JP2004513542A - Method and system for processing customer requests - Google Patents

Abstract

The present invention provides a method and system for securely processing a customer's source request.
The source request can be sent to at least one first entity. The method for processing the source request comprises: a) transmitting the source request from a customer to the or each first entity; and b) transmitting the or each first entity to a computer. And c) adding information about the originating request by the or each first entity upon receipt of the originating request, thereby creating a first modified request. And d) transmitting at least a portion of the first modified request to at least a computer-based entity; and e) at least one of the first modified request by the computer-based entity. Using a computer from at least a portion of the first modified request after receiving the F) transmitting at least a portion of the computer-generated entity result to the or each first entity; and g) transmitting the computer-generated entity result to the Or obtaining a first entity result therefrom and transferring at least a portion thereof after receipt by each respective first entity; and h) receiving at least a portion of said first entity result by said customer. And obtaining customer results therefrom.
[Selection diagram] Fig. 1

Description

については何も知ることはなく、送信者はσについての情報は何ももたない。
【００４８】
より正確には、アリスは送信者として機能し、ボブは彼の入力の全てのビットｙ_ｉについて値Ｋ’_ｉ＝Ｋ_ｊ，ｙｉを得るが、
【数２】

については何も知ることはない。同時に、アリスは、ｙ_ｉについては何も知ることはない。
【００４９】
さらに、アリスは、ｉ＝１、・・・、ｎｘに対して、Ｌ’_ｉ＝Ｌ_ｉ、ｘｉとしてｘを表す鍵を計算し、ｅ、Ｌ’_１、・・・、Ｌ’_ｎｘ、ｕをボブに送る。
【００５０】
（ＩＩＩ）この第２のアルゴリズム評価（ｅ、Ｌ’_１、・・・、Ｌ’_ｎｘ、Ｋ’_１、・・・Ｋ’_ｎｙ）は、暗号化の回路、ｘの表記、および対応する鍵によるｙの表記を、入力として使用する。この評価によって、ボブがｚを回復できる、鍵Ｕ’_１、・・・、Ｕ’_ｎｚを出力し、アリスとボブがこのプロトコルに従う場合は、ｚ＝ｇ（ｘ、ｙ）となる。
【００５１】
この第１のアルゴリズム構造（ｃｏｎｓｔｒｕｃｔ）および第２のアルゴリズム評価（ｅｖａｌｕａｔｅ）の実施は、たとえばＯ．Ｇｏｌｄｒｅｉｃｈ、Ｓ．ＧｏｌｄｗａｓｓｅｒおよびＳ．Ｍｉｃａｌｉよって「Ｈｏｗ ｔｏ ｃｏｎｓｔｒｕｃｔ ｒａｎｄｏｍ ｆｕｎｃｔｉｏｎｓ」、Ｊｏｕｒｎａｌ ｏｆ ｔｈｅ ＡＣＭ ３３ （１９８６年）、　ｎｏ． ４， ７９２ − ８０７で提示されるような、ブロック暗号によって実際に実現できる、擬似ランダム関数によって実現できる。ブロック暗号は、ソフトウェアで実施する場合でさえ、非常に高速の暗号関数である。
【００５２】
以下に、この暗号化の回路構造を、一つのもしくは第１のエンティティをもつ安全なモバイルコード計算を実現するために、どのように使用するかを説明する。複数のエンティティに拡張することは、後で考慮する。
【００５３】
このコンピュータ使用エンティティＴは、暗号化方式の公開鍵を発行する。対応する暗号化および解読の操作は、それぞれ、Ｅ_Ｔ（・）およびＤ_Ｔ（・）で示す。全てのエンティティは、安全な承認されたリンクを介して通信でき、これは、標準の公開鍵暗号およびデジタル署名を使用することによって実現できる。
【００５４】
基本的な機構は、Ｏが、２つの値ξおよびｚを計算する、暗号化の回路ｅを構築することである。このコード発信元Ｏは、ｅを第１のエンティティＨに送信するが、Ｔのために、ｋにある全ての鍵を暗号化し、ξに対応するｕ内には、鍵の対（ｕ_ｘで示す）は含めない。その結果、第１のエンティティＨは、ξに付いて何も知ることはない。次に、第１のエンティティＨは、ｙを表す暗号化の鍵をｋから選択し、コンピュータ使用エンティティＴを関与させて、対話的な一つのラウンド内で、それを解読する。次いで、この第１のエンティティＨは、この回路を評価し、ｚを得る。この場合、この第１のエンティティＨは、また、回路からξを決定できるＯに対して、ξの表記を出力する回路内の鍵を戻す。
【００５５】
Ｃを、前述の部分の表記を僅かに変更した、（ｎ_ｘ＋ｎ_ｙ）個の入力ビットｘ_１、・・・、ｘ_ｎｘ、ｙ_１、・・・、ｙ_ｎｙの同じ入力、および（ｎ_ｘ＋ｎ_ｚ）個の出力ビットξ_１、・・・、ξ_ｎｘ、ｚ_１、・・・、ｚ_ｎｚから、（ξ、ｚ）＝（ｇ（ｘ、ｙ）、ｈ（ｘ、ｙ））を計算するバイナリ回路とする。この方式は、以下に説明するように、５つのステップ１）から５）で処理する。
【００５６】
１）Ｏは計算を独自に識別するストリングｉｄ、たとえばＯの名前、ｇおよびｈの記述、および、シーケンスカウンタなど含むｉｄを、選択する。Ｏは構造（ｃｏｎｓｔｒｕｃｔ）（Ｃ）を呼び出し、ｕが、合計（ｎ_ｘ＋ｎ_ｙ）個の鍵の対を含む、前述したような（ｅ、ｌ、ｋ、ｕ）を得る。ｕ_ｘはインデックス１、・・、ｎ_ｘをもつｕの対を示し、ｕ_ｚは、インデックスｎ_ｘ＋１、・・・、ｎ_ｘ＋ｎ_ｚをもつｕの対を示す。
【００５７】
ｉ＝１、・・・、ｎ_ｙおよびｂ∈｛０，１｝に対し、以下の式を計算する。
【数３】

【００５８】
ｋが、前述した全てのＫの対のリストを示すとする。次いで、Ｏは、前述のように、ｉ＝１、・・・、ｎ_ｘに対してＬ’_ｉ＝Ｌ_ｉ、ｘｉとし、第１のエンティティＨに、ｉｄ、ｅ、Ｌ’_１、・・・、Ｌ’ｎ_ｘ、ｋ、ｕを送る。
【００５９】
２）第１のエンティティＨは、ｉ＝１、・・・ｎ_ｙに対して、
【数４】

を、自身の入力ｙを表す暗号として設定し、これらを、ｉｄとともに、コンピュータ使用エンティティＴに送信する。
【００６０】
３）コンピュータ使用エンティティＴは、ｉ＝１、・・・、ｎ_ｙに対して
【数５】

