JP2004282575A - Interaction key generation method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make it clear when and who shares asymmetrical private key corresponding to an interaction key by verifying the relation between information and a public key (interaction key) which are transmitted and received in a key shared protocol. <P>SOLUTION: A plurality of user terminals (Alice and Bob) are provided and the asymmetrical shared key CK is secretly shared by using the key shared protocol Z. A center (Charley), which is an observer, calculates, by using an algorithm α, a group public key (interaction key IK) corresponding to the secretly shared asymmetrical shared key CK from intercepted communication (interaction sentence IM) between the terminals. At the point in time when the asymmetrical shared key CK is secretly shared, the interaction key IK is also already becomes calculable and a real time nature is guaranteed. The relation between the information to be transmitted and received by using the key shared protocol Z and the public key (interaction key) is verified by the center and it is made clear when and who secretly shares the asymmetrical shared key CK corresponding to the interaction key IK. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a conversation key and a method for generating the conversation key, and more particularly, to a conversation key that is a public key corresponding to a secret key and enables a key sharing protocol to know who shared the secret key and when.
[0002]
[Prior art]
A method of sharing a common key in a conventional key sharing scheme will be described. As a method of sharing a common key between Alice and Bob, a Diffie-Hellman method, many variations thereof, and a method in which these are extended between three or more entities (for example, [BD94]) are known. The shared common key is often used for common key encryption and MAC (message authenticator). In addition, a value that is a source of a common key is encrypted by RSA, such as SSL 3.0 [SSL] / TLS 1.0 [TLS] that provides a secure session between Server and Client (when the key sharing scheme is RSA). A delivery method is also known, and the shared common key is used for the common key encryption and the MAC.
[0003]
In these methods, in order to use a shared common key as a secret key of public key encryption, Alice and Bob holding the common key calculate by using a procedure for generating a public key from a common key determined in advance. It may be made public and the verifier verifies that all public keys are equal. Hereinafter, this method will be referred to as Simple Method.
[0004]
A method for sharing a public key and a secret key will be described. A method of sharing the RSA public key and secret key between Alice and Bob [PS98, G99] or a method of sharing between three or more entities [BF97] is known. These schemes have the characteristic that all entities participating in the protocol can calculate the public key, but for the private key, each entity can calculate only its share.
[0005]
However, in [PS98, G99], only the entity that participates in the protocol can calculate the public key using its own private key. In [BF97], an entity called a helper, which cannot obtain a shared value of a secret key, is assumed to participate in the protocol, and only the helper can calculate a public key. After all, in these schemes, only the entity participating in the protocol can calculate the public key. Therefore, in order for the verifier to obtain the public key, similarly to the Simple Method, an entity participating in the protocol needs to publish the public key after calculating it.
[0006]
The Simple Method will be described. An example is shown in which the number of users is set to 2 for simplicity, a common key is shared among a plurality of users, and each user discloses a public key calculated from the common key to a verifier. Alice and Bob each have a public key Y_AliceAnd Y_Bob, Secret key X_AliceAnd X_BobAnd the verifier is Y_AliceAnd Y_BobYou know. Alice and Bob share a procedure for calculating a public key from a common key in advance.
[0007]
The processing of Alice and Bob is as follows.
Step 1: The common key CK is shared using an existing key sharing scheme (for example, Diffie-Hellman).
Step 2: Alice is a public key PK using the common key CK as a secret key of public key cryptography._Alice(Bob is PK_Bob) Is calculated.
Step3: Alice is PK_Alice(Bob is PK_Bob) For X_Alice(Bob is X_Bob) Using digital signature SIG_Alice(Bob is SIG_Bob) Is calculated.
Step4: Alice is PK_Alice(Bob is PK_Bob) And SIG_Alice(Bob is SIG_Bob) To the verifier.
[0008]
The process of the verifier is as follows.
Step5: Signature SIG_AliceAnd SIG_BobVerify If successful, go to Step 6; otherwise, end.
Step6: PK_Alice= PK_BobIf it is, it is accepted, and if not, it ends.
[0009]
The call content proof will be described. Call content certification is a service that certifies the content of a call made between a plurality of entities to a third party after the call. There are electronic notarization and time stamps as services that can be used for conventional call content certification. The time stamp is a technique for proving that the content existed at a certain point in time. In order to use these services for certifying the contents of a call, the contents of the call are mainly transmitted to the respective Authorities and a digital signature of each Authority is issued, and the user of the service verifies the digital signature with the verifier. Prove the content of the call by making it public. FIG. 7 shows a procedure of an example of a conventional call contents certifying method.
[0010]
[Non-patent document 1]
[BF97] D. Boneh, M .; Franklin, "Efficient Generation of Shared RSA Keys," Advanced in Cryptology-CRYPTO '97, pp. 425-439, Springer-Verlag, 1997.
[Non-patent document 2]
[BD94] M. Burmester, Y .; Desmedt, "A Security and Efficient Conference Key Distribution System", Advances in Cryptology-EUROCRYPT'94, pp. 139-157. 275-285, Springer-Verlag, 1994.
[Non-Patent Document 3]
[DF89] Y. Desmedt, Y .; Frankel, "Threshold cryptosystems", Advances in Cryptology-Crypto '89, LNCS 435, pp. 307-315, Springer-Verlag, 1989.
[Non-patent document 4]
[TLS] T.I. Dierks, C.I. Allen, "The TLS Protocol Version 1.0," Request for Comments: 2246, 1999.
[Non-Patent Document 5]
[SSL] A. Freier, P .; Karlton, and P.M. Kocher, "The SSL Protocol Version 3.0," Transport Layer Security Working Group, INTERNET-DRAFT, 1996.
[Non-Patent Document 6]
[G99] N.P. Gilboa, "Two Party RSA Key Generation," Advanced in Cryptology-CRYPTO'99, pp. 116-129, Springer-Verlag, 1999.
[Non-Patent Document 7]
[P91] T.I. Pederson, "A Threshold Cryptosystem with a Trusted Party," Advanced in Cryptology-EURO. 522-526, Springer-Verlag, 1991.
[Non-Patent Document 8]
[PS98] G.I. Poupard, J .; Stern, "Generation of Shared RSA Keys by Two Partners," "Advanced in Cryptology -...", pp. 11-24, Springer-Verlag, 1998.
[Non-Patent Document 9]
[S79] A. Shamir, "How to share a secret", Comm. Assoc. Comput. Mach. , Vol. 22, no. 11, pp. 612-3, 1979.
[0011]
[Problems to be solved by the invention]
However, in the conventional Simple Method, the verifier can only verify that the signature is equal to the signature of the public key, and thus has the following problem.
(1) The verifier does not know when the released public key corresponds to the shared key shared by whom.
(2) The verifier cannot accept the public key when there is a user who does not disclose the public key.
[0012]
Further, the conventional method of certifying the contents of a call has two major problems. One problem is that the call time and the signature issuance time are not the same, so that real-time performance is lacking. The second problem is that the content of the call received by the Authority is not guaranteed to be the content of the call in the first place. Even if Alice and Bob's signatures are issued for the call contents M (for example, a contract), Alice and Bob are not necessarily the callers. This is because the entity (Alice) that signed earlier does not know who is the entity that signs later, and cannot guarantee that it is the signature of the caller.
[0013]
For example, as the content of the call received by Authority,
Alice assumed call content: SIG (SECRET_Alice, M) @SIG (SECRET_Bob, M) ‖M
Alice unexpected call content: SIG (SECRET_Alice, M) @SIG (SECRET_Charley, M) ‖M
Both are possible.
[0014]
In order to solve this, the name of Alice and Bob can be described in the call content, but the call content and its signature cannot be prepared in advance, it takes time for the verifier and Authority to confirm each time, the call content There is a problem that it cannot be performed if the data is encrypted.
[0015]
The following methods exist to solve these.
(1) There is a system in which hardware for taking a communication log of a telephone is built in a telephone or the like, and a time stamp is added to call data. This is a voice recording and notarization system that can add a time stamp synchronized with Coordinated Universal Time (UTC) to call data during a telephone transaction or the like. The time certification service is a time certification authority, and the time stamp authority and the voice logging system are combined. The use of time authentication by a third party can ensure the reliability of the call contents. However, there is a problem that there is no real-time property, and that the guarantee that the record is the content of the call depends on the reliability of the hardware that logs.
(2) Secret key SECRET that has only Alice and Bob_{Alice Bob}The verifier verifies the call contents with the public key corresponding to the secret key. However, SIG (SECRET_{Alice Bob}, M) @SIG (SECRET_Alice, M) @SIG (SECRET_{B ob}, M) @M, it cannot be denied that there is an entity having the same secret key other than Alice and Bob, and real-time performance is not guaranteed.
[0016]
Further, if the DH-type interactive key generation method, which assumes only two users, is simply extended to three or more, the amount of computation and the amount of communication of each user increase depending on the number of users, There is a problem that the efficiency is greatly reduced.
[0017]
SUMMARY OF THE INVENTION The present invention solves the above-mentioned conventional problems, enables verification of the relationship between information transmitted / received in a key sharing protocol and a public key (conversation key), and determines when and who shared a secret key corresponding to the conversation key. The purpose is to be able to understand. It is another object of the present invention to extend the number of users to three or more DH-type interactive key generation methods without lowering the efficiency. That is, the verifier can calculate a public key (interactive key) corresponding to a secret key shared by the key sharing protocol from information transmitted and received between users in the key sharing protocol, and can share the secret key. At this point, the public key (conversation key) is also made computable, so that real-time performance is guaranteed. The time stamp is a technology for proving that the content existed at a certain point in time, whereas the conversation key is a technology for proving that there is no common key corresponding to the conversation key before a certain point in time. It is.
[0018]
[Means for Solving the Problems]
In order to solve the above-mentioned problem, the present invention provides a key exchange system comprising a plurality of terminals having key exchange means capable of calculating an asymmetric common key and a center. And a means for calculating a conversation key which is a group public key using an asymmetric common key as an asymmetric secret key from intercepted communication.
[0019]
With this configuration, the relationship between the information transmitted and received in the key sharing protocol and the public key (conversation key) can be verified, and it is possible to know when and who shared the asymmetric secret key corresponding to the conversation key. When there are three or more users, the amount of calculation and the amount of communication can be reduced by adopting a ring-type communication path and limiting the communication destination of each user.
[0020]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS.
[0021]
(First Embodiment)
In the first embodiment of the present invention, an asymmetric common key is secretly shared among a plurality of user terminals by a key sharing protocol using a secret sharing scheme. This is a threshold cryptosystem (TC) type conversation key sharing system that calculates a group public key (conversation key) corresponding to an asymmetric common key shared by.
[0022]
FIG. 1 is a conceptual diagram of a conversation key sharing system according to the first embodiment of the present invention. In FIG. 1, a user 1 (Alice) and a user 2 (Bob) are parties who make a call requiring certification. The observer 3 (Charley) is a center that intercepts communication and certifies the contents of a call. The dialogue 4 is data for key sharing communicated between users. The common key 5 is an encryption key secretly shared by the user. The conversation key 6 is a public key corresponding to the common key 5, and can be generated by anyone from the conversation text 4 and the public information.
[0023]
FIG. 2 is a configuration diagram of the conversation key sharing system according to the first embodiment of the present invention. In FIG. 2, a key exchange means 7 is a means for calculating an asymmetric common key from a dialogue sentence. The interception unit 8 is a unit that intercepts communication between terminals. The conversation key calculation means 9 is a means for calculating a conversation key from a conversation sentence. FIG. 3 is a flowchart showing the operation procedure of the conversation key sharing system.
[0024]
The operation principle and operation procedure of the interactive key sharing system according to the first embodiment of the present invention will be described. First, the concept of the "dialogue key" will be described with reference to FIG. There are multiple entities that communicate, for example, Alice (user 1) and Bob (user 2). In this example, the number is two, but may be three or more. Alice and Bob execute a key sharing protocol Z and share a common key CK. This common key CK is a group secret key of a public key system (asymmetric key system). There is an entity (observer 3 (Charley)) that generates a conversation key IK without performing key sharing by observing (intercepting) communication between Alice and Bob. The “conversation key” is a group public key using the common key CK as an asymmetric secret key. The conversation key must be able to be calculated by the algorithm α from the public conversation IM transmitted and received between Alice and Bob in the key sharing protocol Z.
[0025]
The greatest feature of the "interactive key" is that Charley itself can determine when and by whom the public key corresponds to the asymmetric common key shared. For example, Alice and Bob are assumed to be users having a mobile phone or a PC, and Charley is assumed to be a GW or ISP of a communication carrier. At this time, as the application of the conversation key, it is possible to issue a call content proof and a public key certificate. In the former case (call contents proof), Alice and Bob make an encrypted / signed call (for example, a contract-related call) using an asymmetric common key, and Charley records the call and requests the verifier to make a request. This is a service that uses the conversation key to certify the contents of a call. The latter (public key certificate issuance) is a service by which Charley issues a public key certificate for the conversation key. In any case, it is advantageous that the verifier of the contents of the call or the certificate can determine who and when the conversation key is shared.
[0026]
Terms are defined as follows:
(1) User: A user who shares an asymmetric common key. No attack on the observer due to collusion between users is assumed. When the number of users is 2, they are called Alice and Bob.
(2) Observer: a third party capable of observing a dialogue between users, and a polynomial time algorithm α for calculating a dialogue key IK from a dialogue text IM, and a polynomial algorithm β for verifying a relationship between the dialogue text IM and the dialogue key IK. Have. If the number of observers is 1, it is called Charley.
(3) Asymmetric common key (CK): An asymmetric common key secretly shared by a plurality of users by a key sharing protocol at a certain point in time. In order to distinguish it from the common key (symmetric secret key) of the secret key system (symmetric key system) which is not the public key system (asymmetric key system), it is called an asymmetric common key. An individual secret key of the public key method is called an asymmetric secret key.
