JP2000216766A - Exclusive key sharing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To accelerate updating of confidential communication by allowing each terminal, capable of being specified by a base station, to hold a secret key and the secret information of a self-terminal calculated from the number of terminals and to find new secret information according to received information, when the base station conducts broadcast communication. SOLUTION: Each terminal, (i) capable of being specified by a base station, holds a secret key S and a secret information Si satisfying a relational expression defined by a number N of terminals, and the base station holds information including an element (g) of a specified term calculated by the relational expression and secret information S1 to SN. The base station calculates preparation information C1 from the relational expression, calculates elimination information C2 from the secret information Sa of a specific terminal (a), performs broadcast communication of both the number (a) of the terminal (a) and the information C1 to all terminals, finds a shared key K with all of the terminals (j) except the terminal (a), and each terminal (j) finds the key K with the base station by using the information C1 and C2 and own confidential communication Sj. The base station conducts broadcast communication to all of the terminals, finds a new element (g'), replaces it with an element (g), and each terminal (i) finds new confidential communication Si'.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption key sharing method in a star communication system or the like comprising a base station and a plurality of terminals, and more particularly to a method for securing a secret key common to all terminals other than the terminal specified by the base station. And a key sharing method for securely delivering a shared secret key only to a specific terminal.

[0002]

2. Description of the Related Art In a star-type communication system in which a base station manages a plurality of terminals, a base station and a plurality of terminals under the umbrella form a group, and the group shares the same group secret key to perform broadcast cryptographic communication. May be done. In this case, the information encrypted using the group secret key can be decrypted only by terminals in the group holding the same secret key.

[0003] In some cases, it is desired to exclude a specific terminal from this group. This is the case, for example, when a certain terminal in the group is stolen, and there is a possibility that the terminal may be tampered with, such as eavesdropping on encrypted communication using the terminal or transmitting false information. At this time, it is necessary for the base station managing the secret key to remove the stolen terminal as soon as possible, update the group secret key, and share the new secret key only with the remaining terminals. .

In some cases, it is necessary to form a new group. This is the case when terminals outside the group are joined to the group, or when terminals from another group are combined into one group. At this time, the base station needs to share the key of the new group with terminals constituting the group as soon as possible.

In order to achieve such an object, the present inventor has previously proposed an efficient exclusive key sharing method as described below.

[0006] In a communication system capable of broadcasting, comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station, a secret key is S, and a prime number larger than S and N or The power of a prime is p, the divisor of (p-1) is q, the number of terminals that can be specified by the base station (hereinafter referred to as the number of specific terminals) is 1, and each terminal i (1 ≦ i ≦ N) is , S = {λ (i, ×) × S _i (the sum is performed for _i （) (however, S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element) λ (i, Λ ) = {{L / (L−i)} (the product is performed on L∈Λ− {i})} is a secret information S _i satisfying N terminals. And the base station (S,
p, g, S ₁ ,..., S _N ). (1) The base station sets the element of GF (p) to g, and
When the element of (q) is k, preparation information C ₁ = g ^k modp is calculated. (2) The base station, the exclusion information _{C 2 = g ^ (k ×} S a modq) modp from the secret information S _a particular terminal a calculated, broadcast along with preparation information C ₁ with a particular terminal number a to all terminals connect. (3) The base station transmits all the terminals j (j ≠) except the specific terminal a.
a) A shared key K = gｇ (k × S modq) modp is obtained. (4) Each terminal j (j ≠ a) has the preparation information C ₁ and the exclusion information C ₂
And its own secret information S _j , the modulo q of S _j and λ (j, Λ)
The exponent is the power residue value C ₁ ^ (S _j × λ (j, ｑ) modq) modp of C ₁ , and the exponent is λ (a, Λ) obtained on the modulus q. The product of C _{2 and} the power residue value C ₂ ^ (λ (a, Λ) modq) modp C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
By calculating modp, a shared key K with the base station is obtained.

[0007] In this way, key sharing can be performed only by broadcasting from the base station to all terminals, so that the business suspension period for key sharing can be shortened and processing at the terminals can be reduced. Key sharing can be performed at high speed on terminals with low ability.

[0008]

However, the above key sharing method has the following three problems. (1) It is desirable to periodically update the secret information of the terminal in order to enhance security. However, if new secret information is delivered to each terminal, the amount of communication and the time until the update is completed have increased. . In general, updating confidential information requires updating of public information, and updating of public information stored in a public directory or a terminal locally also increases update time. (2) In order to continue excluding the terminal excluded by the previous exclusive key sharing even in all subsequent exclusive key sharing, processing is required for each exclusive key sharing. (3) In order to perform exclusive key sharing in a system including only terminals, all terminals have public information of all other terminals, or a public list in which the information is published. In addition, since it is a method in which anyone can become the chair terminal, it is not possible to cope with the case where the chair terminal is fixed to a certain terminal in operation.

[0009] The present invention solves the above-mentioned problems, updates the secret information of all terminals while minimizing the traffic and the update time, and eliminates once without performing processing for each exclusive key sharing. It is an object of the present invention to continuously eliminate terminals, to prevent each terminal from holding public information of all terminals and to make a public list unnecessary, and to allow only a certain terminal to be a chair terminal.

[0010]

According to the present invention, there is provided a broadcast communication system comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station. Let the secret key be S,
And p is a prime number or a power of a prime number greater than N,
The divisor of (p-1) is q, the number of terminals that the base station can specify (hereinafter referred to as the number of specific terminals) is 1, and each terminal i (1 ≦ 1)
i ≦ N) is given by S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (where f ₁ is a nonzero GF (q) element) , Λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}), where Λ is a set consisting of any two of N terminals) Secret information S _i that satisfies
(S, p, g, S ₁ ,..., S _N ), and (1) the base station
When the element of GF (p) is g and the element of non-zero GF (q) is k, the preparation information C ₁ = g ^k modp is calculated. (2) The base station calculates the secret information S of the specific terminal a. _a
Exclusion information C ₂ = g ^ (k × S _a modq) modp and broadcasts it to all terminals together with the specific terminal number a and the preparation information C _1. (3) The base station excludes the specific terminal a A shared key K = g ^ (k × S modq) modp with all terminals j (j ≠ a) is obtained. (4) Each terminal j (j ≠ a) obtains preparation information C ₁ and exclusion information C ₂ . Using its own secret information S _j , S _j and λ (j,
The power residue value C ₁ ^ (S _j × λ (j, Λ) modq) modp of C ₁ with the product of Λ) on modulus q as the exponent and λ (a, Λ) determined on modulus q The product of C _{2 and} the power residue value of C ₂ C ₂ ^ (λ (a, Λ) modq) modp C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a , Λ) modq)
By calculating modp, a shared key K with the base station is obtained,
(I) The base station arbitrarily generates an element e of non-zero GF (q) and broadcasts e to all terminals. (Ii) The base station generates a new element g ′ = g ^{1 / e modq} modp And (iii) each terminal i obtains new secret information S _i ′ = S _i × e modq (where (g ′) ^Si ′ modp = (g) ^Si modp holds) The configuration was adopted.

With this configuration, the communication amount of the base station is as small as e, and the public information other than the system parameter source g is not changed, so that the secret information can be updated at high speed.

In an exclusive key sharing method for a communication system comprising N terminals (N is an integer of 2 or more) connected to each other and capable of broadcasting, (i) the system administrator is not zero. An element e of GF (q) is arbitrarily generated, and e is broadcast to all terminals. (Ii) The system administrator ^obtains a new element g ′ = g ^{1 / e modq} modp and ^obtains an element g to be managed. Replacement, (iii) each terminal i
Is configured to obtain new secret information S _i ′ = S _i × e modq.

