JPH0746234A - Ciphering system - Google Patents

Abstract

PURPOSE:To realize sophisticated security with a simple algorithm by providing a reception terminal equipment generating a secret key through specific arithmetic operation, generating a common key between a key generating center and a conference member and decoding the received ciphering text with other common key generated by the common key or the like. CONSTITUTION:A key generating center 1 applies unidirectional Hash functions f(), h() to each user 2 or the like based on the ID information intrinsic to user. Then a list of secret information sets P, Q, L, alpha, beta, gamma, delta, S and a public information N, subscriber ID list including a secret key G are generated by the arithmetic operation including an exponential function of a primitive element (g) of a prime. Thus, a common key is generated between the center 1 and conference membership without need of preliminary communication and the data are sent through ciphering by the common key. The receiver side generates a common key with the conference membership based on the secret key G, the ID information and the public information without need of preliminary communication and the reception terminal equipment decodes the received ciphering text.

Description

Detailed Description of the Invention

[0001]

FIELD OF THE INVENTION The present invention is a message (electronic information).
The present invention relates to a cryptographic system for securely communicating data, and in particular, it enables postal cryptographic communication such as fax and has a wide range of applications, and shares a common key for encryption / decryption among multiple persons. This is an encryption system that enables the use of a conference key that can be used.

[0002]

2. Description of the Related Art "Electronic information" is essentially different from materials and energy and can be easily copied. There is no distinction between original and copy. When copied, it leaves no trace of it on the original. The unique double-edged sword, which has the unique property of information, contributes greatly to the realization of an advanced information society and also causes information security problems.

Various methods have been proposed as methods for realizing such information security, but the following two methods are roughly classified as cryptographic systems that have been put to practical use in the past.・ Common key cryptosystem ・ Public key cryptosystem

The common key cryptosystem is a system in which a key for encryption (encryption key) and a key for decryption (decryption key) are the same, and the sender side and the receiver side of a message share a common means by secure means. The key is handed over, the sender side encrypts the transmitted key, and the received one is decrypted with the same key on the receiving side to receive the message. However, there are many inconveniences because it is necessary to hand over the key while keeping the secret before communication. In addition, if the number of users is large, the number of keys that should be secretly managed will also be very large, and there is the inconvenience that management is not easy.

On the other hand, the public key cryptosystem is a one-way function known as a discrete logarithm problem, a knapsack problem, etc. for an arbitrarily determined decryption key, which is made up of a pair of encryption key and decryption key for each user. Generate an encryption key by using the), publish the encryption key in the public key list, etc., keep only the decryption key secret for each user, and the sender uses the public encryption key of the receiver to send messages. Is encrypted and transmitted, and the receiving side decrypts it with its own decryption key and receives the message. The reason why the decryption key is kept safe even if the encryption key is disclosed is based on the property of the one-way function.

In this public key cryptosystem, it is not necessary to hold a key with the other party in advance, and each user need only have his own key, so there is no inconvenience unlike the common key cryptosystem described above. However, it is necessary to provide a public key list for publicizing the encryption key of each user, and it is necessary to add an authentication function to each individual public key. Generally, public key cryptosystems use encryption and decryption algorithms. However, there is a problem in that it is technically difficult to perform the calculation at high speed due to the complexity.

Under such circumstances, an "encryption system based on ID information" has been proposed, and in particular, when a common key is generated from ID information and encryption / decryption is performed by this, the inconvenience of the public key encryption system described above occurs. It is very promising because it will be resolved.

That is, in the encryption system based on ID information,
Assuming that a reliable key generation center exists, ID information is registered in advance for each user, a secret key is generated and given to each user based on the ID information, and the ID information of each user is made public. . Then, the user on the transmission side generates a common key from the public ID information and other public information of the user on the reception side and its own secret key, and thereby encrypts the message and transmits it. The receiving-side user generates a common key from the public ID information of the transmitting-side user and other public information and its own secret key, and thereby decrypts the received message.

Therefore, since the publicized information is the ID information corresponding to the user's name, address, telephone number, etc., it is more convenient and safe than the method of releasing the encryption key like the public key cryptosystem. In addition, since the encryption and decryption are performed by the common key, the algorithm can be simplified.

[0010]

As described above, various attempts have been made for the encryption system based on ID information to be a very effective system, but none have sufficient security, and in particular, there are a plurality of systems. There is a drawback that the center secret is analyzed by colluding by (a large number of users) and a key between arbitrary users can be generated.