(4) Dialogue: Plaintext exchange between users performed for sharing the asymmetric common key CK. This plain text is called an interactive text (IM).
(5) Dialogue key (IK): a public key of a group including all users as members, and is calculated by a polynomial time algorithm α using an input as a dialogue text IM and an output as a dialogue key IK. Here, the conversation key IK is a public key using the asymmetric common key CK shared by the conversation text IM as an asymmetric secret key.
(6) Verifier: A third party other than the caller (user) and the observer, who requests verification of the call contents.
[0027]
Hereinafter, conditions to be satisfied by the present invention will be described. Although the conditions required in the general key sharing scheme are omitted, they must be satisfied in the present invention.
(1) Possibility of generation: There is a polynomial time algorithm α that calculates a conversation key IK from a conversation sentence IM.
(2) Verifiability: There is a polynomial time algorithm β that verifies the relationship between the conversation sentence IM and the conversation key IK.
(3) Tolerance: When all users can calculate the asymmetric symmetric key CK, the observer can also calculate the conversation key IK without fail.
(4) Confidentiality: The observer cannot obtain the asymmetric common key CK from the conversation IM.
[0028]
Hereinafter, the symbols used in the present invention are defined and briefly described.
(1) p: a large prime number. The large prime number is, for example, a prime number of about 1024 bits, and is a large number that cannot effectively solve the discrete logarithm problem.
(2) q: a large prime number that divides (p-1). For example, it is a prime number of about 160 bits.
(3) g: Z^* _pIs an element whose order is q. That is, Z^* _pIn the above multiplicative group, g^q= 1 modp, and for r where 0 <r <q, g^r≠ 1 modp. Z^* _pIs a set of integers from 0 to less than p and relatively prime to p. Z_qIs a set of integers from 0 to less than q. If p is a prime number, Z^* _pIs Z_p− {0}. p, q, and g are fixed parameters, and are assumed to be shared by all entities in advance. In this example, for the sake of simplicity, a discrete logarithm problem type cryptosystem is used, but elliptic curve cryptography may be used.
(4) H: Hash function.
(5) X_i: The asymmetric secret key of the user i.
(6) Y_i: Asymmetric secret key X of user i_iIs the public key for. Here, for the sake of simplicity, the same key pair is used for public key encryption and digital signature, but in practice it is desirable to use different key pairs.
(7) i: X_iIs a user ID that keeps a secret, and is an integer of (1 ≦ i ≦ n). A user whose ID is an integer i is called user i or User i.
(8) P_ENC (y, m): a function for encrypting the plaintext m by the public key y using the public key y. It can be decrypted with the asymmetric secret key corresponding to the public key y.
(9) C_ENC (K, m): a function for encrypting the plaintext m with the symmetric secret key K by the symmetric secret key method. It can be decrypted using the symmetric secret key K.
(10) MAC (K, m): a function for generating a MAC (message authenticator) for the plaintext m using the symmetric secret key K. With the symmetric secret key K, it is possible to verify whether or not t has been tampered with.
(11) SIG (x, m): a function for signing plaintext m with asymmetric secret key x. The signature can be verified using the public key corresponding to the asymmetric secret key x. Here, an attached signature scheme is assumed as an example.
(12) L (Ψ, w): Lagrange interpolation coefficient (Ψ: set, w: integer),
L (Ψ, w) = Π_{t ∈Ψ＼ {W}}  t / (tw) modq
Is defined by {W} is a set obtained by removing the set {w} from the set Ψ.
[0029]
Next, an outline of a threshold cryptosystem (TC) type conversation key generation method will be described. Let the total number of users be n (2 ≦ n ≦ q−1). A threshold value at which a secret value can be restored from a shared value in the secret sharing method is (n + 1). That is, if there are (n + 1) or more shared values, the secret value can be restored. The total number of variance values is 2n (a set of variance value numbers is Δ). By using such a threshold cryptosystem, a key sharing method capable of generating a conversation key can be configured. See [DF89] and [P91] for details of the secret sharing scheme.
[0030]
Each user i performs the following processing.
Step 1: An asymmetric common key CK (∈Z_q) Variance value_2i-1, CK_2i(∈Z_q).
Step2: IK_i(= G ＾ (CK_2i-1) Modp), CK_2i, Verification value F_i(The power of the polynomial used for generating the variance value is defined as an index, g is the base, and p is a modulus.)
Step3: IK_i, CK_2i, F_iPublish.
Step 4: The asymmetric symmetric key CK is restored from a total of (n + 1) distributed values (publicized n and one of the own).
[0031]
Charley performs the following processing.
Step5: All IK_i, CK_2iTo F_iAnd if it succeeds, it will go to Step 6, and if it fails, it will show Error.
Step6: IK = Π_{i = 1} ⁿ  (IK_i ^{L ( Δ , 2i-1)}* G ＾ (CK_2i* L (Δ, 2i))) Calculate the modp. The result is IK = g^CK  modp.
[0032]
Charley, IK_iAnd g ＾ (CK_2i) To collect the variance of (n + 1) or more, so that IK can be calculated. However, CK_2iCannot be recovered because only n or less can be collected.
[0033]
The Threshold cryptosystem (TC) type interactive key generation method will be described in detail.
(1) Process of user i
(Step 1)
a) Random number R_i(∈Z_q).
b) Z_qArbitrary n-order polynomial f_i(W) is generated.
c) f_{i, 0}= R_iAs
f_i(W) = f_{i, 0}* W⁰+ F_{i, 1}* W¹+ ・ + F_{i, n}* Wⁿ
Is calculated.
d) F_i= ｛F_{i, k}= G ＾ (f_{i, k}) | K = 0, 1,..., N} is calculated.
e) CK_{i, j}= F_i(J) (j = 1... 2n) is calculated. User i holds two variance values. At this time, j corresponding to i is (2i-1) and (2i).
f) For all users v (v ≠ i) other than themselves,
ENC_{i, v}= P_ENC (Y_v, I‖CK_{i, 2v-1}‖CK_{i, 2v})
Is calculated.
g) ENC_{i, v}SIG (X_i, I @ ENC_{i, v}) And ENC_{i, v}To the user v.
h) F_iSIG (X_i, I‖F_i) And calculate F_iAnd to all users. Here, ‖ means connection.
[0034]
(Step 2)
a) ENC of all users v (v @ i)_{v, i}, SIG (X_v, V @ ENC_{v, i}), F_v, SIG (X_v, V‖F_v) To receive.
b) Y_vAnd SIG (X_v, V @ ENC_{v, i}) And if successful, ENC_{v, i}To X_iDecrypt with CK_{v, 2i-1}‖CK_{v, 2i}Get. If not, send Error to all users.
c) CK_2i-1= Σ_{v = 1} ⁿ  CK_{v, 2i-1}  Calculate modq.
d) CK_2i= Σ_{v = 1} ⁿ  CK_{v, 2i}  Calculate modq.
e) IK_i= G ＾ (CK_2i-1) Calculate the modp.
f) IK_i, CK_2iSIG (X_i, I‖IK_i‖CK_2i) And IK_i, CK_2iAnd to all users.
[0035]
(Step 3)
a) When the set of the own variance value and the number of the received variance value is φ,
CK = Σ_{h ∈φ}  (CK_h* L (φ, h)) modq
Is calculated. As a result, CK = Σ_{i = 1} ⁿ  R_i  modq.
[0036]
(2) Charley processing
(Step 1)
a) For i = 1,..., n, Y_iAnd SIG (X_i, I‖F_i) And SIG (X_i, I‖IK_i‖CK_2i) Is verified, and if the verification is successful, proceed to b). If the verification fails, an error is transmitted to all users, and the process ends.
b) For i = 1,... n, IK_iAnd CK_2iIs verified by the equation (1).
g ＾ (CK_j) = Π_{i = 1} ⁿ  (Π_{k = 0} ⁿ  F_{i, k}＾ (j^k)) Modp ... (1)
Π_{k = 0} ⁿ  F_{i, k}＾ (j^kModp = Π_{k = 0} ⁿ  (G ＾ (f_{i, k})) ＾ (j^k) Modp
= Π_{k = 0} ⁿ  g ＾ (f_{i, k}* J^k) Modp
= G ＾ (Σ_{k = 0} ⁿ  f_{i, k}* J^k) Modp
= G ＾ (f_i(J)) modp
= G ＾ (CK_{i, j}) Modp
Π_{i = 1} ⁿ  (G ＾ (CK_{i, j})) Modp
= G ＾ (Σ_{i = 1} ⁿ  CK_{i, j}) Modp
= G ＾ (CK_j) Modp
If the verification fails, an error is transmitted to all users, and the process ends.
c) Dialogue key
IK = Π_{i = 1} ⁿ  (IK_i ^{L ( Δ , 2i-1)}* G ＾ (CK_2i* L (Δ, 2i)) modq
Is calculated. Although verification by equation (1) and generation of IK can be performed by each user, in this example, Charley performs the verification collectively.
[0037]
Next, an outline of the configuration and functions of the interactive key sharing system will be described with reference to FIG. A user 1 (Alice) and a user 2 (Bob), which are communication terminals or the like, have a key exchange unit 7. The key exchange means 7 can calculate an asymmetric common key, which is a group secret key of the public key system, from the dialogue 4. The observer 3 (Charley), which is a center, calculates a conversation key, which is a group public key using an asymmetric symmetric key as an asymmetric secret key, from an interception means 8 capable of intercepting communication between terminals and a conversation 4 of the intercepted communication. And a conversation key calculation means 9.
[0038]
The key exchange unit 7 includes a transmission / reception unit, a random number generation unit, a calculation unit, a storage unit, and the like. The basic function of the key exchange means 7 is the same as the key exchange means in the conventional cryptographic communication system, and the detailed description is omitted. The intercepting means 8 is the same as a normal receiving means, and is not different from the conventional one. The conversation key calculation means 9 is a means for calculating a conversation key from the conversation sentence 4 using an algorithm unique to the present invention. The method for calculating the conversation key is as described above.
[0039]
Next, a specific example of the conversation key sharing method when n = 2 (threshold value 3, number of shares 4) will be described with reference to FIG. Let User 1 be Alice and User 2 be Bob. Here, for simplicity, the user ID 1 is written as Alice, and X₁To X_AliceNotation. Others are also the same.
[0040]
Alice (i = 1) is Step1,
a) Random number R_Alice(∈Z_q).
b) constant term f_{Alice, 0}Is a random number R_AliceAnd Z_qAny arbitrary second-order polynomial f_Alice(W) is generated.
f_Alice(W) = R_Alice+ F_{Alice, 1}* W¹+ F_{Alice, 2}* W²
c) Set F of verification values_AliceGenerate
F_Alice= ｛F_{Alice, k}= G ＾ (f_{Alice, k}Modp | k = 0,1,2｝
Although this is a set, it is actually represented as a number in which each element is concatenated.
d) Generate original data of the variance value.
CK_{Alice, j}= F_Alice(J) (j = 1,..., 4)
That is,
CK_{Alice, 1}= F_Alice(1) = R_Alice+ F_{Alice, 1}* 1 + f_{Alice, 2}* 1²
CK_{Alice, 2}= F_Alice(2) = R_Alice+ F_{Alice, 1}* 2 + f_{Alice, 2}* 2²
CK_{Alice, 3}= F_Alice(3) = R_Alice+ F_{Alice, 1}* 3 + f_{Alice, 2}* 3²
CK_{Alice, 4}= F_Alice(4) = R_Alice+ F_{Alice, 1}* 4 + f_{Alice, 2}* 4²
e) Encrypt the original data of the variance value.
ENC_{Alice, Bob}= P_ENC (Y_Bob, CK_{Alice, 3}‖CK_{Alice, 4})
f) Signature SIG (X_Alice, Alice @ F_Alice‖ENC_{Alice, Bob}) Is calculated.
g) concatenate each data,
Alice @ F_Alice‖ENC_{Alice, Bob}‖SIG (X_Alice, Alice @ F_Alice‖ENC_{Alice, Bob})
And sends it to Bob.
[0041]
In Step 2,
a) Receiving data from Bob, Y_BobAnd SIG (X_Bob, Bob @ F_Bob‖ENC_Bob) And ENC if successful_{Bob, Alice}To X_AliceDecrypt with CK_{Bob, 1}And CK_{Bob, 2}Get.
b) Calculate the variance value.
[0042]
CK_j= CK_{Alice, j}+ CK_{Bob, j}  modq (j = 1, 2)
That is,
CK₁= CK_{Alice, 1}+ CK_{Bob, 1}  modq
CK₂= CK_{Alice, 2}+ CK_{Bob, 2}  modq
c) Calculate the original data of the conversation key.
IK_Alice= G ＾ (CK₁) Modp
d) Signature SIG (X_Alice, Alice @ IK_Alice‖CK₂).
e) concatenate each data,
Alice @ IK_Alice‖CK₂‖SIG (X_Alice, Alice @ IK_Alice‖CK₂)
And sends it to Bob.
[0043]
In Step 3,
a) Receiving data from Bob, Y_BobAnd SIG (X_Bob, Bob @ IK_Bob‖CK₄), And if successful, compute the asymmetric secret key.
CK = CK₁* L (Δ＼ ｛3｝, 1)
+ CK₂* L (Δ＼ ｛3｝, 2)
+ CK₄* L (Δ＼ ｛3｝, 4) modq
= (CK_{Alice, 1}+ CK_{Bob, 1}  modq) * (2 / (2-1)) (4 / (4-1))
+ (CK_{Alice, 2}+ CK_{Bob, 2}  modq) * (1 / (1-2)) (4 / (4-2))
+ (CK_{Alice, 4}+ CK_{Bob, 4}  modq) * (1 / (1-4)) (2 / (2-4)) modq
= ｛(R_Alice+ F_{Alice, 1}* 1 + f_{Alice, 2}* 1²)
+ (R_Bob+ F_{Bob, 1}* 1 + f_{Bob, 2}* 1²)｝ * (8/3)
+ ｛(R_Alice+ F_{Alice, 1}* 2 + f_{Alice, 2}* 2²)
+ (R_Bob+ F_{Bob, 1}* 2 + f_{Bob, 2}* 2²)｝ * (-2)
+ ｛(R_Alice+ F_{Alice, 1}* 4 + f_{Alice, 2}* 4²)
+ (R_Bob+ F_{Bob, 1}* 4 + f_{Bob, 2}* 4²)｝ * (1/3)
= (R_Alice+ R_Bob) * ((8/3) -2+ (1/3))
+ (F_{Alice, 1}+ F_{Bob, 1}) * ((8/3) -4+ (4/3))
+ (F_{Alice, 2}+ F_{Bob, 2}) * ((8/3) -8+ (16/3))
= R_Alice+ R_Bob  modq
This calculation is an operation on GF (q).