With this configuration, the communication amount of the system administrator is as small as e, and the public information other than the system parameter source g is not changed, so that the secret information can be updated at high speed.

In an exclusive key sharing method of a communication system capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station, (i) the base station Arbitrarily generates an element e of a nonzero GF (q), and generates a shared key K
Broadcasts the encrypted e encrypted using
(Ii) The base station ^obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g. (Iii) Each terminal j decrypts the encryption e using the shared key K and ^obtains the new secret information. S _j ′ = S _j × e modq was obtained.

[0015] With this configuration, the secret information of the terminal is updated using the random number distributed using the shared key shared by the exclusive key sharing, and the terminal excluded by the subsequent exclusive key sharing is restored. Can not do it.

Also, in the exclusive key sharing method of a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) terminals connected to each other, (i) the chair terminal is a non-zero GF The element e of (q) is arbitrarily generated, and the encrypted e encrypted using the shared key K is broadcast to all terminals. (ii) The chair terminal ^{transmits the} new element g ′ = g ^{1 / e modq} modp is obtained and replaced with the element g. (iii) Each terminal j decrypts the encryption e using the shared key K and obtains new secret information S _j ′ = S _j × e modq.

With this configuration, the secret information of the terminal is updated by using the random number distributed by using the shared key shared by the exclusive key sharing, and the terminal excluded by the subsequent exclusive key sharing is restored. Can not do it.

Further, in an exclusive key sharing method for a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) terminals connected to each other, a secret key is set to S, and Let p be a large prime or a power of a prime, and (p−
The divisor of 1) is q, the element of GF (p) is g, the number of specific terminals that can be specified by the chair terminal b is 1, and each terminal i (1 ≦ i
≤N) is S = {λ (i, ｉ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element), λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}), where Λ is a set consisting of any two of N terminals) The secret information S _i to be satisfied is kept secret, and the chair terminal b
It includes a public key y = g ^S modp of all terminals, public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., available ^{_{y N = g SN modp, (}} 1) chairperson terminal b is optionally generate original k of non-zero GF (q), calculates the preparation information ^{_{C 1 = g k modp, (}} 2) Chair terminal b is excluded from the public information y _a particular terminal a data C ₂ = y _a ^k modp is calculated and broadcast to all terminals together with the specific terminal number a and the preparation information C _1. (3) The chair terminal b obtains a shared key K = y ^k mod p, and (4) each terminal j ( j ≠ a, b) obtains λ (j, Λ) and λ (a, Λ), assuming that Λ = {j, a}, and obtains the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
The configuration is such that the shared key K is obtained by calculating modp.

With this configuration, the terminal other than the chair terminal does not need to hold the public information of the other terminal, and only the chair terminal can use the public information of the other terminal. Can not be.

[0020]

BEST MODE FOR CARRYING OUT THE INVENTION
A base station and N units (N is 2 or more) connected to the base station;
(Integer) terminals capable of broadcasting.
In the exclusive key agreement method, the secret key is S,
And p is a prime number or a power of a prime number greater than N,
The number of terminals that the base station can specify, where q is the divisor of (p-1)
(Hereinafter referred to as the number of specific terminals) is assumed to be 1, and each terminal i
(1 ≦ i ≦ N) is S = {λ (i, ｉ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i modq (f₁Is a nonzero GF (q)
), Λ (i, Λ) = Π {L / (Li)} (product is L に-{i}
Λ is a set consisting of any two of the N terminals.
Secret information S that satisfies_iConfidentially, and said
The base station performs the above (S, p, g, S ₁,…, S_N)
(1) The base station sets GF (p) to g and is not zero.
When the element of GF (q) is k, the preparation information C₁= G^k modp, and (2) the base station transmits the secret information of the specific terminal a.
S_aExclusion information C_Two= G ^ (k × S_a modq) modp is calculated, the specific terminal number a and the preparation information C₁With all terminals
(3) The base station communicates with the specific terminal a.
A shared key K = g ^ (k × S modq) modp with all the terminals j (j ≠ a) except for the terminal j (j ≠ a) is obtained.
C₁And the exclusion information C_TwoAnd own secret information S_jUsing,
Said S_jAnd the product of λ (j, Λ) on the modulus q
C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and the λ (a, Λ) obtained on the method q as an index.
Said C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp, the shared key K with the base station is obtained.
(I) the base station assigns the element e of the non-zero GF (q)
And e is broadcast to all terminals. (Ii)
The base station is the new element g '= g^{1 / e modq} modp is obtained and replaced with the element g, and (iii) each terminal i
Is the new secret information S_i'= S_i× e modq (where (g ')^Si'modp = (g)^Si modp holds
Is an exclusive key agreement method that asks for
Securely update terminal private key with small traffic by only delivery
Has the effect of performing

According to a second aspect of the present invention, there is provided an exclusive key sharing method for a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) terminals connected to each other,
Let S be a secret key, let p be a prime number or a power of a prime number larger than S and N, and q be a divisor of (p-1),
Let g be the element of GF (p), let the number of specific terminals that can identify the chair terminal (which can be any terminal) be 1, and let each terminal i (1 ≦ i ≦ N) be: S = Σλ (i , Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element), λ (i, Λ) = Π {L / (L-i)} (product is carried out on L∈Λ- {i}), Λ is holding the secret information S _i satisfying a is) set consisting of any two of the N devices at the secret The prime number p, the divisor q,
The element g and the public key y = g ^S modp of all terminals managed by the system administrator, the system administrator by managed public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ... , y _N = g ^SN modp, (1) the chair terminal is a non-zero GF (q)
Optionally generate original k of, calculate the preparation information ^{_{C 1 = g k modp, (}} 2) the chairman terminal calculates the exclusion information C ₂ = y _a ^k modp from the public information y _a particular terminal a , then broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal, it obtains a shared key ^{K = y k modp, (4} ) the respective terminals j (j ≠ a) is , Λ = {j, a}
Λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C
C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) by using ₁ , the exclusion information C ₂ and its own secret information S _j.
By calculating modp, a shared key K with the chair terminal is obtained, and (i) the system administrator determines a non-zero GF (q)
Arbitrarily generates an element e, and broadcasts the e to all terminals.
(Ii) The system administrator obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g to be managed. (Iii) Each terminal i has new secret information S _i ′ = S _i × e modq (at this time, (g ') ^Si ' modp = (g) ^Si modp holds)
Is an exclusive key sharing method for obtaining the secret key of public key cryptography by the system administrator by delivering a terminal private key of a small communication amount of only e and safely and quickly updating the secret key.

