JP2000216769A - Secret key generating method, encryption method and encryption communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an encryption communication method which adopts ID- NIKS where the scale of a mathematical structure is minimized, a coalition problem can be avoided and building of the encryption system is facilitated. SOLUTION: In this encryption communication method, a plurality of centers 1 that distribute a specific secret key to each entity are provided, specific information (ID information) for each entity is divided into several parts, and all private keys generated for divided specific information parts are distributed to the entities. Each entity uses a component corresponding to the divided specific information of an opposite side entity included in a secret key specific to each entity to generate a common key.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a secret key generation method for generating a private key unique to an entity, an encryption method for encrypting information so that the contents of the information cannot be understood by anyone other than the parties, and a cipher text. The present invention relates to an encryption communication method for performing communication.

[0002]

2. Description of the Related Art In a modern society called an advanced information society, important documents and image information in business are transmitted, communicated, and processed in the form of electronic information based on a computer network. Such electronic information has a property that it can be easily copied and it is difficult to distinguish a copy from an original, and thus the importance of information security is emphasized. In particular, "sharing of computer resources",
The realization of a computer network that satisfies the elements of “multi-access” and “wide area” is indispensable for the establishment of an advanced information society, but this includes elements inconsistent with the problem of information security between the parties. As an effective method for resolving such inconsistency, cryptographic technology that has been used mainly in military and diplomatic aspects in the past history of humankind has attracted attention.

[0003] Encryption means exchanging information so that the meaning of the information cannot be understood by anyone other than the parties. In encryption, it is encryption to convert an original sentence (plaintext) that anyone can understand into a sentence (ciphertext) whose meaning is unknown to a third party, and decryption is to return the ciphertext to plaintext. The entire process of encryption and decryption is collectively called an encryption system. In the encryption process and the decryption process, secret information called an encryption key and a decryption key are used, respectively. Since a secret decryption key is required at the time of decryption, only a person who knows the decryption key can decrypt the ciphertext, and the encryption can maintain the confidentiality of the information.

[0004] The encryption key and the decryption key may be the same or different. An encryption method in which both keys are equal is called a common key encryption method, and DES (Data Encryption Standards) adopted by the United States Department of Commerce Standard Bureau is a typical example. Conventional examples of such a common key cryptosystem can be classified into the following three methods.

[0005] A first method is to secretly store all common keys with a partner who may perform encrypted communication. Second method A method in which keys are shared by preliminary communication each time cryptographic communication is performed (a key sharing method using Diffie-Hellman, a key distribution method using a public key method, etc.). Third method The transmitting-side entity and the receiving-side using public specific information (ID (Identity) information) that specifies an individual such as the name and address of each user (entity) without performing preliminary communication. In which the same entity independently generates the same common key (KPS (Key Predistribution System),
ID-NIKS (ID-based Non-Interactive Key Shari
ng Schemes)).

[0006]

The above three conventional methods have the following problems. In the first method, since all common keys are stored, the method is not suitable for a network society in which an unspecified number of users act as entities and perform cryptographic communication. Also, the second method has a problem in that preliminary communication for key sharing is required.

[0007] The third method does not require preliminary communication, and can generate a common key with an arbitrary partner by using the ID information of the disclosed partner and a unique secret parameter distributed in advance from the center. So it is a convenient way. However, there are the following two problems. One is the center
It is a Big Brother (which holds the secret of every entity and becomes a Key Escrow System). Another is that a certain number of entities may be able to compute the secret of the center when collaborating. Many attempts have been made to avoid this collusion problem in terms of computational complexity, but it is difficult to completely solve it.

The difficulty of the collusion problem arises from the fact that the secret parameter based on the ID information has a double structure of the center secret and the personal secret. In the third method, an encryption system is composed of the public parameters of the center, the public ID information of the individual, and the two types of secret parameters. Even if each entity shows the personal secret distributed to each other, the center secret is used. Should not be exposed. Therefore, there are many problems to be solved in realizing the construction of the encryption system.