[0044]
The procedure of Bob will be described. Here, for the sake of simplicity, the user ID 2 is written as Bob, and X₂To X_BobNotation. Others are also the same. Bob (i = 2) is Step1,
a) A random number R of about 160 bits_Bob(∈Z_q).
b) The constant term is a random number R_BobAnd Z_qAny arbitrary second-order polynomial f_Bob(W) is generated.
f_Bob(W) = f_{Bob, 0}+ F_{Bob, 1}* W¹+ F_{Bob, 2}* W²
c) Set F of verification values_BobGenerate
F_Bob= ｛F_{Bob, k}= G ＾ (f_{Bob, k}) | K = 0,1,2｝
Actually, each element is represented as a connected number.
d) Generate original data of the variance value.
CK_{Bob, j}= F_Bob(J) for j = 1, ..., 4
e) Encrypt the original data of the variance value.
ENC_{Bob, Alice}= P_ENC (Y_Alice, CK_{Bob, 1}‖CK_{Bob, 2})
f) Signature SIG (X_Bob, Bob @ F_Bob‖ENC_{Bob, Alice}) Is calculated.
g) concatenate each data,
Bob @ F_Bob‖ENC_{Bob, Alice}‖SIG (X_Bob, Bob @ F_Bob‖ENC_{Bob, Alice})
And sends it to Bob.
[0045]
In Step 2,
a) Receiving data from Alice, Y_AliceAnd SIG (X_Alice, Alice @ F_Alice‖ENC_{Alice, Bob}) And ENC if successful_{Alice, Bob}To X_BobDecrypt with CK_{Alice, 3}And CK_{Alice, 4}Get.
b) Calculate the variance value.
CK_j= CK_{Alice, j}+ CK_{Bob, j}  modq (j = 3, 4)
c) Calculate the original data of the conversation key.
IK_Bob= G ＾ (CK₃) Modp
d) Signature SIG (X_Bob, Bob @ IK_Bob‖CK₄).
e) concatenate each data,
Bob @ IK_Bob‖CK₄‖SIG (X_Bob, Bob @ IK_Bob‖CK₄)
And sends it to Bob.
[0046]
In Step 3,
a) Receiving data from Alice, Y_AliceAnd SIG (X_Alice, Alice @ IK_Alice‖CK₂), And if successful, compute the asymmetric secret key.
CK = CK₂* L (Δ＼ ｛1｝, 2)
+ CK₃* L (Δ＼ ｛1｝, 3)
+ CK₄* L (Δ＼ ｛1｝, 4) modq
= (CK_{Alice, 2}+ CK_{Bob, 2}  modq) * (3 / (3-2)) (4 / (4-2))
+ (CK_{Alice, 3}+ CK_{Bob, 3}  modq) * (2 / (2-3)) (4 / (4-3))
+ (CK_{Alice, 4}+ CK_{Bob, 4}  modq) * (2 / (2-4)) (3 / (3-4)) modq
= ｛(R_Alice+ F_{Alice, 1}* 2 + f_{Alice, 2}* 2²)
+ (R_Bob+ F_{Bob, 1}* 2 + f_{Bob, 2}* 2²)｝ * 6
+ ｛(R_Alice+ F_{Alice, 1}* 3 + f_{Alice, 2}* 3²)
+ (R_Bob+ F_{Bob, 1}* 3 + f_{Bob, 2}* 3²)｝ * (-8)
+ ｛(R_Alice+ F_{Alice, 1}* 4 + f_{Alice, 2}* 4²)
+ (R_Bob+ F_{Bob, 1}* 4 + f_{Bob, 2}* 4²)｝ * 3
= (R_Alice+ R_Bob) * (6-8 + 3)
+ (F_{Alice, 1}+ F_{Bob, 1}) * (12-24 + 12)
+ (F_{Alice, 2}+ F_{Bob, 2}) * (24-72 + 48)
= R_Alice+ R_Bob  modq
This calculation is an operation on GF (q).
[0047]
Charley in Step3,
a) Y_AliceUsing,
SIG (X_Alice, Alice @ F_Alice‖ENC_Alice)When
SIG (X_Alice, Alice @ IK_Alice‖CK₂),
Y_BobUsing,
SIG (X_Bob, Bob @ F_Bob‖ENC_Bob)When
SIG (X_Bob, Bob @ IK_Bob‖CK₄),
If successful, the processing of b) is performed.
b) F_AliceAnd F_BobUsing IK_A, CK₂And IK_B, CK₄Is verified, and if successful, the processing of c) is performed.
[0048]
c) Calculate the conversation key.
IK = IK_Alice{(L (Δ, 1)) * g} (CK₂* L (Δ, 2))
* IK_Bob{(L (Δ, 3)) * g} (CK₄* L (Δ, 4)) modp
= G ＾ (CK₁* (2 / (2-1)) (3 / (3-1)) (4 / (4-1)))
* G ＾ (CK₂* (1 / (1-2)) (3 / (3-2)) (4 / (4-2)))
* G ＾ (CK₃* (1 / (1-3)) (2 / (2-3)) (4 / (4-3)))
* G ＾ (CK₄* (1 / (1-4)) (2 / (2-4)) (3 / (3-4))) modp
= G ＾ (CK₁* 4 + CK₂* (-6) + CK₃* 4 + CK₄* (-1)) modp
= G^CK  modp
(CK₁* 4 + CK₂* (-6) + CK₃* 4 + CK₄* (-1))
= (CK_{Alice, 1}+ CK_{Bob, 1}) * 4 + (CK_{Alice, 2}+ CK_{Bob, 2}) * (-6)
+ (CK_{Alice, 3}+ CK_{Bob, 3}) * 4 + (CK_{Alice, 4}+ CK_{Bob, 4}) * (-1)
= ｛(R_Alice+ F_{Alice, 1}* 1 + f_{Alice, 2}* 1²)
+ (R_Bob+ F_{Bob, 1}* 1 + f_{Bob, 2}* 1²)｝ * 4
+ ｛(R_Alice+ F_{Alice, 1}* 2 + f_{Alice, 2}* 2²)
+ (R_Bob+ F_{Bob, 1}* 2 + f_{Bob, 2}* 2²)｝ * (-6)
+ ｛(R_Alice+ F_{Alice, 1}* 3 + f_{Alice, 2}* 3²)
+ (R_Bob+ F_{Bob, 1}* 3 + f_{Bob, 2}* 3²)｝ * 4
+ ｛(R_Alice+ F_{Alice, 1}* 4 + f_{Alice, 2}* 4²)
+ (R_Bob+ F_{Bob, 1}* 4 + f_{Bob, 2}* 4²)｝ * (-1)
= (R_Alice+ R_Bob) * (4-6 + 4-1)
+ (F_{Alice, 1}+ F_{Bob, 1}) * (4-12 + 12-4)
+ (F_{Alice, 2}+ F_{Bob, 2}) * (4-24 + 36-16)
= (R_Alice+ R_Bob)
= CK
[0049]
The safety will be described. A TC-type dialogue sentence is composed of a variance value of the asymmetric common key CK and a power-residue value using the variance value as an exponent. The share value of the asymmetric symmetric key CK is a Shamir secret sharing scheme [S79] of (threshold value n + 1, share value number 2n). Since the number of share values disclosed is n, the amount of information is Charley. Cannot recover the asymmetric symmetric key CK. Further, since finding the exponent of the power-residue value results in a discrete logarithm problem, IK_iAnd the variance value from_iIt is difficult to find a coefficient used for generating a variance value from the calculation amount.
[0050]
As described above, in the first embodiment of the present invention, the interactive key sharing system uses the key sharing protocol using the secret sharing method to secretly share the asymmetric common key among a plurality of user terminals, Is a Threshold cryptosystem (TC) type that calculates a group public key (dialogue key) corresponding to a secretly shared asymmetric common key from communication between intercepted terminals. A system can be realized.
[0051]
(Second embodiment)
According to the second embodiment of the present invention, an asymmetric common key is secretly shared between two user terminals by a key sharing protocol using the DH method, and the center secretly performs communication from the intercepted terminals. This is a Diffie-Hellman (DH) type interactive key sharing system that calculates a group public key (interactive key) corresponding to a shared asymmetric common key.
[0052]
FIG. 4 is a flowchart showing an operation procedure of the interactive key sharing system according to the second embodiment of the present invention. The basic configuration of the conversation key sharing system according to the second embodiment is the same as that of the first embodiment shown in FIG.
[0053]
The operation principle and operation procedure of the interactive key sharing system according to the second embodiment of the present invention will be described. First, an outline of the key sharing method and the conversation key generation method will be described. The DH-type interactive key sharing scheme is based on a simple key-sharing method between Alice and Bob using public key cryptography and Charley's interactive key generation method, and a verification method of an interactive sentence IM and an interactive key IK using the DH problem. Become.
[0054]
Alice's secret random number is R_Alice(∈Z_q), The conversation key source data IK_Alice(= G ＾ (R_Alice) Modp) and a random number R_AliceTo Bob's public key Y_BobAnd sends it to Bob. Bob also has the conversation key source data IK, like Alice._BobAnd the random number R_BobIs encrypted with the public key of Alice and transmitted.
[0055]
Alice and Bob use the asymmetric symmetric key CK (= R_Alice+ R_Bob  modq). Charley is the conversation key
IK = IK_Alice* IK_Bob  modp
= G ＾ (R_Alice+ R_Bob) Modp
Is calculated to obtain a conversation key IK corresponding to the asymmetric common key CK.
[0056]
Conversation sentence IM and conversation key source data IK_AliceA verification method will be described. Conversation sentence IM and conversation key source data IK_Alice, IK_BobThe purpose of the verification method is to_Alice, IK_BobA random number R corresponding to_Alice, R_BobThat Alice and Bob hold, respectively, a random number R_Alice, R_BobIt is to verify without knowing. Bob uses a random number D as a challenge._Bob(∈Z_q) Is an exponentiation residue value CHA_{Bob, Alice}(= G ＾ (D_Bob) Send modp) to Alice. Alice responds with a challenge CHA_{Bob, Alice}To a random number R_AliceRES to the power of_{Alice, bob}(= (G ＾ (D_Bob)) ＾ (R_Alice) Send modp) to Bob. Bob is the response RES_{Alice, Bob}After receiving the random number D_BobPublish.
[0057]
Charley RES_{Alice, Bob}, D_BobOnly when published in the order
RES_{Alice, Bob}≡IK_Alice＾ (D_Bob) (Modp)
Verify If successful, Alice is the conversation key source data IK_AliceA random number R corresponding to_AliceApprove to have. Random number D_BobBefore the release of_AliceWithout knowing the conversation key source data IK_Alice(= G ＾ (R_Alice) Modp) and Challenge CHA_{Bob, Alice}(= G ＾ (D_Bob) Response RES from modp)_{Alice, bob}(= (G ＾ (D_Bob)) ＾ (R_AliceComputing modp) can be reduced to a DH problem. Thus, Charley is a random number R_AliceWithout knowing Alice, random number R_AliceCan be verified.
[0058]
Next, with reference to FIG. 4, the operation procedure of the Diffie-Hellman (DH) type interactive key sharing system will be described in detail by combining the interactive key generation method, the interactive sentence, and the interactive key verification method. Note that each user can verify the expressions (2) and (3) and generate the conversation key, but in this example, Charley collectively performs the verification.
[0059]
Alice is Step1,
a) Random number R_Alice, D_Alice(∈Z_q).
b) Original data of conversation key
IK_Alice= G ＾ (R_Alice) Modp
Is calculated.
c) Challenge
CHA_{Alice, Bob}= G ＾ (D_Alice) Modp
Is calculated.
d) Signature SIG (X_Alice, Alice @ IK_Alice‖ CHA_{Alice, Bob}) And IK_Alice, CHA_{Alice, Bob}And sends it to Bob.
[0060]
Bob is in Step2,
a) Alice's public key Y_AliceAnd the signature SIG (X_Alice, Alice @ IK_Alice‖ CHA_{Alice, Bob}) Is verified, and if it fails, it ends._Bob, D_Bob(∈Z_q).
b) Original data of conversation key
IK_Bob= G ＾ (R_Bob) Modp
Is calculated.
c) Challenge
CHA_{Bob, Alice}= G ＾ (D_Bob) Modp
Is calculated.
d) Response
RES_{Bob, Alice}= CHA_{Alice, Bob}＾ (R_Bob) Modp
Is calculated.
e) Signature SIG (X_Bob, Bob @ IK_Bob‖ CHA_{Bob, Alice}‖RES_{Bob, Alice}) And IK_Bob, CHA_{Bob, Alice}, RES_{Bob, Alice}With Alice.
[0061]
Alice is Step3,
a) Bob's public key Y_BobUsing the signature SIG (X_Bob, Bob @ RES_{Bob, Alice}‖ CHA_{Bob, Alice}‖IK_Bob), Exit if unsuccessful, response if successful
RES_{Alice, Bob}= CHA_{Bob, Alice}＾ (R_Alice) Modp
Is calculated.
b) Ciphertext
ENC_{Alice, Bob}= P_ENC (Y_Bob, Alice @ R_Alice)
Is calculated.
c) Signature SIG (X_Alice, Alice @ ENC_{Alice, Bob}‖D_Alice‖RES_{Alice, Bob}) And ENC_{Alice, Bob}, D_Alice, RES_{Alice, Bob}And sends it to Bob.
