JP2021093665A - Key exchange system, information processing device, key exchange method, and program - Google Patents

Abstract

To provide an asynchronous identity-based multi-party key exchange protocol.SOLUTION: A key exchange system includes a transmitting terminal belonging to the same group, one or more receiving terminals, and an auxiliary server that assists in exchanging group keys. The transmitting terminal encrypts a group key with an encryption key provided by the auxiliary server, and transmits a first ciphertext generated so as to be encrypted with an ID-based encryption using the identification information of the receiving terminal to the auxiliary server. The auxiliary server generates a divided ciphertext divided for each of the receiving terminals from the first ciphertext received from the transmitting terminal, and transmits the divided ciphertext to the receiving terminal. The receiving terminal decrypts the divided ciphertext received from the auxiliary server with a user private key corresponding to the identification information of the receiving terminal, and acquires an encryption/decryption key. The receiving terminal requests the auxiliary server to decrypt the encryption group key. The auxiliary server transmits the decrypted group key to the receiving terminal using the decryption key corresponding to the encryption key.SELECTED DRAWING: Figure 9

Description

The present invention relates to a key exchange system, an information processing device, a key exchange method and a program.

In recent years, with the spread of communication tools that enable group conversations, attention has been focused on multi-person key exchange technology that efficiently exchanges keys between multiple people. As one of the multi-party key exchange techniques, a protocol called ID-DMKD is known (see Non-Patent Document 1). ID-DMKD is a synchronous multi-party key exchange protocol, which is a technology in which users exchange keys on a star-type communication network centered on a server to efficiently share keys. Further, since ID-DMKD is an ID-based key exchange protocol, it also has a feature that a public key infrastructure is not required.

Kazuki YONEYAMA, Reo YOSHIDA, Yuto KAWAHARA, Tetsutaro KOBAYASHI, Hitoshi FUJI, Tomohide YAMAMOTO, "Exposure-Resilient Identity-Based Dynamic Multi-Cast Key Distribution", IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 2018 E101.A-6 , pp929-944, 2018.

However, since ID-DMKD is a synchronous protocol, all users in the group need to be online. Therefore, the applicable applications are limited.

One embodiment of the present invention has been made in view of the above points, and an object of the present invention is to realize an asynchronous ID-based multi-party key exchange protocol.

In order to achieve the above object, the key exchange system according to the embodiment includes a first terminal, one or more second terminals belonging to the same group as the first terminal, the first terminal, and the first terminal. A key exchange system including an auxiliary server that assists in exchanging a group key with two terminals, wherein the first terminal encrypts the group key with an encryption key generated by the auxiliary server. An encryption means that generates a first encrypted text in which the encrypted group key is encrypted by ID-based encryption using the identification information of the first or more second terminals after generating the encrypted group key. The auxiliary server has a first transmission means for transmitting the first cipher to the auxiliary server, and the auxiliary server sends the first cipher received from the first terminal to the one or more first. A dividing means for generating a divided code sentence divided for each of the two terminals, and a divided code sentence corresponding to the second terminal to the online second terminal among the above-mentioned one or more second terminals. A second transmitting means for transmitting and a second encryption text received from the second terminal in response to a decryption request from the second terminal are decrypted with a decryption key corresponding to the encryption key. It has 1 decoding means and a 3rd transmission means for transmitting the information decoded by the 1st decoding means to the 2nd terminal, and the 2nd terminal received from the auxiliary server. A second decryption means for decrypting the divided encryption text into the encryption group key by the user private key corresponding to the identification information of the second terminal, and a noise-added encryption in which noise is added to the encryption group key. It is characterized by having a noise adding means for generating a modified group key and a requesting means for requesting the auxiliary server to decrypt the encrypted group key with noise.

An asynchronous ID-based multi-party key exchange protocol can be realized.

It is a figure which shows an example of the whole structure of the key exchange system which concerns on this embodiment. It is a figure which shows an example of the hardware configuration of a computer. It is a figure which shows an example of the functional structure when a communication terminal is a transmission terminal. It is a figure which shows an example of the functional structure when a communication terminal is a receiving terminal. It is a figure which shows an example of the functional structure of the key exchange auxiliary server. It is a figure which shows an example of the functional structure of a private key generation server. It is a flowchart which shows an example of a setup process. It is a flowchart which shows an example of the ID-based private key generation processing. It is a sequence diagram which shows an example of a key exchange process. It is a figure which shows an example of the whole structure of the key exchange system in application example 1. FIG. It is a figure which shows an example of the functional structure of a mail server. It is a sequence diagram which shows an example of mail sending and receiving processing. It is a figure which shows an example of the whole structure of the key exchange system in application example 2. It is a figure which shows an example of the functional structure of a file sharing server. It is a sequence diagram which shows an example of a file sharing process.

Hereinafter, an embodiment of the present invention will be described. In the present embodiment, the key exchange system 1 that realizes the asynchronous ID-based multi-party key exchange protocol will be described. In the asynchronous multi-person key exchange protocol, it is not necessary for everyone in the group to be online when exchanging keys (group keys). For this reason, asynchronous ID-based multi-party key exchange protocols are used not only for synchronous applications (for example, telephone, VPN (Virtual Private Network), online chat, etc.), but also for example, mail, file sharing, offline chat, etc. It can also be applied to asynchronous applications. A group is a set of users who exchange keys.

Further, as described above, by realizing the key exchange protocol based on the ID, a public key infrastructure becomes unnecessary. Therefore, it is not necessary to link the user and the public key with the public key infrastructure, or to manage the certificate by the user.

As a conventional technique of an asynchronous multi-way key exchange protocol, the techniques described in References 1 and 2 below are known.