を解読し、ｉ番目の解読されたストリングが、識別子ｉｄおよびインデックスｉを含んでいることを、検証する。全てのチェックが成功である場合は、このコンピュータ使用エンティティＴは、解読鍵Ｋ’_１、・・・Ｋ’ｎ_ｙを、この第１のエンティティＨに戻す。
【００６１】
４）第１のエンティティＨは、第２のアルゴリズムの評価（ｅ、Ｌ’_１、・・・、Ｌ’_ｎｘ、Ｋ’_１、・・・、Ｋ’_ｎｙ）に関与し、Ｕ’_１、・・・Ｕ’_{ｎｘ＋ｎｚ}を得る。次いで、この第１のエンティティＨは、ｉ＝１、・・・、ｎ_ｚに対してＵ_{ｎｘ＋ｉ、ｚｉ}＝Ｕ’_ｎｘ＋ｉとなるような、ｚ＝（ｚ_１、・・・、ｚ_ｎｚ）を決定し、残りの値Ｕ’_１、・・・、Ｕ’_ｎｘを、コード発信元Ｏに転送する。
【００６２】
５）コード発信元Ｏは、ｉ＝１、・・・、ｎｘに対して、Ｕ_ｉ、ξｉ＝Ｕ’_ｉとなるような、出力ξ＝（ξ_１、・・・、ξ_ｎｘ）を決定する。
【００６３】
セキュリティの増強には、コンピュータ使用エンティティＴは、適応可能な選択暗号文への攻撃に対して安全である、これは柔軟性の欠如を意味するが、公開鍵暗号システムを使用しなければならず、これは、Ｄ．Ｄｏｌｅｖ、Ｃ．ＤｗｏｒｋおよびＭ．Ｎａｏｒによって、「Ｎｏｎ−ｍａｌｌｅａｂｌｅ ｃｒｙｐｔｏｇｒａｐｈｙ」、ＳＩＡＭ Ｊｏｕｒｎａｌ ｏｎ Ｃｏｍｐｕｔｉｎｇ ３０ （２０００年）、 ｎｏ．２， ３９１−４３７に記載されている。コード発信元Ｏおよび第１のエンティティＨは、また、その入力を委託しなければならない。実際のシステムでは、これらの全ては、たとえば、Ｍ．ＢｅｌｌａｒｅおよびＰ．Ｒｏｇａｗａｙによって「Ｒａｎｄｏｍ ｏｒａｃｌｅｓ ａｒｅ ｐｒａｃｔｉｃａｌ： Ａ ｐａｒａｄｉｇｍ ｆｏｒ ｄｅｓｉｇｎｉｎｇ ｅｆｆｉｃｉｅｎｔ ｐｒｏｔｏｃｏｌｓ」、Ｐｒｏｃ． １ｓｔ ＡＣＭ Ｃｏｎｆｅｒｅｎｃｅ ｏｎ Ｃｏｍｐｕｔｅｒ ａｎｄ Ｃｏｍｍｕｎｉｃａｔｉｏｎｓ ｓｅｃｕｒｉｔｙ， １９９３年に、記載された、安全なハッシュ関数を使用した、いわゆる「ｒａｎｄｏｍ ｏｒａｃｌｅ ｍｏｄｅｌ」で、実現できる。この場合には、公開鍵暗号方式および回路暗号用の擬似ランダム関数が、Ｍ．ＮａｏｒおよびＯ．Ｒｅｉｎｇｏｌｄによって、「Ｎｕｍｂｅｒ−ｔｈｅｏｒｅｔｉｃ ｃｏｎｓｔｒｕｃｔｏｎｓ ｏｆ ｅｆｆｉｃｉｅｎｔ ｐｓｅｕｄｏ−ｒａｎｄｏｍ ｆｕｎｃｔｉｏｎｓ」、 Ｐｒｏｃ． ３８ｔｈ ＩＥＥＥ Ｓｙｍｐｏｓｉｕｍ ｏｎ Ｆｏｕｎｄａｔｉｏｎｓ ｏｆ Ｃｏｍｐｕｔｅｒ Ｓｃｉｅｎｃｅ （ＦＯＣＳ）、 １９９７年に、記載された、Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ問題の困難さに基づく離散ロガリズムを使って、実施できる。
【００６４】
以下に、前述した方法の拡張を、図１に示すような複数のエンティティＨ_１、・・・、Ｈ_ｌをもつ一般のモバイル計算機構を実現するために、開示する。この概念は、各エンティティが、前述の基本方式のステップ２）〜４）を実行し、それから、このエージェントを次のエンティティに送信する場合には、本質的なものである。
【００６５】
すなわち、コード発信元Ｏは、各エンティティＨ_１、・・・、Ｈ_ｌのために、一つの暗号化回路ｅを用意し、ｊ＞ｌに対して、ｅ^{（ｊ−１）}からの暗号化状態ｘ_ｊ−１を、ｅ^（ｊ）に組み込む。これは、ｅ^（ｊ）への入力の隠れ表記を解読するための、ｅ^{（ｊ−１）}からの出力鍵Ｕ１’^{（ｊ−１）}、・・・、Ｕ’ｎｘ^{（ｊ−１）}を使用することによって、成し遂げられる。
【００６６】
Ｅ_ｋ（・）およびＤ_ｋ（・）によって示される鍵ｋの下で、暗号化動作および解読動作をそれぞれともなう対称暗号システムでは、この暗号システムは、潜在的な鍵Ｕおよび暗号文ｃが与えられることにより、Ｕの下での暗号化によってｃが得られるか否かについて、高い確率を持って決定できるような、十分な冗長性を含んでいる。この方式に対しての変更点は、以下の通りである。
【００６７】
１ａ）コード発信元Ｏは、前述したｅに対しての方法と同じ方法で、ｊ＝１、・・・、ｌに対してｅ^（ｊ）、ｌ^（ｊ）、ｋ^（ｊ）、ｕ^（ｊ）および
【数６】

を得る。しかし、このコード発信元Ｏは、ｅ^（ｌ）に対してのみ、値Ｌ’_ｉ＝Ｌ’_ｉ、ｘｉ ^（ｌ）を選択する。このｊ番目のステージの識別子は、ｉｄ｜｜ｊに設定される。このコード発信元Ｏはまた、２つの暗号
【数７】

を用意する。ただし、それぞれｊ＞１、およびｉ＝１、・・・、ｎｘであり、これらの値をＶ_ｉ、０ ^（ｊ）およびＶ_ｉ、１ ^（ｊ）に割り当てる前に、これらの値をランダムに交換する。このような対のリストをｖ^（ｊ）と呼ぶ。
【００６８】
次に、このコード発信元Ｏは、
【数８】