[0009] The present invention has been made in view of such circumstances, and divides specific information (ID information) into several pieces, and transmits all secret keys based on the divided specific information to entities from a plurality of centers. ID-NIK, which can minimize the mathematical structure by distributing, avoids collusion problems, and facilitates construction of its cryptographic system
It is an object of the present invention to provide a secret key generation method, an encryption method, and an encryption communication method using S.

[0010]

According to a first aspect of the present invention, there is provided a method for generating a secret key unique to each entity to be transmitted from a center to each entity, wherein the specific information of each entity is divided. A secret key unique to each entity is generated using specific information.

According to a second aspect of the present invention, the center sends a secret key unique to each entity from the center to each entity, and the entity encrypts the plaintext using the secret key unique to the entity sent from the center. In an encryption method for encrypting, the divided specific information obtained by dividing the specific information of each entity is used to generate a secret key unique to each entity, which is included in the secret key.
The plaintext is encrypted into a ciphertext using a common key generated using a component corresponding to the division specifying information of the other party as the destination of the ciphertext.

According to a third aspect of the present invention, the center transmits a secret key unique to each entity from the center to each entity, and one of the entities transmits a common key obtained from the secret key unique to the entity sent from the center. To encrypt the plaintext into ciphertext and transmit it to the other entity,
The other entity decrypts the transmitted ciphertext into the original plaintext using the same common key as the common key, which is obtained from the private key unique to the entity sent from the center. In the cryptographic communication method for performing information communication by using a plurality of centers, each of the plurality of centers generates a secret key unique to each entity by using divided specific information obtained by dividing specific information of each entity. Each entity generates the common key using a component included in its own private key and corresponding to the division specifying information of the partner entity.

The various cryptosystems based on entity specific information that have been proposed to solve the collusion problem have been unsuccessful because the center secret cannot be determined from the entity collusion information. This is because the ingenuity was sought too much for the mathematical structure. If the mathematical structure is too complex, the methods to prove security are also difficult. Therefore, in the present invention, the mathematical structure is minimized by dividing the specific information of the entity into several pieces and distributing all the secret keys for each of the divided specific information to the entity.

In the present invention, a plurality of centers are provided, and each center generates a secret key corresponding to one piece of specific information of a certain entity. Therefore, no one center holds the secret of all entities, and each center does not become a Big Brother. Further, since the mathematical structure is minimized, it is easy to avoid the collusion problem, and it is also easy to realize a cryptosystem. Furthermore, since each entity sends its own secret key for generating a common key from the center and holds it in a table format in advance, the time required for generating the common key can be greatly reduced.

[0015]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be specifically described below. FIG. 1 is a schematic diagram showing the configuration of the cryptographic communication system of the present invention. A plurality (K) of centers 1 that can reliably conceal information are set, and these centers 1 can be, for example, public institutions of society.
The point that a plurality of centers 1 are provided is different from the third conventional method.

Each of these centers 1 and this cryptosystem
A plurality of entities a,
b,..., z are secret communication paths 2_a1, ..., 2_aK, 2_b1,
…, 2 _bK, ..., 2_z1, ..., 2_zKConnected by
From each center 1 via these secret communication paths.
The key information is transmitted to each entity a, b, ..., z
Swelling. Also, there is no communication between the two entities.
The communication paths 3ab, 3az, 3bz, ... are provided.
Communication information is encrypted via the routes 3ab, 3az, 3bz, ...
Ciphertext is now transmitted between entities
ing.

[First Embodiment] First, a first embodiment, which is a basic system of the present invention, will be described.