According to a third aspect of the present invention, a base station is provided.
And N units connected to the base station (N is an integer of 2 or more)
Exclusive of communication system capable of broadcasting consisting of multiple terminals
In the key sharing method, the secret key is S, and the S and the
Let p be a prime number or a power of a prime number greater than N, and (p−
The divisor of 1) is q, and the number of terminals that the base station can identify (hereinafter
In the following, the number of specific terminals is assumed to be 1, and each terminal i (1 ≦ 1)
i ≦ N), S = Σλ (i, Λ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i modq (f₁Is a nonzero GF (q)
), Λ (i, Λ) = Π {L / (Li)} (product is L に-{i}
Λ is a set consisting of any two of the N terminals.
Secret information S that satisfies_iConfidentially, and said
The base station performs the above (S, p, g, S ₁,…, S_N)
(1) The base station sets GF (p) to g and is not zero.
When the element of GF (q) is k, the preparation information C₁= G^k modp, and (2) the base station transmits the secret information of the specific terminal a.
S_aExclusion information C_Two= G ^ (k × S_a modq) modp is calculated, the specific terminal number a and the preparation information C₁With all terminals
(3) The base station communicates with the specific terminal a.
A shared key K = g ^ (k × S modq) modp with all the terminals j (j ≠ a) except for the terminal j (j ≠ a) is obtained.
C₁And the exclusion information C_TwoAnd own secret information S_jUsing,
Said S_jAnd the product of λ (j, Λ) on the modulus q
C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and the λ (a, Λ) obtained on the method q as an index.
Said C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp, the shared key K with the base station is obtained.
(I) the base station assigns the element e of the non-zero GF (q)
Encryption e generated at will and encrypted using the shared key K
To all terminals, and (ii) the base station transmits a new element g ′ = g^{1 / e modq} modp is obtained and replaced with the element g, and (iii) each terminal j
Decrypts the encrypted e using the shared key K,
Regulation secret information S_j'= S_j× e modq (where (g ')^Sj'modp = (g)^Sj modp holds
Is an exclusive key agreement method that seeks
The function of renewing the key and continuously eliminating excluded terminals
Have.

According to a fourth aspect of the present invention, there is provided an exclusive key sharing method for a communication system comprising N (N is an integer of 2 or more) mutually connected terminals capable of broadcasting.
Let S be a secret key, let p be a prime number or a power of a prime number larger than S and N, and q be a divisor of (p-1),
Let g be the element of GF (p), let the number of specific terminals that can identify the chair terminal (which can be any terminal) be 1, and let each terminal i (1 ≦ i ≦ N) be: S = Σλ (i , Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element), λ (i, Λ) = Π {L / (L-i)} (product is carried out on L∈Λ- {i}), Λ is holding the secret information S _i satisfying a is) set consisting of any two of the N devices at the secret The public key y = g ^S modp and the public information y ₁ = g ^S1 modp, y ₂ = g ^S2 modp,..., Y _N = g ^SN modp of all terminals can be used, and (1) the chair terminal Is a non-zero GF (q)
Optionally generate original k of, calculate the preparation information ^{_{C 1 = g k modp, (}} 2) the chairman terminal calculates the exclusion information C ₂ = y _a ^k modp from the public information y _a particular terminal a , then broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal, it obtains a shared key ^{K = y k modp, (4} ) the respective terminals j (j ≠ a) is , Λ = {j, a}
Λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C
C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) by using ₁ , the exclusion information C ₂ and its own secret information S _j.
By calculating modp, a shared key K with the chair terminal is obtained, and (i) the chair terminal obtains a non-zero GF (q) element e.
Arbitrarily, and broadcasts the encrypted e encrypted using the shared key K to all terminals. (Ii) The chair terminal obtains a new element g ′ = g ^{1 / e modq} modp, (Iii) each terminal j
Decrypts the encrypted e using the shared key K and converts the new secret information S _j ′ = S _j × e modq (where (g ′) ^Sj ′ modp = (g) ^Sj modp holds) This is an exclusive key sharing method required, and has the effect of updating the secret key of the public key system by the chair terminal and continuously excluding excluded terminals.

According to a fifth aspect of the present invention, there is provided an exclusive key sharing method for a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) mutually connected terminals.
Let S be a secret key, let p be a prime number or a power of a prime number larger than S and N, and q be a divisor of (p-1),
The element of GF (p) is g, the number of specific terminals that the chair terminal b can specify is 1, and each terminal i (1 ≦ i ≦ N) is S = {λ (i, ｉ) × S _i (sum is _i ) (where S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element), λ (i, Λ) = Π {L / (L−i)} (product Is performed for L∈Λ− {i}), Λ is a set consisting of any two of the N terminals), and secret information S _i satisfying the secret information is secretly held. , a public key y = g ^S modp of all terminals, public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., available ^{_{y N = g SN modp, (}} 1) the chairman terminal b is Nonzero GF
optionally generate original k of (q), calculates the preparation information ^{_{C 1 = g k modp, (}} 2) the chairperson terminal b is public information y _a from the exclusion information C ₂ = y _a ^k of a particular terminal a the modp calculated, and broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal b obtains a shared key ^{K = y k modp, (4} ) the respective terminals j ( j ≠ a, b) is Λ = {j,
λ (j, Λ) and λ (a, と し て) as a}, and using the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
This is an exclusive key agreement method for finding the shared key K by calculating modp, and in a system consisting of only terminals, giving the authority of terminal exclusion only to the fixed chair terminal to enable terminal exclusion. Having.

The present invention according to claim 6 of the present invention is directed to claim 5
In the exclusive key agreement method described, all the terminals except the chair terminal b can use the public information y _b = g ^Sb modp of the chair terminal b, and the chair terminal b can use the secret information of the chair terminal b. with S _b, the particular terminal number a and preparation information C ₁ and exclusion information C ₂ to deliver to all terminals, adds a digital signature, each terminal j, using the public information y _b of the chair terminal The signature is verified, and the information delivered by the chair terminal is signed, and the terminal verifies the information delivered by the chair terminal, thereby improving the security.

According to a seventh aspect of the present invention, in the exclusive key agreement method according to the third or fourth aspect, the base station or the chair terminal distributes the element e to the specific terminal a. , the specific terminal (a) new secret information _{S a '= S a × e} modq ( this _{time, (g') ^ S a} 'modp = (g) ^ S a modp holds) are those seeking specific By distributing e to the terminal a and updating the secret key, it has the effect of returning the excluded specific terminal a.

[0027] The invention according to claim 8 of the present invention is directed to claim 1.
In the exclusive key agreement method according to any one of to 7, the multiplication operation is performed by:
It corresponds to an additive operation on a curve such as an elliptic curve on an arbitrary finite field, and has the effect of increasing the operation speed.

Hereinafter, an embodiment of the present invention will be described with reference to FIG.
This will be described in detail with reference to FIG.

(First Embodiment) In a first embodiment of the present invention, a non-zero GF (q) is used in a communication system comprising a base station and a plurality of terminals capable of performing broadcast communication.
Arbitrarily generates an element e, broadcasts it to all terminals, ^finds a new element g ′ (= g ^{1 / e modq} modp), replaces it with the element g,
This is an exclusive key sharing method in which each terminal i obtains new secret information S _i ′ (= S _i × e modq).

FIG. 1 is a diagram showing a normal state of the communication system in the exclusive key sharing method according to the first embodiment of the present invention. In FIG. 1, 7 is a base station, and 1 to 6 are terminals under the control of the base station. The broadcast communication network 8 is a communication path capable of performing broadcast communication by radio or the like. FIG. 2 is a diagram illustrating a method of updating the element g in the exclusive key sharing method according to the first embodiment of this invention. FIG. 3 is a diagram illustrating a secret key updating method in the exclusive key sharing method according to the first embodiment of this invention.

The exclusive key sharing method according to the first embodiment of the present invention will be described with reference to FIGS. As shown in FIG. 1, the base station 7 creates a secret key S and keeps it secret. A prime number or a prime power p greater than the secret key S and greater than the number of terminals 6 is created and held. One divisor q of (p-1) is obtained and held. Non-zero element f of GF (q)
To keep seeking _1.