[Reference 1]
Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner, "On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees", IACR Cryptology ePrint Archive, 2017.
[Reference 2]
Colin Boyd, Gareth T. Davies, Kristian Gjosteen, Yao Jiang, "Offline Assisted Group Key Exchange", International Conference on Information Security 2018, volume 11060 of LNCS, pp.268-285, Springer, 2018.
However, both the multi-person key exchange protocols described in References 1 and 2 above are public key based (ie, a public key infrastructure is required). In addition, in the multi-person key exchange protocol described in Reference 1 above, there is a limit to the number of times key exchange can be performed. For example, applications such as email are considered to use a new group key (that is, to exchange keys) each time a message is received, but it is difficult to predict the total number of messages received in advance. Therefore, it is preferable that there is no limit to the number of times the key can be exchanged.

On the other hand, although the multi-person key exchange protocol described in Reference 2 above does not limit the number of times key exchange can be performed, it does not satisfy MEX security. Therefore, if the user's temporary private key is leaked, The security of the group key is not guaranteed. The MEX security is the security against leakage of both the temporary private key and the long-term private key.

Therefore, in the present embodiment, as an asynchronous ID-based multi-person key exchange protocol, there is no limit to the number of times key exchange can be performed, and the group key is used for the temporary private key and the long-term private key of each user belonging to the group. Assuming that there is a leak other than a combination that can be clearly calculated (for example, a combination of a temporary private key and a long-term private key of the same user, a combination of a master key of a private key generation server and a temporary private key of a certain user, etc.) However, it constitutes a multi-party key exchange protocol in which the security of the group key is not lost.

Further, in the present embodiment, ID-based multi-receiver sign transcription is used as the ID-based cryptography of the multi-party key exchange protocol. As a result, the calculation of the signature part in the ID-based cryptography and the length of the ciphertext can be configured so as not to be proportional to the number of people in the group (the number of users belonging to the group), and efficient multi-person key exchange can be realized. Can be done. For ID-based multi-receiver sign transcription, refer to Reference 3 below, for example.

[Reference 3]
Fagen Li, Hu Xiong, and Xuyun Nie, "A New Multi-Receiver ID-Based Signcryption Scheme for Group Communications", In: Proceedings of International Conference on Communications, Circuits and Systems, pp. 296-300, IEEE CS, 2009.
<Overall configuration>
First, the overall configuration of the key exchange system 1 according to the present embodiment will be described with reference to FIG. FIG. 1 is a diagram showing an example of the overall configuration of the key exchange system 1 according to the present embodiment.

As shown in FIG. 1, the key exchange system 1 according to the present embodiment includes a plurality of communication terminals 10, a key exchange auxiliary server 20, and a secret key generation server 30. Further, each communication terminal 10, the key exchange auxiliary server 20, and the private key generation server 30 are connected so as to be communicable via, for example, a communication network N such as the Internet.

The communication terminal 10 is various terminals used by users who exchange group keys. As the communication terminal 10, for example, a PC (personal computer), a smartphone, a tablet terminal, a telephone, or the like can be used. However, the present invention is not limited to these, and any terminal can be used as the communication terminal 10.

In the present embodiment, the creator of the group (that is, the user who starts the key exchange) is the "sender", the other users belonging to the group are the "receivers", and the communication terminal 10 used by the sender is "transmitted". The "terminal 11" and the communication terminal 10 used by the receiver are also referred to as "reception terminal 12". Further, assuming that the number of receiving terminals 12 is n (n is an integer of 1 or more), when distinguishing each of the receiving terminals 12, "reception terminal 12 _i " (i = 1, ..., N). It is expressed as.

The key exchange auxiliary server 20 is a server device that assists key exchange between communication terminals 10. The key exchange auxiliary server 20 generates, for example, an encryption key for encrypting the group key and a decryption key for decrypting the group key.

The private key generation server 30 is a server device that generates a master private key used for ID-based cryptography and a user private key (ID-based private key).

<Configuration of asynchronous ID-based multi-party key exchange protocol>
Here, the configuration of the asynchronous ID-based multi-party key exchange protocol in the present embodiment will be described. First, in the asynchronous ID-based multi-person key exchange protocol in the present embodiment, the key exchange of the group key is performed by the following procedures 1 to 9. Here, an ID is assigned to each communication terminal 10 and the key exchange auxiliary server 20, and it is assumed that each communication terminal 10 and the key exchange auxiliary server 20 hold an ID-based private key corresponding to their own ID. To do. Further, it is assumed that each communication terminal 10 and the key exchange auxiliary server 20 generate and hold a long-term secret key used for calculating a hash value, which will be described later, in advance. The ID is identification information that identifies each communication terminal 10, its user, and the key exchange auxiliary server 20, and any identification information can be used. As ID, for example, user's e-mail address, SNS (Social Networking Service) user ID, telephone number, address, name, my number, biometric information such as DNA, IP (Internet Protocol) address, MAC (Media Access Control) address , URL (Uniform Resource Locator), credit card number, manufacturing unique number of device or device, etc.

Step 1: The transmitting terminal 11 requests the key exchange auxiliary server 20 for the encryption key. The key exchange auxiliary server 20 generates a pair of an encryption key and a decryption key using the hash value of its own long-term private key and a temporary private key, and transmits the encryption key to the transmitting terminal 11.

Step 2: The transmitting terminal 11 generates a group key to be shared by users in the group, and encrypts the group key using the encryption key and the hash value of its own long-term private key and temporary private key. ..

Step 3: The transmitting terminal 11 encrypts the encrypted group key by ID-based cryptography using the hash value of its own long-term private key and temporary private key and the ID of each recipient belonging to the group. To do. As described above, ID-based multi-receiver sign transcription is used as this ID-based cryptography.

Step 4: The transmitting terminal 11 transmits the ciphertext of the group key encrypted by the ID-based cryptography in the above step 3 to the key exchange auxiliary server 20.

Step 5: The key exchange auxiliary server 20 divides the ciphertext for each recipient, and when each recipient comes online, transmits the ciphertext for the recipient.