(Preparation processing in the center 1) The center 1 prepares the following public key and private key, and publishes the public key. Public key P Large prime L Size of ID vector (L = KM) K Number of divided blocks of ID vector M Size of divided ID vector Secret key g Primitive element of GF (P) H ^2M × 2 ^M composed of random numbers _j Symmetric matrix (j = 1, 2,..., K) Personal secret random number of α _ij entity i (however, α _i1 α _i2 ... Α _iK ≡1 (mod P−1))

An ID vector, which is specific information indicating the name and address of each entity, is defined as an L-dimensional binary vector,
As shown in FIG.
Each time, it is divided into K blocks. For example, the ID vector (vector I _i ) of the entity i is divided as in Expression (1). Each vector I _ij (j =
, K) are called ID division vectors.

[0020]

(Equation 1)

(Entity Registration Processing) Each center 1 that has been requested to register with the entity i, for the prepared key and the K ID divided vectors of the entity i, has K corresponding secret key vectors s _ij ( j = 1,2,
..., K) by the following equations (2-1), (2-2), ..., (2-
K), and sends the obtained vector s _ij secretly to complete the registration.

[0022]

(Equation 2)

However, when g is a scalar and A and B are matrices, B = g ^A indicates that a power of g is performed for each (μ, ν) component of A. That is, Equation (3) is obtained.
H _j [vector I _ij ] represents a row obtained by extracting one row corresponding to the vector I _ij from the symmetric matrix H _j ,
The operation of [•] is defined as a reference.

[0024]

(Equation 3)

(Generation process of common key between entities)
Entity i has its own secret key vector s_i1From among
Vector I that is an ID division vector of entity m_m1
Vector s of the component corresponding to_i1[Vector I _m1]
And for each block of j = 2,..., K
Secret key vector s_ijFrom the vector I_mjCorresponding to
Component vector s_ij[Vector I_mj] For each block
Pick out. Then, modulo P, the vector s_i1[Vect
Le I_m1] And all remaining vectors s_ij[Bek
Toll I_mj] (J = 2,..., K)
And the symmetric key K_imAsk for. This K_imOperation to find
The equation is specifically Equation (4)._imIs an entity
Common key K obtained from m side _miMatches.

[0026]

(Equation 4)

Next, communication of information between entities in the above-described cryptographic system will be described. FIG.
It is a schematic diagram which shows the communication state of information between human entities a and b. The example of FIG. 2 is a case where the entity a encrypts a plaintext (message) M into a ciphertext C and transmits it to the entity b, and the entity b decrypts the ciphertext C into the original plaintext (message) M. Is shown.

In the j-th (j = 1, 2,..., K) -th center 1, vectors s _aj ,
A secret key generator 1a for obtaining s _bj (secret key) according to the above equation (2-j) is provided. Then, when registration is requested from each of the entities a and b, the entity a, b
The secret key vectors s _aj and s _bj of b are sent to the entities a and b.

On the entity a side, each of the K centers 1
Unique secret key vector s _a1 sent from, ..., s _aj,
, A memory 10 storing s _aK in a table format;
A component corresponding to the entity b from these secret key vector vector s _a1 [Vector I _b1], ..., vector s _aj [Vector I _bj], ..., component selection of selecting the vector s _aK [Vector I _bK] Key generator 12 for generating a common key K _ab between a unit 11 and an entity b obtained by an entity a using these selected components.
And an encryptor 13 for encrypting a plaintext (message) M into a ciphertext C using the common key K _ab and outputting the same to the communication path 30.

Each center 1 is located on the entity b side.
, A unique secret key vector s _b1 , ..., s _bj ,
, _SbK is stored in a table format in a memory 20;
A component corresponding to the entity a from these secrets Vector s _b1 [vector I _a1], ..., vector s _bj [vector I _aj], ..., component selection unit to select a vector s _bK [Vector I _aK] 21, and a common key generator 22 that generates a common key K _ba for the entity a determined by the entity b using the selected components,
A _decryptor 23 is provided for decrypting the ciphertext C input from the communication channel 30 into a plaintext (message) M using the common key _Kba and outputting the same.

