JP2865654B1 - Key update method - Google Patents

Abstract

In a system including a base station and a plurality of terminals, only a specific terminal is excluded, and the remaining terminals share an update key as soon as possible. A pre Each terminal holds the first terminal information n _i are relatively prime. As a preparation, the base station determines a key K and a secret key e, and distributes the second terminal information X _i = K ^e modn _i to the corresponding terminal. If to exclude specific terminal T _1, the base station notifies simultaneously to each terminal the _{(n 1, X 1, e} ). Terminal T
Each terminal T _i other than _1, it is possible to obtain the key K with the following procedure. From (n ₁ , n _i ), y _i = 1 / n ₁ mod n _i , y _{k
= 1 / n i mod n 1} (2 ≦ i ≦ 5) satisfy the integer y _i,
y _k , and the integers y _i , y _k and terminal information X _i of terminal _i.
And the terminal information X k of the terminal _k , K ^e = X _i · y _i · n _k +
X _k · y _k · n _i mod n _i · n _k is calculated, and an update key K is obtained from the secret keys e and K ^e . However, terminal T ₁ has (n ₁ , X ₁ , e)
Finding the key K is as difficult as breaking the RSA encryption. Therefore, only by broadcasting (n ₁ , X ₁ , e) from the base station to each terminal, the update key can be shared by the remaining terminals excluding the specific terminal.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for updating an encryption key in a star-type communication system comprising a base station and a plurality of terminals, and more particularly, to a method for securely securing a secret key common to all terminals other than the terminal specified by the base station. It relates to a key update method for delivery.

[0002]

2. Description of the Related Art In a star-type communication system in which a base station manages a plurality of terminals, a base station and a plurality of terminals under the umbrella form a group, and the group shares the same group secret key to perform broadcast cryptographic communication. Consider doing it. Information encrypted using the group secret key can be decrypted only by terminals in the group holding the same secret key.

[0003] In some cases, it may be desired to exclude a specific terminal from this group. This is the case, for example, when a certain terminal in the group is stolen and fraudulent activities such as eavesdropping on encrypted communication using the terminal and transmission of false information are considered. At this time, it is necessary for the base station managing the secret key to remove the stolen terminal as soon as possible, update the group secret key, and share the new secret key only with the remaining terminals. .

FIG. 9 shows a key updating method in a first conventional example for sharing key data with a terminal other than the terminal specified by the base station. In FIG. 9, five terminals T _{1 to} T ₅ indicated by 2 to 6
Hold unique keys k _{1 to} k ₅ , respectively.
Manages the unique keys of all terminals. In this case, for example, the base station 1 to the exclusion of the terminal T _1, will be described to distribute the new common secret key to other terminals T ₂ through T _5.

[0005] First, the base station 1 generates a secret key K, encrypts it using k ₂ to k ₅ as keys, and distributes them to the terminals T _{2 to} T ₅ , respectively. Each of the terminals T _{2 to} T ₅ other than the excluded terminal T ₁ decrypts this using the unique key and obtains the secret key K. In FIG. 9, for example, Ek ₂ (K)
Is a cipher text obtained by encrypting K with a unique key k _2. Since the data on this communication path is encrypted with the unique keys of the terminals T _{2 to} T ₅ , the secret key K generated by the base station 1 is obtained even if the terminal T ₁ eavesdrops on this communication data. Can not do it.

However, in this method, in order to generally exclude one terminal from N terminals, the base station requires (N−
1) The encryption must be performed once and (N-1) data must be transmitted. As the group grows, this task becomes very burdensome for the base station. Further, it is necessary to stop the operations such as the encryption communication in the group until all the stations are updated. However, if the operation stop period until the distribution to the (N-1) stations is completed is long, this is a serious problem.