Step 6: The receiving terminal 12 decrypts the ciphertext received from the key exchange auxiliary server 20 with its own ID-based private key, and obtains the group key encrypted in step 2 above.

Step 7: The receiving terminal 12 adds noise to the encrypted group key obtained in step 6 above, and requests the key exchange auxiliary server 20 to decrypt the encrypted group key after the noise is added. ..

Step 8: The key exchange auxiliary server 20 decrypts the encrypted group key after adding noise using the decryption key generated in step 1 above, and sends it back to the receiving terminal 12.

Step 9: The receiving terminal 12 receives the group key to which noise is added from the key exchange auxiliary server 20, removes the noise, and obtains the group key.

The group key is shared among the users in the group by the above steps 1 to 9. As shown in steps 1 to 9 above, data is not directly exchanged between the sender and the receiver, so the sender does not need to be online at the same time as other users, and is asynchronous. It can be seen that it is. In addition, since both the long-term private key and the temporary secret key generated on the spot are used in the encryption, key generation, and noise addition parts, either one of the same users' private key (long-term private key or temporary) is used. The group key cannot be calculated only from the private key). Therefore, it can be seen that the high security is satisfied in consideration of the leakage of both the temporary private key and the long-term private key of the user.

Further, since the key exchange auxiliary server 20 is requested to decrypt after adding noise to the group key encrypted in the above procedure 7, the key exchange auxiliary server 20 cannot obtain the group key information. .. Further, the ID-based multi-receiver sign transcription is used in the above procedure 3. As a result, the ID can be used as the user's public key as it is, so a public key infrastructure is not required, and the calculation of the signature part and the length of the ciphertext are not proportional to the number of people in the group, so that efficient key exchange can be performed. Can be done.

In order to perform key exchange according to the above steps 1 to 9, in this embodiment, the following hash function H and ID-based multi-receiver sign cryptography (IBE_Setup, IBE_Extract, IBE_Signcryption, Ciphertext_Division, IBE_Unsigncryption) (see Reference 3) ) And the blind key encapsulation mechanism (KEM_Setup, KEM_Encap, Blind, KEM_Decap, Unblind) (see Reference 2) to construct an asynchronous ID-based multi-way key exchange protocol. Hereinafter, the transmitting terminal 11 is also referred to as A and the receiving terminal 12 _i is also referred to as i, and the _{group key mek is shared between the transmitting terminal 11 and n receiving terminals 12 i} (i = 1, ..., N). The case will be described.

・ Hash function
H (stk, epk) → r: An algorithm that outputs a hash value r by inputting the long-term secret key stk and the temporary secret key epk of the communication terminal 10 or the key exchange auxiliary server 20.

That is, the hash function H generates a pseudo random number value from the long-term secret key and the temporary secret key. In this embodiment, the case where the hash function H is used will be described, but the present invention is not limited to this, and any generation method such as using a twisted pseudo-random function (see Non-Patent Document 1) instead of the hash function H is used. May generate a pseudo-random value from the long-term private key and the temporary private key.

・ ID-based multi-receiver sign transcription
IBE_Setup (1 ^k ) → (msk, Params _IBE ): An algorithm that inputs the security parameter k and outputs the master private key msk for ID-based cryptography and the public information Params _IBE. Here, the public information Params _IBE includes a master public key P _pub , each communication terminal 10 (that is, a transmitting terminal 11 and each receiving terminal 12 _i ), and an ID of the key exchange auxiliary server 20.

IBE_Extract (ID _U , msk) → sk _{U : ID-based private key sk U} of the communication terminal 10 or the key exchange auxiliary server 20 by inputting _{the ID ID U of the} communication terminal 10 or the key exchange auxiliary server 20 and the master private key msk. Is output. Here, U ∈ {A, 1, ..., n, server}, where the key exchange auxiliary server 20 is a server.

IBE_Signcryption (ID ₁ ,…, ID _n , Cap, r) → c _mek : ID ID ₁ ,… ID _{n of} all receiving terminals 12 _i and the encryption of the Blinded Key Encapsulation Mechanism (Blinded KEM) An algorithm that takes the ciphertext Cap of the encryption key and the hash value r as input, and outputs the _{ciphertext c mek in} which the ID-based multi-receiver signature is performed for _{Cap as ID 1} , ... ID _{n. Here, let r = H (stk A} , epk _A ), where stk _A is the long-term private key _{of the transmitting terminal 11 and epk A} is the temporary private key of the transmitting terminal 11.

Ciphertext_Division (c _mek , ID _i ) → c _{mek, i} : Enter the ciphertext c _mek and the ID ID _i of the receiving terminal 12 _i , and input the ciphertext c _mek to each receiving terminal 12 _i (i = 1, ... ·, An algorithm that divides for n) and outputs the ciphertext c _{mek, i for the receiving terminal 12 i in it.}

_{IBE_Unsigncryption (c mek, i, sk} i, ID A, P pub) → Cap: ciphertext c _mek for the receiving terminal 12 _i, and _i, and ID-based private key sk _i of the receiving terminal 12 _i, of the transmitting terminal 11 Entering ID ID _A and public key P _pub , the sender's signature is verified, and if the signature is correct _{, the decryption result Cap of the ciphertext c mek, i} is output, and if the signature is not correct, decryption fails. An algorithm that outputs ⊥ indicating that it has been done.

・ Blind key encapsulation mechanism
KEM_Setup (1 ^k , r) → (ek, dk): An algorithm that inputs the security parameter k and the hash value r and outputs the encryption key pair (encryption key ek and decryption key dk) for KEM. _{Here, r = H (stk server} , epk _server ), where stk _server is the long-term private key _{of the key exchange auxiliary server 20 and epk server} is the temporary private key of the key exchange auxiliary server 20.

KEM_Encap (ek, r) → (Cap, mek): Group key mek and group key mek encrypted with encryption key ek by inputting KEM encryption key ek and hash value r An algorithm that outputs Cap. Here, let r = H (stk _A , epk _A ).