[0062]
Bob is in Step4,
a) Alice's public key Y_AliceUsing the signature SIG (X_Alice, Alice @ ENC_{Alice, Bob}‖D_Alice‖RES_{Alice, Bob}) And if successful, X_BobIn ENC_{Alice, Bob}, And R_AliceGet.
b) Ciphertext
ENC_{Bob, Alice}= C_ENC (H (R_Alice), R_Bob)
Is calculated.
c) Signature SIG (X_Bob, Bob @ ENC_{Bob, Alice}‖D_Bob) And ENC_{Bob, Alice}, D_BobWith Alice.
d) Asymmetric common key
CK = R_Bob+ R_Alice  modq
Is calculated.
[0063]
Alice in Step5,
a) Y_BobUsing SIG (X_Bob, Bob @ ENC_{Bob, Alice}‖D_Bob), And if successful, H (R_Alice) In ENC_{Bob, Alice}, And R_BobGet.
b) Asymmetric common key
CK = R_Alice+ R_Bob  modq
Is calculated.
[0064]
Charley in Step5,
a) Y_AliceUsing
SIG (X_Alice, Alice @ IK_Alice‖ CHA_{Alice, Bob})When
SIG (X_Alice, Alice @ ENC_{Alice, Bob}‖D_Alice‖RES_{Alice, Bob}),
Y_BobUsing
SIG (X_Bob, Bob @ IK_Bob‖ CHA_{Bob, Alice}‖RES_{Bob, Alice})When
SIG (X_Bob, Bob @ ENC_{Bob, Alice}‖D_Bob),
If the verification is successful, b) is executed, and if the verification is not successful, Error is transmitted to Alice and Bob.
b) Formula
RES_{Alice, Bob}≡IK_Alice＾ (D_Bob) (Modp) (2)
RES_{Bob, Alice}≡IK_Bob＾ (D_Alice) (Modp) (3)
Is verified, and if it is established, c) is executed. If it is not established, Error is transmitted to Alice and Bob. That is, if established,
RES_{Alice, Bob}= CHA_{Bob, Alice}＾ (R_Alice) Modp
= (G ＾ (D_Bob)) ＾ (R_Alice) Modp
= G ＾ (D_Bob* R_Alice) Modp
IK_Alice＾ (D_Bob) Modp
= (G ＾ (R_Alice)) ＾ (D_Bob) Modp
= G ＾ (D_Bob* R_Alice) Modp
And similarly,
RES_{Bob, Alice}= CHA_{Alice, Bob}＾ (R_Bob) Modp
= (G ＾ (D_Alice)) ＾ (R_Bob) Modp
= G ＾ (D_Alice* R_Bob) Modp
IK_Bob＾ (D_Alice) Modp
= (G ＾ (R_Bob)) ＾ (D_Alice) Modp
= G ＾ (D_Alice* R_Bob) Modp
Becomes
c) Calculate the conversation key.
IK = IK_Alice* IK_Bob  modp
= G ＾ (R_Alice) * G ＾ (R_Bob) Modp
= G ＾ (R_Alice+ R_Bob) Modp
[0065]
The safety will be described. If the encryption method used is secure and the discrete logarithm problem is computationally difficult, the ciphertext ENC_iAnd the power residue value IK_iFrom Charley to R_iObtaining is obviously difficult.
[0066]
As described above, in the second embodiment of the present invention, the interactive key sharing system secretly shares an asymmetric common key between two user terminals by a key sharing protocol using the DH method, A Diffie-Hellman (DH) type, which calculates a group public key (dialogue key) corresponding to a secretly shared asymmetric common key from communication between intercepted terminals, is based on the Diffie-Hellman key sharing method. Thus, a conversation key sharing system can be realized.
[0067]
(Third embodiment)
According to the third embodiment of the present invention, an asymmetric common key is secretly shared between two user terminals by a key sharing protocol using the RSA method. This is an RSA-type interactive key sharing system that calculates a group public key (dialogue key) corresponding to a shared asymmetric common key.
[0068]
The operation principle and operation procedure of the interactive key sharing system according to the third embodiment of the present invention will be described. The basic configuration of the conversation key sharing system according to the third embodiment is the same as that of the first embodiment shown in FIG. The difference is that it is based on the principle of RSA encryption.
[0069]
U is a prime number of about 1024 bits. e is the public key of the RSA and is a number of about 16 bits. For example, e = (2¹⁶+1) (Fermer prime number). U and e are shared by all entities (user A, user B, and center). For ease of explanation, assume that user A is Alice, user B is Bob, and the center is Charley.
[0070]
Alice is Step1,
a) Random number R of about 1024 bits_Alice(1 ≦ R_Alice<U) is generated.
b) Ciphertext
ENC_{Alice, Bob}= P_ENC (Y_Bob, R_Alice)
Is calculated and transmitted to Bob.
[0071]
Bob is in Step2,
a) Asymmetric secret key X_BobUsing the ciphertext ENC_{Alice, Bob}Is decrypted.
b) A random number R of about 1024 bits_Bob(1 ≦ R_Bob<U) is generated. R_Alice* R_Bob> U.
c) Prime number Q of about 512 bits_BobGenerate If e is not a prime number, (Q_Bob-1) is relatively prime to e. Furthermore, Q_Bob* R_Bob> U.
d) Original data of conversation key
IK_Bob= Q_Bob* R_Bob  modU
Is calculated.
e) Product of random numbers
R_{Alice, Bob}= R_Alice* R_Bob  modU
And IK_BobWith Alice.
[0072]
Alice is Step3,
a) Prime number P of about 512 bits_AliceGenerate If e is not a prime number, (P_Alice-1) is relatively prime to e. R_Alice* P_Alice> U.
b) Original data of conversation key
IK_Alice= R_Alice* P_Alice  modU
Is calculated and transmitted to Bob.
c) Q_Bob= (R_Alice* IK_Bob) / R_{Alice, Bob}  Calculate modU.
d) Calculate an asymmetric secret key d satisfying the following equation.
d * e @ 1 (mod LCM (P_Alice-1, Q_Bob-1))
[0073]
Bob is in Step4,
a) P_Alice= IK_Alice/ R_Alice  Calculate modU.
b) Calculate an asymmetric secret key d satisfying the following equation.
d * e @ 1 (mod LCM (P_Alice-1, Q_Bob-1))
Thus, the asymmetric secret key d is shared.
[0074]
Charley in Step4,
a) Conversation key law
IK = (IK_Alice* IK_Bob) / R_{Alice Bob}  modU
= (R_Alice* P_Alice* Q_Bob* R_Bob) / (R_Alice* R_BobModU
= (P_Alice* Q_BobModU
Is calculated.
[0075]
The public key (conversation key) corresponding to the asymmetric secret key d is the exponent e, and the modulus is IK. If the exponent e is a prime number of about 16 bits, the secret prime P_Alice, Q_BobIs LCM (P_Alice-1, Q_Bob-1) Since it is smaller and relatively prime to it, it satisfies the RSA public key condition. If the exponent e is not a prime, the secret prime P_Alice, Q_BobTo (P_Alice-1), (Q_Bob-1) may be determined so as to be relatively prime to the power index e.
[0076]
As described above, in the third embodiment of the present invention, the interactive key sharing system secretly shares an asymmetric common key between two user terminals by a key sharing protocol using the RSA method, Since an RSA type is used to calculate a group public key (dialogue key) corresponding to a secretly shared asymmetric common key from communication between intercepted terminals, an interactive key sharing system based on RSA encryption can be realized.
[0077]
(Fourth embodiment)
In the fourth embodiment of the present invention, an asymmetric common key is secretly shared between a plurality of user terminals by a key sharing protocol. This is a call content certification system that calculates a group public key (conversation key) corresponding to a key and verifies a signature using an asymmetric common key with the conversation key.
[0078]
FIG. 5 is a configuration diagram of a call content certification system according to the fourth embodiment of the present invention. In FIG. 5, a verifier 10 is a person who requests a user to verify the contents of a call. The dialogue storage unit 11 is a unit that stores a dialogue between users. The signature verification unit 12 is a unit that verifies the user's signature with the conversation key. Other basic configurations are the same as those of the first embodiment shown in FIG.
[0079]
The operation procedure of the call contents certification system according to the fourth embodiment of the present invention configured as described above will be described. First, the application of the conversation key will be described. As an application in which a conversation key is effective, proof of call contents (contract etc.) is considered. Here, the call content proof is an application that enables a third party to confirm the call content by adding a signature to the call content between a plurality of users.
[0080]
Generally, in the conventional call content certification, a Trusted Authority or a signature of each caller is added. Therefore, there is a possibility that a plurality of signatures are added to the content of the call, and the first signer does not know who will sign later. Therefore, this call content proof is not necessarily suitable for contracts and the like. In order to solve this, it is conceivable to add a signature using an asymmetric secret key shared by all the callers. However, unlike a conversation key, a public key obtained by a signature verifier in the conventional Simple Method cannot be used for such a purpose because it is not known when and who shared the key.
[0081]
In the present invention, a conversation key is used, and a condition is added that "Charley securely records the conversation text and the contents of the conversation and publishes them on demand." The set of {Alice and Bob, Charley} assumes {GW of mobile phone and communication carrier}, and {Server or Proxy of PC and ISP}. An example of a call content proof between Alice and Bob using a conversation key is shown.
[0082]
With reference to FIG. 5A, a procedure for registering the contents of a call in Example 1 will be described.
1. Alice and Bob ask Charley for observation.
2. Alice and Bob talk IM_AliceAnd IM_BobAre exchanged, and the asymmetric common key CK is shared.
3. Alice uses the ciphertext CT generated as follows._Alice, Signature SM_AliceI, SM_{Alice II}, Fingerprint FP_AliceTo Bob.
3-1. Call text PT_AliceFrom fingerprint FP_Alice(= H (PT_Alice)).
3-2. Call text PT_AliceIs encrypted with the asymmetric common key CK or the conversation key IK, and the ciphertext CT_AliceGenerate
3-3. Asymmetric secret key X_AliceAnd the asymmetric common key CK,_Alice‖H (CT_Alice) Signature SM_AliceI, SM_{Alice II}Generate
4. Bob uses the ciphertext CT generated similarly to Alice._Bob, Signature SM_BobI, SM_{Bob II}, Fingerprint FP_BobTo Alice.
5. The recipient (Alice) uses the ciphertext CT_BobFrom call text PT_BobTo obtain H (PT_Bob) = Check FP, then sign SM_BobI, SM_{Bob II}Verify Recipient (Bob) uses ciphertext CT_AliceFrom call text PT_AliceTo obtain H (PT_Alice) = FP_AliceAfter confirming the signature SM_AliceI, SM_{Alice II}Verify
6. Charley is IM_Alice, IM_Bob, CT_Alice, CT_Bob, FP_Alice, FP_Bob, SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Alice II}Save.
[0083]
With reference to FIG. 5A, the procedure of the call content verification of Example 1 will be described.
1. The verifier requests Alice or Bob for a call proof.
2. Alice or Bob asks Charley to certify the call contents.
3. Alice or Bob is a call PT_Alice, PT_BobPublish.
4. Charley is IM_Alice, IM_Bob, CT_Alice, CT_Bob, FP_Alice, FP_Bob, SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Alice II}Publish.
5. The verifier uses the interactive text IM_Alice, IM_BobGenerates a conversation key IK from the_Alice, PT_BobFrom fingerprint FP_Alice, FP_BobGenerate
6. Verifier is FP_Alice, FP_Bob, CT_Alice, CT_Bob, IK, Y_Alice, Y_BobUsing the signature SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Bob II}And if the verification is successful, the call sentence PT_Alice, PT_BobAccept.
[0084]
With reference to FIG. 5B, a procedure for registering the contents of a call in Example 2 will be described. The difference from Example 1 is that a cipher text CT and a signature for H (PT) are transmitted.
1. Alice and Bob ask Charley for observation.
2. Alice and Bob talk IM_AliceAnd IM_BobAre exchanged, and the asymmetric common key CK is shared.
3. Alice uses the ciphertext CT generated as follows._AliceAnd signature SM_AliceI, SM_{Alice II}To Bob.
3-1. Call text PT_AliceFrom, H (PT_Alice).
3-2. Call text PT_AliceIs encrypted with the conversation key IK and the ciphertext CT_AliceGenerate
3-3. Secret key X_AliceAnd H (PT_Alice) Signature SM_AliceI, SM_{Alice II}Generate
4. Bob uses the ciphertext CT generated similarly to Alice._BobAnd signature SM_BobI, SM_{Bob II}To Alice.
6. Charley is IM_Alice, IM_Bob, CT_Alice, CT_Bob, SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Bob II}Save.
[0085]
With reference to FIG. 5B, a description will be given of the procedure of the call content verification of the second example. The difference from Example 1 is that Charley calculates the ciphertext CT from the published call text PT, calculates H (CT) from the ciphertext CT, and verifies the signature.
1. The verifier requests Alice or Bob for a call proof.
2. Alice or Bob asks Charley to certify the call contents.
3. Alice or Bob is a call PT_Alice, PT_BobPublish.
4. Charley is IM_Alice, IM_Bob, CT_Alice, CT_Bob, SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Bob II}Publish.
5. Charley is a call IM_Alice, IM_BobGenerates the conversation key IK from
6. Charley is a publicized PT_Alice, PT_BobTo ciphertext CT_Alice, CT_BobIs calculated, and the ciphertext CT_Alice, CT_BobTo H (CT_Alice), H (CT_Bob) To calculate the conversation key IK and the public key Y._Alice, Y_BobUsing the signature SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Bob II}Verify
7. If the verification is successful, the verifier can call PT_Alice, PT_BobAccept.
[0086]
With reference to FIG. 5B, a procedure for registering the contents of a call in Example 3 will be described. The difference from Example 1 is that signatures for the call texts PT and H (PT) are transmitted.