を、第１のエンティティＨに、一つのメッセージに含めて、送信する。
【００６９】
２ａ）ｊ＞１に対しては、Ｈ_ｊが、基本方式のステップ２を実行するときに、ｅ^{（ｊ−１）}を評価する前に、Ｈ_ｊ−１から、ｖ^（ｊ）およびＵ’_１ ^{（ｊ−１）}、・・・、Ｕ’_ｎｘ ^{（ｊ−１）}を受信する。
【００７０】
Ｕ’_ｉ ^{（ｊ−１）}を、Ｅに対する対称鍵として、エンティティ毎に解釈し、解読する一つの暗号文Ｖ_ｉ、０ ^（ｊ）およびＶ_ｉ、１ ^（ｊ）を決定し、次いで、適合する方を解読する。これは、エージェントの現在の状態ｘ_ｊにある、ｉ番目のビットの忘却（ｏｂｌｉｖｉｏｕｓ）表記Ｋ_ｉ ^（ｊ）をもたらす。これらの鍵は、次いで、ｅ^（ｊ）を評価するために使用される。
【００７１】
３ａ）Ｈ_ｊがｅ^（ｊ）の評価から出力を得たときは、Ｈ_ｊは、Ｈ_ｊ−１から受け取った全てのデータを、Ｕ’_１ ^（ｊ）、・・・、Ｕ’_ｎｘ ^（ｊ）とともに、Ｈ_ｊ＋１へ転送する。サークルの終端では、Ｈ_ｌは、Ｕ’_ｉ ^（ｌ）を、コード発信元Ｏに戻す。
【００７２】
コンピュータ使用エンティティＴがコードを生成する。
【００７３】
ＯおよびＴの役割を交換した場合には、コンピュータ使用エンティティＴが、暗号化回路を生成する。この回路は、このプロトコルに従うと考えられるため、全回路の正確性のために、費用のかかるゼロ知識証明を追加する必要はない。したがって、他のエンティティの操作、および、エラー強さを保証する対応証明は、より簡単になる。このコンピュータ使用エンティティＴは、この回路を構築するために、ｇおよびｈを知らなければならないが、このＴは、第１のプロトコルメッセージ中のＯから、Ｃの解読を得ることができる。
【００７４】
三当事者の忘却通信プロトコルが、Ｍ．Ｎａｏｒ、Ｂ．ＰｉｎｋａｓおよびＲ．Ｓｕｍｍｅｒによって、「Ｐｒｉｖａｃｙ ｐｒｅｓｅｒｖｉｎｇ ａｕｃｔｉｏｎｓ ａｎｄ ｍｅｃｈａｎｉｓｍ ｄｅｓｉｇｎ」、Ｐｒｏｃ．１ｓｔ ＡＣＭ Ｃｏｎｆｅｒｅｎｃｅ ｏｎ Ｅｌｅｃｔｒｏｎｉｃ Ｃｏｍｍｅｒｃｅ、１９９９年で紹介されたように使用されている。その場合、選択者の役割が、この選択者と、受信者と呼ばれる第三の当事者との間で分けられる。忘却通信の標準概念と比較して、受信者は、選択者によって指定された出力メッセージｍ_σを得るが、選択者自身は何も知ることはない。このいわゆる「プロキシ」忘却通信は、以下の３つのメッセージを使用して、実現できる。それは、選択者から受信者へ、受信者から送信者へ、および、送信者から受信者へのメッセージである。
【００７５】
このプロトコルは、また、二当事者間の標準の忘却通信の、１ラウンドの実施を使用する。これは、Ｃ．Ｃａｓｈｉｎ、Ｊ．Ｃａｍｅｎｉｓｃｈ、Ｊ．ＫｉｌｉａｎおよびＪ．Ｍｕｌｌｅｒの、論文「Ｏｎｅ−ｒｏｕｎｄ ｓｅｃｕｒｅ ｃｏｍｐｕｔａｔｉｏｎ ａｎｄ ｓｅｃｕｒｅ ａｕｔｏｎｏｍｏｕｓ ｍｏｂｉｌｅ ａｇｅｎｔｓ」、Ｐｒｏｃ．２７ｔｈ Ｉｎｔｅｒｎａｔｉｏｎａｌ Ｃｏｌｌｏｑｕｉｕｍ ｏｎ Ａｕｔｏｍａｔａ、 Ｌａｎｇｕａｇｅｓ ａｎｄ Ｐｒｏｇｒａｍｍｉｎｇ（ＩＣＡＬＰ）（Ｕ．Ｍｏｎｔａｎａｒｉ、 Ｊ．Ｐ．ＲｏｌｉｍおよびＥ．Ｗｅｌｚｌ、ｅｄｓ．）、Ｌｅｃｔｕｒｅ Ｎｏｔｅｓ ｉｎ Ｃｏｍｐｕｔｅｒ Ｓｃｉｅｎｃｅ、ｖｏｌ．１８５３、Ｓｐｒｉｎｇｅｒ、Ｊｕｌｙ ２０００年、ｐｐ．５１２−５２３に記載された方法を使用して、実現できる。
【００７６】
基本方式と同様、暗号化回路構造の構成要素が適用される。このプロトコルを、一つのエンティティＨをもつ、モバイルコードの基本事例用に、記述する。Ｏが、Ｅ_Ｏ（・）、Ｄ_Ｏ（・）によってそれぞれ示される、暗号化操作および解読操作をともなう公開鍵暗号方式を使用すると仮定する。Ｏは、ｎ_ｘ並列三当事者忘却通信内の選択者として、各ビットｘに対して、計算を開始する。Ｏは、これらの隠れ選択を、この三当事者忘却通信内の受信者として機能するＨに、ＣおよびＥ_Ｏ（・）とともに送信する。Ｈは、この適当なデータを、送信者として機能する、すなわちこの三当事者の忘却通信中の鍵の対Ｌを送信する、Ｔに転送する。さらに、Ｈはまた、ｎ_ｙ並列１ラウンド忘却通信（選択者の役割を担う）に対する入力も、ｙの各ビット用に、用意する。Ｈは、これらを、ＣおよびＥ_Ｏ（・）の記述とともに、Ｔに送信する。この場合、Ｔは、鍵の対Ｋを、１ラウンド忘却伝送内に送信する。
【００７７】
Ｔは、ｃｏｎｓｔｒｕｃｔ（Ｃ）を呼び出し、ｅ、および、鍵の対ｌ、ｋおよびｕを得る。Ｔは、Ｅ_Ｏ（ｕ_ｘ）、ｅ、ｕ_ｚ、および、全ての忘却通信プロトコル中の最終流れとともに、Ｈに応答する。
【００７８】
以上から、Ｈはｘを表す鍵Ｌ’_１、・・・、Ｌ’_ｎｘ、および、ｙを表す鍵Ｋ’_１、・・・、Ｌ’_ｎｙを決定できる。Ｈは、評価（ｅｖａｌｕａｔｅ）（ｅ、Ｌ’_１，・・・、Ｌ’_ｎｘ、Ｋ’_１、・・・、Ｋ’_ｎｙ）を実行し、前述したようにＵ’_１、・・・、Ｕ’_{ｎｘ＋ｎｙ}を得る。次いで、Ｈは、Ｕ’_ｎｘ＋１、・・・、Ｕ’_{ｎｘ＋ｎｚ}およびｕ_ｚから、自身の出力ｚを判断し、Ｅ_０（ｕ_ｘ）とともに、Ｕ’_１、・・・、Ｕ’_ｎｘを、Ｏに転送する。このことによって、Ｏは、自身の出力ξを得ることが可能になる。
【００７９】
以下には、一つのホストまたは第１のエンティティＨ_１から、ｌ個のホストＨ_１、・・・、Ｈ_ｌへ拡張した、プロトコルを示す。このプロトコルは、第１のホストに対しては、前述したように開始する。しかし、Ｈ_２、・・・Ｈ_ｌに対するステップは、僅かに異なっている。すなわち、三当事者忘却通信、および、Ｅ_Ｏの下での暗号化は、使用されない。代わりに、Ｔは、ｅ^（ｊ）の入力の中にあって、前述したｖ^（ｊ）のように、ｅ^{（ｊ−１）}からの、ｕ^{（ｊ−１）}中の出力鍵に基づいて、エージェントの状態ｘ_ｊ−１を表している、鍵ｌ^（ｊ）を暗号化する。この鍵ｕ^{（ｊ−１）}は、ステップｊ−１とステップｊの間にあるＴによって記憶でき、もしくは、Ｈ_ｊ−１およびＨ_ｊを介してＴへ伝送されるプロトコル流れとともに、Ｅ_Ｔ（・）によって暗号化して、送信できる。さらに、最後のホストは、ＴからＥ_０（・）とともに暗号化されたｕ_ｘを得、これを、前述したように、Ｏへ転送する。
【００８０】
この通信パタンは、基本方式のパタンと同じである。ＯからＨ_１への一つのメッセージ、各Ｈ_ｊ−１からＨ_ｊへの一つのメッセージおよびＨ_ｊからＯへの一つのメッセージが存在し、これに、各ホストとコンピュータ使用エンティティＴとの間の一つの通信流れが加わる。エラー強さは、悪意をもって改変されない公開鍵暗号方式、および、非対話式のゼロ知識証明を、使用することによって、追加できる。しかし、この結果は、ゼロ知識証明が、潜在的に大きな暗号化回路を必要とはしないので、より実用的である。さらに、この暗号化回路構造は、公開鍵で操作する代わりに、ブロック暗号によって実施できる。
【００８１】
開示の実施形態は、いずれも、例示の、および／または、説明したうちの、一つまたはいくつかの他の実施形態と、組み合わせることができる。これは、本実施形態の、一つまたは複数の特徴に対しても、可能である。
【００８２】
本発明は、ハードウェア、ソフトウェア、または、ハードウェアおよびソフトウェアの組み合わせで実現できる。どの種類のコンピュータシステム、または、本明細書で開示の方法を実現するために適した他の装置が、適している。ハードウェアおよびソフトウェアの典型的な組み合わせは、ロードおよび実行すると、本明細書で開示の方法を実行できるような、コンピュータシステムを制御するコンピュータプログラムを備えた、汎用目的のコンピュータシステムであることができる。本発明は、本明細書で開示の方法を実施できる全ての特徴を備え、コンピュータシステムにロードすると、本方法を実施可能な、コンピュータプログラム製品にも、組み込むことができる。
【００８３】
コンピュータプログラム、または、本明細書でいうところのコンピュータプログラムとは、情報処理能力を有するシステムが、特定の機能を、直接、もしくは、ａ）他の言語、コードもしくは表記に変換、ｂ）異なるマテリアルフォームの形の再生成の、一方もしくは両方の後に、実行することを引き起こすような、いずれの言語における、命令の組のコードもしくは表記の、すべての表現を意味する。
【図面の簡単な説明】
【図１】本発明に従った通信の流れを示す図である。
【図２】通信の流れをより詳細に示す図である。
【図３】通信の流れの他の例を示す図である。[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a method and system for processing customer requests. More particularly, the present invention relates to mobile agent cryptographic security.
[0002]
[Prior art]
In an increasing world of networks, mobile code is an increasingly important programming paradigm. Mobile code provides a way to adapt to structures that coordinate calculations in distributed systems. At present, the Internet is full of mobile code fragments, such as Java applets, which represent only a simple form of mobile code.
[0003]
A mobile agent is an autonomously functioning mobile code for continuously collecting, filtering, and processing information on behalf of a user. Mobile agents combine the benefits of an agent paradigm, such as reacting to changing environments, autonomous behavior, with features that execute remote code. That is, a mobile agent operates within a computer network and can move between servers as needed to achieve its purpose. Important applications include data retrieval from large repositories with limited bandwidth or disconnected users, and mobile computing of software and network configuration management. The concept of a mobile agent roaming the Internet can be realized immediately when this paradigm is incorporated into large-scale applications.
[0004]
Mobile code is interpreted as a program created by one entity (called the "source") and then transmitted to an entity, its host, just before being executed by the host. In other words, the mobile code is ready to execute without requiring manual intervention for the host, such as performing an installation or performing a setup routine. In addition, the mobile agent can operate continuously and autonomously with the connection from the source disconnected, and freely move to another host during its valid time. Such an agent is also called an itinerant agent. Mobile code is exposed to various security threats. A malicious host can examine the code and try to learn the secrets performed by the agent, and this knowledge can be used to interact with the agent in order to gain unfair advantage. The host may also try to tamper with the result of the calculation.
[0005]
There are at least two security issues that arise in the field of mobile code. It is (1) protecting the host from malicious code, and (2) protecting the code from the malicious host. This first problem has received considerable attention because computer viruses and Trojans are an imminent threat. The current solution is to execute code with tight access control and execute code in a so-called sandbox and use a trust relationship with the code generator.
[0006]
Protecting mobile code is described in T.A. Sander and C.E. F. Tschudin in their paper "Protecting mobile agents against malicious hosts, Mobile Agents and Security" (G. Vigna, ed.), Lecture Notebook. 1419, Springer, 1998, note that tools from theoretical encryption, as described, may be effective in executing mobile code in the form of an encrypted form on an unauthorized host. Until now, it was considered impossible by some mobile code researchers. Most protocols for so-called secure computation require several rounds of two-way interaction, but they are not applicable to achieve security for mobile applications and integrity for their output. It is possible. Sander and Tschudin concluded that only functions that could be represented as polynomials could be safely computed in this manner. The next work by Sander et al. Sander, A, Young and M.S. "Non-Interactive CryptoComputing for NC" Proc. The 40th IEEE Symposium on Foundations of Computer Science (FOCS), 1999, is to extend this scheme to all functions that can be calculated by logarithm-level circuits, such as those described in 1999.
[0007]
The top form of the code is active mobile code that performs some direct action on the host. This often leaks information about the encryption computation to the host. Thus, any output must be received only by the source.
[0008]
The basic problem with active mobile code is that a malicious host can see the output of the computation and easily run this code again with different inputs. The only existing defense for active mobile code against malicious hosts is to use approved hardware. This suggests that mobile code be executed exclusively inside hardware that has been manipulated to prevent tampering, and that when exiting an approved environment, be encrypted as soon as possible. Yes, and need that.
[0009]
US Patent No. 6,026,374 provides potential consumers with a description of information products without disclosing the content of all information products that could jeopardize the merchant's interests , Systems and methods that use trusted third parties. The consumer believes that the third party has given an accurate description of the information for sale, while the seller believes that the third party has I do not believe it. The system may include summaries of information product sellers, consumers of such products, and trusted third parties, each operating as a node in a communication network such as the Internet. A disadvantage of this system and method is that the third party must be a trusted organization and the third party must have information and knowledge about everything. This can be dangerous if the third party is cracked. In addition, several messages are required to process the consumer's request.
