key issue from a child KGC. The root KGC and the intermediate KGC have one or more KGCs at the next higher level as children, and the child KGCs have one or more users as children, forming a parent-child relationship in a graph structure.

Note that the public parameter mpk is input to SKGen, KeyUP, DKGen, Enc, Dec, and Revoke, but since it is self-explanatory, the description may be omitted.

：公開パラメータｍｐｋと秘密鍵

:Public parameter mpk and private key

とレベルｋの識別子ＩＤ_ｋとを入力とし、ＩＤ_ｋの秘密鍵

and an identifier ID _k of level k as input, and the secret key of ID _k is

と更新された秘密鍵

and the updated private key

とを生成する。

and generate.

In addition, from now on, when a subscript is added to the subscript of a certain character as in numbers 2 to 4 above, the second subscript will not be subscripted in the text of the specification. , shall be expressed by adding an underscore symbol "_" in front of it. For example, the private key shown in Equation 2 above is expressed as sk _{ID_k-1} , and the secret key shown in Equation 3 above is expressed as sk _{ID_k} .

(ku _{ID_k, T} , sk' _{ID_k} )←KeyUP(mpk, sk _{ID_k} , ku _{ID_k-1} , RL _{ID_k} , T): Public parameter mpk and private key sk _{ID_k} (However, when k=0, master private key msk ), update key ku _{ID_k-1} (however, nothing is input when k=0), revocation list RL _{ID_k} , and update period T, and update key ku _{ID_k,T} and updated private key sk' _{ID_k} is generated.

dk _{ID_k,T} ←DKGen (mpk, sk _{ID_k} , ku _{ID_k-1, T} ): Inputs the public parameter mpk, private key sk _{ID_k} , and update key ku _{ID_k-1, T} generated by the parent, and decrypts the decryption key dk _{ID_k. , T.}

C←Enc(mpk, ID, m, T): Generates ciphertext C by inputting public parameter mpk, identifier ID, plaintext m, and update period T.

m'←Dec(mpk, dk _{ID_k, T} , C): Inputs public parameter mpk, decryption key dk _{ID_k, T} , and ciphertext C, and generates plaintext m'.

RL' _{ID_k-1} ←Revoke (ID _k , T, RL _{ID_k-1} ): Inputs the identifier ID _k , update period T, and revocation list RL _{ID_k-1 ,} and revoke (ID _k , T ) is added to generate a revocation list RL' _{ID_k-1} . Note that this means that the parent can revoke the child's ID.

Furthermore, for any (mpk, msk, RL)←Setup(1 ^κ , N, l), any plaintext m, any identifier ID _k , and any update period T, ID _k is T. If it has not expired, it is assumed that m=Dec(dk _{ID_k, T} , Enc(ID _k , m, T)).

Examples of the above RHIBE include the methods proposed in References 1 and 2 below.

Reference 1: Seo, Jae Hong, and Keita Emura. "Revocable hierarchical identity-based encryption: history-free update, security against insiders, and short ciphertexts." Cryptographers Track at the RSA Conference. Springer, Cham, 2015.
Reference 2: Lee, Kwangsu, and Seunghwan Park. “Revocable hierarchical identity-based
"encryption with shorter private keys and update keys." Designs, Codes and Cryptography 86.10 (2018): 2407-2440.
In this embodiment, it is assumed that the plaintext space of the revocable hierarchical ID-based encryption and the key space generated by the key encapsulation mechanism EnCap are the same. Hereinafter, this space will be referred to as KS ₁ .

<Overall configuration>
Next, a key exchange system according to this embodiment will be explained. The key exchange system according to this embodiment is composed of entities that are interconnected via a communication network such as the Internet. The entity includes a KGC (root KGC, intermediate KGC, child KGC), a communication terminal, and a time server. Here, the time server is a server that distributes the update period T to each KGC and each communication terminal.

In this embodiment, the key exchange system 10 shown in FIG. 1 is assumed as an example. The key exchange system 10 shown in FIG. 1 has a hierarchical structure 1 and a hierarchical structure 2, and the hierarchical structure 1 is composed of a root KGC 1000, intermediate KGCs 2000 to 2001, etc., child KGCs 3000 to 3001, etc., and a communication terminal 4000. , the hierarchical structure 2 is composed of a root KGC 1100, intermediate KGCs 2100 to 2101, child KGCs 3100 to 3101, and a communication terminal 4100.