The secret information S _i obtained by calculating S _i = f (i) using f (z) = S + f ₁ × z modq is encrypted and transmitted to each terminal i (1 ≦ i ≦ 6). Deliver secretly by means.

A set consisting of any two of the six terminals is denoted by Λ
When the secret information S _i is, S = Σλ (i, Λ ) × S i ( sum performed on i∈Λ) λ (i, Λ) = Π {L / (L-i)} ( product is L∈Λ- {i}). Where the set Λ− {i} is a set from the set Λ
It is a set excluding {i}. For example, if Λ = {1, 2}, λ (1, Λ) = Π {L / (L−1)} (L｝ {2}) = 2 / (2-1) = 2 λ (2, Λ) = Π ｛L / (L−2)｝ (L∈ {1}) = 1 / (1-2) = − 1Σ λ (i, Λ) × S _i (i∈Λ) = λ (1, Λ) × S ₁ + λ (2, Λ) × S ₂ = 2 × f (1) −f (2) = 2 · (S + f ₁ ) − (S + 2 · f ₁ ) = S

Each of the terminals 1,..., 6 holds the secret information S _i in the storage unit. The base station 7 stores the element g of the modulus p and GF (p) in the storage unit. The base station 7 sets public information y using secret information S ₁ ,..., S ₆ as exponents, modulo p, and g as a base.
₁ (= g ^S1 modp), y ₂ (= g ^S2 modp),..., Y ₆ (= g ^S6 mo
dp) is calculated and stored in the storage unit. The base station 7 calculates the public keys y (= g ^S modp) of all terminals having the secret keys S of all terminals 1,..., 6 as exponents, modulo p, and g as bases, and stores them in the storage unit. I do.

The case where the terminal 5 is excluded will be described. The base station 7 arbitrarily generates a non-zero element k of GF (q), sets k as an index, modulates p, and prepares information C ₁ (= g ^{k) using} g as a base.
modp). Using the integer k as an exponent and p as a modulus, the exclusion information C ₂ (= y ₅ ^k modp) based on the public information y ₅ of the terminal 5 specified by the base station 7 is calculated. k is exponential, p is modulo,
A shared key K (= y ^{k) based on} the public key y of all terminals 1 ^,.
modp = g ^ (S × k) modp). The above C ₁ , C ₂
And the specific terminal number 5 is broadcast to all terminals.

A key sharing phase in the case where a shared key is shared by all the terminals 1,..., 4, and 6 except the terminal 5 will be described. In the terminal 1, based on its own terminal number 1 and the received exclusion terminal number 5, Λ (1, Λ) = 5 / (5-1) = 5/4 λ (5, Λ) = 1 / (1-5) = − ／. Preparation information C ₁ (= g ^k modp) and exclusion information C
_{Using 2} (= y ₅ ^k modp), S ₁ and λ (1, Λ) are used as exponents, and a power residue value C ₁ ^ (λ (1, Λ) modq) modp with C ₁ as a base, and λ The product of (5, を) as an exponent and the power residue value C ₂ ^ (λ (5, Λ) modq) modp with C ₂ as a base C ₁ ^ (S ₁ × λ (1, Λ) modq) × C ₂ ^ (λ (5, Λ) modq) modp = g ^ (k × S ₁ × λ (1, Λ) modq) × g ^ (k × S ₅ × λ (5, Λ) modq) modp = g ^ (k × (S ₁ × λ (1, Λ) + S ₅ × λ (5, Λ) modq)) modp = g ^ (k × S modq) modp = K to obtain K.

The above calculations can be performed in the same manner in the terminals 2 to 4 and 6, and as a result, the terminals 1 to 4 and 6 can share the common key K.

On the other hand, in the terminal 5, the exclusion information C ₂ (= y ₅ ^k = g (k × S ₅ ) mod broadcast from the base station 7
p) and the power-residue value that can be calculated from the stored information
(= C ₁ ^{S 5} modp = g ^ (k × S ₅ ) modp) is the same, and Λ = {5}, and λ (5, Λ) cannot be obtained. Can not calculate the shared key K.

[0039] Each terminal, for K = g ^ (S × k ) modp, C 1 = g k modp, y = g S can not be obtained the secret key S from modp, each divided secret information S _i reuse it can. Therefore, there is no need to perform setup from the next key sharing, and the preparation phase and the key sharing phase may be repeated.

Referring to FIG. 2, a method in which base station 7 updates element g will be described. The base station 7 arbitrarily generates an element e (random number) of the non-zero GF (q) and broadcasts e to all terminals. The base station 7 ^obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g.

Referring to FIG. 3, a method for the terminal to update the secret key will be described. Each terminal i obtains and holds the new secret information S _i ′ = S _i × e modq. At this time, (g ′) ^Si ′ modp = (g) ^Si modp holds.

As described above, the first embodiment of the present invention
Now, let us assume that the exclusive key agreement method uses a non-zero GF (q)
Arbitrarily generates element e and broadcasts it to all terminals.
^{1 / e modq} Find modp, replace it with element g, and make each terminal i
Is the new secret information S_i× e modq
Thus, the secret key can be updated with a small amount of communication and a small amount of calculation.

(Second Embodiment) In a second embodiment of the present invention, in a communication system comprising six terminals connected to each other and capable of broadcasting, a system administrator
An element e of non-zero GF (q) is arbitrarily generated, e is broadcast to all terminals, a new element g ^{1 / e modq} modp is obtained, and replaced with an element g to be managed. Information S _i xe mo
This is an exclusive key agreement method for finding dq.

FIG. 4 is a diagram showing a normal state in the exclusive key sharing method according to the second embodiment of the present invention. In FIG. 4, a system administrator 9 is a reliable organization that can access the communication system, creates a public list, and provides it to the terminal. FIG. 5 is a diagram illustrating a method of updating the element g in the exclusive key sharing method according to the second embodiment of this invention. FIG.
FIG. 11 is a diagram illustrating a method for updating a secret key in an exclusive key sharing method according to the second embodiment of this invention.

The exclusive key sharing method according to the second embodiment of the present invention will be described with reference to FIGS. As shown in FIG. 4, in an exclusive key sharing method of a communication system including six terminals connected to each other and capable of broadcasting, a secret key is set to S, and a prime number greater than S and a prime number greater than 6. The number is p, the divisor of (p-1) is q, the element of GF (p) is g, and the number of specific terminals at which the chair terminal (any terminal can be specified) is 1.

Each terminal i (1 ≦ i ≦ 6) has S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is GF (q) which is not zero), λ (i, Λ) = {{L / (Li)} (product is performed on L∈Λ- {i}), Λ is an arbitrary one of the six terminals holding the secret information S _i the secret satisfying a set consisting of two) of. The prime number p, the divisor q, the element g managed by the system administrator, the public keys y = g ^S modp of all terminals managed by the system administrator, and the public information y ₁ = g managed by the system administrator ^{Since S1} modp, y ₂ = g ^S2 modp,..., Y ₆ = g ^S6 modp is published in a public list, each terminal can use them.

[0047] Chair terminal arbitrarily generate the original k of GF (q) is not zero, calculate the preparation information C ₁ = g ^k modp, specific terminal a public information y _a from the exclusion information C ₂ = y _a a the ^k modp is calculated and broadcast to all terminals with preparation information C ₁ with a particular terminal number a. The chair terminal obtains a shared key K = y ^k modp.

Each terminal j (j ≠ a) obtains λ (j, Λ) and λ (a, Λ) by setting Λ = {j, a}, and prepares the preparation information C ₁ , the exclusion information C ₂ and its own. Using the secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
By calculating modp, a shared key K with the chair terminal is obtained.