Information from entity a to entity b
When transmitting the data, first, at each center 1, the equation (2-
1), (2-2),…, (2-K)
Secret key vector s stored in_a1, S_a2,
…, S_aKIs read out to the component selector 11. And
The component corresponding to the entity b in the classifier 11
Vector s_a1[Vector I_b1], Vector s_a2[Vect
Le I_b2], ..., vector s _aK[Vector I_bK] Is selected
It is sent to the common key generator 12. Common key generator 12
, A symmetric key using these components in accordance with equation (4).
K_abIs sent to the encryptor 13. Encryptor 1
3, the common key K_abUsing plain text (message
G) M is encrypted into a ciphertext C, and the ciphertext C is
Is transmitted via

The ciphertext C transmitted through the communication path 30 is input to the decoder 23 of the entity b. Each center 1 _obtains the secret key vector s _b1 , obtained in accordance with the equations (2-1), (2-2),..., (2-K) and stored in the memory 20 in advance.
s _b2, ..., s _bK is read out to the component selection unit 21. Then, in the component selector 21, the vector s _b1 [vector I _a1 ] and the vector s _b2 which are components corresponding to the entity a
[Vector I _a2 ],..., Vector s _bK [vector I _baK ] are selected and sent to the common key generator 22.
The common key generator 22 _{obtains the} common key K _ba according to the equation (4) using these components, and _sends it to the decryptor 23. The decryption unit 23 decrypts the ciphertext C into a plaintext (message) M using the common key _Kba .

In the method of the present invention, since the secret key vector unique to each entity is stored in advance in the memory on the entity side, the time required for generating a common key can be reduced.

Next, security in the system of the present invention will be described. Requirements for secure ID-NIKS include:
It is known that a secret key generation function and a key sharing function cannot be separated in polynomial time. The following shows that the method of the present invention satisfies this requirement.

(Secret key generation function) The system of the present invention has K secret key generation functions shown in equations (5) and (6).

[0036]

(Equation 5)

When H is arbitrarily symmetric, an equation (7),
As shown in (8), the reference function [•] is clearly inseparable.

[0038]

(Equation 6)

Therefore, the K secret key generation functions represented by the above equations (5) and (6) are inseparable as shown in equation (9).

[0040]

(Equation 7)

(Key Sharing Function) The key sharing function in the method of the present invention is shown in equation (10).

[0042]

(Equation 8)

As in the case of the secret key generation function, equation (10)
Is not separable, as shown in equation (11).

[0044]

(Equation 9)

Conventionally, attacks that break the entire cryptosystem by collusion of an unspecified number of entities (hereinafter referred to as non-acquisition collusion) have been discussed. On the other hand, in the case of attacking only a specific individual, it is also effective to acquire only the entities required for the attack and perform the attack with a smaller number of colluders (hereinafter referred to as acquisition collusion). Hereinafter, the security of the system of the present invention against these non-acquisition collusions and acquisition collusions will be considered.

(Security Against Non-Acquisition Collusion) The ID vector of an arbitrary entity can be represented by a linear combination of the collaborator's ID vectors (association attack), and the secret key generation function or the key sharing function requires polynomial time. In this case, it is possible to forge the secret key of another entity from the secret key of the colluder (separation attack). Such an attack is called a linear attack.

Also in the method of the present invention, the ID vectors of arbitrary entities can be expressed as a linear combination by using the ID vectors of the L independent colluders. That is, a combined attack by L or more entities is established. However, as described above, since the secret key generation function and the key sharing function are inseparable functions,
Even if a joint attack is made on an arbitrary entity, the secret key and common key of that entity cannot be forged by a separation attack. Therefore, the linear attack does not apply to the method of the present invention. Thus, for non-takeover collusions, the scheme of the present invention has a collusion threshold (minimum number of collateral required for a binding attack) much higher than L.

(Security against Acquisition Collusion) In the case of attacking a specific entity with respect to the scheme of the present invention, all entities required for the attack are acquired and all private keys of the acquired entity are used. The following random number replacement attack by the following is conceivable.