Blind (Cap, r) → (Cap _{blind, i} , bk _{i ): Group key cipher with noise Cap blind, i} with noise added to Cap by inputting Cap and hash value r, and this Outputs the noise removal key bk _{i for removing noise.} Here, long-term private key of the receiving terminal 12 _i to stk _i, as a temporary private key of the receiving terminal 12 _i to _{epk i, r = H (stk} i, epk i) to.

KEM_Decap (Cap _{blind, i} , dk) → mek _{blind, i} : Group key ciphertext with noise Cap _{blind, i} and decryption key dk for KEM are input, and the group key with noise with the cap removed mek _blind, Output _i.

Unblind (mek _{blind, i} , bk _i ) → mek: The group key with noise mek _{blind, i} and the noise removal key bk _i are input, and the group key mek with the noise removed is output.

<Hardware configuration>
Next, the hardware configurations of the communication terminal 10, the key exchange auxiliary server 20, and the private key generation server 30 included in the key exchange system 1 according to the present embodiment will be described. The communication terminal 10, the key exchange auxiliary server 20, and the private key generation server 30 can be realized by the hardware configuration of a general computer (information processing device), and can be realized by, for example, the hardware configuration of the computer 600 shown in FIG. Is. FIG. 2 is a diagram showing an example of the hardware configuration of the computer 600.

The computer 600 shown in FIG. 2 has an input device 601, a display device 602, an external I / F 603, a communication I / F 604, a processor 605, and a memory device 606 as hardware. Each of these hardware is communicably connected via bus 607.

The input device 601 is, for example, a keyboard, a mouse, a touch panel, or the like. The display device 602 is, for example, a display or the like. The computer 600 does not have to have at least one of the input device 601 and the display device 602.

The external I / F 603 is an interface with an external device. The external device includes a recording medium 603a and the like. Examples of the recording medium 603a include a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.

The communication I / F 604 is an interface for connecting to the communication network N. The processor 605 is, for example, various arithmetic units such as a CPU (Central Processing Unit) and a GPU (Graphics Processing Unit). The memory device 606 is, for example, various storage devices such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), a RAM (Random Access Memory), a ROM (Read Only Memory), and a flash memory.

The communication terminal 10, the key exchange auxiliary server 20, and the private key generation server 30 included in the key exchange system 1 according to the present embodiment have, for example, various processes described later by having the hardware configuration of the computer 600 shown in FIG. Can be realized. The hardware configuration of the computer 600 shown in FIG. 2 is an example, and may be another hardware configuration. For example, the computer 600 may have a plurality of processors 605 or may have a plurality of memory devices 606.

<Functional configuration>
Next, the functional configurations of the communication terminal 10 (transmitting terminal 11 and receiving terminal 12), the key exchange auxiliary server 20, and the private key generation server 30 included in the key exchange system 1 according to the present embodiment will be described.

<< Transmission terminal 11 >>
The functional configuration when the communication terminal 10 is the transmission terminal 11 will be described with reference to FIG. FIG. 3 is a diagram showing an example of a functional configuration when the communication terminal 10 is a transmission terminal 11.

As shown in FIG. 3, the transmitting terminal 11 has an encryption key request processing unit 111, a group key generation encryption processing unit 112, and an ID-based signature encryption processing unit 113. Each of these parts is realized, for example, by a process in which one or more programs installed in the transmitting terminal 11 cause the processor to execute.

Further, the transmission terminal 11 has a long-term secret key storage unit 114, a public information storage unit 115, an ID-based secret key storage unit 116, an encryption key storage unit 117, and a group key storage unit 118. Each of these parts can be realized by using, for example, the memory device of the transmission terminal 11.

The encryption key request processing unit 111 requests the encryption key from the key exchange auxiliary server 20. As a result, the transmitting terminal 11 obtains the encryption key ek as a response to this request.

The group key generation encryption processing unit 112 executes the KEM_Encap algorithm to generate the group key mek and the group key cipher statement Cap.

The ID-based signature encryption processing unit 113 executes the IBE_Signcryption algorithm _{to generate the ciphertext c mek} and sends it to the key exchange auxiliary server 20.

The long-term secret key storage unit 114 stores the long-term secret key stk _A. The public information storage unit 115 stores the public information Params _IBE . The ID-based private key storage unit 116 stores the ID-based private key sk _A. The encryption key storage unit 117 stores the encryption key ek. The group key storage unit 118 stores the group key mek.

≪Receiving terminal 12≫
The functional configuration when the communication terminal 10 is the receiving terminal 12 will be described with reference to FIG. FIG. 4 is a diagram showing an example of a functional configuration when the communication terminal 10 is the receiving terminal 12.

As shown in FIG. 4, the receiving terminal 12 has a signature verification / decoding processing unit 121, a noise addition processing unit 122, a decoding request processing unit 123, and a noise removal processing unit 124. Each of these parts is realized, for example, by a process in which one or more programs installed in the receiving terminal 12 cause the processor to execute.

Further, the receiving terminal 12 has a long-term secret key storage unit 125, a public information storage unit 126, an ID-based secret key storage unit 127, a noise removal key storage unit 128, and a group key storage unit 129. Each of these parts can be realized by using, for example, the memory device of the receiving terminal 12.

The signature verification / decryption processing unit 121 executes the IBE_Unsigncryption algorithm to perform _{signature verification and decryption of the ciphertexts c mek and i} , and generates a group key ciphertext Cap.

The noise addition processing unit 122 executes the Blind algorithm to generate a _{noise-added group key cipher statement Cap blind, i} and a noise removal key bk _i.

The decryption request processing unit 123 requests the key exchange auxiliary server 20 to decrypt _{the noisy group key cipher statement Cap blind, i.} As a result, the receiving terminal 12 obtains _{the noisy group key mek blind, i as a result of this request.}

The noise reduction processing unit 124 executes the Unblind algorithm to generate the group key mek.