As shown in FIG. 1, children of the root KGC 1000 are intermediate KGCs 2000 to 2001, etc., and children of the intermediate KGC 2000 are child KGCs 3000 to 3001, etc. Furthermore, a child of the child KGC 3000 is a communication terminal 4000. Similarly, children of the root KGC 1100 are intermediate KGCs 2100 to 2101, etc., and children of the intermediate KGC 2100 are child KGCs 3100 to 3101, etc. Further, a child of the child KGC 3100 is a communication terminal 4100.

In the example shown in FIG. 1, the hierarchical structures 1 and 2 both have four layers (that is, l=4), but this is just an example, and any number of layers may be used. Further, in the example shown in FIG. 1, there are two hierarchical structures, but any number of hierarchical structures may exist.

The time server 5000 is communicably connected to all other entities (each KGC and each communication terminal) other than itself, and regularly distributes the update period T to all these other entities. In other words, each entity other than the time server 5000 receives the update period T periodically distributed from the time server 5000. This update period T is information used for key exchange and encryption of revocable hierarchical ID-based encryption.

Note that in the example shown in FIG. 1, there is one time server 5000, but this is just an example, and a plurality of time servers 5000 may exist as long as they are time synchronized with each other.

Here, it is assumed that the intermediate KGC, the child KGC, and the communication terminals under them are assigned identifier IDs according to the hierarchy. In addition, in the above preparation, the identifier of the entity existing in the hierarchy of level k was set as ID _k , but below, using the code of the entity existing in the hierarchy of level k, the identifier of the entity with code kXXX will be expressed as ID _kXXX . shall be taken as a thing.

Specifically, for example, the intermediate KGC 2000 is assigned ID ₂₀₀₀ = ID _1,2000 , the child KGC 3000 is assigned ID ₃₀₀₀ = (ID _1,2000 , ID _1,3000 ), and the communication terminal It is assumed that ID ₄₀₀₀ = (ID _1,2000 , ID _1,3000 , ID _1,4000 ) is assigned to ID 4000. Similarly, for example, the intermediate KGC 2001 is assigned ID ₂₀₀₁ = ID _1,2001 . Similarly, for example, the intermediate KGC 2100 is assigned ID ₂₁₀₀ = ID _2,2100 , the child KGC 3100 is assigned ID ₃₁₀₀ = (ID _2,2100 , ID _2,3100 ), and the communication terminal 4100 is assigned ID ₄₁₀₀ = (ID _2,2100 , ID _2,3100 , ID _2,4100 ).

In addition, the following functions and values are assumed to be held by each entity as system-common parameters.

・Pseudo-random function F: KS ₂ ×{0,1} ^* →{0,1} ^κ
・Key derivation function KDF: Salt×KS ₁ → KS ₂
・Salt of key derivation function s∈Salt
Here, KS ₂ is the key space of the pseudorandom function. Examples of pseudorandom functions include HMAC and the like. Furthermore, examples of key derivation functions include HKDF and the like. Note that the security parameter κ represents security strength, and may be set to κ=128, κ=256, etc., for example.

<Hardware configuration>
Next, the hardware configuration of each entity will be explained. Each entity, for example, the computer 900 shown in FIG. 2, includes an input device 901, a display device 902, an external I/F 903, a communication I/F 904, a processor 905, and a memory device 906. Each of these pieces of hardware is communicably connected via a bus 907.

The input device 901 is, for example, a keyboard, a mouse, a touch panel, or the like. The display device 902 is, for example, a display. Note that the computer 900 does not need to have at least one of the input device 901 and the display device 902.

The external I/F 903 is an interface with an external device such as a recording medium 903a. Note that examples of the recording medium 903a include a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.

Communication I/F 904 is an interface for connecting to a communication network such as the Internet. The processor 905 is, for example, various arithmetic devices such as a CPU (Central Processing Unit) or a GPU (Graphics Processing Unit). The memory device 906 is, for example, various storage devices such as a HDD (Hard Disk Drive), an SSD (Solid State Drive), a RAM (Random Access Memory), a ROM (Read Only Memory), and a flash memory.

Each entity included in the key exchange system 10 according to the present embodiment has the hardware configuration shown in FIG. 2, thereby being able to implement various processes described below. Note that the hardware configuration shown in FIG. 2 is an example, and the hardware configuration of each entity is not limited to this.