Referring to FIG. 5, a method of updating element g will be described. The system administrator 10 arbitrarily generates an element e (random number) of a non-zero GF (q) and broadcasts e to all terminals. The system administrator ^obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g to be managed.

Referring to FIG. 6, a method of updating the secret key will be described. Each terminal i obtains and holds the new secret information S _i ′ = S _i × e modq. In this ^{case, (g ') Si' modp} = (g) Si m
odp holds.

As described above, in the second embodiment of the present invention, the exclusive key agreement method is such that the system administrator arbitrarily generates an element e of a non-zero GF (q) and assigns e to all terminals. And a new element g ^{1 / e modq} modp is obtained and replaced with the element g to be managed. Each terminal i is configured to obtain new secret information S _i × e modq. Can update the secret key.

(Third embodiment) Third embodiment of the present invention
Is a broadcast consisting of six terminals connected to a base station.
In a communication system where communication is possible,
GF (q) is generated arbitrarily, and the secret e
Broadcasts the encrypted data e to all terminals, ^{1 / e 
modq} modp is obtained and replaced with the element g.
Is decrypted using the shared key K and the new secret information S_j×
This is an exclusive key agreement method for finding e modq.

FIG. 7 is a diagram showing an exclusive key sharing method according to the third embodiment of the present invention. FIG. 8 is a diagram illustrating a random number distribution method according to the third embodiment of this invention. FIG. 9 is a diagram illustrating a method of continuously excluding a terminal.

The exclusive key sharing method according to the third embodiment of the present invention will be described with reference to FIGS. As shown in FIG. 7, in a communication system capable of performing broadcast communication including a base station 7 and six terminals connected to the base station 7, a secret key is S, and a prime number greater than S and 6 or a prime number The exponent is p, the divisor of (p-1) is q, and the number of terminals that the base station can specify (hereinafter, referred to as the number of specific terminals) is 1.

Each terminal i (1 ≦ i ≦ 6) has S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is GF (q) which is not zero), λ (i, Λ) = {{L / (Li)} (product is performed on L∈Λ- {i}), Λ is an arbitrary one of the six terminals the secret information S _i satisfying a is) set consisting of two holding secret.

The base station holds (S, p, g, S ₁ ,..., S ₆ ). Let g be the element of GF (p) and GF (q) that is not zero
Is calculated, preparation information C ₁ = g ^k modp is calculated. The exclusion information C ₂ = g ^ (k × S ₃ modq) modp is calculated from the secret information S _{3 of} the specific terminal 3, and is broadcast to all terminals together with the specific terminal number 3 and the preparation information C ₁ . All terminals j (j ≠
3) Find a shared key K = g ^ (k × S modq) modp.

Each terminal j (j ≠ 3) uses the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j to obtain S _j and λ (j, Λ).
Index modular exponentiation value _{C 1 ^ (S j × λ} (j, Λ) modq) and modp, lambda was determined on modulo q to (3, lambda) of the index the product on the law q, of C ₁ The product of C _{2 with} the power residue value C ₂ ^ (λ (3, Λ) modq) modp C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (3, Λ ) modq)
By calculating modp, a shared key K with the base station is obtained and held.

Referring to FIG. 8, a method of delivering random number e will be described. The base station 7 arbitrarily generates an element e (random number) of the non-zero GF (q), and broadcasts the encrypted e encrypted using the shared key K to all terminals. ^{Find a} new element g ′ = g ^{1 / e modq} modp and replace it with the element g.

With reference to FIG. 9, a method of continuation exclusion will be described. Each terminal j decrypts the encryption e using the shared key K, obtains and holds the new secret information S _j ′ = S _j × e modq. At this time, (g ′) ^Sj ′ modp = (g) ^Sj
modp holds.

As described above, in the third embodiment of the present invention, the exclusive key agreement method uses a non-zero GF (q) at the base station.
Arbitrarily generates an element e of the new element g ^{1 / e modq} modp
Is replaced with the element g, and each terminal j decrypts the encryption e using the shared key K to obtain the new secret information S _j × e modq. Can be updated, and specific terminals can be continuously eliminated.

(Fourth Embodiment) Fourth Embodiment of the Present Invention
Is a broadcast consisting of six terminals connected to each other.
In a communication system where communication is possible,
GF (q) is generated arbitrarily, and the secret e
Broadcasts the encrypted data e to all terminals, ^{1 / e 
modq} modp is obtained and replaced with the element g.
Is decrypted using the shared key K and the new secret information S_j×
This is an exclusive key agreement method for finding e modq.

FIG. 10 is a diagram showing an exclusive key sharing method according to the fourth embodiment of the present invention. FIG. 11 shows a fourth embodiment of the present invention.
It is a figure showing the random number distribution method of an embodiment. FIG.
FIG. 4 is a diagram showing a method of continuously excluding a terminal.

Referring to FIGS. 10 to 12, a fourth embodiment of the present invention will be described.
An exclusive key sharing method according to the embodiment will be described. FIG.
As shown in FIG. 0, in a communication system capable of broadcast communication consisting of six terminals connected to each other, let S be a secret key, and let p be a prime number greater than 6 or a prime number greater than 6.
And the divisor of (p-1) is q, the element of GF (p) is g, and the chair terminal (an arbitrary terminal can be used. Here, terminal 6 is the chair terminal) can be specified. The number of specific terminals is assumed to be one.

Each terminal i (1 ≦ i ≦ 6) has S = {λ (i, Λ) × S _i (the sum is performed for _i ）) (where S _i = S + f ₁ × i modq (f ₁ is GF (q) which is not zero), λ (i, Λ) = {{L / (Li)} (product is performed on L∈Λ- {i}), Λ is an arbitrary one of the six terminals the secret information S _i satisfying a is) set consisting of two holding secret. Since the public key y = g ^S modp and the public information y ₁ = g ^S1 modp, y ₂ = g ^S2 modp,..., Y ₆ = g ^S6 modp of all terminals are put on a public list and made public, each terminal Can be used.

The chair terminal arbitrarily generates a non-zero element k of GF (q) and calculates preparation information C ₁ = g ^k modp. The chair terminal calculates the exclusion information C ₂ = y ₃ ^k modp from the public information y _{3 of} the specific terminal 3 and broadcasts it to all terminals together with the specific terminal number 3 and the preparation information C ₁ . The chair terminal obtains a shared key K = y ^k modp.

Each terminal j (j ≠ 3) obtains λ (j, Λ) and λ (3, Λ) by setting Λ = {j, 3}, and prepares information C ₁ , exclusion information C _2, and its own. Using the secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (3, Λ) modq)
By calculating modp, a shared key K with the chair terminal is obtained.

Referring to FIG. 11, a method of delivering random numbers will be described. The chair terminal arbitrarily generates an element e (random number) of a non-zero GF (q), and broadcasts the encrypted e encrypted using the shared key K to all terminals. The chair terminal ^obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g.

Referring to FIG. 12, a method of continuation exclusion will be described. Each terminal j decrypts the encryption e using the shared key K, obtains and holds the new secret information S _j ′ = S _j × e modq. At this time, (g ') ^Sj ' modp = (g) ^Sj
modp holds.