1. Alice and Bob ask Charley for observation.
2. Alice and Bob talk IM_AliceAnd IM_BobAre exchanged, and the asymmetric common key CK is shared.
3. Alice uses the ciphertext CT generated as follows._AliceAnd signature SM_AliceI, SM_{Alice II}To Bob.
3-2. Call text PT_AliceIs encrypted with the asymmetric common key CK or the conversation key IK and the ciphertext CT_AliceGenerate
3-3. Asymmetric secret key X_AliceAnd H (PT_Alice) Signature SM_AliceI, SM_{Alice II}Generate
4. Bob uses the ciphertext CT generated similarly to Alice._BobAnd signature SM_BobI, SM_{Bob II}To Alice.
5. The recipient (Alice or Bob) obtains the call text PT from the ciphertext CT, generates H (PT), and then verifies the signature.
6. Charley is IM_Alice, IM_Bob, CT_Alice, CT_Bob, FP_Alice, FP_Bob, SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Alice II}Save.
[0087]
With reference to FIG. 5B, the procedure of the call content verification of Example 3 will be described. The difference from Example 1 is that Charley calculates H (PT) from the call text PT and verifies the signature.
1. The verifier requests Alice or Bob for a call proof.
2. Alice or Bob asks Charley to certify the call contents.
3. Alice or Bob is a call PT_Alice, PT_BobPublish.
4. Charley is IM_Alice, IM_Bob, CT_Alice, CT_Bob, SM_AliceI, SM_{Alice II}, SM_{Bo bI}, SM_{Alice II}Publish.
5. Charley is a dialogue IM_Alice, IM_BobGenerates the conversation key IK from
6. Charley is a PT_Alice, PT_BobTo H (PT_Alice), H (PT_Bob), The conversation key IK and the public key Y_Alice, Y_BobUsing the signature SM_AliceI, SM_{Alice II}, SM_BobI, SM_{Bob II}Verify
7. If the verification is successful, the verifier can call PT_Alice, PT_BobAccept.
[0088]
Example 4 is a method of adding a signature of a recipient. In Examples 1 to 3, a signature using its own asymmetric secret key X is created for information (for example, FP, CT, PT) transmitted by Alice or Bob, and sent back to the sender.
[0089]
When the center (observer Charley) is Certificate Authority, it can also be used for an application that issues a public key certificate for a conversation key. Since the center (observer Charley) may be not only a prover but also a verifier, the center and the verifier may be integrated.
[0090]
As described above, in the fourth embodiment of the present invention, the call content certification system uses a key sharing protocol to secretly share an asymmetric common key among a plurality of user terminals, and the center establishes a communication between the intercepted terminals. , A group public key (conversation key) corresponding to the secret shared asymmetric common key is calculated, and the signature using the asymmetric common key is verified with the conversation key. Can be proved.
[0091]
(Fifth embodiment)
The fifth embodiment of the present invention is a call content certification system using a DH-type interactive key generation method for three or more users connected by a ring-type communication channel.
[0092]
FIG. 6 is a flowchart showing an operation procedure of the interactive key sharing system according to the fifth embodiment of the present invention. An example when the number of users is 5 is shown. The basic configuration of the conversation key sharing system according to the fifth embodiment is the same as that of the first embodiment shown in FIG. 2, but three or more users are connected by a ring communication channel. The points are different. In FIG. 6, since details are omitted, there is a part different from the description.
[0093]
The operation procedure of the call contents certification system according to the fifth embodiment of the present invention configured as described above will be described. In order to assume a ring communication channel, n (n ≧ 3) users are classified into the following three types.
Starter: a user who starts communication, and has a user ID of 1.
Relay: a user who relays communication, and user IDs are 2,..., N-1.
Terminator: a user who ends communication, and the user ID is n.
[0094]
Let λ be a set of all user IDs. That is,
λ = {1, 2,..., n}
ε_iIs a set of IDs of the users 2,..., I. That is,
ε_i= {2, ..., i}
δ_iIs a set of user IDs of users 1, i + 2,..., N. That is,
δ_i= Λ-ε_{i + 1}= {1, i + 2, ..., n}
[0095]
An example in which n = 5 will be described with reference to FIG.
In Step S1, the user 1 sets a random number R₁And D₁(∈Z_q) To generate the conversation key
IK₁= G ＾ (R₁) Modp
And the challenge
CHA₁= G ＾ (D₁) Modp
Is calculated and transmitted to the user 2.
[0096]
In Step R11, the user 2 enters a random number R₂(∈Z_q) To generate the conversation key
IK₂= G ＾ (R₂) Modp
And calculate the response
RES₂= CHA₁＾ (R₂) Modp
To calculate IK₂And RES₂And CHA₁Is transmitted to the user 3.
In Step R21, the user 3 enters the random number R₃(∈Z_q) To generate the conversation key
IK₃= G ＾ (R₃) Modp
And calculate the response
RES₃= CHA₁＾ (R₃) Modp
To calculate IK₃And RES₃And CHA₁Is transmitted to the user 4.
In Step R31, the user 4 enters the random number R₄(∈Z_q) To generate the conversation key
IK₄= G ＾ (R₄) Modp
And calculate the response
RES₄= CHA₁＾ (R₄) Modp
To calculate IK₄And RES₄And CHA₁Is transmitted to the user 5.
[0097]
In Step T1, the user 5 enters a random number R₅And D₅(∈Z_q) To generate the conversation key
IK₅= G ＾ (R₅) Modp
Calculate and challenge
CHA₅= G ＾ (D₅) Modp
And calculate the response
RES₅= CHA₁＾ (R₅) Modp
To calculate IK₅And CHA₅And RES₅Is transmitted to the user 1.
[0098]
In Step S2, the user 1 responds
RES₁= CHA₅＾ (R₁) Modp
And calculate RES₁And D₁Is transmitted to the user 2.
[0099]
In Step R12, the user 2
ENC_2,3= P_ENC (Y₃, 2 @ R₂)
Is calculated and transmitted to the user 3.
In StepR22, the user 3 uses the ciphertext
ENC_2,3= P_ENC (Y₃, 2 @ R₂)
With the asymmetric secret key X₃Decrypt using R₂Therefore, user 3 obtains (R₂, R₃). Cryptogram
ENC_3,4= P_ENC (Y₄, 3‖R₂+ R₃  modq)
Is calculated and transmitted to the user 4.
In Step R32, the user 4
ENC_3,4= P_ENC (Y₄, 3‖R₂+ R₃  modq)
With the asymmetric secret key X₄Decrypt using R₂+ R₃User 4, (R₂+ R₃, R₄). Cryptogram
ENC_4,5= P_ENC (Y₅, 4 @ R₂+ R₃+ R₄  modq)
Is calculated and transmitted to the user 5.
[0100]
At Step T2, the user 5
ENC_4,5= P_ENC (Y₅, 4 @ R₂+ R₃+ R₄  modq)
With the asymmetric secret key X₅Decrypt using R₂+ R₃+ R₄Therefore, the user 5 obtains (R₂+ R₃+ R₄, R₅). Cryptogram
ENC_5,1= P_ENC (Y₁, 5‖R₂+ R₃+ R₄+ R₅  modq)
And calculate the random number D₅At the same time, it transmits to user 1.
[0101]
In Step S3, the user 1
ENC_5,1= P_ENC (Y₁, 5‖R₂+ R₃+ R₄+ R₅  modq)
With the asymmetric secret key X₁Decrypt using R₂+ R₃+ R₄+ R₅Therefore, user 1 obtains (R₁, R₂+ R₃+ R₄+ R₅). Asymmetric secret key
CK = R₁+ R₂+ R₃+ R₄+ R₅  modq
Is calculated. Cryptogram
ENC_1,2= P_ENC (Y₂, 1 @ R₁+ R₃+ R₄+ R₅  modq)
Is calculated and transmitted to the user 2.
[0102]
In StepR13, the user 2
ENC_1,2= P_ENC (Y₂, 1 @ R₁+ R₃+ R₄+ R₅  modq)
With the asymmetric secret key X₂Decrypt using R₁+ R₃+ R₄+ R₅Therefore, user 2 obtains (R₁+ R₃+ R₄+ R₅, R₂). Asymmetric secret key
CK = R₁+ R₂+ R₃+ R₄+ R₅  modq
Is calculated. Cryptogram
ENC_2,3= C_ENC (H (R₂), R₁+ R₄+ R₅  modq)
Is calculated and transmitted to the user 3.
In Step R23, the user 3
ENC_2,3= C_ENC (H (R₂), R₁+ R₄+ R₅  modq)
With the hash value H (R_i-1) And decrypt using R₁+ R₄+ R₅Therefore, user 3 obtains (R₁+ R₄+ R₅, R₂, R₃). Asymmetric secret key
CK = R₁+ R₂+ R₃+ R₄+ R₅  modq
Is calculated. Cryptogram
ENC_3,4= C_ENC (H (R₂+ R₃), R₁+ R₅  modq)
Is calculated and transmitted to the user 4.
At Step R33, the user 4
ENC_3,4= C_ENC (H (R₂+ R₃  modq), R₁+ R₅  modq)
With the hash value H (R₂+ R₃  modq) to decrypt and₁+ R₅User 4, (R₁+ R₅, R₂+ R₃, R₄). Asymmetric secret key
CK = R₁+ R₂+ R₃+ R₄+ R₅  modq
Is calculated. Cryptogram
ENC_4,5= C_ENC (H (R₂+ R₃+ R₄  modq), R₁  modq)
Is calculated and transmitted to the user 5.
[0103]
In Step T3, the user 5
ENC_4,5= C_ENC (H (R₂+ R₃+ R₄  modq), R₁  modq)
With the hash value H (R₂+ R₃+ R₄  modq) to decrypt and₁Therefore, the user 5 obtains (R₁, R₂+ R₃+ R₄, R₅). Asymmetric secret key
CK = R₁+ R₂+ R₃+ R₄+ R₅  modq
Is calculated.
[0104]
In Step O1, the center is RES₂,…, RES₅Has been released since D₁, RES₁Is released, and then D₅Confirm that has been released. In Step O2, the center
RES₂* RES₃* RES₄* RES₅≡ (IK₂* IK₃* IK₄* IK₅) ＾ (D₁) (Modp)
RES₁≡IK₁＾ (D₅) (Modp)
Check. In StepO3, the center confirms all confirmations,
IK = IK₁* IK₂* IK₃* IK₄* IK₅  modp
= G ＾ (R₁+ R₂+ R₃+ R₄+ R₅) Modp
Is calculated.
[0105]
A case where there are n users and no verification is described. Let p be a prime number, q be a prime factor of (p-1), and g be an element of GF (q) whose order is q. The center is previously shared with users 1 to n (n ≧ 3) with p, q, and g as fixed parameters. X_iIs the asymmetric secret key of the user i. Y_iTo X of user i_iThe public key for. Let P_ENC (y, m) be a function that uses the public key y to encrypt the plaintext m into a ciphertext that can be decrypted with the asymmetric secret key corresponding to the public key y using the public key method. Let C_ENC (K, m) be a function that encrypts plaintext m with a symmetric secret key K into a ciphertext that can be decrypted with the symmetric secret key K. Let H be a hash function. This is a conversation key sharing method in which communication between n terminals capable of exchanging an asymmetric common key is intercepted at a center and a conversation key which is a group public key using the asymmetric common key as an asymmetric secret key is calculated.
[0106]
In Step S1, the user 1 sets a random number R₁(∈Z_q) To generate the conversation key
IK₁= G ＾ (R₁) Modp
Is calculated and transmitted to the user 2.
[0107]
In Step R1, the user 2 enters a random number R₂(∈Z_q) To generate the conversation key
IK₂= G ＾ (R₂) Modp
Calculate the ciphertext
ENC_2,3= P_ENC (Y₃, 2 @ R₂)
To calculate IK₂And ENC_2,3Is transmitted to the user 3.
When n ≧ 4, the user i (3 ≦ i ≦ n−1) receives a random number R_i(∈Z_q) To generate the conversation key
IK_i= G ＾ (R_i) Modp
Calculate the ciphertext
ENC_{i-1, i}= P_ENC (Y_i, I-1}_{j ∈ε i-1}R_j)
With the asymmetric secret key X_iDecrypt using Σ_{j ∈ε i-1}R_jGet the ciphertext
ENC_{i, i + 1}= P_ENC (Y_{i + 1}, I‖Σ_{j ∈ε i}R_j)
To calculate IK_iAnd ENC_{i, i + 1}To the user i + 1. Hereinafter, similar processing is sequentially performed for the users i + 1 to n-1.
[0108]
In Step T1, the user n sets a random number R_n(∈Z_q) To generate the conversation key
IK_n= G ＾ (R_n) Modp
Calculate the ciphertext
ENC_{n-1, n}= P_ENC (Y_n, N-1}_{j ∈ε n-1}R_j)
With the asymmetric secret key X_nDecrypt using Σ_{j ∈ε n-1}R_jGet the ciphertext
ENC_{n, 1}= P_ENC (Y₁, N}_{j ∈ε n}R_j)
To calculate IK_nAnd ENC_{n, 1}Is transmitted to the user 1.
[0109]
At Step S2, the user 1
ENC_{n, 1}= P_ENC (Y₁, N}_{j ∈ε n}R_j)
With the asymmetric secret key X₁Decrypt using Σ_{j ∈ε n}R_jTo obtain an asymmetric secret key
CK = R₁+ R₂+ ... + R_n  modq
Is calculated. Cryptogram
ENC_1,2= P_ENC (Y₂, 1‖Σ_{j ∈δ 1}R_j)
Is calculated and transmitted to the user 2.