<Functional configuration>
Next, the functional configuration of each entity included in the key exchange system 10 according to this embodiment will be explained.

≪Route KGC≫
As shown in FIG. 3, the root KGCs 1000 and 1100 include a setup processing section 101, a long-term secret key generation section 102, an update key generation section 103, and a revocation list update section 104. Each of these units is realized, for example, by a process that a program installed in the root KGC causes a processor to execute.

Furthermore, the root KGCs 1000 and 1100 have a storage unit 105. The storage unit 105 is realized by, for example, a memory device or the like.

The setup processing unit 101 executes the Setup algorithm to generate public parameters, a master private key, and a revocation list. These public parameters, master private key, and revocation list are stored in the storage unit 105. Further, the public parameters are distributed to subordinate intermediate KGCs, child KGCs, and communication terminals.

The long-term private key generation unit 102 executes the SKGen algorithm to generate a child private key and an updated master private key. The child's private key is sent to the child. Note that this private key is also called a long-term private key.

The update key generation unit 103 executes the KeyUP algorithm to generate an update key and an updated master private key. This update key is distributed to the child KGC.

The revocation list update unit 104 executes the Revoke algorithm to update the revocation list.

The storage unit 105 stores various information (eg, public parameters, master private key, revocation list, etc.).

≪Intermediate KGC≫
As shown in FIG. 4, the intermediate KGCs 2000 to 2001 and 2100 to 2101 include a latest secret key generation section 201, a long-term secret key generation section 202, an update key generation section 203, and a revocation list update section 204. Each of these units is realized, for example, by a process that a program installed in the intermediate KGC causes a processor to execute.

Further, the intermediate KGCs 2000 to 2001 and 2100 to 2101 have a storage unit 205. The storage unit 205 is realized by, for example, a memory device.

When the latest private key generation unit 201 receives an update key from the parent KGC, it executes the DKGen algorithm to update its own decryption key. Note that the decryption key is a type of secret key, and is updated periodically according to the distribution of the update period T, so it is also called the latest secret key, medium-term secret key, etc.; hereinafter, it will be referred to as the latest secret key.

The long-term secret key generation unit 202 executes the SKGen algorithm to generate a child's long-term secret key and its own updated long-term secret key.

The update key generation unit 203 executes the KeyUP algorithm to generate an update key and its own updated long-term private key. This update key is distributed to the child KGC.

The revocation list update unit 204 executes the Revoke algorithm to update the revocation list.

The storage unit 205 stores various information (for example, a long-term secret key, the latest secret key (decryption key), a revocation list, etc.).

≪Child KGC≫
As shown in FIG. 5, the child KGCs 3000 to 3001 and 3100 to 3101 have a latest secret key generation section 301, a long-term secret key generation section 302, an update key generation section 303, and a revocation list update section 304. Each of these units is realized, for example, by a process that a program installed in the child KGC causes a processor to execute.

Furthermore, the child KGCs 3000 to 3001 and 3100 to 3101 have a storage unit 305. The storage unit 305 is realized by, for example, a memory device.

When the update key is distributed from the parent KGC, the latest private key generation unit 301 executes the DKGen algorithm to update its own latest private key.

The long-term secret key generation unit 302 executes the SKGen algorithm to generate a child's long-term secret key and its own updated long-term secret key.

The update key generation unit 303 executes the KeyUP algorithm to generate an update key and its own updated long-term private key. This update key is distributed to the child KGC.

The revocation list update unit 304 executes the Revoke algorithm to update the revocation list.

The storage unit 305 stores various information (eg, long-term secret key, latest secret key, revocation list, etc.).

≪Communication terminal≫
As shown in FIG. 6, communication terminals 4000 and 4100 include a latest secret key generation section 401, an RHIBE encryption section 402, an RHIBE decryption section 403, a KEM key pair generation section 404, a time information acquisition section 405, It includes an encapsulation processing section 406, an encapsulation decryption section 407, a key derivation section 408, a session key generation section 409, a message reception section 410, and a message transmission section 411. Each of these units is realized, for example, by a process that a program installed in the communication terminal causes a processor to execute.

Furthermore, communication terminals 4000 and 4100 have a storage section 412. The storage unit 412 is realized by, for example, a memory device.

When the update key is distributed from the parent KGC (that is, child KGC), the latest private key generation unit 401 executes the DKGen algorithm to update its own latest private key.