[0010]
[Problems to be solved by the invention]
The present invention provides a method and system for a source to securely process a customer's request, ie, a request initiated by the customer. The source request is sent to the at least one first entity in a mobile code or mobile agent. A method for processing an originating request comprises the steps of: a) sending an originating request from a customer, ie, in the form of a customer's device, to the or each first entity; b) the or the first entity. Connecting each first entity to a computer-using entity; c) adding information about the originating request upon receipt of the originating request by the or each first entity; Creating a first modified request, and d) deriving at least a portion of the first modified request from a computer usage entity result obtained from at least a portion of the first modified request. Receiving by a computer-based entity; f) to the or each first entity; Transmitting at least a portion of the result of the computer-using entity; and g) receiving, by the or each first entity, at least a portion of the computer-using entity result derived from the first entity result. Later, transferring at least a portion thereof; and h) receiving at least a portion of the first entity result by a customer derived from the customer result.
[0011]
[Means for Solving the Problems]
It is advantageous that only the customer knows the result of this calculation, so that no other entity or host knows anything except the result directed to them. The mobile code or mobile agent containing the originating request is transmitted through the network to a number of entities, whereby the code or at least a fragment of the code is transmitted to any of the first entities. It runs safely without any additional client hardware. Security is gained through computer-usable entities, which are generally independent entities. This independent entity can be a computer-based service that performs cryptographic computations on behalf of the mobile agent, but knows nothing about cryptographic computations. This independent entity can serve as many different applications, without having to know anything about its usage before deploying the application. At the same time as privacy, authentication for the mobile agent can be achieved. In addition, the computation service itself does not know anything about this computation and is presumed not to collude with the source or first entity of the code.
[0012]
This independent entity is not tied to a specific service or application context, but is universal. For example, a secure computer-based server can be configured and operated by an independent entity.
[0013]
The method and system can be based on software and the hardware required for it, and therefore can be built and operated at low cost compared to any solution involving special hardware.
[0014]
The encryption operation is applicable to the mobile agent containing this request or result. Therefore, the integrity of the mobile agent can be beneficially guaranteed.
[0015]
If the originating request is made by applying cryptographic circuitry, then a secure computation of the request is achieved, and the source of the request determines how much information the entity receives. The advantage arises that one can decide what must be done.
[0016]
The originating request may include a function in an encrypted form. This is advantageous because other entities that process the originating request cannot derive valid information therefrom other than the results intended for these entities.
[0017]
The originating request, the first modified request, the computer use entity result, and the first entity result may include a portion of the encryption. This is advantageous because the information that needs attention is protected and cannot be read in plain text.
[0018]
This source request may include the offer document or other legal document. The request may also include purchasing information or customer information such as a shipping address or credit card number for a financial transaction.
[0019]
This first entity includes a web server that provides services or goods. This service can be anything, including simply buying, selling, lending, licensing or financial transactions.
[0020]
The result of this first entity may include customer information regarding the acceptance of the originating request. This is advantageous because the first entity can immediately deliver the service or goods and initiate the required processing.
[0021]
The customer result may include information of the first entity regarding acceptance of the originating request. The customer will therefore know that his request has been completed and that no further action is required.
[0022]
Preferred embodiments of the present invention are described below, by way of example only, with reference to the accompanying schematic drawings, in which:
[0023]
The accompanying drawings are provided for illustrative purposes only and need not be drawn to scale as a practical example of the invention.
[0024]
BEST MODE FOR CARRYING OUT THE INVENTION
With general reference to the figures, the features of the method and system for processing customer requests using the function of encryption are described in more detail below. Obviously, when using customer terms, it is meant to refer to a device, such as a computer or mobile device, used by the customer.
[0025]
An element defining the computation of a mobile code or mobile agent is that it operates autonomously and independently of the source of the code. The calculation of the secure mobile agent is modeled by a rule as shown in FIG. In this figure, the box is labeled according to the following description.
[0026]
Source O and l hosts (hereinafter entity H) on which the mobile agent (hereinafter referred to as agent for short) operates.₁... H_l).
[0027]
FIG. 1 shows a network, such as the Internet, by which the code origin O can be a₁And connect to H₁Is the second entity H₂Connected to further. This second entity H₂Is H_jConnect to the entity labeled_jIs H_{j + 1}In addition to this, it is possible for some other entities to be present while indicated by the dotted line. This entity H_{j + 1}Is H_lConnect to the entity labeled_lThen connects back to the code source. Each entity H₁, H₂… H_j, H_{j + 1}, H_lIs connected to the computer use entity T.
[0028]
Code source O and each entity H₁, H₂, ..., H_j, H_{j + 1}, H_lSends and receives only one message, including the agent. The code origin O is the first entity H₁Message to send to₀, And a later entity H_jIs H_{j + 1}Send a message to_jWhere j = 1... L−1 and the last entity H_lThe message returned to the code sender O is m_lIndicated by
[0029]
FIG. 2 shows a more detailed diagram of the communication flow shown in FIG. This code source O is a customer O in this figure, but in this figure it is connected to a first entity labeled H and further to an entity T using a computer. The method for processing the source request OR of the customer O, for example, the price request including the lowest level for the product, is performed as follows. Customer O sends a source request OR to the first entity H. This is m_ORIs indicated by the arrow labeled. This first entity H offers several products at a certain price. This first entity H connects to the computer-using entity T and, upon receiving the originating request OR, adds information I about the originating request OR, for example the price that it intends to accept, thereby making a first change. Created request FMR. This first modified request FMR is m_FMRSent to the computer use entity T as indicated by the arrow labeled. If the computer use entity T receives this first modified request FMR, it derives the computer use entity result CER without knowing anything from this calculation. Thereafter, the result CER of this computer-using entity is given to the first entity H by m_CERSent back as indicated by the arrow labeled. If this first entity H receives this computer-usable entity result CER, it derives a first entity result FER therefrom,_FERIs forwarded to the customer O as indicated by the arrow with the label The customer O can obtain a customer result CR from the first entity result FER. The customer result CR presents information on whether or not the source request OR has been completed to the customer O. This first entity H knows from this first entity result FER whether its offer has been accepted by the customer O or not. This source request OR may include information about the customer O, such that the first entity can immediately deliver the requested product, ie, address, credit card information.
[0030]
In the embodiment described above, the mobile agent visits several vendor sites and compares their offers. This source request OR is not based solely on price, but may also include other attributes. This source O or customer O wants to maintain privacy for their choices, but the shop is interested in knowing information about consumer capture and other vendor offers. ing. For complex offers, such as in the insurance industry, where prices are determined individually for each customer based on need, vendors want to keep the method of calculating prices secret. All of these requirements can be fulfilled by this mechanism, described for secure mobile code.