The long-term secret key storage unit 125 stores the long-term secret key stk _i . The public information storage unit 126 stores the public information Params _IBE . The ID-based private key storage unit 127 stores the ID-based private key sk _i . The noise reduction key storage unit 128 stores the noise removal key bk _i . The group key storage unit 129 stores the group key mek.

≪Key exchange auxiliary server 20≫
The functional configuration of the key exchange auxiliary server 20 will be described with reference to FIG. FIG. 5 is a diagram showing an example of the functional configuration of the key exchange auxiliary server 20.

As shown in FIG. 5, the key exchange auxiliary server 20 includes an encryption key pair generation processing unit 201, a ciphertext division processing unit 202, and a ciphertext decryption processing unit 203. Each of these parts is realized, for example, by a process in which one or more programs installed in the key exchange auxiliary server 20 cause the processor to execute.

Further, the key exchange auxiliary server 20 includes a long-term secret key storage unit 204, a public information storage unit 205, an ID-based secret key storage unit 206, an encryption key pair storage unit 207, a split ciphertext storage unit 208, and a string. It has an attached list storage unit 209. Each of these parts can be realized by using, for example, the memory device of the key exchange auxiliary server 20.

The encryption key pair generation processing unit 201 executes the KEM_Setup algorithm in response to the request from the transmitting terminal 11 to generate the encryption key ek and the decryption key dk, and uses the encryption key ek as a response to this request. It transmits to the transmission terminal 11.

When the ciphertext division processing unit 202 _{receives the ciphertext c mek} from the transmitting terminal 11, it executes the Ciphertext_Division algorithm to generate the ciphertext c _{mek, i that divides the ciphertext c mek} for each receiving terminal 12 _i. Moreover, the ciphertext division processing section 202, when the receiving terminal 12 _i comes online, and transmits the ciphertext c _mek for the receiving terminal 12 _i, a _i to the receiving terminal 12 _i.

Ciphertext decryption processing unit 203, the noise with group key ciphertext Cap _blind, when the decoding of _i is requested from the receiving terminal 12 _i, to generate KEM_Decap algorithm executed by the noise with group key mek _blind, a _i, this As a result of the request, the noisy group key mek _{blind, i} is transmitted to the receiving terminal 12 _i.

The long-term secret key storage unit 204 stores the long-term secret key stk _server . The public information storage unit 205 stores the public information Params _IBE . The ID-based private key storage unit 206 stores the ID-based private key sk _server . The encryption key pair storage unit 207 stores the encryption key pair of the encryption key ek and the decryption key dk. The divided ciphertext storage unit 208 stores the ciphertexts c _{mek and i for each receiving terminal 12 i} . The association list storage unit 209 stores list information in which each communication terminal 10 of the same group, the key exchange auxiliary server 20, and the IDs of each of these communication terminals 10 and the key exchange auxiliary server 20 are associated with each other.

<< Private key generation server 30 >>
The functional configuration of the private key generation server 30 will be described with reference to FIG. FIG. 6 is a diagram showing an example of the functional configuration of the private key generation server 30.

As shown in FIG. 6, the private key generation server 30 has a private key generation processing unit 301. The private key generation processing unit 301 is realized, for example, by a process of causing a processor to execute one or more programs installed in the private key generation server 30.

Further, the private key generation server 30 has a public information storage unit 302, a master secret key storage unit 303, and an association list storage unit 304. Each of these parts can be realized by using, for example, the memory device of the private key generation server 30 or the like.

The private key generation processing unit 301 executes the IBE_Setup algorithm to generate the master private key msk and the public information Params _IBE . Further, the private key generation processing unit 301 executes the IBE_Extract algorithm to generate the ID-based private key sk _U of each communication terminal 10 and the key exchange auxiliary server 20, and transmits the ID-based private key sk U to the corresponding communication terminal 10 or the key exchange auxiliary server 20. To do. U ∈ {A, 1, ..., n, server}.

The public information storage unit 302 stores the public information Params _IBE . The master secret key storage unit 303 stores the master secret key msk. The association list storage unit 304 stores list information in which each communication terminal 10 of the same group, the key exchange auxiliary server 20, and the IDs of each of these communication terminals 10 and the key exchange auxiliary server 20 are associated with each other.

<Processing flow>
Hereinafter, the flow of processing executed by the key exchange system 1 according to the present embodiment will be described.

≪Setup process≫
First, the setup process will be described with reference to FIG. 7. FIG. 7 is a flowchart showing an example of the setup process.

Step S101: The transmitting terminal 11 _{generates its own long-term secret key stk A} and stores it in the long-term secret key storage unit 114. Similarly, the receiving terminal 12 _i generates its own long-term secret key stk _i and stores it in the long-term secret key storage unit 125. Similarly, the key exchange auxiliary server 20 _{generates its own long-term secret key stk server} and stores it in the long-term secret key storage unit 204.

Step S102: The private key generation processing unit 301 of the private key generation server 30 executes IBE_Setup (1 ^{k ) with the predetermined security parameter 1 k} as an input, and generates the master private key msk and the public information Params _IBE. Then, the private key generation processing unit 301 stores the master private key msk in the master secret key storage unit 303, and stores the public information Params _IBE in the public information storage unit 302.

The execution order of steps S101 and S102 is not specified.

Step S103: The private key generation server 30 discloses the public information Params _IBE to each communication terminal 10 and the key exchange auxiliary server 20. _{As a result, the public information Params IBE} is stored in the public information storage unit 115 of the transmission terminal 11, the public information storage unit 126 of each receiving terminal 12, and the public information storage unit 205 of the key exchange auxiliary server 20. The private key generation server 30 may publish the _{public information Params IBE by any method.}

≪ID-based private key generation process≫
Next, the ID-based private key generation process will be described with reference to FIG. FIG. 8 is a flowchart showing an example of the ID-based private key generation process.