As described above, in the fourth embodiment of the present invention, the exclusive key agreement method is applied to the case where the chair terminal is a non-zero GF.
The element e of (q) is arbitrarily generated, the encrypted e encrypted using the shared key K is broadcast to all terminals, and the new element g ^{1 / e modq} m
odp is obtained and replaced with the element g. Each terminal j decrypts the encryption e using the shared key K, and obtains the new secret information S _j × e mod
Since q is obtained, the secret key can be updated with a small amount of communication and a small amount of calculation, and the specific terminal can be continuously eliminated.

It is necessary to create a new secret key / public key pair in order to restore the terminal that has been continuously excluded. Although the previous public key cannot be used, a new secret key / public key pair cannot be used. The terminal that has been continuously excluded can be restored without creating it. This can be done as follows.

The base station or the chair terminal delivers the original e to the specific terminal 3, and the specific terminal 3 sends the new secret information S ₃ '= S ₃ × e modq (where (g') ^ S _{3 'modp = (g) ^} S 3 modp is satisfied) is determined. In this way, the previous public key can be used as it is, without newly creating a pair of the private key and the public key. In the case where there are a plurality of specific terminals and only some of them are to be restored, e may be secretly delivered only to the terminal to be restored.

(Fifth Embodiment) In a fifth embodiment of the present invention, in a communication system capable of performing broadcast communication comprising six terminals connected to each other, a chair terminal is set to a non-zero GF. optionally generate original k of (q), calculates the preparation information C _1, to calculate the elimination information C ₂ from the public information y _a particular terminal a, to all terminals with preparation information C ₁ with a particular terminal number a and broadcasting, it obtains a shared key K, each terminal by using the secret information S _j exclusion information C ₂ and itself and preparation information C _1, an exclusive key sharing method for obtaining the shared key K.

FIG. 13 is a diagram showing an exclusive key sharing method according to the fifth embodiment of the present invention. A key sharing method according to the fifth embodiment of the present invention will be described with reference to FIG.
In a communication system capable of broadcast communication consisting of six terminals connected to each other, a secret key is S, a prime number greater than S and 6 or a power of a prime number is p, and a divisor of (p-1) Is q, the element of GF (p) is g, and the number of specific terminals that the chair terminal 2 can specify is 1.

Each terminal i (1 ≦ i ≦ 6) has S = {λ (i, Λ) × S _i (the sum is performed for _i ）) (where S _i = S + f ₁ × i modq (f ₁ is GF (q) which is not zero), λ (i, Λ) = {{L / (Li)} (product is performed on L∈Λ- {i}), Λ is an arbitrary one of the six terminals the secret information S _i satisfying a is) set consisting of two holding secret. Chair terminal 2
Publishes the public key y = g ^S modp and the public information y ₁ = g ^S1 modp, y ₂ = g ^S2 modp,..., Y ₆ = g ^S6 modp of all the terminals in a public list and makes them public. Can use these.

The chair terminal 2 arbitrarily generates an element k of GF (q) which is not zero, and calculates preparation information C ₁ = g ^k modp. The exclusion information C ₂ = y _a ^k modp from the public information y _a particular terminal a is calculated and broadcast to all terminals with preparation information C ₁ with a particular terminal number a. Find the shared key K = y ^k modp.

Each terminal j (j ≠ a, b) obtains λ (j, Λ) and λ (a, Λ) by setting Λ = {j, a}, and prepares preparation information C ₁ and exclusion information C ₂ . Using its own secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
The shared key K is obtained by calculating modp.

Note that all terminals except the chair terminal can use the public information y _b = g ^Sb modp of the chair terminal, and the chair terminal delivers to all terminals using the secret information S _b of the chair terminal. the elimination information C ₂ and a specific terminal number a and preparation information C ₁ to, by adding a digital signature, the terminals j, using the public information y _b Chair terminal can verify the signature.

As described above, in the fifth embodiment of the present invention, the exclusive key agreement method is applied to the case where the chair terminal is a non-zero GF.
optionally generate original k of (q), calculates the preparation information C _1, to calculate the elimination information C ₂ from the public information y _a particular terminal a, to all terminals with preparation information C ₁ with a particular terminal number a Broadcast,
Obtains the shared key K, each terminal by using the secret information S _j exclusion information C ₂ and itself and preparation information C _1, since the structure for obtaining the shared key K, can exclude certain terminal to secure the chair terminal .

Note that the base station or the chair terminal delivers the original e to the specific terminal a, and the specific terminal a sends the new secret information S _a ′ = S _a × e modq (where (g ′) ^ S _a 'modp = (g) ^ S _a modp holds), the excluded terminal can be restored.

Further, by making the multiplication operation correspond to an addition operation on a curve such as an elliptic curve on an arbitrary finite field, the operation can be performed at high speed.

[0081]

As described above, according to the present invention, an exclusive communication system capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station is provided. In the key sharing method, a secret key is S, a prime number greater than S and N or a power of a prime number is p, a divisor of (p-1) is q, and the number of terminals that can be specified by the base station (hereinafter, a specific terminal) Each terminal i (1 ≦ i ≦ N) is defined as S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (F ₁ is a non-zero element of GF (q)), λ (i, Λ) = ／ {L / (L−i)} (product is performed on L∈Λ− {i}), Λ is N units Secret information S _i that satisfies the secret information S _i that satisfies the following conditions.
(S, p, g, S ₁ ,..., S _N ), and (1) the base station
When the element of GF (p) is g and the element of non-zero GF (q) is k, the preparation information C ₁ = g ^k modp is calculated. (2) The base station calculates the secret information S of the specific terminal a. _a
Exclusion information C ₂ = g ^ (k × S _a modq) modp and broadcasts it to all terminals together with the specific terminal number a and the preparation information C _1. (3) The base station excludes the specific terminal a A shared key K = g ^ (k × S modq) modp with all terminals j (j ≠ a) is obtained. (4) Each terminal j (j ≠ a) obtains preparation information C ₁ and exclusion information C ₂ . Using its own secret information S _j , S _j and λ (j,
The power residue value C ₁ ^ (S _j × λ (j, Λ) modq) modp of C ₁ with the product of Λ) on modulus q as the exponent and λ (a, Λ) determined on modulus q The product of C _{2 and} the power residue value of C ₂ C ₂ ^ (λ (a, Λ) modq) modp C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a , Λ) modq)
By calculating modp, a shared key K with the base station is obtained,
(I) The base station arbitrarily generates an element e of non-zero GF (q) and broadcasts e to all terminals. (Ii) The base station generates a new element g ′ = g ^{1 / e modq} modp And (iii) each terminal i obtains new secret information S _i ′ = S _i × e modq (where (g ′) ^Si ′ modp = (g) ^Si modp holds) With the configuration, the communication amount of the base station is as small as e, and the public information other than the system parameter source g is not changed, so that the secret information can be updated at high speed.

Further, in the exclusive key sharing method of a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) terminals connected to each other, (i) the system administrator
An element e of a non-zero GF (q) is arbitrarily generated, e is broadcast to all terminals, and (ii) the system administrator ^obtains a new element g ′ = g ^{1 / e modq} modp and manages the element. g, and (iii) each terminal i
Is configured to obtain new secret information S _i ′ = S _i × e modq, so that the communication amount of the system administrator is e
Since the public information other than the system parameter source g is not changed, the secret information can be updated at high speed.

Further, in the exclusive key sharing method of a communication system capable of performing broadcast communication comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station, (i) the base station Arbitrarily generates an element e of a nonzero GF (q), and generates a shared key K
Broadcasts the encrypted e encrypted using
(Ii) The base station ^obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g. (Iii) Each terminal j decrypts the encryption e using the shared key K and ^obtains the new secret information. Since S _j ′ = S _j × e modq is obtained, the secret information of the terminal is updated using a random number distributed by using the shared key shared by the exclusive key sharing, and the subsequent exclusive key sharing is performed. The effect that the excluded terminal cannot be returned can be obtained.