[0031]
In another embodiment, the shopping agent moves around the network and a number of vendors or entities H₁, H₂, ..., H_j, H_{j + 1}, H_lCollect offers from. In this case, prior agreement on the data format of the offer is helpful.
[0032]
FIG. 3 shows another embodiment using similar or similar parts as shown in FIGS. 1 and 2. The difference is that the code source O is₁, H₂ … H_lIs transmitted directly to the source request OR. In this case, the source request OR is the entity H₁, H₂, ..., H_lEach may be the same or different.
[0033]
A further embodiment describes electronic negotiation. Electronic negotiation between the consumer and one vendor can occur using a mechanism for secure mobile code visiting one host or one entity H. Typically, this vendor acts as the source O and downloads the applet to the consumer's (already in fact common on the Internet) browser. This applet is executed by the consumer using the help of the computer-using entity T, and the offer is displayed to the consumer. The vendor can also obtain some information, which must be clearly articulated in a "privacy statement" that runs simultaneously with the applet.
[0034]
Auctions with created bidding strategies provide an attractive application area for secure mobile agents. Bidding agents can conduct complex captures that are a function of time and other participant behavior, providing more flexibility to bidders compared to traditional one-parameter auctions that are purely price-based . Since many value criteria are interrelated, a bidder may take his bidding actions, for example, creating many value criteria he observed in the previous round, depending on other successful bidders. I'm interested in making decisions as dynamically as possible. If a bidder can express his strategy as a computable function, he will calculate an auction function, ie, auction results, with a strategy like personal input for all participants. Circuit can be constructed. This requires that the auction agent visit each bidder only once. However, in a possible case, the bidder would not be able to mathematically describe the strategy, and each round of the auction would visit each bidder once through the auction applet, It can be safely executed as if it were returned to the person. If the bid does not exceed the minimum increase, a bid or the end of the auction is output. If any mechanism for secure mobile computing is used, then any one entity H₁, H₂, ..., H_j, H_{j + 1}, H_lNor do they see all bids (like an auction organizer, its computer system, or its operator). The auctions created are common in electronic markets, fair trade, bandwidth auctions, and transfer exchanges, and bidders often prefer to combine items.
[0035]
Hereinafter, detailed implementation means will be described.
[0036]
Calculation: Let the state of the mobile agent be an element of the set X. Its initial state x₀Is determined by O. H_jBy the set Y_j, And H_jOutput to Z_jElement. This entity H_jThe above agent calculation is the new state of the agent x_j= G_j(X_j-1, Y_j) And output z_j= H_j(X_j-1, Y_j) Can be expressed by the following two functions.
g_j: X × Y_j→ X and h_j： X × Y → Z_j
O gets the final state of the agent, ξ = xl∈X. Function g_jAnd h_jIs all entities H₁… H_lIs known to.
[0037]
The mobile computing mechanism computes all j = 1,..., L, and x₀∈X, y_j∈Y_jFor (2l + 2) algorithms A₀, A₁, ..., A_l, B₁, ... B_lAnd D. However,
m₀= A₀(X₀)
m_j= A_j(M_j-1, Y_j) Where j = 1, ..., l
z_j= B_j(M_j-1, Y_j) Where j = 1,..., L
ξ = D (m_l)
The following two states are maintained: accuracy and privacy.
Accuracy: ξ = g_l(X_l-1, Y_l) And z_j= H_j(X_j-1, Y_j)
Where j = 1,..., L,
x_{j '}= G_{j '}(... (g₂(G₁(X₀, Y₁), Y₂) ...), y_{j '}) {Where, j = 1,..., 1-1.
Privacy: The inputs, outputs and calculations of all entities remain hidden from the source and from all other entities, except those derived from their own outputs. O knows only about ξ, but x₀Nothing is known about any yj other than those derived from and 、, and likewise H_jIs z_jKnow only about z_jAnd y_jX for j '<j, other than those derived from₀And y_jI don't know anything about
[0038]
For simplicity, the above mechanism assumes that the order in which agents visit all entities is fixed. Function π: Z_j→ Introduce {1, ..., l} and set the agent to H_jFrom, H_π(Z_j), This sequence is transformed into z_jExtend so that you can rely on In the case of a mobile code application with only one host, the first entity, this function g gives an output Ｏ of O and the function h gives an output z of H.
[0039]
A computer-using entity T is provided, which can be a common secure computer-based service. This computer-using entity T is all entities H that are online and execute agent applications.₁, ..., H_lOr, connected to the host and deployed for secure agent computation. Whatever the behavior of the computer use entity T itself, under the following assumptions, it does not get any information about the calculations. The assumption is that (1) the computer-using entity T does not collude with the source for any entity, and (2) the computer-using entity T conspires with any entity for the source or any other entity. That is not to do. All calculations are processed with minimal or no repetition. This mechanism is general and is not tied to any particular application. Thus, the service of the computer-using entity T can be provided as a public service for "secure mobile agent computing" on the Internet. In the role of O or H (eg, to make a shopping comparison), a client or customer who uses this service can use the computer-usable entity T to make sure that his / her privacy (eg, customer profiling and collecting markets). You don't have to be afraid to try to compromise data). In addition, the computer use entity T itself is interested in maintaining its reputation as a security provider.
[0040]
The above mechanism is based on functions in the encrypted form. For example, the encryption of a binary digital circuit implements this part of the agent computation. This can be realized by an encryption circuit structure as described below.
[0041]
Circuit structure of encryption
[0042]
A. C. Yao, in his dissertation "How to generate and exchange secrets," Proc. 27th IEEE Symposium of Computer Science (FOCS), 1986 pp. . The structure of Yao's encryption circuit, introduced at 162-167, is an interactive protocol for the evaluation of secret functions between two parties or entities. This is the description for the binary function g (.,.) And the parties Alice (with input x) and Bob (with input y). Bob receives the output z = g (x, y), but knows nothing else, and Alice knows nothing at all.
[0043]
(X₁, ..., x_nx), (Y₁, ..., y_ny) And (z₁, ..., z_nz) Indicate binary notations of x, y, and z, respectively, and C indicates a polynomial binary circuit for calculating g. The components of Yao's structure are (I) the first algorithmic construct (Alice) used by Alice to build the encryption circuit, (II) the transmission protocol between Alice and Bob, and (III) Bob the A second algorithm evaluate that allows g (x, y) to be searched. More precisely, these processes are as follows.
[0044]
(I) A first algorithm based on expectations (C) uses circuits as input and output tuples.
(E, l, k, u)
Where C is (n_x+ N_y) Input circuits C (•, •) can be considered to be encrypted, and l, k, u can be represented by a so-called key pair list corresponding to x, y, z, respectively. .
l = (L_1,0, L_1,1), ..., (L_{nx, 0}, L_{nx, 1})
k = (K_1,0, K_1,1), ..., (K_{ny, 0}, K_{ny, 1})
u = (U_1,0, U_1,1), ..., (U_{nz, 0}, U_{nz, 1})
[0045]
To calculate C (x, y) from cipher e, Bob computes L_{i, b}Is the input bit x_i= B, K_{i, b}Is the input bit y_i= B requires one "key" for each input bit. This key U_{i, 0}And U_{i, 1}Represents the output bits of the encryption circuit, ie, U_{i, b}Is generated, the output bit z_iIs set to b.
[0046]
When e encrypts, a particular method ensures that every gate of the circuit is given two keys, representing its own input bits, and the key representing the resulting output bits is easily It can be calculated, but the plaintext it represents should not reveal any information.
[0047]
(II) Alice and Bob, for example, Even, O.M. Goldreich and A.M. As described in Lempel, "Randomized Protocol for Signaling Contract", Communications of the ACM 28 (1985), 637-647, or as described in G.L. Brassard, C.I. Crepeau and J.M. -M. Robert "Information-theoretic reductions ammonium disclosure problems", Proc. 27th IEEE Symposium on Foundations of Computer Science (FOCS), tied to a protocol for oblivious transfer as described in 1986. This is two messages m₀And m₁A two-party interactive protocol for a sender with an input of, and for a selector with an input of bit σ. At the end, this chooser_σReceive
(Equation 1)