For the sake of simplicity, the description will be made with an example in which the ID of the entity is four Chinese characters of the name (L = 4 × 16 = 64 bits) and one Chinese character is one block. That is, K =
4. Set M = 16.

Assume that the IDs of the entities Z, A, B, C, and D are set as follows, and the entities A, B, C, and D are acquired and the entity Z is attacked.

[0051]

(Equation 10)

The secret key of the entity Z is as follows.

[0053]

[Equation 11]

The colluder performs the following calculation to forge the secret key of the entity Z.

[0055]

(Equation 12)

Forged vector s _Z1 ′ to vector s _Z4 ′
_Have the same function as the vectors _sZ1 to _sZ4, respectively. Thus, in the situation where it is possible to acquire an entity necessary for an attack with respect to the method of the present invention, a collusion attack is certainly established.

However, in order to establish such a takeover collusion attack, a secret key of a colluder having exactly the same ID division vector is obtained for all K ID division vectors of the attack target entity. There is a need.
For one particular block, only one in every 2 ^M entities has the same ID split vector, and acquiring all K blocks of this special entity is a reality even if M = 10 and K = 100. It is not easy. Therefore, it can be said that the method of the present invention is safe even for a consignment. The parameters M and K can be set appropriately according to the scale of the encryption system and / or the required degree of security.

FIG. 4 is a diagram showing the configuration of an embodiment of the recording medium of the present invention. The program exemplified here is a process of selecting components corresponding to the entity m from the secret key vector s _ij sent from each center, and using the selected components, the common key K is calculated according to the equation (4). and a process for _{obtaining im} is recorded on a recording medium described below. The computer 40 is provided on each entity side.

In FIG. 4, a recording medium 41 that is connected online to a computer 40 is, for example, a WWW (World Wide) that is installed away from the installation location of the computer 40.
(Web) server computer, and the recording medium 41
Stores the program 41a as described above. By controlling the computer 40 by the program 41a read from the recording medium 41, each entity calculates a common key for the communication target entity.

The recording medium 42 provided inside the computer 40 uses, for example, a hard disk drive or a ROM installed therein, and the recording medium 42 stores the program 42a as described above. By controlling the computer 40 by the program 42a read from the recording medium 42, each entity calculates a common key for the communication target entity.

The recording medium 43 used by being loaded into the disk drive 40a provided in the computer 40 is a transportable medium such as a magneto-optical disk, a CD-ROM or a flexible disk. Is recorded. By controlling the computer 40 by the program 43a read from the recording medium 43, each entity calculates a common key for the communication target entity.

By the way, in order to avoid a random number substitution attack by a conspiracy, it is only necessary to take measures to prevent the divided blocks from being independently attacked. That is, the random number term may be erased only after all the blocks have been calculated. Two embodiments in which the first embodiment is improved based on such a viewpoint will be described below.

[Second Embodiment] Another example (second embodiment) of the present invention in which a random number erasing method is combined to enhance a random number replacement attack will be described.

(Preparation Processing in Center 1) As in the first embodiment, the center 1 prepares the following public key and private key, and publishes the public key. Public key P Large prime L Size of ID vector (L = KM) K Number of divided blocks of ID vector M Size of divided ID vector Secret key g Primitive element of GF (P) H ^2M × 2 ^M composed of random numbers _j Symmetric matrix (j = 1, 2,..., K) Personal secret random number of α _i entity i (however, α _i1 α _i2 ... Α _iK ≡1 (mod P−1))

In order to use the security of the RSA encryption,
P is set so that it is difficult to factorize P-1. To do this, P = 2pq + 1
(P, q: prime number) may be used.

Also, as in the first embodiment, the ID vector of each entity is divided into K blocks (ID division vectors) of block size M (see FIG. 2, equation (1)).

