JP2001044987A - Batch authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make the number of times for a power remainder operation con stant by deciding the presence of a wrong person when the specific checking is unsatisfactory with a communication unit. SOLUTION: A base station generates a large prime number (p) and a large (q) are opens them to the public and also generates an element (g) whose rank in a multiplication group Zp is equal to (q) to publicize it to the public. Every terminal (i) generates an optional integer si to safely store it as a secret key and also generates vi=g-si mode p as a public key to pen it to the public. Then the terminal (i) selects a random number ri and calculates the information xi=gri mod p to transmit it to the base station. The base station selects a random number (e) and broadcasts it to every terminal (i). The terminal (i) calculates the verification information yi=ri+si.e mod q and sends it to the base station. Then the base station checks X1×X2×...Xn=g(y1+y2+...+yn) (v1×v2×...×vn)e mod p to decide that all authenticated terminals (i) are right when the checking is satisfactory and to decide the presence of a wrong person when the checking is unsatisfactory respectively.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a batch authentication method, and more particularly, to a batch authentication method in a communication system including a plurality of communication devices.

[0002]

2. Description of the Related Art In a communication system capable of broadcasting, a base station sometimes issues a simultaneous command to a plurality of terminals.
At this time, the base station cannot generally specify which terminal is receiving the simultaneous command. Therefore, if a terminal capable of receiving is authenticated and confirmed before the simultaneous command, it is understood that at least the authenticated terminal has received the simultaneous command.
Also, by giving the group key only to the terminal that has been authenticated after authentication, the simultaneous command encrypted using the group key can be decrypted only by the authenticated terminal, so that the simultaneous command can be issued only to the authenticated terminal. .

[0003] As a conventional authentication method, a Schnorr authentication method (for details, refer to the following document: "HANDBOOK of APPLIED CR"
YPTOGRAPHY ”Menezes, van Oorschot, Vanstone,
CRC Publishing, pp414-416) and the Tatsuaki Okamoto authentication method (detailed in "Authentication Based on Discrete Logarithm Problem" in the following materials.
"Contemporary Cryptography" Tatsuaki Okamoto, Hiroshi Yamamoto Co-authored, Sangyo Tosho, pp.
160-pp.161) are known. The former is very excellent because of a small amount of calculation, and the latter is very excellent because of its high security. However, in order to authenticate a plurality of parties, it is necessary to perform individual authentication, and when there are a large number of parties to authenticate, it takes a very long time until all the authentications are completed. FIG. 9 shows a Schnorr authentication method in a one-to-one communication system. FIG.
Figure 2 shows the Okamoto Tatsuaki authentication method in a one-to-one communication system.

[0004]

However, if the above-mentioned conventional authentication method is applied to a broadcast communication system including a plurality of communication devices and is used in a situation where a plurality of communication devices are simultaneously authenticated, the number of communication devices is reduced. However, there is a problem that the calculation time becomes very long as the value of “増 加” increases.

SUMMARY OF THE INVENTION The present invention solves the above-mentioned conventional problem, and proposes an excellent authentication method which can set the number of times of the power-residue calculation which takes the longest time in authentication to a fixed number of times regardless of the number of communication devices for authentication. The purpose is to provide.

[0006]

In order to solve the above-mentioned problems, according to the present invention, in a communication system including n (n ≧ 2) communication devices, a large prime number is defined as p, q.
(Q | p−1), the element is g (g whose order in the multiplicative group Z _p is q), the ID of the communication device is i (1 ≦ i ≦ n),
An arbitrary integer is s _i (1 ≦ s _i ≦ q−1), and the communication device i securely stores s _i as a secret key and v _i (=
g- ^si modp), and (1) the communication device i as the prover
The random number _{r i (1 ≦ r i ≦} q-1) to Pick prior information x _i (=
g ^ri modp) to calculate the verifier communication device j (j ≠
i, 1 ≦ j ≦ n), and (2) the communication device j
(1 ≦ e ≦ q−1) is selected and transmitted to the communication device i, and (3)
The communication device i calculates the verification information y _i (= r _i + s _i · e modq) and sends it to the communication device j. (4) The communication device j has x ₁ × x ₂ ×
... × x _n = g ^{(y1 + y2 +} ... ^{+ Yn)} (v ₁ × v ₂ ×... × v _n ) ^e mod
p is checked, and if it is satisfied, all the authenticated communication devices i are determined to be valid, and if not, it is determined that there is an unauthorized person.