Knows nothing about, and the sender has no information about σ.
[0048]
More precisely, Alice acts as a sender, and Bob checks all bits y of his input_iFor the value K '_i= K_{j, yi}, But
(Equation 2)

You don't know anything about. At the same time, Alice has y_iYou don't know anything about.
[0049]
In addition, Alice finds L ′ for i = 1,._i= L_{i, xi}And calculate a key representing x, e, L ′₁, ..., L '_nx, Send u to Bob.
[0050]
(III) This second algorithm evaluation (e, L '₁, ..., L '_nx, K '₁, ... K '_ny) Uses as input the circuit of encryption, the notation of x, and the notation of y with the corresponding key. This evaluation allows Bob to recover z, the key U '₁, ..., U '_nzAnd if Alice and Bob follow this protocol, then z = g (x, y).
[0051]
The implementation of the first algorithm structure and the second algorithm evaluation is performed, for example, by O.M. Goldreich, S.M. Goldwasser and S.M. "How to construct random functions," Journal of the ACM 33 (1986), {no. 4, 792-807, which can be realized by a pseudo-random function, which can actually be realized by a block cipher. Block ciphers are very fast cryptographic functions, even when implemented in software.
[0052]
The following describes how this encryption circuit structure is used to implement secure mobile code computation with one or a first entity. Extension to multiple entities will be considered later.
[0053]
This computer use entity T issues a public key in an encryption system. The corresponding encryption and decryption operations are E_T(•) and D_TIndicated by (•). All entities can communicate over a secure approved link, which can be achieved by using standard public key cryptography and digital signatures.
[0054]
The basic mechanism is that O constructs a circuit e of encryption, which computes two values ξ and z. This code source O sends e to the first entity H, but for T encrypts all the keys in k, and in u corresponding to 、, the key pair (u_x) Are not included. As a result, the first entity H does not know anything about ξ. Next, the first entity H selects the encryption key representing y from k and involves the computer-using entity T to decrypt it in one interactive round. This first entity H then evaluates the circuit and obtains z. In this case, the first entity H also returns the key in the circuit that outputs the notation of ξ to O, who can determine ξ from the circuit.
[0055]
C is slightly modified from the notation of the above-mentioned part, (n_x+ N_y) Input bits x₁, ..., x_nx, Y₁, ..., y_nyThe same input, and (n_x+ N_z) Output bits ξ₁, ..., ξ_nx, Z₁, ..., z_nz, A binary circuit that calculates (ξ, z) = (g (x, y), h (x, y)). This scheme involves five steps 1) to 5), as described below.
[0056]
1) O selects a string id that uniquely identifies the computation, eg, an id that includes the name of O, a description of g and h, and a sequence counter. O calls the construct (C), and u sums (n_x+ N_y(E, l, k, u) as described above, including the key pairs. u_xIs the index 1, ..., n_xDenote a pair of u with_zIs the index n_x+1, ..., n_x+ N_zIs shown as a pair of u.
[0057]
i = 1,..., n_yAnd the following equation is calculated for b {0,1}.
(Equation 3)