On the other hand, the present inventor has solved the above-mentioned drawbacks.
We have already developed a cryptographic system applicable to communication between parties and applied for a patent. In this application, we will discuss a conference key that can share a common key for encryption / decryption among multiple parties. Is not considered.

The present invention has been proposed in view of the above points, and an object thereof is to maintain a high degree of security while maintaining a simple algorithm.
An object of the present invention is to provide an encryption system that can use a conference key that can share a common key for encryption / decryption among multiple persons.

[0013]

In order to achieve the above object, the present invention provides each user with a unique ID for that user.
A secret key is generated by an operation that includes the application of a one-way hash function based on information and the application of an exponential function that uses the primitive element of a prime number as a base and a method, and the secret key is given to the user himself, and the subscriber of each user From the key generation center that provides predetermined information including the ID list as public information, the secret key of the sending user and the public ID information of the conference members excluding the sending user and other public information A sender terminal that generates a common key with a conference member without requiring preliminary communication, encrypts a message with this common key, and sends the secret key of the receiving user and a conference member excluding the receiving user. A receiving side end that generates a common key from the publicly disclosed ID information and other public information without requiring preliminary communication between the sender and the receiver and decrypts the received ciphertext with the common key So that it provided the door.

Further, in order to increase the confidentiality of the common key, the information of the work key is encrypted / decrypted by the common key at the start of the communication, and then the message is encrypted / decrypted by the work key for communication. You can also choose to do so.

[0015]

In the cryptographic system of the present invention, prior to communication, the key generation center applies the one-way hash function to each user based on the ID information unique to the user and determines the primitive element of the prime number. A secret key is generated by an operation including application of an exponential function using the and method and given to the user himself. Further, the predetermined information including the subscriber ID list of each user is provided to each user as public information.

In the message communication, the sender terminal does not need preliminary communication based on the secret key of the sender user and the public ID information and other public information of the conference members excluding the sender user. A common key is generated with the member, and the message is encrypted with this common key and sent. In addition, the receiving side terminal generates a conference common key from the secret key of the receiving side user and the public ID information of the conference members excluding the receiving side user and other public information without the need for preliminary communication, and receives the conference common key. The decrypted ciphertext is decrypted by the conference common key.

On the other hand, at the start of communication, the work key information is encrypted / decrypted by the common key for communication, and thereafter, the message is encrypted / decrypted by the work key for communication to further improve the common key. Security can be enhanced.

[0018]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing an embodiment of a key generation center in the encryption system of the present invention.

In FIG. 1, the key generation center 1 has secret information and public information, and registers the ID information ID corresponding to the name, address, telephone number, etc. of the user 2 who newly joins. At the same time, the secret key G is added by the center algorithm based on each information. The key G is actually a bit data string. Therefore, it is preferable that the information is recorded on an IC card or the like and secretly applied.

The secret information in the key generation center 1 will be described below.
Public information and center algorithm will be explained.

First, the key generation center 1 calculates N = PQ (1) for two arbitrarily selected large prime numbers P and Q, and makes N public information.

Next, L, α and odd β, γ satisfying L = LCM {P-1, Q-1} = 2αβγ (2) are obtained for the above prime numbers P, Q. Where L
CM {P-1, Q-1} indicates the least common multiple of (P-1) and (Q-1).

Then, a finite field GF (P) of prime numbers P and Q,
Find a common primitive element g of GF (Q).

Then, an arbitrary one-way hash function f
Select (), h () and make this public information. In addition,
As the one-way hash function, a function known in the discrete logarithm problem, the knapsack problem, or the like can be used.

Next, ID _m, which is the ID information of user _m
On the other hand, I _mf = 2f (ID _m ) +1 (3) I _mh = 2h (ID _m ) +1 (4) is calculated. The ID information of each user is public information based on the subscriber ID list.

Then, S _m = βI _mf + γI _mh (mod L) (5) is calculated. It should be noted that mod indicates a modulus.

Next, g _mf = g ** (αS _m β) (mod N) (6) g _mh = g ** (αS _m γ) (mod N) (7) is calculated. Note that “**” indicates the power of the value on the right with respect to the value on the left. That is, g ** (αS _m β)
Means g to the power of (αS _m β).

Then, G _m = {g _mf , g _mh } (8), which is a combination of g _mf and g _mh obtained by the above equation, is used by the user m as an IC card as a secret key for generating a conference key. Etc.