As described above, since the verification formulas that exist for each communication device of the Schnorr authentication method and the Tatsuaki Okamoto authentication method are collectively verified, the communication for authenticating the number of power-residue operations is performed. The number of times can be fixed regardless of the number of aircraft. Further, the number of times of verification until an unauthorized communication device i is specified can be made smaller than the number of times of searching for all communication devices i.

[0008]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described below in detail with reference to FIGS.

A first embodiment of the (First Embodiment) In a communication system comprising a base station and four terminal, node i calculates the pre-information x _i choose a random number r _i To the base station, the base station selects a random number e and sends it to the terminal i, and the terminal i calculates the verification information y _i and sends it to the base station,
This is an authentication method in which the base station determines that all of the terminals i are valid when the verification is valid, and determines that there is an unauthorized person when the verification is not valid.

FIG. 1 to FIG. 4 are diagrams showing the state of each step of the batch authentication method using the Schnorr authentication method according to the first embodiment of the present invention. FIG. 1 is a diagram showing the step (1). FIG. 2 is a diagram showing the step (2).
FIG. 3 is a diagram showing the step (3). FIG. 4 is a diagram showing the step (4). 1 to 4, a verifier 1 is a base station that verifies the authenticity of a terminal. Prover 2
Is a terminal that proves to be a genuine terminal. The broadcast communication network 3 is a wireless communication path capable of performing broadcast communication.

The procedure of the batch authentication method according to the first embodiment of the present invention configured as described above will be described. A communication system including a base station and four terminals will be described as an example.

Step (1): As shown in FIG. 1, the base station (verifier) preliminarily sets a large prime number p of about 1024 bits.
Generate and publish a large q of about 160 bits (where q is a factor of p-1). Also, an element g whose order in the multiplicative group Z _p is q is generated and made public.

The terminal (prover) ID is i (1 ≦ i ≦ 4)
And Each terminal i is an arbitrary integer s _i(1 ≦ s_i≤q-
1), and s_iAnd keep it private as a private key
V as the key_i= G^-si Generate and publish modp. Further, a random number r_i(1 ≦ r_i≤q-
1) Select the previous information x_i= G^ri Calculate modp and send to base station.

Step (2): As shown in FIG. 2, the base station selects a random number e (1 ≦ e ≦ q−1) and broadcasts it to each terminal.

Step (3): As shown in FIG. 3, the terminal i calculates verification information y _i = r _i + s _i · e modq and transmits it to the base station.

Step (4): As shown in FIG. 4, the base station satisfies x ₁ × x ₂ ^×× x _n = g ^{(y1 + y2 +} ... ^{+ Yn)} (v ₁ × v ₂ ×... ×
v _n ) ^e modp is checked, and if it is satisfied, all of the authenticated terminals i are determined to be valid. If not, it is determined that there is an unauthorized person.

Here, a method of efficiently searching for an unauthorized terminal by a method similar to the binary search will be described. In the present invention,
Verification is performed by confirming that the verification formula x ₁ × ... × x _n = g ^{(y1 +} ... ^{+ Yn)} (v ₁ ×... × v _n ) ^e modp holds. It is very inefficient to identify unauthorized terminals using the usual Schnorr authentication method. Therefore, if the verification equation does not hold, the base station:
Performing verification by dividing all terminals into multiple groups, and then performing verification by further dividing groups where the verification formula does not hold into multiple groups until the illegal terminal can be identified, Reduce the number of verifications before identifying. An efficient identification method of a fraudulent person by a method similar to the binary search method will be described with an example in which the number of terminals is eight.

The base station verifies that the following equation holds. x ₁ × x ₂ × x ₃ × x ₄ × x ₅ × x ₆ × x ₇ × x ₈ = g ^{(y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8)}・ (v ₁ × v ₂ × v ₃ × v ₄ × v ₅ × v ₆ × v ₇ × v ₈ ) ^e modp (1)

If the above equation does not hold, the terminals are set to 1-4 and 5-
8 and the verification is performed in the same manner. x ₁ × x ₂ × x ₃ × x ₄ = g ^{(y1 + y2 + y3 + y4)} (v ₁ × v ₂ × v ₃ × v ₄ ) ^e modp (2) x ₅ × x ₆ × x ₇ × x ^{_{8 = g (y5 + y6 +}} y7 + y8) (v 5 × v 6 × v 7 × v 8) e modp (3)

Here, when equation (2) does not hold,
Verification is performed in the same manner by grouping into 1 and 2 and 3 and 4. x ₁ × x ₂ = g ^{(y1 + y2)} (v ₁ × v ₂ ) ^e modp (4) x ₃ × x ₄ = g ^{(y3 + y4)} (v ₃ × v ₄ ) ^e modp (5)

Here, when equation (4) does not hold,
The same verification is performed for each of 1 and 2. x ₁ = g ^y1 v ₁ ^e modp (6) x ₂ = g ^y2 v ₂ ^e mod p (7)

Here, if equation (7) does not hold,
An unauthorized person can be identified as the terminal 2.