Further, as shown in the equation (12), ID-K-
Center 1 hash function h (·) to generate a one-dimensional first 2ID vector v _i is published. However, each component of the 2ID vector v _i generated by the hash function takes a positive integer, as shown in equation (13), and their sum becomes relatively small constant e.

[0068]

(Equation 13)

(Entity Registration Processing) Each center 1 that has been requested to register with the entity i, with respect to the prepared key and the K ID division vectors of the entity i, has K corresponding secret key vectors s _ij ( j = 1,2,
, K) by the following equations (14-1), (14-2),.
(14-K), and sends the obtained vector s _ij secretly to complete the registration.

[0070]

[Equation 14]

(Generation of Common Key Between Entities) Entity i is a publicly available hash function h (·)
Is used to find the vector v _m of the second ID vector of the partner entity m according to equation (15).

[0072]

(Equation 15)

Entity i has its own secret key vector
s_i1From the ID division vector of the entity m
Vector I_m1Vector s of the component corresponding to_i1[Vect
Le I _m1], And j = 2,.
Secret key vector s about the lock_ijVector
I_mjVector s of the component corresponding to_ij[Vector I_mj]
Select for each block. And modulo P, vector
Le s_i1[Vector I_m1] And all remaining vectors
Tors_ij[Vector I_mj] (J = 2, ..., K) in order
Next v_mjBy repeatedly raising to the power each time, the common key K
_imAsk for. This K_imThe expression for calculating
6) and this K_imIs the share determined from the entity m side.
Passkey K_miMatches.

[0074]

(Equation 16)

(Security Against Random Number Substitution Attack) In the actual examples of the entities A and B, since v _A2 ≠ v _B2 generally holds, a random number substitution attack is not established as shown in the following equation (17).

[0076]

[Equation 17]

[Third Embodiment] Another example (third embodiment) of the present invention in which the process of deleting personal random numbers is complicated by adding a constant term will be described.

(Preparation Processing in Center 1) As in the first embodiment, the center 1 prepares the following public key and private key, and publishes the public key. Public key N N = PQ (P, Q: large prime number) L Size of ID vector (L = KM) K Number of divided blocks of ID vector M Size of divided ID vector Secret key g Maximum generator modulo N H ^2M × ^2M symmetric matrix composed of _j random numbers (j = 1, 2,..., K) _αij The private secret random number of entity i (however, α _i1 α _i α _iK ≡1 (mod λ (N) ) Λ (・) is the Carmichael function)

Further, as in the first embodiment, the ID vector of each entity is divided into K blocks (ID division vectors) having a block size M (see FIG. 2, equation (1)).

(Entity Registration Processing) Each center 1 that has been requested to register with the entity i, with respect to the prepared key and the K ID division vectors of the entity i, obtains K corresponding secret key vectors s _ij ( j = 1,2,
.., K-1, K) by the following equations (18-1), (18-2),
..., calculated according to (18-K-1), (18-K).

[0081]

(Equation 18)

The third embodiment differs from the first embodiment in that α _i2 =... Α _{i, K−1} = α _i and α _i1 α _i α _iK ≡
1 (mod λ (N)) and K−2 personal random numbers β _i2 ,..., Β _{i, K−1} are further added. The center 1 obtains the vector t _i according to equation (19).
Here, β _i = β _i2 +... + Β _{i, K−1} . The obtained vector s _ij and vector t _i are secretly sent to complete the registration.

[0083]

[Equation 19]

(Generation of Common Key Between Entities)
First, each i of j = 2,..., K−1
Secret key vector s about the lock_ijFrom among the entities
Vector I that is an ID division vector of tee m _mjCorresponding to
Column vector s_ij[Vector I_mj] Is selected for each block.
And sum them all S_imAs in equation (20)
Ask.

[0085]

(Equation 20)

Further, the entity i _selects a column corresponding to the vector I _mj that is the ID division vector of the entity m from the secret key vector s _i1 of the first block and the secret key vector s _iK of the last block. Select, S
_{Using the im} and the vector t _i , a calculation as in the following equation (21) is performed to obtain a common key _Kim . This K _im matches the common key K _mi obtained from the entity m side.