[0030] Incidentally, alpha, beta, deformed covered by some unknown random number gamma, ID information ID _m of two odd I _mf,
It is also possible to transform I _mh by some method to obtain it.

Next, FIG. 2 shows an example of a system configuration when a message is communicated between arbitrary users belonging to conference members.

In FIG. 2, the present system includes a transmission side terminal 3 for user A to perform encrypted communication with other conference members, that is, users B, C, ..., A wired or wireless communication path 4, and a user B. , C, ... And receiving side terminals 5, 6, ... For receiving the message.

Further, the transmitting side terminal 3 is provided with an encryption means 31 and a common key generating means 32, and the receiving side terminals 5, 6 and 6.
... and decryption means 51, 61, ... And common key generation means 52,
62, ... Are provided.

The operation of message transmission and reception will be described below together with the function of each unit. It is assumed that the user A at the transmitting terminal 3 transmits a plaintext (unencrypted state) message to the user B at the receiving terminal 5.

First, the common key generating means 32 of the transmitting side terminal 3
, The secret keys g _Af and g _Ah of the transmitting user A and the I of other conference members obtained from the public information of the key generation center 1.
D information ID _m and one-way hash function f (), h
From (), K _M = (g _Af ** (Π _{m; MA} I _mf )) ・ (g _Ah ** (Π _{m; MA} I _mh )) (mod N) (9) Calculate the common key K _M . In addition, (Π _{m; MA} I _mf )
Means that I _mf is multiplied for all the other members m except the transmitting user A from the conference member M.

Then, the encrypting means 31 encrypts the message with the calculated common key K _M and sends it to the receiving side terminal 5 via the communication path 4.

On the other hand, the common key generating means 52 of the receiving side terminal 5
, The secret keys g _Bf and g _Bh of the receiving user B and the I of other conference members obtained from the public information of the key generation center 1.
D information ID _m and one-way hash function f (), h
From (), K _M = (g _Bf ** (Π _{m; MB} I _mf )) ・ (g _Bh ** (Π _{m; MB} I _mh )) (mod N) (10) Calculate the common key K _M . In addition, (Π _{m; MB} I _mf )
Means that I _mf is multiplied for all the other members m except the receiving user B from the conference member M.

Then, the decryption means 51 decrypts the ciphertext received via the communication path 4 with the calculated common key K _M ,
Get the plaintext message.

The common key K _M obtained by the equations (9) and (10)
Can be proved to be equal to each other as follows.

Equation (9) is obtained by applying equations (6) and (7) to g _Af and g _Ah , and further applying equation (5), K _M = (g ** (αS _A βΠ _{m; MA} I _mf )). (g ** (αS _A γΠ _{m; MA} I _mh )) (mod N) = g ** (αS _A (βΠ _{m; MA} I _mf + γΠ _{m; MA} I _mh )) (mod N) = g ** (α (βI _Af + γI _Ah ) (βΠ _{m; MA} I _mf + γΠ _{m; MA} I _mh )) (mod N) = g ** (αβ ² I _Af Π _{m; MA} I _mf + αβγ (I _Af Π _{m; MA} I _mh + I _Ah Π _{m; MA} I _mf ) + αγ ² I _Ah Π _{m; MA} I _mh ) (mod N). Here, 2αβγ = L = 0 (mod L), and (I _Af Π _{m; MA} I _mh ), (I _Ah Π _{m; MA} I _mf ).
Is an odd number, and the sum of them is an even number, so the intermediate term of the last equation that has modified K _M is 0. Further, I _Af Π _{m; MA} I _mf = Π _{m; M} I _mf I _Ah Π _{m; MA} I _mh = Π _{m; M} I _mh . It should be noted that (Π _{m; M} I _mf ) means that I _mf is multiplied by all the members m of the conference member M. The same applies to (Π _{m; M} I _mh ). Therefore, K _M = g ** (α (β ² Π _{m; M} I _mf + γ ² Π _{m; M} I _mh )) (mod N).