Further, in the exclusive key sharing method of a communication system capable of performing broadcast communication comprising N terminals (N is an integer of 2 or more) connected to each other, (i) the chair terminal is a non-zero GF The element e of (q) is arbitrarily generated, and the encrypted e encrypted using the shared key K is broadcast to all terminals. (ii) The chair terminal ^{transmits the} new element g ′ = g ^{1 / e modq} (iii) Each terminal j decrypts the encryption e using the shared key K and obtains new secret information S _j ′ = S _j × e modq. The secret information of the terminal is updated by using the random number distributed by using the shared key shared by the private key sharing, so that the terminal excluded by the subsequent exclusive key sharing can be prevented from returning.

Further, in an exclusive key sharing method for a communication system capable of performing broadcast communication comprising N (N is an integer of 2 or more) terminals connected to each other, a secret key is set to S, and S and N Let p be a large prime or a power of a prime, and (p−
The divisor of 1) is q, the element of GF (p) is g, the number of specific terminals that can be specified by the chair terminal b is 1, and each terminal i (1 ≦ i
≤N) is S = {λ (i, ｉ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is a nonzero GF (q) element), λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}), where Λ is a set consisting of any two of N terminals) The secret information S _i to be satisfied is kept secret, and the chair terminal b
It includes a public key y = g ^S modp of all terminals, public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., available ^{_{y N = g SN modp, (}} 1) chairperson terminal b is optionally generate original k of non-zero GF (q), calculates the preparation information ^{_{C 1 = g k modp, (}} 2) Chair terminal b is excluded from the public information y _a particular terminal a data C ₂ = y _a ^k modp is calculated and broadcast to all terminals together with the specific terminal number a and the preparation information C _1. (3) The chair terminal b obtains a shared key K = y ^k mod p, and (4) each terminal j ( j ≠ a, b) obtains λ (j, Λ) and λ (a, Λ), assuming that Λ = {j, a}, and obtains the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
Since modp is calculated to obtain the shared key K, terminals other than the chair terminal do not need to hold the public information of other terminals, and only the chair terminal can use the public information of other terminals. Therefore, the effect is obtained that the other terminal cannot be the chair terminal.

[Brief description of the drawings]

FIG. 1 is a diagram showing a normal state in a key sharing method according to a first embodiment of the present invention;

FIG. 2 is a diagram showing a method of updating an element g in the key sharing method according to the first embodiment;

FIG. 3 is a diagram showing a method for updating a secret key in the key sharing method according to the first embodiment;

FIG. 4 is a diagram showing a normal state in the key sharing method according to the second embodiment of the present invention;

FIG. 5 is a diagram showing a method of updating an element g in the key sharing method according to the second embodiment;

FIG. 6 is a diagram showing a method for updating a secret key in the key sharing method according to the second embodiment;

FIG. 7 is a diagram showing an exclusion state of a terminal 3 in the key sharing method according to the third embodiment of the present invention;

FIG. 8 is a diagram showing a random number distribution method in the key sharing method according to the third embodiment;

FIG. 9 is a diagram showing a method for excluding continuation of a terminal in the key sharing method according to the third embodiment;

FIG. 10 is a diagram showing an exclusion state of a terminal 3 in a key sharing method according to a fourth embodiment of the present invention;

FIG. 11 is a diagram showing a random number distribution method in the key sharing method according to the fourth embodiment;

FIG. 12 is a diagram showing a method for eliminating continuation of a terminal in the key sharing method according to the fourth embodiment;

FIG. 13 is a diagram illustrating a method for fixing a chair terminal in a key sharing method according to a fifth embodiment of the present invention.

[Explanation of symbols]

 1-6 terminal 1-terminal 6 7 base station 8 broadcast network 9 system administrator 10 chair terminal

 ────────────────────────────────────────────────── ─── Continued on the front page (72) Inventor Natsume Matsuzaki 3-20 Shin-Yokohama, Kohoku-ku, Yokohama-shi, Kanagawa 8 Inside Advanced Mobile Communication Security Technology Research Institute, Inc. (72) Inventor Tsutomu Matsumoto Kakikindai, Aoba-ku, Yokohama-shi, Kanagawa 13-45 F term (reference) 5J104 AA16 AA22 EA01 EA04 EA19 EA28 EA30 MA06 NA16 NA18 PA01 PA04 PA05 5K067 AA34 EE22 HH36

Claims (8)