Here, the performance comparison with the conventional authentication method will be described. In a communication system composed of a plurality of communication devices, the number of power-residue operations of a verifier required to identify an unauthorized communication device according to the present invention and the Schnorr authentication method is defined as the total number of communication devices serving as provers as n. Compare.

When verifying that there is no unauthorized communication device, the present invention is always fixed twice, while
In the case of the orr authentication method, 2n modular exponentiation operations are required. For example, in the case of n = 256, the present invention requires two times, whereas the Schnorr authentication method requires 512 power-residue operations.

In the case of the present invention, a power-residue operation is further required 4 log ₂ n times in order to specify an unauthorized communication device. For example, if n = 256, the number of times is 32 in the present invention, so that the total of the above two times is 34 times, which is more efficient than the Schnorr authentication method which requires 512 times. In addition, since there are actually fewer cases where an unauthorized communication device exists, the present invention, which can be verified by two power-residue operations twice, can be used only to confirm the presence of an unauthorized communication device. Regardless, it is practically more efficient than the Schnorr authentication method, which always requires 2n times of verification.

In the present embodiment, an example in the case of a wireless communication path has been described. However, the present invention can also be used in a client-server system on the Internet or Ethernet where a server authenticates a plurality of clients simultaneously.

As described above, in the first embodiment of the present invention, the authentication method is as follows. In a communication system including a base station and four terminals, terminal i selects random number r _i and stores previous information x _i . The base station selects the random number e and sends it to the terminal i. The terminal i calculates the verification information y _i and sends it to the base station. Since all i are judged to be valid, and if they are not satisfied, it is judged that there is a fraudulent person. Therefore, the verification formulas are collectively verified, and the communication for authenticating the number of power-residue operations is performed. The number of times can be fixed regardless of the number of aircraft.

(Second embodiment) Second embodiment of the present invention
Is a communication system consisting of a base station and four terminals.
Terminal i is a random number r_1i, R_2iSelect the previous information x_iTo
Calculate and send it to the base station, and the base station calculates
Select and send to terminal i, and terminal i verifies verification information y_1i, Y _2iTo
Calculate and send to base station, base station g₁ ^{(y11 + y12 +}…
^{+ y1n)} g_Two ^{(y21 + y22 +}…^{+ y 2n)}= X₁× x_Two×… × x_n (v₁
× v_Two×… × v_n)^e modp is checked, and if
Judging all terminals that have issued a certificate are legitimate and does not hold
In this case, the authentication method determines that there is an unauthorized person.

FIG. 5 to FIG. 8 are diagrams showing the state of each step of the batch authentication method using the Tatsuaki Okamoto authentication method according to the second embodiment of the present invention. FIG. 5 is a diagram showing the step (1). FIG. 6 is a diagram showing step (2).
FIG. 7 is a diagram showing the step (3). FIG. 8 is a diagram showing the step (4).

The procedure of the batch authentication method according to the second embodiment of the present invention configured as described above will be described. A communication system including a base station and four terminals will be described as an example.

Step (1): As shown in FIG. 5, the base station (verifier) sets a large prime p of about 1024 bits in advance.
Generate and publish a large q of about 160 bits (where q is a factor of p-1). Also, an element g whose order in the multiplicative group Z _p is q is generated and made public.

The terminal (certifier) ID is i (1 ≦ i ≦ 4)
And Each terminal i is an arbitrary integer s _1i, S_2i(1 ≦
s_1i, S_2i≦ q−1), and s_1i, S_2iWith the secret key
And store it securely and use v_i= G₁ ^s1ig_Two ^s2i Publish modp. Random number r_1i, R_2i(1 ≦ r_1i, R_2i≤q-
1) Select the previous information x_i= G₁ ^r1ig_Two ^r2i Calculate modp and send it to the base station.

Step (2): As shown in FIG. 6, the base station selects a random number e of 1024 bits and broadcasts it to each terminal i.

Step (3): As shown in FIG. 7, the terminal i calculates y _1i = r _1i + s _1i · e modq y _2i = r _2i + s _2i · e modq and transmits it to the base station.