[0110]
In Step R2, the user 2
ENC_1,2= P_ENC (Y₂, 1‖Σ_{j ∈δ 1}R_j)
With the asymmetric secret key X₂Decrypt using Σ_{j ∈δ 1}R_jTo obtain an asymmetric secret key
CK = R₁+ R₂+ ... + R_n  modq
Is calculated. Cryptogram
ENC_2,3= C_ENC (H (R₂) 、 Σ_{j ∈δ 2}R_j)
Is calculated and transmitted to the user 3.
When n≥4, the user i (3≤i≤n-1)
ENC_{i-1, i}= C_ENC (H (Σ_{j ∈ε i-1}R_j) 、 Σ_{j ∈δ i-1}R_j)
With the hash value H (Σ_{j ∈ε i-1}R_j) To decrypt using Σ_{j ∈δ i-1}R_jTo obtain an asymmetric secret key
CK = R₁+ R₂+ ... + R_n  modq
Is calculated. Cryptogram
ENC_{i, i + 1}= C_ENC (H (Σ_{j ∈ε i}R_j) 、 Σ_{j ∈δ i}R_j)
Is calculated and transmitted to the user i + 1. Hereinafter, similar processing is sequentially performed for the users i + 1 to n-1.
[0111]
In Step T2, the user n is ciphertext
ENC_{n-1, n}= C_ENC (H (Σ_{j ∈ε n-1}R_j) 、 Σ_{j ∈δ n-1}R_j)
With the hash value H (Σ_{j ∈ε n-1}R_j) To decrypt using Σ_{j ∈δ n-1}R_jGet. Asymmetric secret key
CK = R₁+ R₂+ ... + R_n  modq
Is calculated.
[0112]
In Step C1, the center sets the conversation key
IK = IK₁* IK₂* ・ ・ ・ * IK_n  modp
= G ＾ (R₁+ R₂+ ... + R_n) Modp
Is calculated.
[0113]
A case in which there are n users and verification is performed will be described. The following Steps are assumed to proceed in the order of S1 → R1 (n−2 steps) → T1 → S2 → R2 (n−2 steps) → T2 → S3 → R3 (n−2 steps).
[0114]
Starter (user 1)
In Step S1, a random number R₁, D₁∈Z_qGenerate Original data of conversation key
IK₁= G ＾ (R₁) Mod p
And the challenge
CHA₁= G ＾ (D₁) Mod p
Is calculated, and user 2 is given an IK₁And CHA₁Send IK₁And CHA₁Can be pre-calculated.
[0115]
Response at Step S2
RES₁= CHA_n＾ (R₁) Modp
Is calculated, and user 2 is given D₁And RES₁Send
[0116]
In Step S3, the ciphertext
ENC_{n, 1}= P_ENC (Y₁, N}_{i ∈ε n}R_i  modq)
With the asymmetric secret key X₁Decrypt using Σ_{i ∈ε n}R_iGet. Cryptogram
ENC_1,2= P_ENC (Y₂, 1‖Σ_{i ∈δ 1}R_i  modq)
Is calculated and transmitted to the user 2.
[0117]
Relay (user i, 2 ≦ i ≦ n−1)
In Step R1, a random number R_i∈Z_qGenerate the conversation key source data
IK_i= G ＾ (R₁) Modp
And the response
RES_i= CHA₁＾ (R_i) Modp
Is calculated and IK is given to user i + 1._iAnd RES_iAnd CHA₁Send IK_iCan be pre-calculated. This process is sequentially performed for the users 2 to n-1.
[0118]
In Step R2, when n ≧ 4, the user i (3 to n−1)
ENC_{i-1, i}= P_ENC (Y_i, I-1}_{j ∈ε i-1}R_j  modq)
With the asymmetric secret key X_iDecrypt using Σ_{j ∈ε i-1}R_jGet.
The user i (2-n-1) is
ENC_{i, i + 1}= P_ENC (Y_{i + 1}, I‖Σ_{j ∈ε i}R_j  modq)
Is calculated and transmitted to the user i + 1. This process is sequentially performed for the users 2 to n-1.
[0119]
In Step R3, the user 2
ENC_1,2= P_ENC (Y₂, 1‖Σ_{i ∈δ 1}R_i  modq)
With the asymmetric secret key X₂Decrypt using Σ_{i ∈δ 1}R_iGet.
When n ≧ 4, the user i (3 to n−1) is
ENC_{i-1, i}= C_ENC (H (Σ_{j ∈ε i-1}R_j  modq), Σ_{j ∈δ i-1}R_j  modq)
With the hash value H (Σ_{j ∈ε i-1}R_j  modq) and decrypt it._{j ∈δ i-1}R_jGet.
The user i (2-n-1) is
ENC_{i, i + 1}= C_ENC (H (Σ_{j ∈ε i}R_j  modq), Σ_{j ∈δ i}R_j  modq)
Is calculated and transmitted to the user i + 1. This process is sequentially performed for the users 2 to n-1.
[0120]
Terminator (user n)
In Step T1, a random number R_n, D_n∈Z_qGenerate Original data of conversation key
IK_n= G ＾ (R_n) Modp
And the challenge
CHA_n= G ＾ (D_n) Modp
And the response
RES_n= CHA₁＾ (R_n) Modp
Is calculated. IK_nAnd CHA_nCan be pre-calculated. IK_nAnd RES_nAnd CHA_nSend
[0121]
In Step T2, cipher text
ENC_{n-1, n}= C_ENC (H (Σ_{j ∈ε n-1}R_j  modq), Σ_{j ∈δ n-1}R_j  modq)
With the hash value H (Σ_{j ∈ε n-1}R_j  modq) and decrypt it._{j ∈δ n-1}R_jGet. Cryptogram
ENC_{n, 1}= P_ENC (Y₁, N}_{i ∈ε n}R_i  modq)
, And D_nTo the user 1.
[0122]
Observer (center) is (RES) in Step O1.₂, ..., RES_n) → (D₁, RES₁) → D_nConfirm that they are published in the order of. In Step O2,
Π_{i ∈ε n}RES_i≡ (Π_{i ∈ε n}IK_i) ＾ (D₁) (Modp)
RES₁≡IK₁＾ (D_n) (Modp)
Check.
In Step O3, if the confirmation in Step O1 and Step O2 is OK,
IK = Π_{i ∈λ}  IK_i  modp
Is calculated.
[0123]
After calculating the asymmetric symmetric key CK, each terminal performs a verification equation.
Π_{i = 1} ⁿIK_i{G} (CK) (modp)
Is verified, and if not satisfied, the center is notified. This is necessary to confirm that the correspondence between the actually shared asymmetric common key CK and the conversation key IK accepted by the center is correct.
[0124]
A digital signature of the sender can be added to all outgoing messages, and the receiver can receive the message only if the signature is successfully verified. After the center calculates the conversation key, a public key certificate for the conversation key can be issued. The public key certificate for the conversation key can be encrypted with the conversation key and sent to the user who shared the conversation key. The user can perform the same verification as the center.
[0125]
When using the El Gamal encryption function as the public key encryption function P_ENC (•), the IK_i(1 ≦ i ≦ n) can be used in place of the modular exponentiation value of the random number in El Gamal encryption. A public key cryptographic function P_ENC (•) can be used instead of the symmetric secret key cryptographic function C_ENC (•). An operation on a finite field can be calculated in correspondence with an operation on an elliptic curve.
[0126]
The user may be a mobile phone in a mobile phone system, and the center may be a gateway or a base station of a communication carrier of the mobile phone system. The user may be a terminal having an Internet connection function such as a PC / PDA, and the center may be a web server or a proxy server or a router. The user can be a terminal having a local communication function such as a PC / PDA, and the center can be a specific terminal or a LAN server. When there are a plurality of centers, the user can communicate via the plurality of centers.
[0127]
As described above, in the fifth embodiment of the present invention, the call content certification system is configured to use the DH-type interactive key generation method for three or more users connected by a ring-type communication path, so that the efficiency is improved. The number of users can be expanded to three or more without lowering the number of users.
[0128]
【The invention's effect】
As is apparent from the above description, according to the present invention, a center of a key exchange system including a plurality of terminals having key exchange means capable of calculating an asymmetric common key and a center intercepts communication between terminals. Means and a means for calculating a conversation key which is a group public key using an asymmetric common key as an asymmetric secret key from intercepted communication. Can be verified, and it is possible to know when and who secretly shared the asymmetric common key corresponding to the conversation key.
[Brief description of the drawings]
FIG. 1 is a conceptual diagram of a conversation key sharing system according to a first embodiment of the present invention;
FIG. 2 is a configuration diagram of a conversation key sharing system according to the first embodiment of the present invention;
FIG. 3 is a flowchart showing an operation procedure of the conversation key sharing system according to the first embodiment of the present invention;
FIG. 4 is a flowchart showing an operation procedure of the interactive key sharing system according to the second embodiment of the present invention;
FIG. 5 is a configuration diagram of a conversation key sharing system according to a fourth embodiment of the present invention;
FIG. 6 is a flowchart showing an operation procedure of an interactive key sharing system according to a fifth embodiment of the present invention;
FIG. 7 is a flow chart showing a procedure of a conventional call content certification.
[Explanation of symbols]
1 user (Alice)
2 User (Bob)
3 Observer (Charley)
4 Dialogue sentences
5 Asymmetric secret key
6 conversation key
7 Key exchange means
8 Interception means
9 Conversation key calculation means
10 Verifier
11 Dialogue storage means
12 Signature verification means

Claims (30)

In a key exchange system comprising a plurality of terminals having a key exchange unit capable of calculating an asymmetric common key (a group secret key of a public key system) and a center, the center is an interception unit capable of intercepting communication between the terminals. And a means for calculating a conversation key which is a group public key using the asymmetric common key as an asymmetric secret key from the intercepted communication. Let p be a prime number, q be a prime factor of (p-1), g be an element of GF (q) whose order is q, and let p, q, g be fixed parameters and be shared in advance by all entities. And i (1 ≦ i ≦ n; n is an integer of 2 or more) is the ID of the user i, X _i is the asymmetric secret key of the user i, Y _i is the public key of the user i for X _i , and P_ENC ( y, m) is a function of encrypting the plaintext m by the public key method into a ciphertext that can be decrypted by the public key y using the asymmetric secret key corresponding to the public key y, and C_ENC (K, m) is defined as a function for encrypting a symmetric secret key method by symmetric secret key K plaintext m to ciphertext that can be decrypted by K, L ([psi, w) and, with respect to the set [psi and integer w L (Ψ, w) = Π t ∈ _{Ψ＼ ｛w｝} t / (tw) modq
Calculates a conversation key that is a group public key using the Lagrange interpolation coefficient defined as In the conversation key sharing method
In Step 1, each user i (i = 1... N)
a) Generate a random number R _i (∈Z _q )
b) Any n-order polynomial f _i (w) on Z _{q
^{f i (w) = f i}} , 0 * w 0 + f i, 1 * w 1 + · + f i, n * w n
And f _{i, 0} = R _i ,
c) Original data CK _{i, j} = f _i (j) of the asymmetric common key (j = 1... 2n)
And hold two variance values CK _{i, 2i-1} and CK _{i, 2i} ,
d) For all the users v (v ≠ i) other than the user i itself, the ciphertext ENC _{i, v} = P_ENC (Y _v , i‖CK _{i, 2v-1} ‖CK _{i, 2v} )
And sends it to user v,
In Step 2, each user i (i = 1... N)
a) receiving ENC _{v, i} of all users v (v ≠ i) other than user i,
b) ciphertext _{ENC v,} the _i decrypted by the asymmetric secret key _{X i,} to give _{CK v, 2i-1 ‖CK v} , the _2i,
c) original data of the asymmetric common key ^{_{CK 2i-1 = Σ v =}} 1 n CK v, 2i-1 modq
CK _2i = Σ _{v = 1} ⁿ CK _{v, 2i} modq
And calculate
d) Original data of conversation key IK _i = g ＾ (CK _2i−1 ) modp
And calculate
e) sending IK _i , CK _2i to all users v (v ≠ i) other than user i,
In Step 3, each user i (i = 1... N)
a) A set of the variance value number held by the user i and the received variance number is φ = {2i-1, 2, 4,..., 2n}.
As the asymmetric common key CK = Σ _{h ∈φ} (CK _h * L (φ, h)) modq
= Σ _{i = 1} ⁿ R _i modq
And calculate
The center is
a) Receiving IK _i and CK _2i of each user,
b) A set Δ of variance numbers is represented by Δ = {1, 2, 3,..., 2n}.
As a conversation key ^{_{IK = Π i = 1 n {}} IK i ^ (L (Δ, 2i-1)) * g ^ (CK 2i * L (Δ, 2i))} modp
= G ＾ (CK) modp
A conversation key sharing method characterized by calculating Let p be a prime number, q be a prime factor of (p-1), g be an element of GF (q) whose order is q, and let p, q, g be fixed parameters and be shared in advance by all entities. And i (1 ≦ i ≦ n; n is an integer of 2 or more) is the ID of the user i, X _i is the asymmetric secret key of the user i, Y _i is the public key of the user i for X _i , and P_ENC ( y, m) is a function of encrypting the plaintext m by the public key method into a ciphertext that can be decrypted by the public key y using the asymmetric secret key corresponding to the public key y, and C_ENC (K, m) is defined as a function for encrypting a symmetric secret key method by symmetric secret key K plaintext m to ciphertext that can be decrypted by K, L ([psi, w) and, with respect to the set [psi and integer w L (Ψ, w) = Π t ∈ _{Ψ＼ ｛w｝} t / (tw) modq
Calculates a conversation key that is a group public key using the Lagrange interpolation coefficient defined as In the conversation key sharing method
In Step 1, each user i (i = 1... N)
a) Generate a random number R _i (∈Z _q )
b) Any n-order polynomial f _i (w) on Z _{q
^{f i (w) = f i}} , 0 * w 0 + f i, 1 * w 1 + · + f i, n * w n
And f _{i, 0} = R _i ,
c) Verification value F _i = {F _{i, k} = g} (f _{i, k} ) | k = 0,1,..., n}
Is calculated and sent to all users,
d) Original data CK _{i, j} = f _i (j) of the asymmetric common key (j = 1... 2n)
And hold two variance values CK _{i, 2i-1} and CK _{i, 2i} ,
e) Ciphertext ENC _{i, v} = P_ENC (Y _v , iεCK _{i, 2v−1} ‖CK _{i, 2v} ) for all users v (v ≠ i) other than user i itself
And sends it to user v,
In Step 2, each user i (i = 1... N)
a) receiving the _{ENC v,} i, _{F v} of all other than the user i own user v (v ≠ i),
b) ciphertext _{ENC v,} the _i decrypted by the asymmetric secret key _{X i,} to give _{CK v, 2i-1 ‖CK v} , the _2i,
c) original data of the asymmetric common key ^{_{CK 2i-1 = Σ v =}} 1 n CK v, 2i-1 modq
CK _2i = Σ _{v = 1} ⁿ CK _{v, 2i} modq
And calculate
d) Original data of conversation key IK _i = g ＾ (CK _2i−1 ) modp
And calculate
e) sending IK _i , CK _2i to all users v (v ≠ i) other than user i,
In Step 3, each user i (i = 1... N)
a) A set of the variance value number held by the user i and the received variance number is φ = {2i-1, 2, 4,..., 2n}.