The RHIBE encryption unit 402 executes the Enc algorithm to generate a ciphertext.

The RHIBE decryption unit 403 executes the Dec algorithm to decrypt the ciphertext.

The KEM key pair generation unit 404 executes the KeyGen algorithm to generate a KEM public key and private key pair.

The time information acquisition unit 405 acquires the update period T distributed from the time server 5000.

The encapsulation processing unit 406 executes the EnCap algorithm to generate a KEM key and ciphertext pair.

The encapsulation/decryption unit 407 executes the DeCap algorithm to obtain the KEM key.

The key derivation unit 408 generates a key using a key derivation function KDF.

The session key generation unit 409 generates a session key using the pseudo-random function F using the key generated by the key derivation unit 408.

Message receiving section 410 receives messages (hereinafter also referred to as protocol messages) from other communication terminals.

Message transmitter 411 transmits protocol messages to other communication terminals.

The storage unit 412 stores various information (eg, long-term secret key, latest secret key, key derivation function KDF, pseudorandom function F, salt s, etc.).

<Details of various processing>
Hereinafter, details of various processes executed by the key exchange system 10 according to this embodiment will be explained.

≪Setup≫
Setup is primarily performed by root KGCs 1000 and 1100, respectively. Hereinafter, as an example, processing executed by the root KGC 1000 will be described. Note that the root KGC 1100 also executes the same processing as the root KGC 1000.

First, the setup processing unit 101 of the root KGC 1000 executes (mpk, msk, RL)←Setup (1 ^κ , N, l). Note that the public parameter mpk, master secret key msk, and revocation list RL are stored in the storage unit 105.

Next, the setup processing unit 101 of the root KGC 1000 distributes the public parameter mpk to the intermediate KGCs 2000 and 2001, the child KGCs 3000 and 3001, the communication terminal 4000, etc. under the root KGC 1000. The setup processing unit 101 of the root KGC 1000 also distributes the public parameter mpk to the root KGC (for example, the root KGC 1100, etc.) with which a trust relationship (for example, mutual authentication using PKI) has been established separately.

Furthermore, when public parameters are distributed from another root KGC (for example, root KGC 1100, etc.), the setup processing unit 101 of the root KGC 1000 sends information to the intermediate KGCs 2000 and 2001 under itself, the child KGCs 3000 and 3001, and the communication terminal 4000. Distribute the public parameters to other users.

Furthermore, KGCs other than the root KGC (intermediate KGCs and child KGCs) also generate and store revocation lists RL. Note that at this point, it is sufficient to generate an empty revocation list RL.

Hereinafter, the revocation list managed by KGC with ID _m will be written as RL _m . Furthermore, public parameters and master private keys will also be distinguished by writing mpk _m , msk _m , etc. For example, mpk ₁₀₀₀ represents a public parameter generated by the root KGC 1000, and mpk ₁₁₀₀ represents a public parameter generated by the root KGC 1100.

≪Long-term private key generation≫
Long-term secret key generation is performed by the root KGC, intermediate KGC, and child KGC, respectively. In the following, as an example, assume that the root KGC 1000, intermediate KGC 2000, and child KGC 3000 generate long-term secret keys, and these KGCs are collectively referred to as "KGCn000". In this case, the intermediate KGC is 2000, and in the case of n=3, it is the child KGC 3000.

In long-term secret key generation, KGCn000 generates a long-term secret key for its child (the KGC corresponding to the child when n=1 and 2, and the communication terminal corresponding to the child when n=3). Let the identifier of KGCn000 be ID _n000 , and let the identifier of the child for which a long-term secret key is to be generated be ID _(n+1)000 .

At this time, the long-term private key generation unit n02 of KGCn000 executes (sk _{ID_(n+1)000} , sk' _{ID_n000} )←SKGen(sk _{ID_n000} , ID _(n+1)000 ) to generate the long-term private key sk _{ID_(n+1) 000} and an updated long-term secret key sk' _{ID_n000} .

Then, the long-term secret key generation unit n02 of KGCn000 transmits the long-term secret key sk _{ID_(n+1)000} to the child via a secure communication channel such as TLS. Further, the long-term private key generation unit n02 of KGCn000 updates its own long-term private key sk _{ID_n000} to sk' _{ID_n000} .