FIG. 10 shows a key updating method in the second conventional example disclosed in Japanese Patent Publication No. 5-46731. In the second conventional example, a technique of public key encryption is used. In FIG.
Five terminals T ₁ through T ₅ indicated by 6, respectively maintains its own private key _{(e 1, d 1) ~} (e 5, d 5). Here, it is assumed that each secret key (e _i , d _i ) is such that e _i · d _i mod (p−1) = 1 (p is a prime number that is open to the system). The base station 1 manages the public keys p ₁ = g ^e1 mod p,..., P ₅ = g ^e5 mod p of all terminals. Where g is an integer of system public, public key p _i and the system public information g of each terminal,
It is difficult to obtain the secret key (e _i , d _i ) of each terminal from p if the bit length is long, which results in a discrete logarithm problem.
Similar to the conventional example 1, to eliminate the terminal T _1, first, the base station generates a random number R, to generate a key K = g ^R mod p, which from ^{_{Z 2 = p 2 R mod p}} , · .., Z ₅ = p ₅ ^R mod p is obtained and delivered to each of T _{2 to} T ₅ except for the terminal T ₁ . Each terminal i other than the terminal T _1, received Z _i and a private key d _i
, Using the common update key K = Z _i ^di mod p (= (p _i ^R ) ^di mod p = ((g ^ei ) ^di ) ^R mod
p = g ^R mod p).

[0008] Unlike the first conventional example, this method does not allow the base station to know the secret key of each terminal, so that the security can be improved over the first embodiment in that the unauthorized use of the base station can be prevented. ing.

[0009]

However, in the conventional key updating method, in order to exclude one terminal from N terminals, the base station performs (N-1) times of encryption and (N −
1) Data must be transmitted. For example, 10
Consider a case in which one terminal is excluded from the 00 terminals and a new common secret key is shared by the remaining 999 terminals. At this time, in the first and second conventional examples, it is necessary to perform 999 encryption processes and 999 ciphertext transmissions. In any case, these operations are very burdensome for the base station.

[0010] Generally, a terminal is not so high in computational power due to the necessity of realizing it at a small size and at low cost. In such a terminal, it is necessary to update the key at a high speed. In the second conventional example, a terminal needs a modular exponentiation operation with a long bit length in order to obtain a key. Implementing this operation on a terminal having a low computational capacity is a considerable burden, and the processing time required for key update becomes long.

In view of the foregoing, the present invention is a method of excluding only a specific terminal and sharing distribution key information with another terminal, and realizes a key updating method characterized by the following points. With the goal. (1) The traffic from the base station to the terminal is small.

[0012] The time required for encryption processing in the base station is small,
The amount of cipher text sent is small.

The business suspension period until all stations are updated is short. (2) The key can be updated at a high speed by a terminal having a low calculation capability.

The processing at the terminal can be reduced.

[0015]

According to the present invention, in order to solve the above-mentioned problem, a key updating method is provided in a base station at GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≠ j; N
Is to generate a n _i satisfying the number of terminals), as well as stored in the base station as the first terminal information, and distributed to each terminal i, satisfy ^{_{n i <K e <n i}} · n j (K, e ) was determined ^{_{arbitrarily, X i = K e mod n}} i (GCD (X i, n i) = 1) to calculate the, as well as stored in the base station as the second terminal information, each terminal i When distributing and updating the key, the first terminal information _nk and the second terminal information X of the terminal k specified by the base station are
The _k, and notifies simultaneously all terminals from the base station, in all the terminals i excluding terminal k, with n _i and _{n k, y i = 1 /} n k mod n i, y k = 1 / n i mod n _k (i ≠
Integer y _i satisfying k), determine the y _k, the integer y _i, and y _k, a terminal information X _i of the terminal i, and a terminal information X _k of the terminal _{^{k, · K e = X i}} · y i a _{n k + X k · y k} · n i mod n i · n k was calculated and the structure that determine the update key K from the secret key e and K ^e.

With this configuration, the key can be updated only by broadcasting from the base station to all terminals.
Since the business suspension period for key update can be shortened and the processing at the terminal can be reduced, the key can be updated at a high speed on a terminal with low computational power.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION
In a communication system including a base station and N (N is an integer of 2 or more) terminals connected to the base station, the base station stores a first terminal information of the terminal. A side storage unit, a second base station side storage unit that stores second terminal information, the terminal, the terminal information storage unit that stores the first terminal information and the second terminal information, It includes a receiving unit, a first calculating unit, and a second calculating unit.
The first terminal information of a terminal of ≦ i ≦ N is disjoint, that is, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦
N; i is ≠ j) to become integral n _i, second terminal information as an integer secret key ^{_{e, n i <K e <}} n i · n j (1 ≦
i, j ≦ N; i ≠ j), where K is information for generating an update key, the power exponentiation value X _i = K of the secret key e and the modulus of the integer n _i is modulo. K ^e modn _i
(GCD (X _i , n _i ) = 1). (1) In the base station, at the time of key update, the first terminal information _nk and the second terminal information X of the terminal k specified by the base station are updated. _k is taken out from the base station side storage unit and notified to all terminals simultaneously. (2) In all terminals i, the receiving unit sets the first
It receives the terminal information n _k and the second terminal information X _k, (3) in all terminals i excluding terminal k, in the first calculation unit, a first terminal information of the terminal k and the terminal i with n _i and _{n k, y i = 1 /} n k mod n i, y k = 1 / n i mod n k
The integers y _i and y _k that satisfy (i ≠ k) are obtained, and the integers y _i and y _k are _calculated .
y _k , terminal information X _{i of} terminal i, and terminal information X k of terminal _k
From, to calculate the ^{_{K e = X i · y i}} · n k + X k · y k · n i mod n i · n k, (4) in all terminals i excluding terminal k, the second calculated in part, the update key K from the secret key e and K ^e
Is a key update method for obtaining (n _k ,
X _k ) has the effect of enabling key updating at terminals other than terminal k by simply broadcasting.