[0087]

(Equation 21)

(Consideration of Security) In this system, the expression (22)
If you set like_im= X_im2x_im3... x_{im
, K-1}Can be written as x_im2, X_im3, ..., x_{im, K-1}To
When a large number of equations as variables are collected, in principle, the key
Can be forged.

[0089]

(Equation 22)

However, in the method of the present invention, since the mathematical structure is minimized and there is no structure capable of separating these variables, all these variables must be attacked as independent variables. Requires a very large number of colluders. Also the last block so as to erase random substitution attack, since they must be attacked term shown in equation (22) as the independent variable, for example, in the case of M = 10, to attack attracting 2 ^{as 20} a particular equation Need and safety is improved.

In the third embodiment, the case has been described where the composite number N, for which prime factorization is difficult, is used as a modulus. However, it goes without saying that the same can be applied to the case where N = P.

[0092]

As described above in detail, in the present invention, a plurality of centers are provided, and each center generates a key corresponding to one piece of ID information divided by an entity. No one center holds the secret, and each center does not become a Big Brother. In addition, since the mathematical structure is minimized, it is easy to avoid the collusion problem, and it is also easy to realize an encryption system. Furthermore, since each entity has a unique secret key in advance, the time required to generate a common key can be greatly reduced.

ID-N according to the third conventional method described above
In IKS, in general, an L × L symmetric matrix is used as a center secret and a part of the information is distributed to entities as a vector composed of L components. It is only about L. On the contrary,
In the scheme of the present invention, it is possible to have a collusion threshold much higher than this L.

Even in the conventional method, it is possible to construct an ID-NIKS having a collusion threshold comparable to that of the present invention by using a 2 ^M × 2 ^M center secret matrix. However, the ID-NIKS configured as described above requires 2 ^M product operations or exponentiation operations for key sharing, which is not practical. Most of the systems are separable, and some colluders are required. There is a problem that the secret key of the entity represented by the linear combination is forged. On the other hand, in the method of the present invention, the number of held secret keys is increased, but the common key can be shared by at most K-1 exponentiation operations, and key generation can be performed at very high speed. And
Even if some entities are represented by a linear combination of colluders, it is possible to prevent the secret keys of those entities from being forged.

(Supplementary Note) The following items are further disclosed with respect to the above description. (1) The center sends a private key unique to each entity to each entity, and one entity encrypts plaintext into ciphertext using a common key obtained from the private key unique to the entity sent from the center. Transmitted to the other entity, the other entity converts the transmitted ciphertext into the original plaintext using the same common key as the common key, obtained from the private key unique to the entity sent from the center. In a cryptographic communication method for performing information communication between entities by decrypting, a plurality of the centers are provided, and each of the plurality of centers uses the divided specific information obtained by dividing the specific information of each entity. Generate an entity-specific private key, and each entity
The common key is generated using a component included in its own private key and corresponding to the division identification information of the other entity, and the entity specific random number is included in the division identification information of each entity. And a secret key unique to each entity. (2) The cryptographic communication method according to (1), wherein an arithmetic expression for generating a secret key in each of the centers is as follows.

[0096]

(Equation 23)

Where, vector s _ij : secret key (j = 1, 2,..., K) corresponding to j-th division specifying information of entity i [vector I _ij ]: j-th division specification of entity i Information P: Prime number K: Number of divisions of specific information of entity i g: Primitive element of GF (P) H _j : ^2M × ^2M symmetric matrix composed of random numbers M: Division size of specific information of entity i α _ij : The private secret random number of entity i (however, α _i1
Α _iK ≡1 (mod P−1)) (3) The cryptographic communication method according to the above (2), wherein an arithmetic expression for generating a common key in each entity is as follows.