Step S201: The key exchange auxiliary server 20 and the private key generation server 30 are listed information in which each communication terminal 10 of the same group, the key exchange auxiliary server 20, and the IDs of each of these communication terminals 10 and the key exchange auxiliary server 20 are associated with each other. Is received via a secure channel. The list information may be received from, for example, the transmitting terminal 11 or from another device or device different from the transmitting terminal 11.

Step S202: Next, the private key generation processing unit 301 of the private key generation server 30 _{inputs the ID ID U} of any one of the communication terminal 10 and the key exchange auxiliary server 20 and the master private key msk as input to IBE_Extract. Execute (ID _U , msk) to generate the ID-based private key sk _U. Here, U ∈ {A, 1,…, n, server}. As a result, the ID-based private key sk _U (U ∈ {A, 1, ..., n, server}) of each communication terminal 10 and the key exchange auxiliary server 20 is generated. ID ID _U is obtained from the list information.

Step S203: Next, the private key generation processing unit 301 of the private key generation server 30 transfers the ID-based private key sk _U generated in step S202 to the corresponding communication terminal 10 or the key exchange auxiliary server 20 as a secure channel. Distribute via. Thus, an ID-based private key ID-based private key sk _A in the storage unit 116, the receiving terminal 12 _i ID-based private key storage unit 127 in the ID-based private key sk _i of the transmitting terminal 11, the key-replacement supporting server 20 _{The ID-based private key sk server} is stored in the ID-based private key storage unit 206 of the above.

≪Key exchange process≫
The key exchange process for exchanging the group key mek between the transmitting terminal 11 and the receiving terminal 12 will be described with reference to FIG. FIG. 9 is a sequence diagram showing an example of the key exchange process.

First, the encryption key request processing unit 111 of the transmission terminal 11 requests the encryption key from the key exchange auxiliary server 20 (step S301).

When the encryption key pair generation processing unit 201 of the key exchange auxiliary server 20 receives the encryption key request, it _{generates a temporary private key epk server} , and then has a security parameter k and a hash value r = H (stk _server , epk _server). ) Is input to KEM_Setup (1 ^k , r) to generate an encryption key pair of the encryption key ek and the decryption key dk (step S302). This encryption key pair is stored in the encryption key pair storage unit 207.

Next, the encryption key pair generation processing unit 201 of the key exchange auxiliary server 20 transmits the encryption key ek to the transmission terminal 11 among the encryption key pairs generated in step S302 above (step S303). The transmitting terminal 11 that has received the encryption key ek stores the encryption key ek in the encryption key storage unit 117.

The group key generation encryption processing unit 112 of the transmission terminal 11 generates the temporary private key epk _A , and then inputs the encryption key ek and the hash value r = H (stk _A , epk _A ) to KEM_Encap (ek, ek, Execute r) to generate the group key cipher statement Cap and the group key mek (step S304).

Next, the ID-based signature encryption processing unit 113 of the transmitting terminal 11 has ID ID ₁ , ... ID _{n of all the receiving terminals 12 i} , the group key ciphertext Cap, and the hash value r = H (stk _A , epk _A ). _{IBE_Signcryption (ID 1} ,…, ID _n , Cap, r) is executed by inputting and, and the _{ciphertext c mek} is generated (step S305).

Next, the ID-based signature encryption processing unit 113 of the transmission terminal 11 transmits the ciphertext c _mek generated in step S305 to the key exchange auxiliary server 20 (step S306).

Ciphertext division processing unit 202 of the key exchange auxiliary server 20 executes receives the ciphertext c _mek, Ciphertext_Division the ID ID _i of the receiving terminal 12 _i this ciphertext c _mek as input (c _mek, ID _i) the Then, the ciphertexts _{c mek and i} are generated by dividing the _{ciphertext c mek} for the receiving terminal 12 _i (step S307). As a result, for each i (i = 1, ..., N), the ciphertext _{c mek, i} in which the ciphertext _{c mek} is divided can be obtained. These ciphertexts c _{mek and i} are stored in the divided ciphertext storage unit 208.

Then, the ciphertext division processing unit 202 of the key exchange auxiliary server 20, if the receiving terminal 12 _i comes online, and transmits the ciphertext c _mek of the receiving terminal 12 for _i, a _i to the receiving terminal 12 _i ( Step S308).

The signature verification / decryption processing unit 121 of the receiving terminal 12 _i that has received the ciphertext c _{mek, i has the ciphertext c mek, i} , its own ID-based private key sk _i , the ID ID _{A of the} transmitting terminal 11, and the public key. IBE_Unsigncryption and P _pub as input _{(c mek, i, sk i} , ID a, P pub) running, performs signature verification and decryption (step S309). As a result, if the signature is correct, the ciphertext c _{mek, i} is decrypted by the group key ciphertext Cap, and if not, ⊥ indicating that the decryption failed is output. In the following, the description will be continued assuming that the group key cipher statement Cap has been obtained.

Next, the noise addition processing unit 122 of the receiving terminal 12 _{i generates a temporary private key epk i} , and then Blind ( _{stk i} , epk _i ) with the group key cipher statement Cap and the hash value r = H (stk i, epk i) as inputs. Cap, r) is executed to _{generate the noisy group key cipher statement Cap blind, i} and the noise removal key bk _i (step S310). The noise reduction key bk _i is stored in the noise removal key storage unit 128.

Next, the decryption request processing unit 123 of the receiving terminal 12 _i requests the key exchange auxiliary server 20 to decrypt _{the noisy group key cipher statement Cap blind, i (step S311).}

Ciphertext decryption processing unit of the key exchange auxiliary server 20 203 with noise group key ciphertext Cap _blind, when receiving the decoding request of _i, the noise with group key ciphertext Cap _blind, as inputs and _i and decryption key dk Execute KEM_Decap (Cap _{blind, i} , dk) and _{decrypt to the noisy group key mek blind, i} (step S312).