As the asymmetric common key CK = Σ _{h ∈φ} (CK _h * L (φ, h)) modq
= Σ _{i = 1} ⁿ R _i modq
And calculate
The center is
a) Each user of _{F i,} IK i, receives the _{CK 2i, i = 1, ·} , n contrast, the g ^ IK _i and _{CK 2i (CK j) = Π} i = 1 n (Π k = 0 ⁿ F _{i, k} ＾ (j ^k )) modp
If verification is not successful, send an error message to all users and exit. If verification is successful,
b) conversation key ^{_{IK = Π i = 1 n {}} IK i ^ (L (Δ, 2i-1)) * g ^ (CK 2i * L (Δ, 2i))} modp
= G ＾ (CK) modp
A conversation key sharing method characterized by calculating Let p be a prime number, q be a prime factor of (p-1), g be an element of GF (q) whose order is q, and use the above-mentioned p, q, g as fixed parameters for user A, user B, and center. is previously shared by the X _a and asymmetric private key of the user a, and the X _B and asymmetric private key of the user B, the public key Y _a for X _a of the user a, X _B of the user B to Y _B And P_ENC (y, m) as a function of encrypting plaintext m with a public key y into a ciphertext that can be decrypted with an asymmetric secret key corresponding to public key y using a public key method, and C_ENC (K, m) is a function that encrypts the plaintext m into a ciphertext that can be decrypted with the symmetric secret key K using the symmetric secret key K using the symmetric secret key system, H is a hash function, and two units capable of exchanging the asymmetric common key are used. The communication between the terminals at the center In the interactive key sharing method for calculating the conversation key is a group public key and asymmetric private key Tsukagi,
In Step 1, the user A
a) Generate a random number R _A (∈Z _q )
b) dialogue key of the original data _{IK A = g ^ (R A} ) modp
And sends it to User B,
In step 2, user B
a) Generate a random number R _B (∈Z _q )
b) dialogue key of the original data _{IK B = g ^ (R B} ) modp
And sends it to user A,
In step 3, user A
a) Ciphertext ENC _{A, B} = P_ENC (Y _B , A‖R _A )
And sends it to User B,
In step 4, user B
decoding the _{ENC A, B} with the a) asymmetric secret key _{X B,} to obtain a random number _{R A,}
b) ciphertext _{ENC B, A = C_ENC (H} (R A), R B)
And sends it to user A,
c) an asymmetric common key _CK = _R B + _R A _modq
And calculate
In Step 5, the user A
decoding the _{ENC B, A} using a) the hash value H _{(R A),} to obtain a random number _{R B,}
b) Asymmetric symmetric key CK = R _A + R _B modq
And calculate
In Step 5, the center
a) dialogue key _IK = _{IK A} * _IK B modp
= G ＾ (R _A + R _B ) modp
A conversation key sharing method characterized by calculating Let p be a prime number, q be a prime factor of (p-1), g be an element of GF (q) whose order is q, and use the above-mentioned p, q, g as fixed parameters for user A, user B, and center. is previously shared by the X _a and asymmetric private key of the user a, and the X _B and asymmetric private key of the user B, the public key Y _a for X _a of the user a, X _B of the user B to Y _B And P_ENC (y, m) as a function of encrypting plaintext m with a public key y into a ciphertext that can be decrypted with an asymmetric secret key corresponding to public key y using a public key method, and C_ENC (K, m) is a function that encrypts the plaintext m into a ciphertext that can be decrypted with the symmetric secret key K using the symmetric secret key K using the symmetric secret key system, H is a hash function, and two units capable of exchanging the asymmetric common key are used. The communication between the terminals at the center In the interactive key sharing method for calculating the conversation key is a group public key and asymmetric private key Tsukagi,
In Step 1, the user A
a) Generate random numbers R _A and D _A (∈Z _q )
b) dialogue key of the original data _{IK A = g ^ (R A} ) modp
And calculate
c) challenge _{CHA A, B = g ^ (} D A) modp
And calculate
Send _d) IK _{A, CHA} A, _B to user B,
In step 2, user B
a) Generate random numbers R _B , D _B (∈Z _q )
b) dialogue key of the original data _{IK B = g ^ (R B} ) modp
And calculate
c) Challenge CHA _{B, A} = g ＾ (D _B ) modp
And calculate
d) response _{RES B, A = CHA A,} B ^ (R B) modp
And calculate
Send _{e) IK B, RES B,} A, CHA B, _A to user A,
In step 3, user A
a) Response RES _{A, B} = CHA _{B, A} ＾ (R _A ) modp
And calculate
b) Ciphertext ENC _{A, B} = P_ENC (Y _B , A‖R _A )
And calculate
Send _{c) ENC A, B, D} A, RES A, _B to user B,
In step 4, user B
a) Decrypt ENC _{A, B} with asymmetric secret key X _B to obtain random number _RA ,
b) ciphertext _{ENC B, A = C_ENC (H} (R A), R B)
And calculate
Send _{c) ENC B,} A, and _{D B} to the user A,
d) asymmetric common key _CK = _R B + _R A _modq
And calculate
In Step 5, the user A
decoding the _{ENC B, A} using a) the hash value H _{(R A),} to obtain a random number _{R B,}
b) Asymmetric symmetric key CK = R _A + R _B modq
And calculate
In Step5 center, a random number after the challenge _(D A, D _B) only when is published,
a) Based on the data obtained by intercepting the communication,
_{RES A, B ≡IK A ^ (} D B) (modp)
_{RES B, A ≡IK B ^ (} D A) (modp)
It is verified whether or not is established. If it is not established, an error is transmitted to the user A and the user B, and if it is established,
b) interactive key _IK = _{IK A} * _IK B modp
= G ＾ (R _A + R _B ) modp
A conversation key sharing method characterized by calculating And prime the U, the e and RSA public key, said U, allowed to share in advance e to users A and B and the center, the X _A and asymmetric private key of the user A, the X _B of the user B asymmetric asymmetry and private key, and public key _{Y a} for _{X a} of the user a, and the public key of _{Y B} for _{X B} of the user B, P_ENC the (y, m), the public key y, corresponding to the public key y A function for encrypting a plaintext m by a public key method into a ciphertext that can be decrypted with a secret key, intercepting a communication between two terminals capable of exchanging an asymmetric common key at a center and converting the asymmetric common key to an asymmetric secret In a conversation key sharing method for calculating a conversation key, which is a group public key,
In Step 1, the user A
a) Generate a random number R _A (1 ≦ R _A <U),
b) Ciphertext ENC _{A, B} = P_ENC (Y _B , _RA )
And sends it to User B,
In step 2, user B
decodes the _{ENC A, B} using a) asymmetric secret key _{X B,}
b) Generate a random number R _B (1 ≦ R _Bob <U) so that R _A * R _B >U;
c) Generate a prime Q _Bob such that (Q _Bob -1) and the public key e are prime to each other and Q _Bob * R _Bob > U,
d) Original data of conversation key IK _Bob = Q _Bob * R _Bob modU
And calculate
e) a random number of the product _{R A, B = R A *} R B modU
And sends it to User A with IK _Bob ,
In step 3, user A
a) Generate a prime number P _A such that (P _A -1) and the public key e are relatively prime and R _A * P _A > U,
b) dialogue key of the original data _{IK A = R A * P A} modU
And sends it to User B,
c) a random number of the user _{B Q B = (R A *} IK B) / R A, B modU
Calculate and get
d) equation _{d * e≡1 (mod LCM (P} A -1, Q B -1))
Asymmetric secret key d that satisfies
In step 4, user B
a) prime numbers of user _{A P A = IK A / R} A modU
Calculate and get
b) equation _{d * e≡1 (mod LCM (P} A -1, Q B -1))
Asymmetric secret key d that satisfies
In Step 4, the center
a) dialogue key _{IK = (IK A * IK B} ) / R A, B modU
A conversation key sharing method characterized by calculating 4. The interactive key sharing according to claim 3, wherein when El Gamal encryption is used as the public key encryption P_ENC (•), Fi _{, 0} is used in place of the modular exponentiation value of the random number in El Gamal encryption. Method. A plurality of terminals having key exchange means capable of calculating an asymmetric common key, an interception means capable of intercepting communication between the terminals, and a dialog being a group public key using the asymmetric common key as an asymmetric secret key from the intercepted communication; A key exchange system comprising: a center having a means for calculating a key, wherein the center securely records a dialogue sentence and a call content, and publishes it on demand, and makes the call content registration possible. ask the observation to all users center to join, each user i sends a dialogue IM _i to all other users to share an asymmetric common key CK, each user i, fingerprint FP from the call statement PT _{i i} (= H (PT _i )), and encrypts the call text PT _i with the asymmetric common key CK or the conversation key IK to generate the cipher text CT _i and uses the asymmetric secret key X _i and the asymmetric common key CK. And each F _i ‖H (CT _i) for signing _{SM iI,} generates _{SM iii,} generated ciphertext CT _i, signatures _{SM iI, SM iii,} transmits a fingerprint FP _i to all other users, each user ciphertext to obtain a call statement PT _i from CT _i, to verify the signature after confirming the _{H (PT i) = FP i} , center, of all users _{IM i, CT i, FP i} , SM iI, the _{SM iII} The verifier requests the user i for the call contents proof, the user i requests the center for the call contents proof, all the users publish PT _i , and the center checks the IM _i and CT of all the users. _i , FP _i , SM _iI , SM _iII , and the verifier generates a conversation key IK from the conversation text IM _{i of} all users, generates a fingerprint FP _i from the call text PT _i , and generates a fingerprint FP _i from the cipher text CT _i. H (CT _i ) and calculate the conversation key I A _method for verifying signatures SM _iI , SM _iII using K and public keys Y _i of all users, and accepting a call text PT _i if the verification is successful, the method for certifying a call content using a conversation key. A plurality of terminals having key exchange means capable of calculating an asymmetric common key, an interception means capable of intercepting communication between the terminals, and a dialog being a group public key using the asymmetric common key as an asymmetric secret key from the intercepted communication; In a method for certifying a call in a key exchange system comprising: a center having a means for calculating a key, the center securely records a dialogue sentence and a call, and publishes the conversation as requested, and registers the call in a call registration. ask the observation to all users center to join, each user i sends a dialogue IM _i to all other users to share an asymmetric common key CK, each user i, interactive call statement PT _i key to generate a CT _i encrypted with IK, using an asymmetric private key _{X i} and asymmetric common key CK, signature _SM iI for H (CT _i) respectively _to generate _{SM iii,} generated ciphertext CT _i, signed Send SM _iI, the _{SM iII} to all other users, the center, all users of _{IM i, CT i, SM iI} , to save the _{SM iII,} verifier, to request the call content proving to user i, the user i is, ask the call content proving to the center, all users, to publish a call statement PT _i, center, all users of _{IM i, CT i, SM iI} , publish the _{SM iII,} interactive statement of all users to generate a dialogue key IK from IM _i, using the conversation key IK to compute the cipher text CT _i from the call statement PT _i, from the ciphertext CT _i to calculate the H (CT _i), interactive key IK and all users A _method for verifying signatures SM _iI and SM _iII using Y _i of ( ₁₎ , and a verifier accepting the call text (PT _i) if the verification is successful. A plurality of terminals having key exchange means capable of calculating an asymmetric common key, an interception means capable of intercepting communication between the terminals, and a dialog being a group public key using the asymmetric common key as an asymmetric secret key from the intercepted communication; In a method for certifying a call in a key exchange system comprising: a center having a means for calculating a key, the center securely records a dialogue sentence and a call, and publishes the conversation as requested, and registers the call in a call registration. all users to participate are asked to observe the center, each user i sends a dialogue IM _i to all other users to share an asymmetric common key CK, each user i, asymmetric secret key X _i and asymmetric using the common key CK, signature _SM iI for H (PT _{i), respectively,} to generate a _{SM iii,} send the call statement PT _i, signatures _{SM iI,} the _{SM iii} to all other users, center, complete healing The of _{IM i, PT i, SM iI} , to save the _{SM iII,} verifier, to request the call content proving to user i, user i, ask the call content proving to the center, all users, call statement The center publishes PT _i , the center publishes IM _i , PT _i , SM _iI , SM _iII of all users, calculates H (PT _i ) from the call text PT _i , and _obtains H (PT _i ) from the conversation text IM _{i of} all users. It generates a conversation key IK, verifies the signatures SM _iI and SM _iII using the conversation key IK and the public keys Y _i of all users, and if the verification is successful, the verifier accepts the call text PT _i. A call content proof method using a conversation key. 11. The method according to claim 8, wherein the center and the verifier are integrated. When the signature of the received information is correct and the content of the PT is accepted, the user _{j applies} the signature SM _jIII using its own asymmetric secret key _Xj to the information (eg, FP, CT, PT) transmitted by the user _{#. 11. The} contents of the conversation according to claim 8, wherein the center stores the signature SM _jIII and publishes it together with another message when requested. Proof method. Let p be a prime number, q be a prime factor of (p-1), g be an element of GF (q) whose order is q, and p, q, g be fixed parameters, and user 1 to user n (n ≧ 3) and is previously shared center, the _{X i} and asymmetric private key of the user i, and a public key of _{Y i} for _{X i} of user i, P_ENC the (y, m), the public key y, published A function for encrypting the plaintext m into a ciphertext that can be decrypted with the asymmetric secret key corresponding to the key y by a public key method, and C_ENC (K, m) is converted into a ciphertext that can be decrypted with the symmetric secret key K and the plaintext m is symmetrically secreted. Let H be a hash function, λ be a set of all user IDs {1, 2,..., N} and ε _{i be} a set of user IDs {2, ..., and i}, a set of user ID and _{δ i {1, i + 2} , ···, n _{(= Λ-ε i + 1} ) and then, calculates the conversation key is a group public key to an asymmetric private key the asymmetric common key communication intercepts at the center between the asymmetric common key exchange is n number possible of the terminal In the conversation key sharing method,
Step S1: The user 1 generates a random number R ₁ (∈Z _q ), and generates conversation key original data IK ₁ = g ＾ (R ₁ ) modp
Is calculated and sent to user 2,
Step R1: User 2 generates a random number R ₂ (∈Z _q ), and generates conversation key original data IK ₂ = g ＾ (R ₂ ) modp
, And the ciphertext ENC _2,3 = P_ENC (Y ₃ , 2‖R ₂ )
Is calculated and sent to user 3,
The user i (3 ≦ i ≦ n−1) generates a random number R _i (∈Z _q ), and generates conversation key original data IK _i = g ＾ (R _i ) modp.