[0058]
Let k denote the list of all K pairs described above. Then, O is, as described above, i = 1,._xL '_i= L_{i, xi}And the first entity H has id, e, L '₁, ..., L'n_x, K, u.
[0059]
2) The first entity H is i = 1,... N_yAgainst
(Equation 4)

Is set as a cipher representing its own input y, and these are transmitted to the computer use entity T together with the id.
[0060]
3) The computer use entity T is i = 1,..., N_yAgainst
(Equation 5)

To verify that the i-th decrypted string contains the identifier id and index i. If all checks are successful, the computer-usable entity T determines the decryption key K '₁, ... K'n_yIs returned to the first entity H.
[0061]
4) The first entity H evaluates the second algorithm (e, L '₁, ..., L '_nx, K '₁, ..., K '_ny) And U '₁... U '_{nx + nz}Get. Then, this first entity H is i = 1,..., N_zU for_{nx + i, zi}= U '_{nx + i}Z = (z₁, ..., z_nz) To determine the remaining value U ′₁, ..., U '_nxTo the code transmission source O.
[0062]
5) The code source O is U for i = 1,._{i, ξi}= U '_iThe output ξ = (ξ₁, ..., ξ_nx).
[0063]
For increased security, the computer-usable entity T is secure against attacks on adaptive selective ciphertext, which implies a lack of flexibility, but must use a public key cryptosystem. This is D.E. Dolev, C.I. Dwork and M.W. Naor, "Non-mallable cryptography", SIAM Journal on Computing 30 (2000), no. 2, 391-437. The code origin O and the first entity H must also commit their input. In a practical system, all of these are, for example, Bellare and P.M. "Random sources are practical: A paradigm for designing effective protocols" by Rogaway, Proc. This can be realized by a so-called “random oracle model” using a secure hash function described in 1st ACM Conference on Computer and Communications security, 1993. In this case, the pseudo-random function for the public key cryptography and the circuit cryptography is described in M. Naor and O.M. Reingold, “Number-theoretical constructions of effective pseudo-random functions”, Proc. 38th IEEE Symposium on Foundations of Computer Science (FOCS), 1997, which can be implemented using discrete logarithm based on the difficulty of the Diffie-Hellman problem, described in 1997.
[0064]
In the following, an extension of the method described above will be described for a plurality of entities H as shown in FIG.₁, ..., H_lIn order to realize a general mobile computing mechanism having This concept is essential if each entity performs steps 2) -4) of the basic scheme described above and then sends this agent to the next entity.
[0065]
That is, the code transmission source O transmits each entity H₁, ..., H_l, One encryption circuit e is prepared, and for j> l, e^(J-1)Encryption state x from_j-1To e^(J)Incorporate in This is e^(J)E to decode the hidden notation in the input to^(J-1)Output key U1 'from^(J-1), ..., U'nx^(J-1)Can be achieved by using
[0066]
E_k(•) and D_kIn a symmetric cryptosystem with an encryption operation and a decryption operation, respectively, under a key k indicated by (•), the cryptosystem is given a potential key U and a ciphertext c under U Is sufficiently redundant so that it can be determined with a high probability whether or not c can be obtained by encryption. The changes to this method are as follows.
[0067]
1a) The code source O sends e to j = 1,...^(J), L^(J), K^(J), U^(J)and
(Equation 6)

Get. However, this code source O has e^(L)Only for_i= L '_{i, xi} ^(L)Select The identifier of this j-th stage is set to id || j. This code source O also has two ciphers
(Equation 7)

Prepare Here, j> 1, and i = 1,..., Nx, respectively, and these values are represented by V_{i, 0} ^(J)And V_{i, 1} ^(J)These values are exchanged randomly before being assigned to. Let v be a list of such pairs^(J)Call.
[0068]
Next, this code sender O
(Equation 8)

Is transmitted to the first entity H in one message.
[0069]
2a) For j> 1, H_jPerforms e2 when performing step 2 of the basic scheme.^(J-1)Before evaluating_j-1From, v^(J)And U '₁ ^(J-1), ..., U '_nx ^(J-1)To receive.
[0070]
U '_i ^(J-1)Is interpreted as a symmetric key for E for each entity and one ciphertext V_{i, 0} ^(J)And V_{i, 1} ^(J)And then decrypt the one that fits. This is the current state of the agent x_j, The oblivious notation K of the i-th bit_i ^(J)Bring. These keys are then^(J)Used to evaluate
[0071]
3a) H_jIs e^(J)When the output is obtained from the evaluation of_jIs H_j-1All data received from U '₁ ^(J), ..., U '_nx ^(J)With H_{j + 1}Transfer to At the end of the circle, H_lIs U '_i ^(L)To the code transmission source O.
[0072]
The computer use entity T generates the code.
[0073]
If the roles of O and T are exchanged, the computer-using entity T generates an encryption circuit. Since this circuit is considered to follow this protocol, there is no need to add costly zero-knowledge proofs for the accuracy of the whole circuit. Therefore, the operation of other entities and the proof of correspondence that guarantees the error strength become simpler. The computer-using entity T must know g and h in order to build this circuit, but this T can get the decryption of C from O in the first protocol message.
[0074]
A three party forgetting communication protocol is described in M. Naor, B .; Pinkas and R.A. Summer, "Privacy preserving actions and mechanism design", Proc. Used as introduced in the 1st ACM Conference on Electronic Commercial, 1999. In that case, the role of the selector is divided between this selector and a third party called the recipient. Compared with the standard concept of oblivion communication, the recipient can output the message m specified by the selector._σBut the chooser does not know anything. This so-called “proxy” forgetting communication can be realized using the following three messages. It is a message from the chooser to the recipient, the recipient to the sender, and the sender to the recipient.
[0075]
This protocol also uses a one-round implementation of a standard oblivious transfer between two parties. This is C.I. Cashin, J.M. Camenisch, J .; Kilian and J.M. Muller, "One-round secure composition and secure autonomous mobile agents", Proc. 27th International Colloquium on Automata, Languages and Programming (ICALP) (U. Montanari, JP Rolim and E. Welzl, eds.), Lecture Notes in Computers. 1853, Springer, July 2000, pp. 146-64. This can be achieved by using the method described in H.512-523.
[0076]
Like the basic scheme, the components of the encryption circuit structure are applied. This protocol is described for the basic case of mobile code with one entity H. O is E_O(•), D_OSuppose we use a public key cryptosystem with encryption and decryption operations, indicated by (•), respectively. O is n_xFor each bit x, as a selector in the parallel three-party forgetting communication, start the calculation. O sends these hidden choices to H, acting as recipients in this three-party forgetting communication, C and E_OSend with (•). H forwards the appropriate data to T, which acts as the sender, that is, sends the key pair L during the forgetting communication of the three parties. Further, H is also n_yAn input for the parallel one-round oblivious transfer (having the role of a selector) is also prepared for each bit of y. H defines these as C and E_OIt is transmitted to T with the description of (•). In this case, T sends the key pair K in one round forgetting transmission.
[0077]
T invokes construct (C) and obtains e and the key pair l, k and u. T is E_O(U_x), E, u_z, And the final flow in all forgetting communication protocols.
[0078]
From the above, H is the key L 'representing x.₁, ..., L '_nx, And a key K ′ representing y₁, ..., L '_nyCan be determined. H is an evaluation (e, L ')₁, ..., L '_nx, K '₁, ..., K '_ny), And as described above, U ′₁, ..., U '_{nx + ny}Get. Then H is U '_{nx + 1}, ..., U '_{nx + nz}And u_zFrom its own output z, E₀(U_x) And U '₁, ..., U '_nxTo O. This allows O to obtain its own output ξ.
[0079]
In the following, one host or the first entity H₁From l hosts H₁, ..., H_lShows the protocol, extended to The protocol starts for the first host as described above. But H₂… H_lAre slightly different. That is, three-party forgetting communication and E_OIs not used. Instead, T is e^(J)In the input of^(J)As in e^(J-1)From u^(J-1)Agent state x based on the output key in_j-1The key l^(J)To encrypt. This key u^(J-1)Can be stored by T between step j-1 and step j, or H_j-1And H_jE along with the protocol flow transmitted to T via_TIt can be encrypted by (•) and sent. In addition, the last host is T to E₀U encrypted with (•)_xWhich is transferred to O as described above.
[0080]
This communication pattern is the same as the pattern of the basic system. O to H₁One message to each H_j-1To H_jOne message to and H_jThere is one message from O to O, to which is added one communication flow between each host and the computer use entity T. Error strength can be added by using public key cryptography that is not maliciously altered, and non-interactive zero-knowledge proofs. However, this result is more practical because zero-knowledge proofs do not require potentially large encryption circuits. Further, this encryption circuit structure can be implemented by a block cipher instead of operating with a public key.
[0081]
Any of the disclosed embodiments can be combined with one or several other embodiments shown and / or described. This is also possible for one or more features of this embodiment.
[0082]
The present invention can be realized by hardware, software, or a combination of hardware and software. Any type of computer system or other device suitable for implementing the methods disclosed herein is suitable. A typical combination of hardware and software can be a general-purpose computer system with a computer program that, when loaded and executed, can perform the methods disclosed herein and control the computer system. . The invention has all the features that enable the method disclosed herein to be implemented and, when loaded into a computer system, can also be incorporated into a computer program product capable of performing the method.
[0083]
A computer program, or computer program for the purposes of this specification, is a system with information processing capabilities that converts certain functions directly or a) into another language, code or notation, and b) different materials. Means any representation of the code or notation of a set of instructions in any language that causes it to be executed after one or both of the regenerations of the form form.
[Brief description of the drawings]
FIG. 1 is a diagram showing a communication flow according to the present invention.
FIG. 2 is a diagram showing a communication flow in more detail.
FIG. 3 is a diagram showing another example of a communication flow.