Step (4): As shown in FIG. 8, the base station calculates g ₁ ^{(y11 + y12 +} ... ^{+ Y1n)} g ₂ ^{(y21 + y22 +} ... ^{+ Y2n)} = x ₁ × x ₂
× ... × x _n (v ₁ × v ₂ × ... × v _n ) ^e modp is checked, and if it is satisfied, all the authenticated terminals are judged to be valid. If not, there is an unauthorized person. Judge.

Here, the security will be described. Schnor
Since the r authentication method seeks the basis of security that the discrete logarithm problem cannot be solved in polynomial time, it is considered that the present invention using the Schnorr authentication method also requires the basis of security in the same part. Can be Therefore, in order to have sufficient security, the size of the modulus p should be about 1024 bits and the modulus q
Needs to be about 160 bits and the size of the random number e is about 1024 bits. Similarly, in the present invention using the Okamoto Tatsuaki authentication method, similarly to the Okamoto Tatsuaki authentication method, the size of the modulus p is about 1024 bits, the size of the modulus q is about 160 bits, and the size of the random number e is It needs to be around 1024 bits.

It is assumed that the security may be different between the present invention and the Schnorr authentication method or the Tatsuaki Okamoto authentication method because of the collusion of a communication device as a prover. In conclusion, I think this is difficult. Because it is assumed that this is possible, the values of the Schnorr authentication method and the Tatsuaki Okamoto authentication are divided so that they can be synthesized by multiplication, and the Schnr
This is because a division value that can be impersonated with respect to the orr authentication method and the Okamoto Tatsuaki authentication can be created, so that if the Schnorr authentication method and the Okamoto Tatsuaki authentication are safe, the present invention is considered to be safe.

In the present embodiment, an example of a wireless communication path has been described. However, the present invention can also be used in a client-server system on the Internet or Ethernet where a server authenticates a plurality of clients simultaneously.

As described above, the second embodiment of the present invention
Then, the authentication method is changed to a communication system consisting of a base station and four terminals.
In the system, terminal i is a random number r_1i, R_2iChoose the precondition
Report x _iIs calculated and transmitted to the base station.
A random number e is selected and transmitted to the terminal i, and the terminal i
y_1i, Y_2iIs calculated and transmitted to the base station.₁
^{(y11 + y12 +}…^{+ y1n)} g_Two ^{(y21 + y22 +}…^{+ y2n)}= X₁× x_Two×…
× x_n (v₁× v_Two×… × v_n)^eCheck modp and hold
In that case, all terminals that have been authenticated are
If not, it is determined that there is a fraudulent person
So, verify the verification formulas together and verify that
The number of calculations is fixed regardless of the number of communication devices to be authenticated.
be able to.

[0040]

As is apparent from the above description, according to the present invention, in a communication system including n (n ≧ 2) communication devices, a large prime number is set to p, q (q | p−
1), and the element is g (g where the order in the multiplicative group Z _p is q)
And the communication device ID is i (1 ≦ i ≦ n), an arbitrary integer is s _i (1 ≦ s _i ≦ q−1), and the communication device i securely stores s _i as a secret key, V _i (= g ^-sim
odp), and (1) the communication device i as a prover
_{i (1 ≦ r i ≦ q} -1) before select the information x _i (= g ^ri mod
p) is calculated and the verifier is the communication device j (j ≠ i, 1 ≦ j)
≦ n), and (2) the communication device j transmits a random number e (1 ≦ e ≦ q
Transmitted to the communication device i choose -1), (3) communication device i is transmitted to the verification information _{y i (= r i + s} i · e modq) was calculated by the communication device j, (4) communication device j is x ₁ × x ₂ × ... × x _n = g
^{(y1 + y2 + ... + yn} ) a _{(v 1 × v 2 × ...} × v n) e modp and verification,
If it holds, all of the authenticated communication devices i are judged to be valid, and if not, it is judged that there is a fraudulent person. The effect is obtained that the number of times can be set to be constant regardless of the number.

If the verification expression does not hold, the communication device i is divided into a plurality of groups and the verification is performed again. It is illegal to divide the group where the verification expression does not hold into the plurality of groups and perform the verification. Since the repetition is repeated until the communication device i can be specified, the number of times of verification until the unauthorized communication device i is specified can be made smaller than the number of times of searching all the communication devices i.