On the other hand, in the equation (10), the equations (6) and (7) are applied to g _Bf and g _Bh , the equation (5) is applied thereto, and 2αβγ = L = 0 (mod L) is applied. Then, K _M = (g ** (αS _B βΠ _{m; MB} I _mf )) · (g ** (αS _B γΠ _{m; MB} I _mh )) (mod N) = g ** (αS _B (βΠ _{m ; MB} I _mf + γΠ _{m; MB} I _mh )) (mod N) = g ** (α (βI _Bf + γI _Bh ) (βΠ _{m; MB} I _mf + γΠ _{m; MB} I _mh )) (mod N) = g * * (Αβ ² I _Bf Π _{m; MB} I _mf + αβγ (I _Bf Π _{m; MB} I _mh + I _Bh Π _{m; MB} I _mf ) + αγ ² I _Bh Π _{m; MB} I _mh ) (mod N) = g ** (Α (β ² Π _{m; M} I _mf + γ ² Π _{m; M} I _mh )) (mod N), and both formulas agree. Therefore, it is possible to perform the encrypted communication message by encrypting and decrypting the K _M as the key of the common key cryptosystem.

On the other hand, it is necessary to show how high the security of this system is, but it is theoretically impossible to prove that the cryptosystem is absolutely safe. That is, the proof of security is that the attack (cryptographic analysis) is not proved to be possible. However, the qualitative grounds for high security are as follows.

In the equation (1), N is public information,
It is impossible to calculate the prime numbers P and Q from this N in terms of calculation amount.

Confidential information L generated by equation (2),
Since α, β, and γ are the least common multiples of prime numbers P and Q minus one and their prime factors, it is almost impossible to determine them from the public information unless the factorization of N is known, and these Since it is used in the formula, the irregularity of the value is high, and it is difficult to apply analysis by various mathematical methods.

Finite fields GF (P) and GF of prime numbers P and Q
It is almost impossible for the common primitive element g of (Q) to be derived from the public information, and since it is used in the middle of the equation, the irregularity of the value is high and various mathematical Analysis by the method is difficult to apply.

Since the one-way hash functions f (), h () are used in the equations (3), (4), mathematical analysis in the reverse direction is almost impossible.

In equations (6) and (7), since the power (exponent) of the primitive element g and the method of N are used, mathematical analysis in the reverse direction is almost impossible. Therefore, it is almost impossible for the center secret to be analyzed even if the user uses his own secret information or if a plurality of users collude and provide each secret information.

Next, FIG. 3 shows another embodiment of the present invention, in which the security of the common key and the message are further enhanced. The configuration and operation of the key generation center 1 are the same as those described above.

In FIG. 3, compared with the configuration of FIG. 2, a work key holding means 33 and a key switching means 34 are added to the transmitting side terminal 3, and the working key holding means is also provided to the receiving side terminals 5, 6, .... 5
, And key switching means 54 ,.

In the operation, the case where the user A in the transmitting terminal 3 transmits a plaintext (unencrypted state) message to the user B in the receiving terminal 5 is as follows.

First, the common key generating means 32 of the transmitting side terminal 3
, The secret keys g _Af and g _Ah of the transmitting user A and the I of other conference members obtained from the public information of the key generation center 1.
D information ID _m and one-way hash function f (), h
The common key K _M is calculated from ().

At about the same time, the work key holding means 33 holds an arbitrary work key K _W given by the user A, gives it to the encryption means 31 as a message at the start of communication, and also to the key switching means 34. give.

The key switching means 34 passes the common key K _M from the common key generation means 32 and gives it to the encryption means 31 for a certain period at the start of communication, and after the lapse of the certain period, the working key holding means 33. The work key K _W of the above is given to the encryption means 31.

Therefore, the encryption means 31 uses the common key K _M as an encryption key for a certain period at the start of communication, and the working key K _M is used.
Send _W information as a message.

Similarly, the common key generating means 5 is also applied to the receiving side terminal 5.
2 generates the common key K _M , and the key switching means 54 gives this common key K _M to the decryption means 51 at the start of communication.

Therefore, the encrypted message of the work key K _W sent from the transmission side terminal 3 via the communication path 4 is decrypted by the decryption means 51 with the common key K _M , and the work key holding means 53. Hold.

Then, the information of the work key K _W is received by the receiving side terminal 5.
, The key switching means 34 of both terminals 3 and 5,
Reference numeral 54 switches the encryption key given to the encryption means 31 to the work key K _W , and thereafter, the message originally intended to be transmitted is encrypted and decrypted using the work key K _W for communication. Therefore, the ciphertext is in the state shown in FIG. The work key K _W can be arbitrarily set and can be freely changed during communication.

In the case of this embodiment, users A, B, C, ...
There is only one common key K _M among the conference members M including
Is used only for a short time at the start of communication, and thereafter, communication can be performed using an arbitrary work key K _W , so that the security of the common key and the message can be further improved.