Then, the ciphertext decryption unit 203 of the key exchange auxiliary server 20 transmits noise with group key mek _blind obtained in step S312 described _above, the _i to the receiving terminal 12 _i (step S313).

Receiving terminal 12 _i of the noise removal processing unit 124, the noise with group key mek _blind, upon receiving the _i, the noise with group key mek _blind, Unblind (mek _blind and _i and noise removal key bk _i as _{input, i,} bk _i ) is executed to generate a group key mek from which noise has been removed (step S314). As a result, the group key mek can be obtained at _{the receiving terminal 12 i.} The group key mek is stored in the group key storage unit 129.

・ Application example 1
Hereinafter, as an application example 1, a case where the key exchange system 1 according to the present embodiment is applied to send and receive e-mails within a group will be described. In Application Example 1, an e-mail address is assumed as the ID, but the ID is not limited to this, and any other identification information may be used.

<Overall configuration>
First, the overall configuration of the key exchange system 1 in Application Example 1 will be described with reference to FIG. FIG. 10 is a diagram showing an example of the overall configuration of the key exchange system 1 in the application example 1.

As shown in FIG. 10, the key exchange system 1 in the application example 1 further includes a mail server 40. The mail server 40 sends and receives (including forwarding) mail.

<Functional configuration>
Next, the functional configuration of the mail server 40 included in the key exchange system 1 in the application example 1 will be described with reference to FIG. FIG. 11 is a diagram showing an example of the functional configuration of the mail server 40.

As shown in FIG. 11, the mail server 40 has a mail transmission / reception processing unit 401 and a mail data storage unit 402. The mail transmission / reception processing unit 401 receives the mail transmitted from the communication terminal 10 and also transmits the mail stored in the mail data storage unit 402 to the communication terminal 10. The mail data storage unit 402 stores the mail received from the communication terminal 10.

<Flow of mail transmission / reception processing>
Hereinafter, the flow of the mail transmission / reception processing executed by the key exchange system 1 in the application example 1 will be described with reference to FIG. FIG. 12 is a sequence diagram showing an example of mail transmission / reception processing.

First, the key exchange system 1 shares a group key between the transmitting terminal 11 and the receiving terminal 12 by the key exchange process shown in FIG. 9 (step S401).

Transmitting terminal 11, after creating the email the email address of the receiving terminal 12 _i is designated as the destination address, to encrypt the mail using the group key shared in step S401 described above, create an encrypted mail (Step S402). Then, the transmitting terminal 11 transmits this encrypted mail to the mail server 40 (step S403).

When the mail transmission / reception processing unit 401 of the mail server 40 receives the encrypted mail, the mail transmission / reception processing unit 401 saves the encrypted mail in the mail data storage unit 402 (step S404). Then, the mail transmission and reception processing unit 402 of the mail server 40, for example, if the receiving terminal 12 _i comes online, the encrypted electronic mail stored in the mail data storage unit 402 and transmits to the receiving terminal 12 _i (step S405).

When the receiving terminal 12 _i receives the encrypted mail from the mail server 40, the receiving terminal 12 i decrypts the encrypted mail by using the group key shared in the above step S401 (step S406). Thus, in addition to the receiving terminal 12 _i of the specified e-mail address as a destination address without the mail contents can be seen, it is possible to send and receive mail.

・ Application example 2
Hereinafter, as an application example 2, a case where the key exchange system 1 according to the present embodiment is applied to file sharing will be described. In Application Example 2, file sharing is assumed on an in-house file server, and an employee number is assumed as an ID. However, the ID is not limited to this, and any other identification information may be used.

<Overall configuration>
First, the overall configuration of the key exchange system 1 in Application Example 2 will be described with reference to FIG. FIG. 13 is a diagram showing an example of the overall configuration of the key exchange system 1 in the application example 2.

As shown in FIG. 13, the key exchange system 1 in the application example 2 further includes a file sharing server 50. The file sharing server 50 shares a file among a plurality of users.

<Functional configuration>
Next, the functional configuration of the file sharing server 50 included in the key exchange system 1 in the application example 2 will be described with reference to FIG. FIG. 14 is a diagram showing an example of the functional configuration of the file sharing server 50.

As shown in FIG. 14, the file sharing server 50 has a file data storage unit 501. The file data storage unit 501 stores the file transmitted (uploaded) from the communication terminal 10.

<Flow of file sharing process>
Hereinafter, the flow of the file sharing process executed by the key exchange system 1 in the application example 2 will be described with reference to FIG. FIG. 15 is a sequence diagram showing an example of file sharing processing.

First, the key exchange system 1 shares a group key between the transmitting terminal 11 and the receiving terminal 12 by the key exchange process shown in FIG. 9 (step S501).

The transmitting terminal 11 uses the group key shared in step S501 to encrypt a file (electronic file) shared with other users in the group to create an encrypted file (step S502). .. Then, the transmitting terminal 11 transmits (uploads) this encrypted file to the file sharing server 50 (step S503). As a result, the encrypted file is saved in the file data storage unit 501 of the file sharing server 50 (step S504).

Thereafter, the receiving terminal 12 _i downloads the encrypted file stored in the file data storage unit 501 of the file sharing server 50 (step S505), the encrypted file using the group key shared in step S501 described above Is decoded (step S506). As a result, the file can be shared without seeing the contents of the file other than the communication terminal 10 of the users of the same group.

The present invention is not limited to the above-described embodiment disclosed in detail, and various modifications and modifications, combinations with known techniques, and the like are possible without departing from the scope of claims.