[Claims] 1. A base station and N units connected to the base station
(N is an integer of 2 or more)
In an exclusive key agreement method of a communication system, a secret key is denoted by S.
And a prime number or a prime number greater than S and N
The base station is specified by p and the divisor of (p-1) be q.
The number of terminals that can be used (hereinafter referred to as the number of specific terminals) is 1,
Note that each terminal i (1 ≦ i ≦ N) is S = {λ (i, Λ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i modq (f₁Is a nonzero GF (q)
), Λ (i, Λ) = Π {L / (Li)} (product is L に-{i}
Λ is a set consisting of any two of the N terminals.
Secret information S that satisfies_iConfidentially, and said
The base station performs the above (S, p, g, S ₁,…, S_N)
(1) The base station sets GF (p) to g and is not zero.
When the element of GF (q) is k, the preparation information C₁= G^k modp, and (2) the base station transmits the secret information of the specific terminal a.
S_aExclusion information C_Two= G ^ (k × S_a modq) modp is calculated, the specific terminal number a and the preparation information C₁With all terminals
(3) The base station communicates with the specific terminal a.
A shared key K = g ^ (k × S modq) modp with all the terminals j (j ≠ a) except for the terminal j (j ≠ a) is obtained.
C₁And the exclusion information C_TwoAnd own secret information S_jUsing,
Said S_jAnd the product of λ (j, Λ) on the modulus q
C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and the λ (a, Λ) obtained on the method q as an index.
Said C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp, the shared key K with the base station is obtained.
(I) the base station assigns the element e of the non-zero GF (q)
And e is broadcast to all terminals. (Ii)
The base station is the new element g '= g^{1 / e modq} modp is obtained and replaced with the element g, and (iii) each terminal i
Is the new secret information S_i'= S_i× e modq (where (g ')^Si'modp = (g)^Si modp holds
An exclusive key agreement method characterized in that: 2. An exclusive key sharing method for a communication system comprising N (N is an integer of 2 or more) mutually connected terminals capable of performing broadcast communication, wherein the secret key is S, Let p be a prime number or a power of a prime number greater than N,
The divisor of (p-1) is q, the element of GF (p) is g, the number of specific terminals that can specify the chair terminal (which can be any terminal) is 1, and each terminal i (1 ≤i≤N is given by S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (where f ₁ is a nonzero GF (q) element) ), Λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}), Λ is a set composed of any two of the N terminals. the secret information S _i satisfying certain) holds the secret, the prime number p, the divisor q managed by the system manager,
The element g and the public key y = g ^S modp of all terminals managed by the system administrator, the system administrator by managed public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ... , y _N = g ^SN modp, (1) the chair terminal is a non-zero GF (q)
Optionally generate original k of, calculate the preparation information ^{_{C 1 = g k modp, (}} 2) the chairman terminal calculates the exclusion information C ₂ = y _a ^k modp from the public information y _a particular terminal a , then broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal, it obtains a shared key ^{K = y k modp, (4} ) the respective terminals j (j ≠ a) is , Λ = {j, a}
Λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C
C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) by using ₁ , the exclusion information C ₂ and its own secret information S _j.
By calculating modp, a shared key K with the chair terminal is obtained, and (i) the system administrator determines a non-zero GF (q)
Arbitrarily generates an element e, and broadcasts the e to all terminals.
(Ii) The system administrator obtains a new element g ′ = g ^{1 / e modq} modp and replaces it with the element g to be managed. (Iii) Each terminal i has new secret information S _i ′ = S _i × e modq (at this time, (g ') ^Si ' modp = (g) ^Si modp holds)
An exclusive key agreement method characterized in that: 3. A base station and N units connected to the base station
(N is an integer of 2 or more)
In an exclusive key agreement method of a communication system, a secret key is denoted by S.
And a prime number or a prime number greater than S and N
The base station is specified by p and the divisor of (p-1) be q.
The number of terminals that can be used (hereinafter referred to as the number of specific terminals) is 1,
Note that each terminal i (1 ≦ i ≦ N) is S = {λ (i, Λ) × S_i(Sum is performed for i∈Λ) (However, S_i= S + f₁× i modq (f₁Is a nonzero GF (q)
), Λ (i, Λ) = Π {L / (Li)} (product is L に-{i}
Λ is a set consisting of any two of the N terminals.
Secret information S that satisfies_iConfidentially, and said
The base station performs the above (S, p, g, S ₁,…, S_N)
(1) The base station sets GF (p) to g and is not zero.
When the element of GF (q) is k, the preparation information C₁= G^k modp, and (2) the base station transmits the secret information of the specific terminal a.
S_aExclusion information C_Two= G ^ (k × S_a modq) modp is calculated, the specific terminal number a and the preparation information C₁With all terminals
(3) The base station communicates with the specific terminal a.
A shared key K = g ^ (k × S modq) modp with all the terminals j (j ≠ a) except for the terminal j (j ≠ a) is obtained.
C₁And the exclusion information C_TwoAnd own secret information S_jUsing,
Said S_jAnd the product of λ (j, Λ) on the modulus q
C₁Power residue C of₁^ (S_j× λ (j, Λ) modq) modp and the λ (a, Λ) obtained on the method q as an index.
Said C_TwoPower residue C of_Two^ (λ (a, Λ) modq) product with modp C₁^ (S_j× λ (j, Λ) modq) × C_Two^ (λ (a, Λ) modq)
By calculating modp, the shared key K with the base station is obtained.
(I) the base station assigns the element e of the non-zero GF (q)
Encryption e generated at will and encrypted using the shared key K
To all terminals, and (ii) the base station transmits a new element g ′ = g^{1 / e modq} modp is obtained and replaced with the element g, and (iii) each terminal j
Decrypts the encrypted e using the shared key K,
Regulation secret information S_j'= S_j× e modq (where (g ')^Sj'modp = (g)^Sj modp holds
An exclusive key agreement method characterized in that: 4. An exclusive key sharing method for a communication system comprising N (N is an integer of 2 or more) mutually connected terminals capable of performing broadcast communication, wherein the secret key is S, Let p be a prime number or a power of a prime number greater than N,
The divisor of (p-1) is q, the element of GF (p) is g, the number of specific terminals that can specify the chair terminal (which can be any terminal) is 1, and each terminal i (1 ≤i≤N is given by S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (where f ₁ is a nonzero GF (q) element) ), Λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}), Λ is a set composed of any two of the N terminals. and the secret information S _i satisfying certain) and kept secret, a public key y = g ^S modp of all terminals, public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp, ..., y N = g ^SN modp can be used, (1) the chair terminal is a non-zero GF (q)
Optionally generate original k of, calculate the preparation information ^{_{C 1 = g k modp, (}} 2) the chairman terminal calculates the exclusion information C ₂ = y _a ^k modp from the public information y _a particular terminal a , then broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal, it obtains a shared key ^{K = y k modp, (4} ) the respective terminals j (j ≠ a) is , Λ = {j, a}
Λ (j, Λ) and λ (a, Λ) are obtained, and the preparation information C
C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq) by using ₁ , the exclusion information C ₂ and its own secret information S _j.
By calculating modp, a shared key K with the chair terminal is obtained, and (i) the chair terminal obtains a non-zero GF (q) element e.
Arbitrarily, and broadcasts the encrypted e encrypted using the shared key K to all terminals. (Ii) The chair terminal obtains a new element g ′ = g ^{1 / e modq} modp, (Iii) each terminal j
Decrypts the encrypted e using the shared key K and converts the new secret information S _j ′ = S _j × e modq (where (g ′) ^Sj ′ modp = (g) ^Sj modp holds) Exclusive key agreement method characterized by seeking. 5. An exclusive key sharing method for a communication system comprising N (N is an integer of 2 or more) mutually connected terminals capable of performing broadcast communication, wherein the secret key is S, Let p be a prime number or a power of a prime number greater than N,
The divisor of (p-1) is q, the element of GF (p) is g, the number of specific terminals that can be specified by the chair terminal b is 1, and each terminal i
(1 ≦ i ≦ N) is given by: S = {λ (i, Λ) × S _i (the sum is performed for i∈Λ) (where S _i = S + f ₁ × i modq (f ₁ is not zero and GF (q) ), Λ (i, Λ) = Π {L / (L−i)} (product is performed on L∈Λ− {i}), Λ consists of any two of the N terminals. and the secret information S _i satisfying a is) set and held in secret, the chairperson terminal b is a public key y = g ^S modp of all terminals, public information ^{_{y 1 = g S1 modp, y}} 2 = g S2 modp,..., y _N = g ^SN modp, and (1) the chair terminal b has a non-zero GF
optionally generate original k of (q), calculates the preparation information ^{_{C 1 = g k modp, (}} 2) the chairperson terminal b is public information y _a from the exclusion information C ₂ = y _a ^k of a particular terminal a the modp calculated, and broadcast to all terminals with preparation information C ₁ with a particular terminal number a, (3) the chairperson terminal b obtains a shared key ^{K = y k modp, (4} ) the respective terminals j ( j ≠ a, b) is Λ = {j,
λ (j, Λ) and λ (a, と し て) as a}, and using the preparation information C ₁ , the exclusion information C _2, and its own secret information S _j , C ₁ ^ (S _j × λ (j, Λ) modq) × C ₂ ^ (λ (a, Λ) modq)
An exclusive key sharing method wherein a shared key K is obtained by calculating modp. 6. All terminals except the chair terminal b can use the public information y _b = g ^Sb modp of the chair terminal b, and the chair terminal b uses the secret information S _b of the chair terminal b. Te, the elimination information C ₂ and a specific terminal number a and preparation information C ₁ to deliver the entire terminal, adds a digital signature, each terminal j, using the public information y _b of the chairperson terminal, verification of the signature 6. The exclusive key sharing method according to claim 5, wherein 7. The base station or the chair terminal distributes the element e to the specific terminal a, and the specific terminal a
Is the new secret information _{S a '= S a × e} modq ( this _{time, (g') ^ S a} 'modp = (g) ^ S a modp holds) according to claim 3, 4, characterized in that to determine the Exclusive key agreement method as described. 8. The exclusive key agreement method according to claim 1, wherein the multiplication operation corresponds to an addition operation on a curve such as an elliptic curve on an arbitrary finite field.