However, in the above case where n=1, sk _{ID_1000} and sk' _{ID_1000} are master private key msk ₁₀₀₀ and updated master private key msk' ₁₀₀₀ , respectively.

≪Update key generation≫
The update key generation is executed by each KGC at the time of system setup or when the regular update period T is distributed from the time server 5000. Hereinafter, similarly to the above long-term secret key generation, KGCn000 is assumed to be the root KGC1000 when n=1, the intermediate KGC2000 when n=2, and the child KGC3000 when n=3.

The update key generation unit n03 of KGCn000 executes (ku _{ID_n000, T} , sk' _{ID_n000} )←KeyUP(sk _{ID_n000} , ku _{ID_(n-1)000} , RL _{ID_n000} , T) to generate the update key ku _{ID_n000, T.} and an updated long-term secret key sk' _{ID_n000} . Here, when n=2, 3, ku _{ID_(n-1)000} is an update key distributed from KGC, which is the parent of KGCn000.

Then, the update key generation unit n03 of KGCn000 updates its own long-term secret key to sk' _{ID_n000} and distributes the update key ku _{ID_n000,T} . Note that this update key ku _{ID_n000,T} is not distributed only to its own children, but may be made public information that can be viewed by other entities, for example.

However, if n=1 in the above, no update key is input to the KeyUP algorithm. Further, when n=1, the long-term secret key is the master secret key.

≪Latest private key generation≫
The latest secret key generation is executed by each KGC and each communication terminal when an update key is distributed from the parent KGC. In the following, as an example, it is assumed that the intermediate KGC 2000, the child KGC 3000, and the communication terminal 4000 generate the latest private key, and these are collectively referred to as "device n000". In this case, it is assumed that the child KGC is 3000, and when n=4, it is assumed that it is the communication terminal 4000.

The latest private key generation unit n01 of the device n0000 executes dk _{ID_n000,T} ←DKGen(sk _{ID_n000} , ku _{ID_(n-1)000,T} ) to generate the latest private key dk _{ID_n000,T} . Then, the latest private key generation unit n01 of the device n0000 updates its own latest private key to dk _{ID_n000,T} .

≪Revocation list update≫
Revocation list updates are performed by the KGC when revoking child entity IDs. Hereinafter, similarly to the above long-term secret key generation, KGCn000 is assumed to be the root KGC1000 when n=1, the intermediate KGC2000 when n=2, and the child KGC3000 when n=3.

A case will be described in which KGCn000 attempts to revoke ID _(n+1)000, which is one of the IDs of its child entities. Further, it is assumed that the latest update period distributed from the time server 5000 is T.

At this time, the revocation list update unit n04 of KGCn000 executes RL' _{ID_n} ←Revoke (ID _(n+1)000 , T, RL _{ID_n000} ) and adds (ID _(n+1)000 , T) to the revocation list RL _{ID_n000} . do. The revocation list after addition is RL' _{ID_n} . With the update key generated using this revocation list, it is not possible to generate the latest secret key for the ID included in the revocation list. This allows the ID to be revoked.

≪Key exchange≫
A case in which key exchange is performed between communication terminal 4000 and communication terminal 4100 (that is, between communication terminals in different hierarchical structures) will be described with reference to FIG. 7. Note that it is assumed that the latest update period acquired by time information acquisition section 405 of communication terminal 4000 and time information acquisition section 405 of communication terminal 4100 at this point is T. Further, it is assumed that communication terminal 4000 and communication terminal 4100 have each obtained the other party's ID in advance. Further, it is assumed that the communication terminal 4000 has acquired in advance the public parameter mpk ₁₁₀₀ generated by the root KGC 1100, and the communication terminal 4100 has acquired the public parameter mpk ₁₀₀₀ generated by the root KGC 1000.

Step S101: The RHIBE encryption unit 402 of the communication terminal 4000 takes K _A ∈KS ₁ uniformly at random, executes C _A ← Enc (mpk ₁₁₀₀ , ID ₄₁₀₀ , K _A , T), and generates the RHIBE ciphertext. Generate _CA. Further, the KEM key pair generation unit 404 of the communication terminal 4000 executes (ek _T , dk _T )←KeyGen(1 ^κ ) to generate a KEM key pair (ek _T , dk _T ).