The calculated ciphertext _{ENC i-1, i = P_ENC} (Y i, i-1‖Σ j ∈ε i-1 R j)
_Is decrypted using the asymmetric secret key X _i to obtain Σ _{j ε i-1} R _j , and the ciphertext ENC _{i, i + 1} = P_ENC (Y _{i + 1} , i‖Σ _{j ∈ε i} R _j )
And sends it to user i + 1,
Step T1: The user n generates a random number R _n (∈Z _q ) and generates the conversation key original data IK _n = g ＾ (R _n ) modp
The calculated ciphertext _{ENC n-1, n = P_ENC} (Y n, n-1‖Σ j ∈ε n-1 R j)
_Is decrypted using the asymmetric secret key X _n to obtain Σ _{j ∈ε n-1} R _j , and the ciphertext ENC _{n, 1} = P_ENC (Y ₁ , n‖Σ _{j ∈ε n} R _j )
Is calculated and sent to user 1,
StepS2: user 1 ciphertext _{ENC n, 1 = P_ENC (Y} 1, n‖Σ j ∈ε n R j)
_Is decrypted using the asymmetric secret key X ₁ to obtain Σ _{j ∈ε n} R _j , and the asymmetric common key CK = R ₁ + R ₂ +... + R _n modq
Is calculated, and the ciphertext ENC _1,2 = P_ENC (Y ₂ , 1‖Σ _{j ∈δ 1} R _j )
Is calculated and sent to user 2,
StepR2: User 2 ciphertext _{ENC 1,2 = P_ENC (Y 2,} 1‖Σ j ∈δ 1 R j)
_Is decrypted using the asymmetric secret key X ₂ to obtain Σ _{j ∈δ 1} R _j , and the asymmetric common key CK = R ₁ + R ₂ +... + R _n modq
, And the ciphertext ENC _2,3 = C_ENC (H (R ₂ ), Σ _{j ∈δ 2} R _j )
Is calculated and transmitted to the user 3, and when n ≧ 4,
The user i (3 ≦ i ≦ n−1) receives the ciphertext ENC _{i−1, i} = C_ENC (H (Σ _{j ∈ε i−1} R _j ), Σ _{j ∈δ i−1} R _j )
_Is decrypted using a hash value H (Σ _{j ∈ε i-1} R _j ) to obtain Σ _{j ∈δ i-1} R _j , and the asymmetric symmetric key CK = R ₁ + R ₂ +... + R _n modq
, And the ciphertext ENC _{i, i + 1} = C_ENC (H (Σ _{j ∈ε i} R _j ), Σ _{j ∈δ i} R _j )
And sends it to user i + 1,
Step T2: The user n has ciphertext ENC _{n−1, n} = C_ENC (H (Σ _{j ∈ε n−1} R _j ), Σ _{j ∈δ n−1} R _j )
_Is decrypted using a hash value H (Σ _{j ∈ε n-1} R _j ) to obtain Σ _{j ∈δ n-1} R _j , and the asymmetric common key CK = R ₁ + R ₂ +... + R _n modq
And calculate
Step C1: The center sets the conversation key IK = IK ₁ * IK ₂ *... * IK _n modp
= G ＾ (R ₁ + R ₂ +... + R _n ) modp
A conversation key sharing method characterized by calculating Let p be a prime number, q be a prime factor of (p-1), g be an element of GF (q) having order q, and p, q, g be fixed parameters, and user 1 to user n (n ≧ 3) and is previously shared center, the _{X i} and asymmetric private key of the user i, and a public key of _{Y i} for _{X i} of user i, P_ENC the (y, m), the public key y, published A function for encrypting the plaintext m into a ciphertext that can be decrypted with the asymmetric secret key corresponding to the key y by a public key method, and C_ENC (K, m) is converted into a ciphertext that can be decrypted with the symmetric secret key K and the plaintext m is symmetrically secreted. Let H be a hash function, λ be a set of all user IDs {1, 2,..., N} and ε _{i be} a set of user IDs {2 , ..., a i}, a set of the [delta] _i user ID {1, i + 2, ···, _{} (= Λ-ε i +} 1) and then, calculates the conversation key is a group public key of the asymmetric common key communication intercepts at the center between the asymmetric common key exchange is n stand capable terminal and an asymmetric private key In the conversation key sharing method
Step S1: User 1 generates random numbers R ₁ , D ₁ ({Z _q ), and generates the conversation key original data IK ₁ = g ＾ (R ₁ ) modp
And the challenge CHA ₁ = g ＾ (D ₁ ) modp
And sends IK ₁ and CHA ₁ to user 2,
Step R1: The user i (3 ≦ i ≦ n−1) generates a random number R _i (∈Z _q ), and generates the conversation key original data IK _i = g ＾ (R _i ) modp
RES _i = CHA ₁ ＾ (R _i ) modp
And sends IK _i , RES _i, and CHA ₁ to user i + 1,
Step T1: User n generates random numbers R _n , D _n (∈Z _q ), and generates conversation key original data IK _n = g ＾ (R _n ) modp
And the challenge CHA _n = g ＾ (D _n ) modp
RES _n = CHA ₁ ＾ (R _n ) modp
And sends IK _n , RES _n, and CHA _n to user 1,
Step S2: The user 1 makes a response RES ₁ = CHA _n ＾ (R ₁ ) modp
And sends RES ₁ and D ₁ to user 2,
Step R2: The user 2 has the ciphertext ENC _2,3 = P_ENC (Y ₃ , 2‖R ₂ )
Is calculated and transmitted to the user 3, and when n ≧ 4,
The user i (3 ≦ i ≦ n−1) has the ciphertext ENC _{i−1, i} = P_ENC (Y _i , i−1‖Σ _{j εε i−1} R _j )
_Is decrypted using the asymmetric secret key X _i to obtain Σ _{j ε i-1} R _j , and the ciphertext ENC _{i, i + 1} = P_ENC (Y _{i + 1} , i‖Σ _{j ∈ε i} R _j )
And sends it to user i + 1,
StepT2: user n is ciphertext _{ENC n-1, n = P_ENC} (Y n, n-1‖Σ j ∈ε n-1 R j)
_Is decrypted using the asymmetric secret key X _n to obtain Σ _{j ∈ε n-1} R _j , and the ciphertext ENC _{n, 1} = P_ENC (Y ₁ , n‖Σ _{j ∈ε n} R _j )
And sends ENC _{n, 1} and D _n to user 1,
StepS3: user 1 ciphertext _{ENC n, 1 = P_ENC (Y} 1, n‖Σ j ∈ε n R j)
_Is decrypted using the asymmetric secret key X ₁ to obtain Σ _{j ∈ε n} R _j , and the asymmetric common key CK = R ₁ + R ₂ +... + R _n modq
Is calculated, and the ciphertext ENC _1,2 = P_ENC (Y ₂ , 1‖Σ _{j ∈δ 1} R _j )
Is calculated and sent to user 2,
StepR3: The user 2 has the ciphertext ENC _1,2 = P_ENC (Y ₂ , 1‖Σ _{j ∈δ 1} R _j )
_Is decrypted using the asymmetric secret key X ₂ to obtain Σ _{j ∈δ 1} R _j , and the asymmetric common key CK = R ₁ + R ₂ +... + R _n modq
, And the ciphertext ENC _2,3 = C_ENC (H (R ₂ ), Σ _{j ∈δ 2} R _j )
Is calculated and sent to user 3,
The user i (3 ≦ i ≦ n−1) receives the ciphertext ENC _{i−1, i} = C_ENC (H (Σ _{j ∈ε i−1} R _j ), Σ _{j ∈δ i−1} R _j )
_Is decrypted using a hash value H (Σ _{j ∈ε i-1} R _j ) to obtain Σ _{j ∈δ i-1} R _j , and the asymmetric symmetric key CK = R ₁ + R ₂ +... + R _n modq
, And the ciphertext ENC _{i, i + 1} = C_ENC (H (Σ _{j ∈ε i} R _j ), Σ _{j ∈δ i} R _j )
And sends it to user i + 1,
Step T3: The user n uses the ciphertext ENC _{n−1, n} = C_ENC (H (Σ _{j ∈ε n−1} R _j ), _{ｊ j ∈δ n−1} R _j )
_Is decrypted using a hash value H (Σ _{j ∈ε n-1} R _j ) to obtain Σ _{j ∈δ n-1} R _j , and the asymmetric common key CK = R ₁ + R ₂ +... + R _n modq
And calculate
Step C1: The center receives the RES _i , D ₁ and D _n of each user, verifies that the RES ₂ ,..., RES _n , D ₁ , RES ₁ , and D _n are released in that order, and the verification fails. If so, send an error message to all users and exit, if verification is successful,
StepC2: The center is
Ｉ _{i ∈ε 1} RES _i ≡ (Π _{i ∈ε 1} IK _i ) ＾ (D ₁ ) (modp)
_{RES 1 ≡IK 1 ^ (D n} ) (modp)
If the verification fails, send an error message to all users and exit. If the verification is successful,
Step C3: The center establishes a conversation key IK = Π _{i ∈λ} IK _i modp
A conversation key sharing method characterized by calculating Conversation key sharing method according to claim 13, wherein the previously calculated original data IK ₁ ~IK _n conversation key in advance. Conversation key sharing method according to claim 14, wherein the previously calculated original data _IK 1 _{~IK n} and Challenge CHA ₁ and CHA _n dialogue key in advance. The response calculation in Step C2 is
_{RES 1 ≡IK 1 ^ (D n} ) (modp)
_{RES 2 ≡IK 2 ^ (D 1} ) (modp), ···,
_{RES n ≡IK n ^ (D 1} ) (modp)
The method according to claim 14, wherein the method is performed individually. In Step 1, each user i (i = 1... N)
a) Generate a random number R _i (∈Z _q )
b) Any n-order polynomial f _i (w) on Z _{q
^{f i (w) = f i}} , 0 * w 0 + f i, 1 * w 1 + · + f i, n * w n
And f _{i, 0} = R _i ,
c) Verification value F _i = {F _{i, k} = g} (f _{i, k} ) | k = 0,1,..., n}
4. The method according to claim 3, wherein is calculated in advance. After calculating the asymmetric symmetric key CK, each terminal calculates a verification formula ^{ _{i = 1} ⁿ IK _i {g} (CK) (modp)
15. The interactive key sharing method according to claim 14, wherein the verification is performed, and if the verification is not satisfied, the center is notified. 15. The method according to claim 2, wherein a digital signature of the sender is added to all transmitted messages, and the receiver receives the message only when the signature is successfully verified. Conversation key sharing method. In the case of using the encryption function of the public key system encryption function P_ENC (·) as El Gamal _encryption, IK _A, IK _B or _{IK i (1 ≦ i ≦ n} ) the random number of modular exponentiation value of El Gamal encryption 15. The conversation key sharing method according to claim 4, wherein the conversation key sharing method is used instead. 15. The interactive key sharing method according to claim 4, wherein a public key cryptographic function P_ENC (•) is used instead of the symmetric secret key cryptographic function C_ENC (•). The interactive key sharing method according to any one of claims 2 to 5, wherein the center issues a public key certificate for the interactive key after calculating the interactive key. 24. The interactive key sharing method according to claim 23, wherein the public key certificate for the interactive key is encrypted with the interactive key and transmitted to the user who shared the interactive key. 25. The conversation key sharing method according to claim 2, wherein the user is a mobile phone in a mobile phone system, and the center is a gateway or a base station of a communication carrier of the mobile phone system. 25. The interactive key sharing method according to claim 2, wherein the user is a terminal having an Internet connection function such as a PC / PDA, and the center is a web server, a proxy server, or a router. . 25. The interactive key sharing method according to claim 2, wherein the user is a terminal having a local communication function such as a PC / PDA, and the center is a specific terminal or a LAN server. 25. The conversation key sharing method according to claim 2, wherein there are a plurality of the centers, and the user communicates via the plurality of centers. The method according to any one of claims 2 to 8, wherein the calculation on the finite field is calculated in correspondence with the calculation on the elliptic curve. 15. The conversation key sharing method according to claim 3, wherein the user performs the same verification as the center.

Images