Claims (16)

A method for processing a source request (OR) of a customer (O), which can be transmitted to at least one first entity (H),
a) transmitting the source request (OR) from the customer (O) to the or each first entity (H);
b) connecting said or each first entity (H) to a computer-using entity (T);
c) adding, by the or each first entity (H), information (I) about the source request (OR) upon receipt of the source request (OR), thereby making a first change; Creating a completed request (FMR);
d) sending at least a portion of the first modified request (FMR) to at least the computer-usable entity (T);
e) after receiving at least a portion of the first modified request (FMR) by the computer using entity (T), from the at least part of the first modified request (FMR), Obtaining a result (CER);
f) transmitting at least a portion of the computer-usable entity result (CER) to the or each first entity (H);
g) after receiving, by the or each first entity (H), at least a part of the computer-usable entity result (CER), deriving a first entity result (FER) therefrom, Transferring the department;
h) receiving, by the customer (O), at least a portion of the first entity result (FER) from which a customer result (CR) is obtained;
Including, methods. A method for processing a source request (OR) of a customer (O) by a vendor (H),
a) receiving the source request (OR) from the customer (O) and adding information (I) relating to the source request, thereby creating a first modified request (FMR); When,
b) transmitting at least a portion of the first modified request (FMR) to at least a computer-using entity (T), which derives a computer-using entity result (CER) and returns at least a portion thereof;
c) after receiving by the first entity (H) at least a part of the computer-usable entity result (CER), deriving a first entity result (FER) therefrom and transferring at least a part thereof; , Whereby the customer (O) is able to derive a customer result (CR) from at least a portion of the first entity result (FER),
Method. A first modified request (FMR) from at least one first entity (H) containing at least a part of an originating request (OR) from a customer (O) by a computer-using entity (T) ) Is a method for processing
a) receiving the first modified request (FMR) from the or each first entity (H);
b) obtaining a computer use entity result (CER) from at least a portion of the first modified request (FMR);
c) deriving a first entity result (FER) and transmitting at least a portion of the computer-usable entity result (CER) to the or each first entity (H), forwarding at least a portion thereof; , Whereby said customer (O) can obtain a customer result (CR) from at least a part of said first entity result (FER),
Method. A method for processing an originator request (OR), comprising:
a) creating the source request (OR);
b) sending said source request (OR) to at least one first entity (H) so that said or each first entity (H) is associated with said source request (OR) Adding information (I), in this case creating a first modified request (FMR), and extracting at least a portion of said first modified request (FMR) from the computer-using entity result (CER) , At least a portion of the computer-using entity result (CER) and at least a portion of the computer-using entity result (CER) from which the or each first entity (FER) obtains a first entity result (FER). H) and transferring at least a portion thereof;
c) after receiving the at least part of the first entity result (FER), obtaining a customer result (CR) therefrom;
A method that includes The method according to one of claims 1 to 4, further comprising applying an encryption operation to the request (OR, FMR) and the result (CER, FER). 5. The method of claim 4, wherein creating the originating request (OR) comprises applying an encrypted circuit structure (C). A computer program element comprising program code means for performing the method according to any one of claims 1 to 6 when the program is executed on a computer. A computer program product stored on a computer usable medium, comprising a computer readable program means, for causing a computer to perform the method according to any one of claims 1 to 6. A system for processing a source request (OR), comprising:
A customer (O) connected to at least one first entity (H);
At least a computer usage entity (T) connected to said first entity (H);
The customer (O) adds the source request (OR) to the information (I) relating to the source request (OR), creates a first changed request (FMR), and performs the first change. Send at least a portion of the request for payment (FMR) to at least the computer-using entity (T), or to the or each first entity (H), wherein the computer-using entity (T) Deriving a computer-using entity result (CER) from said at least a portion of the modified request (FMR) of said one of said first and second entities; ) Wherein said or each first entity (H) transmits said computer-usage entity result (CER) Wherein deriving at least in part, a first entity results (FER), to transfer at least a portion thereof,
The customer (O) can derive a customer result (CR) from at least a portion of the first entity result (FER);
system. The system of claim 9, wherein the originating request (OR) comprises a function in the form of a form of encryption. 11. The system of claim 10, wherein the function in the form of a cryptographic form comprises a cryptographic circuit structure (C). The system of claim 9, wherein the source request (OR) is part of a mobile code. The source request (OR), the first modified request (FMR), the computer use entity result (CER), and the first entity result (FER) include a portion of encryption. 10. The system according to 9. 14. The system according to any one of claims 9 to 13, wherein the source request (OR) includes one or more of an offer, customer information, and purchase information. The system according to claim 9, wherein the first entity (H) comprises a web server providing service and / or customer information regarding the acceptance of an originating request (OR). The system of claim 9, wherein the customer result (CR) includes first entity information regarding acceptance of an originator request (OR).

Images