1 Key exchange system 10 Communication terminal 11 Sending terminal 12 Receiving terminal 20 Key exchange auxiliary server 30 Private key generation server 111 Encryption key request processing unit 112 Group key generation encryption processing unit 113 ID-based signature encryption processing unit 114 Long-term private key Storage unit 115 Public information storage unit 116 ID-based secret key storage unit 117 Encryption key storage unit 118 Group key storage unit 121 Signing verification / decryption processing unit 122 Noise addition processing unit 123 Decryption request processing unit 124 Noise removal processing unit 125 Long-term secret Key storage unit 126 Public information storage unit 127 ID-based secret key storage unit 128 Noise removal key storage unit 129 Group key storage unit 201 Cryptographic key pair generation processing unit 202 Cryptocurrency division processing unit 203 Cryptographic decryption processing unit 204 Long-term secret key storage unit Department 205 Public information storage unit 206 ID-based secret key storage unit 207 Encryption key pair storage unit 208 Divided code text storage unit 209 Linked list storage unit 301 Private key generation processing unit 302 Public information storage unit 303 Master secret key storage unit 304 string Attached list storage N communication network

Claims (8)

A first terminal, one or more second terminals belonging to the same group as the first terminal, and an auxiliary server that assists the exchange of group keys between the first terminal and the second terminal. Is a key exchange system that includes
The first terminal is
After generating an encryption group key in which the group key is encrypted with the encryption key generated by the auxiliary server, the encryption group key is ID-based encrypted using the identification information of the one or more second terminals. An encryption means that generates the first cipher statement encrypted by
It has a first transmission means for transmitting the first ciphertext to the auxiliary server, and has.
The auxiliary server
A dividing means for generating a divided ciphertext in which the first ciphertext received from the first terminal is divided for each of the one or more second terminals.
A second transmission means for transmitting a divided ciphertext corresponding to the second terminal to the online second terminal among the one or more second terminals.
A first decryption means for decrypting a second ciphertext received from the second terminal with a decryption key corresponding to the encryption key in response to a decryption request from the second terminal.
It has a third transmission means for transmitting the information decoded by the first decoding means to the second terminal.
The second terminal is
A second decryption means for decrypting the divided ciphertext received from the auxiliary server into the encryption group key with the user private key corresponding to the identification information of the second terminal.
A noise addition means for generating a noise-added encryption group key in which noise is added to the encryption group key, and
A requesting means for requesting the auxiliary server to decrypt the encrypted group key with noise, and
A key exchange system characterized by having. The second ciphertext is the noise-encrypted encryption group key.
The first decoding means is
The noise-added encryption group key received from the second terminal is decrypted into a noise-containing group key by the decryption key corresponding to the encryption key.
The third transmission means is
The noise-added group key is transmitted to the second terminal,
The second terminal is
When the noise-added group key is received from the auxiliary server, the noise-removing means for removing noise from the noise-added group key by the noise-removing key for removing the noise added to the encrypted group key by the noise-adding means is provided. The key exchange system according to claim 1, wherein the key exchange system is provided. The encryption means is
After generating the encryption group key using the first random number generated from the long-term secret key and the temporary secret key of the first terminal and the encryption key, the first random number and the 1 The key exchange system according to claim 1 or 2, wherein the first ciphertext is generated by using the identification information of the second terminal. The noise adding means is
Any one of claims 1 to 3, wherein the encrypted group key with noise is generated by using the second random number generated from the long-term secret key and the temporary secret key of the second terminal. The key exchange system described in the section. The auxiliary server
Claims 1 to 1, further comprising a key generation means for generating the encryption key and the decryption key using a second random number generated from the long-term private key and the temporary private key of the auxiliary server. The key exchange system according to any one of 4. An information processing device that assists in the exchange of group keys between a first terminal and one or more second terminals belonging to the same group as the first terminal.
In response to the request from the first terminal, an encryption key and a decryption key are generated using random numbers generated from the long-term secret key and the temporary secret key of the information processing device, and the encryption key is used as described above. A key generation means to be transmitted to the first terminal,
When the first ciphertext of the group key encrypted by the encryption key and the encryption by the ID-based encryption is received from the first terminal, the first ciphertext is transmitted to the first or more first ciphertext. A division means for generating a division ciphertext divided for each of the two terminals,
A first transmission means for transmitting a divided ciphertext corresponding to the second terminal to the online second terminal among the one or more second terminals.
In response to the decryption request from the second terminal, the decryption means for decrypting the noisy second ciphertext received from the second terminal with the decryption key.
A second transmission means for transmitting noise-added information obtained as a decoding result of the decoding means to the second terminal, and a second transmission means.
An information processing device characterized by having. A first terminal, one or more second terminals belonging to the same group as the first terminal, and an auxiliary server that assists the exchange of group keys between the first terminal and the second terminal. Is a key exchange method in a key exchange system that includes
The first terminal is
After generating an encryption group key in which the group key is encrypted with the encryption key generated by the auxiliary server, the encryption group key is ID-based encrypted using the identification information of the one or more second terminals. And the encryption procedure to generate the first cipher statement encrypted by
The first transmission procedure of transmitting the first ciphertext to the auxiliary server is executed.
The auxiliary server
A division procedure for generating a divided ciphertext in which the first ciphertext received from the first terminal is divided for each of the one or more second terminals, and a division procedure.
A second transmission procedure for transmitting a split ciphertext corresponding to the second terminal to the online second terminal among the one or more second terminals, and a second transmission procedure.
A first decryption procedure for decrypting a second ciphertext received from the second terminal with a decryption key corresponding to the encryption key in response to a decryption request from the second terminal.
The third transmission procedure of transmitting the information decoded by the first decoding procedure to the second terminal is executed.
The second terminal
A second decryption procedure for decrypting the divided ciphertext received from the auxiliary server into the encryption group key with the user private key corresponding to the identification information of the second terminal.
A noise addition procedure for generating a noise-added encryption group key in which noise is added to the encryption group key, and
The request procedure for requesting the auxiliary server to decrypt the encrypted group key with noise, and
A key exchange method characterized by performing. A program for causing a computer to function as each means in a first terminal, a second terminal, or an auxiliary server included in the key exchange system according to any one of claims 1 to 5.

Images