Note that in the RIBE encryption and KEM key generation in step S101 above, random numbers generated within the algorithm may be used to generate the output in order to make the output probabilistic. There is a threat that the internal random numbers may be leaked due to the vulnerability of the random number generator used at this time, but as a countermeasure to this threat, the NAXOS trick (using the long-term private key and short-term private key) proposed in Reference 3 below is proposed. (using hashed values instead of random numbers) or the twisted pseudorandom function trick proposed in Reference 4 may also be used.

Reference 3: LaMacchia, Brian, Kristin Lauter, and Anton Mityagin. "Stronger security of authenticated key exchange." International conference on provable security. Springer, Berlin, Heidelberg, 2007.
Reference 4: Fujioka, Atsushi, et al. "Strongly secure authenticated key exchange from factoring, codes, and lattices." Designs, Codes and Cryptography 76.3 (2015): 469-504.
Step S102: The message transmitting unit 411 of the communication terminal 4000 transmits a protocol message including (ID ₄₀₀₀ , ID ₄₁₀₀ , T, C _A , ek _T ) to the communication terminal 4100 .

Step S103: The message receiving unit 410 of the communication terminal 4100 receives a protocol message including (ID ₄₀₀₀ , ID ₄₁₀₀ , T, C _A , ek _T ) from the communication terminal 4000 . Then, the RHIBE encryption unit 402 of the communication terminal 4100 takes K _B ∈KS ₁ uniformly at random, executes C _B ← Enc (mpk ₁₀₀₀ , ID ₄₀₀₀ , K _B , T), and converts the RHIBE ciphertext C Generate _B. Furthermore, the encapsulation processing unit 406 of the communication terminal 4100 executes (K _T , C _T )←EnCap(ek _T ) to generate a key-ciphertext pair (K _T , C _T ).

Note that, similar to step S101 above, in step S103 above, a NAXOS trick or a twisted pseudo-random function trick may be used as a countermeasure against leakage of the random numbers used inside the algorithm in RHIBE encryption and KEM encapsulation. .

Step S104: The message transmitting unit 411 of the communication terminal 4100 transmits a protocol message including (ID ₄₀₀₀ , ID ₄₁₀₀ , T, _CB , C _T ) to the communication terminal 4000.

Step S105-1: The message receiving unit 410 of the communication terminal 4000 receives a protocol message including (ID ₄₀₀₀ , ID ₄₁₀₀ , T, _CB , C _T ) from the communication terminal 4100. Then, the RHIBE decryption unit 403 of the communication terminal 4000 executes K _B ←Dec (mpk ₁₀₀₀ , dk _{ID_4000, T} , C _B ) to decrypt the ciphertext C _B to K _B. Furthermore, the encapsulation decryption unit 407 of the communication terminal 4000 executes K _T ←DeCap(dk _T , C _T ) to decrypt the ciphertext _CT to K _T.

Step S106-1: Next, the key deriving unit 408 of the communication terminal 4000 calculates K' _A ←KDF (s, K _A ), K' _B ← KDF (s, K _B ), and K' _T ← KDF ( s, K _T ). Then, the session key generation unit 409 of the communication terminal 4000 calculates ST=(ID ₄₀₀₀ , ID ₄₁₀₀ , T, _CA , ek _T , _CB , C _T ), and generates the session key

を生成する。

generate.

Step S105-2: The RHIBE decryption unit 403 of the communication terminal 4100 executes K _A ←Dec(mpk ₁₁₀₀ , dk _{ID_4100, T} , C _A ) to decrypt the ciphertext C _A to K _A. Note that this step may start to be executed immediately after step S104 described above.

Step S106-2: Next, the key deriving unit 408 of the communication terminal 4100 calculates K' _A ←KDF (s, K _A ), K' _B ← KDF (s, K _B ), and K' _T ← KDF ( s, K _T ). Then, the session key generation unit 409 of the communication terminal 4100 calculates ST=(ID ₄₀₀₀ , ID ₄₁₀₀ , T, _CA , ek _T , _CB , C _T ), and generates the session key

を生成する。

generate.

As a result, the same session key SK is shared between communication terminal 4000 and communication terminal 4100 (that is, between communication terminals under different hierarchical structures, in other words, different routes KGC). Therefore, communication terminal 4000 and communication terminal 4100 can securely perform communication for various application processes using session key SK.