[0059]

As described above, the cryptographic system of the present invention enables the postal-type cryptographic communication such as a fax based on the cryptographic system based on ID information.
Further, since various measures have been added to prevent attack (encryption of the cipher), there is an effect that a high degree of security can be maintained even with a simple algorithm.
Furthermore, since a conference key that can be shared by a plurality of persons can be used, when a message having the same content is transmitted to a plurality of persons, the message need only be transmitted once and the processing can be facilitated.

[Brief description of drawings]

FIG. 1 is a configuration diagram showing an embodiment of a key generation center in a cryptographic system of the present invention.

FIG. 2 is a block diagram showing an embodiment of terminals on the transmitting side and the receiving side in the cryptographic system of the present invention.

FIG. 3 is a configuration diagram showing another embodiment of terminals on the transmitting side and the receiving side in the cryptographic system of the present invention.

FIG. 4 is a diagram showing a logical configuration of a ciphertext in the embodiment of FIG.

[Explanation of symbols]

 1 ... Key generation center 2 ... User 3 ... Transmission side terminal 31 ... Encryption means 32 ... Common key generation means 33 ... Working key holding means 34 ... Key switching means 4 ... Communication path 5 ... Reception side terminal 51 Decryption means 52 ... Common key generation means 53 ... Working key holding means 54 ... Key switching means 6 ... Receiving side terminal 61 ... Decryption means 62 ... Common key generation means

Claims (5)

[Claims] 1. A user-specific I for each user
A secret key is generated and given to the user by an operation including application of a one-way hash function based on D information and application of an exponential function using a base of a prime number as a base, and the user is added to the secret key. Between the sender and the receiver based on the key generation center that provides predetermined information including the person ID list as public information, the secret key of the sender user, and the public ID information of the conference members excluding the sender user and other public information. In the conference except for the sender terminal that generates a common key with the conference members without requiring preliminary communication and encrypts the message with this common key, and the secret key of the receiving user and the receiving user. Reception that generates a common key from the member's public ID information and other public information without requiring preliminary communication between the sender and the receiver, and decrypts the received ciphertext with the common key Cryptosystem is characterized in that a terminal. 2. The key generation center calculates N = PQ for two arbitrarily selected large prime numbers P and Q to make N public information, and L = LCM {P-1, Q-1}. = 2αβγ (LCM {}
Is a least common multiple), and L, α and odd β, γ are obtained, a common primitive element g of finite fields GF (P) and GF (Q) of P and Q is obtained, and an arbitrary one-way hash function f ( ), H () to make public information, and for the ID _m which is the ID information of the user m, I _mf = 2f (ID _m ) +1 I _mh = 2h (ID _m ) +1 is calculated, and S _m = βI _mf + γI _mh (mod L) (mod is modulo) is calculated and g _mf = g ** (αS _m β) (mod N) g _mh = g ** (αS _m γ) (mod N) (** Is the power of the right value to the left value), and G _m = {g _mf , g _mh } is given to the user m as a secret key for generating the conference key, and the sender terminal sends the sender key. User A's secret keys g _Af and g _Ah , ID information ID _m of other conference members, and one-way hash function f ().
, H () to K _M = (g _Af ** (Π _{m; MA} I _mf )) ・ (g _Ah ** (Π _{m; MA} I _mh )) (mod N) (Π _{m; MA} I _mf is the conference The common key K _M is calculated by multiplying I _mf for all the other members m except the sending user A from the member M), and at the receiving terminal, the secret key g _Bf of the receiving user B is calculated. , G _Bh and ID information ID _m of other conference members and one-way hash function f ().
, H () to K _M = (g _Bf ** (Π _{m; MB} I _mf )) ・ (g _Bh ** (Π _{m; MB} I _mh )) (mod N) (Π _{m; MB} I _mf is a conference 2. The cryptographic system according to claim 1, wherein the common key K _M is calculated by multiplying I _mf for all the other members m except the receiving user B from the member M). 3. α, β, γ are transformed by covering them with some unknown random number, and two odd numbers I _mf , I _{mh are converted} from the ID information ID _m.
The cryptographic system according to claim 2, wherein the cryptosystem is obtained by transforming 4. The key generation center ICs the generated secret key.
The encryption system according to claim 1, wherein the encryption system is recorded on a card and given to each user. 5. The information of a working key is encrypted and decrypted by a common key for communication at the start of communication, and then the message is encrypted and decrypted by a working key for communication. The encryption system according to 2, 3, or 4.