[0098]

(Equation 24)

Here, K _im : a common key vector s _ij [vector I _ij ] generated by one entity i for the other entity m: included in the secret key vector s _ij of the entity i, and specifying the division of the entity m (4) A common key generation device provided in an entity of the cryptographic communication system and configured to generate a common key used for encryption processing from plaintext to ciphertext and decryption processing from ciphertext to plaintext. Storage means for storing the private key unique to the entity created for each of the divided specific information obtained by dividing the specific information of the entity, and corresponding to the divided specific information of the entity of the communication partner from among the stored secret keys. A common key generation device comprising: a selection unit that selects a component; and a unit that generates the common key using the selected component. (5) A cryptographic communication system in which a plurality of entities mutually perform encryption processing for encrypting plaintext, which is information to be transmitted, into ciphertext, and decryption processing for decrypting the transmitted ciphertext into the original plaintext. , A plurality of centers that generate a private key unique to each entity by using the divided specific information obtained by dividing the specific information of each entity and send the generated private key to each entity, and are included in the own secret key transmitted from the center. And a plurality of entities that generate a common key used for the encryption processing and the decryption processing using components corresponding to the division specifying information of the communication target entity. (6) A computer-readable recording in which a program for generating, on the entity side, a common key used in the encryption process from plaintext to ciphertext and the decryption process from ciphertext to plaintext in the cryptographic communication system is recorded. A program for causing a computer to select, from a medium, a component corresponding to division specific information of an entity of a communication partner from a secret key unique to the entity created for each division specific information obtained by dividing the specific information of the entity. A recording medium comprising: code means; and program code means for causing the computer to generate the common key using selected components.

[Brief description of the drawings]

FIG. 1 is a schematic diagram showing a configuration of a cryptographic communication system of the present invention.

FIG. 2 is a schematic diagram showing an example of dividing an ID vector of an entity.

FIG. 3 is a schematic diagram illustrating a communication state of information between two entities.

FIG. 4 is a diagram showing a configuration of an embodiment of a recording medium.

[Explanation of symbols]

 Reference Signs List 1 center 1a secret key generator 10,20 memory 11,21 component selector 12,22 common key generator 13 encryptor 23 decryptor 30 communication path 40 computer 41,42,43 recording medium

Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat II (Reference) H04L 9/00 673A (72) Inventor Yasumichi Murakami 136 Takeda Mukodaicho, Fushimi-ku, Kyoto-shi, Kyoto Murata Machinery Co., Ltd. (72) Inventor Masao Kasahara 4-15-3 Aowai-in, Minoh-shi, Osaka F-term (reference) 5J104 AA01 AA16 EA02 EA26 JA03 NA02 NA27 NA30 PA07

Claims (3)

[Claims] 1. A method for generating a private key unique to each entity to be sent from a center to each entity,
A secret key generation method, characterized in that a secret key unique to each entity is generated by using split specific information obtained by dividing the specific information of each entity. 2. A method of transmitting a secret key unique to each entity from a center to each entity, and the entity encrypting a plaintext into a ciphertext using the private key unique to the entity sent from the center. Generating a secret key unique to each of the entities by using the split specific information obtained by dividing the specific information of each of the entities, and dividing the other party included in the secret key, which is the transmission destination of the ciphertext; An encryption method characterized by encrypting a plaintext into a ciphertext using a common key generated using a component corresponding to specific information. 3. A center transmits a secret key unique to each entity to each entity, and one entity encrypts plaintext into ciphertext using a common key obtained from the private key unique to the entity sent from the center. And transmits the encrypted text to the other entity using the same common key as the common key, obtained from the secret key unique to the entity sent from the center. In a cryptographic communication method for performing information communication between entities by decrypting into plain text, a plurality of centers are provided, and each of the plurality of centers uses divided specific information obtained by dividing specific information of each entity. A private key unique to each entity is generated by each entity, and each entity includes the specific identification information of the other entity included in its own private key. Wherein the common key is generated using a component corresponding to the information.