As described above, the key exchange system 10 according to the present embodiment introduces the time server 5000 for correctly sharing time (update period T) between entities in each hierarchy, and uses revocable hierarchical ID-based encryption. By using this, it is possible to realize key exchange and ID revocation between users (communication terminals) under different hierarchical structures. As a result, the key exchange system 10 according to the present embodiment has the scalability (hierarchical and multiple root CAs) that PKI-based key exchange satisfies, and the ID-based cryptographic key exchange that has the same scalability and functionality as certificate revocation. can be realized. By using the key exchange system 10 according to this embodiment, for example, certificate management (certificate creation, issuance application, revocation, renewal, etc.) by individual end users, which is required in PKI-based systems, is no longer necessary. Become.

The present invention is not limited to the above-described specifically disclosed embodiments, and various modifications and changes, combinations with known techniques, etc. are possible without departing from the scope of the claims.

10: Key exchange system 101: Setup processing unit 102: Long-term secret key generation unit 103: Update key generation unit 104: Revocation list update unit 105: Storage unit 201: Latest secret key generation unit 202: Long-term secret key generation unit 203: Update Key generation unit 204: Revocation list update unit 205: Storage unit 301: Latest private key generation unit 302: Long-term secret key generation unit 303: Update key generation unit 304: Revocation list update unit 305: Storage unit 401: Latest private key generation unit 402: RHIBE encryption unit 403: RHIBE decryption unit 404: KEM key pair generation unit 405: Time information acquisition unit 406: Encapsulation processing unit 407: Encapsulation decryption unit 408: Key derivation unit 409: Session key generation unit 410: Message Receiving unit 411: Message transmitting unit 412: Storage unit 900: Computer 901: Input device 902: Display device 903: External I/F
903a: Recording medium 904: Communication I/F
905: Processor 906: Memory device 907: Bus 1000, 1100: Root KGC
2000, 2001, 2100, 2101: Intermediate KGC
3000, 3001, 3100, 3101: Child KGC
4000, 4100: Communication terminal

Claims (10)