[Brief description of the drawings]

FIG. 1 is a state diagram of step (1) of an authentication method according to a first embodiment of the present invention;

FIG. 2 is a state diagram of step (2) of the authentication method according to the first embodiment of the present invention;

FIG. 3 is a state diagram of step (3) of the authentication method according to the first embodiment of the present invention;

FIG. 4 is a state diagram of step (4) of the authentication method according to the first embodiment of the present invention;

FIG. 5 is a state diagram of step (1) of the authentication method according to the second embodiment of the present invention;

FIG. 6 is a state diagram of step (2) of the authentication method according to the second embodiment of the present invention;

FIG. 7 is a state diagram of step (3) of the authentication method according to the second embodiment of the present invention;

FIG. 8 is a state diagram of step (4) of the authentication method according to the second embodiment of the present invention;

FIG. 9 is a diagram showing a procedure of a Schnorr authentication method in a conventional one-to-one communication system;

FIG. 10 is a diagram showing a procedure of a Tatsuaki Okamoto authentication method in a conventional one-to-one communication system.

[Explanation of symbols]

 1 Verifier 2 Prover 3 Broadcast Network

 ────────────────────────────────────────────────── ─── Continuing from the front page (72) Inventor Natsume Matsuzaki 3-20 Shin-Yokohama, Kohoku-ku, Yokohama-shi, Kanagawa 8 F-term in Advanced Mobile Communication Security Technology Research Institute, Inc. (reference) 5J104 AA07 AA22 BA03 KA02 KA05 NA02 NA18 NA37 5K067 AA14 AA33 CC13 CC14 DD17 EE02 HH05 HH21 HH24

Claims (3)

[Claims] 1. In a communication system including n (n ≧ 2) communication devices, large prime numbers are p and q (q | p−1), and an element is g (an order in the multiplicative group Z _p is q G)
The ID of the communication device is i (1 ≦ i ≦ n), and an arbitrary integer is s
_i (1 ≦ s _i ≦ q−1), the communication device i securely stores s _i as a secret key, and v _i (= g ^−si mod
exposes p), (1) the communication unit i is prover random number r _i (1 ≦ r _i ≦
q-1) is selected, the preceding information x _i (= g ^ri modp) is calculated and transmitted to the communication device j (j ≠ i, 1 ≦ j ≦ n) as a verifier. (2) The communication device j It sends the random number e to (1 ≦ e ≦ q-1 ) to pick the communicator i, (3) the communication device i is verification information _{y i (= r i + s} i · e mo
dq) is calculated and transmitted to the communication device j. (4) The communication device j calculates x ₁ × x ₂ ×... x _n = g ^{(y1 + y2 +} ... ^{+ yn)} (v ₁ × v ₂ ×. ×
v _n ) ^e modp, and if it is valid, the authenticated communication device i
The authentication method is characterized in that all of the above are judged to be legitimate, and if not, it is judged that there is an unauthorized person. 2. A communication system comprising n (n ≧ 2) communication devices.
In the stem, large primes are denoted by p, q (q | p-1).
G₁, G_Two(Multiplicative group Z_pG whose order is q₁,
g_Two), And the ID of the communication device is i (1 ≦ i ≦ n).
S_1i, S_2i(1 ≦ s_1i, S_2i≦ q-1)
And the communication device i is s_1i, S_2iSecure as a private key.
And v_i(= G₁ ^s1ig_Two ^s2i modp) public
(1) The communication device i as a prover is a random number r_1i, R_2i(1
≤r_1i, R_2i≦ q-1) and select the previous information x_i(= G₁ ^r1i
g_Two ^r2i modp) to calculate the communication device j that is the verifier.
(J ≠ i, 1 ≦ j ≦ n). (2) The communication device j is a random number e of k (= O (| p |)) bits.
Is selected and transmitted to the communication device i. (3) The communication device i_1i(= R_1i+ S_1i・ E
 modq), y_2i(= R _2i+ S_2i・ Calculate e modq)
(4) The communication device j is g₁ ^{(y11 + y12 +}…^{+ y1n)} g_Two ^{(y21 + y22 +}…^{+ y2n)}= X₁× x_Two
×… × x_n (v₁× v_Two×… × v_n)^e modp is verified, and if it is valid, all authenticated terminals are valid.
And if it does not work, there is a fraudster
An authentication method characterized by determining. 3. If the verification equation does not hold, the communication device i is divided into a plurality of groups and the verification is performed again. The group where the verification equation does not hold is further divided into a plurality of groups and the verification is performed. The authentication method according to claim 1, wherein the repetition is repeatedly performed until it can be identified as an unauthorized communication device i.