A first key generation center group and a second key generation center group forming a hierarchical structure, a first communication terminal under the first key generation center group, and the second key generation center group. A key exchange system that includes at least a second communication terminal under a second communication terminal and a time server that distributes time information,
The first communication terminal is
A revocable hierarchical ID base is created using the time information acquired from the time server, the identifier of the second communication terminal, and the public parameter generated by the root key generation center of the second key generation center group. a first encryption unit that generates a first ciphertext by encryption;
a first key generation unit that generates a key pair of a public key and a private key using a key encapsulation mechanism;
a first transmitter that transmits at least the first ciphertext and the public key to the second communication terminal;
Upon receiving at least the second ciphertext and the third ciphertext from the second communication terminal, the second ciphertext is decrypted by the revocable hierarchical ID-based encryption using its own medium-term secret key. and a first decryption unit that decrypts the third ciphertext using the key encapsulation mechanism;
a first session key generation unit that generates a session key using the decryption result by the first decryption unit,
The second communication terminal is
Upon receiving at least the first ciphertext and the public key from the first communication terminal, the first key generation center receives the time information acquired from the time server, the identifier of the first communication terminal, and the first key generation center. a second encryption unit that generates the second ciphertext using the revocable hierarchical ID-based encryption using a public parameter generated by a root key generation center of the group;
a third encryption unit that generates the third ciphertext from the public key using the key encapsulation mechanism;
a second transmitter that transmits at least the second ciphertext and the third ciphertext to the first communication terminal;
a second decryption unit that decrypts the first ciphertext using the revocable hierarchical ID-based encryption using its own medium-term secret key;
A key exchange system comprising: a second session key generation unit that generates the session key using a decryption result by the second decryption unit. Each key generation center included in the first key generation center group and the second key generation center group is
The other key generation center or communication terminal uses the time information acquired from the time server and the identifier of another key generation center or communication terminal that exists in the hierarchy one level lower than itself, to determine the medium-term secret of the other key generation center or communication terminal. an update key generation unit that generates an update key for updating the key;
It has a revocation unit that revokes the identifier of another key generation center or communication terminal that exists one level below the key generation center,
The update key generation unit includes:
2. The key exchange system according to claim 1, wherein when an identifier revoked by the revocation unit is used, an update key is generated in which another key generation center or communication terminal having the identifier cannot update the medium-term secret key. The first communication terminal and the second communication terminal are
When receiving an update key from a key generation center that is one level above the key generation center, the key update unit updates its own latest medium-term secret key using the update key and its own long-term secret key. The key exchange system according to claim 2, comprising: A communication terminal under a first key generation center group forming a hierarchical structure,
The time information obtained from the time server, the identifiers of other communication terminals under the second key generation center group forming a hierarchical structure, and the time information generated by the root key generation center of the second key generation center group. an encryption unit that generates a first ciphertext by revocable hierarchical ID-based encryption using a public parameter;
a key generation unit that generates a key pair of a public key and a private key using a key encapsulation mechanism;
a transmitting unit that transmits at least the first ciphertext and the public key to the other communication terminal;
Upon receiving at least the second ciphertext and the third ciphertext from the other communication terminal, the second ciphertext is decrypted by the revocable hierarchical ID-based encryption using the own medium-term secret key; , a decryption unit that decrypts the third ciphertext using the key encapsulation mechanism;
a session key generation unit that generates a session key to be shared with the other communication terminal using the decryption result by the decryption unit;
A communication terminal with A communication terminal under a second key generation center group forming a hierarchical structure,
When at least the first ciphertext and public key are received from another communication terminal under the first key generation center group forming a hierarchical structure, the time information acquired from the time server and the other communication terminal are a first encryption unit that generates a second ciphertext by revocable hierarchical ID-based encryption using an identifier and a public parameter generated by a root key generation center of the first key generation center group; ,
a second encryption unit that generates a third ciphertext from the public key by a key encapsulation mechanism;
a transmitter that transmits at least the second ciphertext and the third ciphertext to the other communication terminal;
a decryption unit that decrypts the first ciphertext using the revocable hierarchical ID-based encryption using its own medium-term secret key;
a session key generation unit that generates a session key to be shared with the other communication terminal using the decryption result by the decryption unit;
A communication terminal with An information processing device that forms a hierarchical structure with other information processing devices,
a long-term secret key generation unit that generates a long-term secret key of another information processing device that is a child using an identifier of another information processing device that is a child in the hierarchical structure and its own long-term secret key;
Used when the other child information processing device updates the medium-term secret key using the time information obtained from the time server, its own long-term secret key, and a revocation list that includes revoked identifiers. an update key generation unit that generates an update key;
a revocation unit that adds an identifier of the other child information processing device to the revocation list using time information acquired from the time server and an identifier of the other child information processing device; ,
has
The update key generation unit includes:
An information processing device that generates an update key that prevents other information processing devices having an identifier included in the revocation list from updating a medium-term private key. A first key generation center group and a second key generation center group forming a hierarchical structure, a first communication terminal under the first key generation center group, and the second key generation center group. A key exchange method used in a key exchange system that includes at least a second communication terminal under a second communication terminal and a time server that distributes time information,
The first communication terminal is
A revocable hierarchical ID base is created using the time information acquired from the time server, the identifier of the second communication terminal, and the public parameter generated by the root key generation center of the second key generation center group. a first encryption procedure for generating a first ciphertext by encryption;
a first key generation step of generating a key pair of a public key and a private key by a key encapsulation mechanism;
a first transmission procedure of transmitting at least the first ciphertext and the public key to the second communication terminal;
Upon receiving at least the second ciphertext and the third ciphertext from the second communication terminal, the second ciphertext is decrypted by the revocable hierarchical ID-based encryption using its own medium-term secret key. and a first decryption procedure for decrypting the third ciphertext using the key encapsulation mechanism;
a first session key generation procedure of generating a session key using the decryption result of the first decryption procedure;
The second communication terminal,
Upon receiving at least the first ciphertext and the public key from the first communication terminal, the first key generation center receives the time information acquired from the time server, the identifier of the first communication terminal, and the first key generation center. a second encryption procedure of generating the second ciphertext by the revocable hierarchical ID-based encryption using a public parameter generated by a root key generation center of the group;
a third encryption procedure of generating the third ciphertext from the public key by the key encapsulation mechanism;
a second transmission procedure of transmitting at least the second ciphertext and the third ciphertext to the first communication terminal;
a second decryption step of decrypting the first ciphertext using the revocable hierarchical ID-based encryption using its own medium-term secret key;
A second session key generation procedure for generating the session key using a decryption result from the second decryption procedure. A program that causes a computer to function as the communication terminal according to claim 4 . A program that causes a computer to function as the communication terminal according to claim 5. A program that causes a computer to function as the information processing device according to claim 6.

Images