According to a second aspect of the present invention, there is provided a base station and N units (N is an integer of 2 or more) connected to the base station.
In the key updating device of the communication system including the first terminal, the base station stores a first terminal information of the first terminal.
Base station-side storage means and a second terminal information storing second terminal information.
Base station side storage means, the terminal includes terminal information storage means for storing the first terminal information and the second terminal information, and the i-th (1 ≦ i ≦ N) terminal The first terminal information is disjoint, that is, GCD (n _i , n
_{j) = 1 (1 ≦ i} , j ≦ N; a i ≠ j) to become integral n _i, second terminal information as an integer secret key e, n _i <
When K that satisfies K ^e <n _i · n _j is used as information for generating an update key, the secret key e is exponential and the integer n _i
Modular exponentiation value of K modulo ^{_{X i = K e mod n i}} (GCD
(X _i , n _i ) = 1), and (1) the base station transmits the first terminal information _nk and the second terminal information X _k of the terminal k specified by the base station at the time of key update. Means for taking out from the base station side storage means and notifying all terminals simultaneously. (2) All the terminals i have the first terminal information _nk of the terminal _k and the second terminal information _nk .
A receiving means for receiving the terminal information X _k, (3) in all terminals i excluding terminal k, in the first calculation unit, a first terminal information n _i and n of the terminal k and the terminal i _{Using k} , y _i = 1 / n _k mod n _i , y _k = 1 / n _i mod n _k (i
≠ k) satisfies the integer y _i, determined the y _k, the integer y _i, y _k
When the terminal information X _i of the terminal i, and a terminal information X _k of the terminal k, first compute the ^{_{K e = X i · y i}} · n k + X k · y k · n i mod n i · n k comprising a first calculation means, (4) a key update apparatus comprising a second calculating means which calculates an update key K from the in all terminals i secret key e and K ^e excluding terminal k, each terminal from the base station Has the effect of enabling key updating by terminals other than terminal k only by broadcasting (n _k , X _k ).

According to a third aspect of the present invention, there is provided a base station and N units (N is an integer of 2 or more) connected to the base station.
In a communication system comprising terminals, the base station comprises:
A first base station-side storage unit for storing first terminal information of the terminal; and a second base station-side storage unit for storing second terminal information, wherein the terminal includes the first terminal information. And the second
A terminal information storage unit for storing the terminal information of the first, second, and third calculation units, and a first calculation unit and a second calculation unit.
The first terminal information of the terminal of N) is disjoint, that is, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≠
j) is an integer n _i , and the second terminal information is defined as n _i <K ^e <(max of n _i for an arbitrary integer s (1 ≦ s <N), where the secret key e is an integer. the K satisfying value) ^{s + 1,} when the information for generating the update key, power residue value X _i = K for K modulo the integer n _i and to the secret key e
_{^{e mod n i (GCD (X}} i, n i) = 1) and is, (1) at said base station, at key update, the first terminal information n of the terminal k ₁ to k _s for the base station has identified _k1 and ~n _ks and second terminal information X _k1 to X _ks, removed from the base station-side memory unit notifies simultaneously to all terminals, in all terminals i (2), by the reception unit, the terminal k _{1 to} k _s of first terminal information n _k1 to
n _ks and the second terminal information X _{k1 to} X _ks are received. (3) In all the terminals i except the terminals k _{1 to} k _s , the terminal information n _i of the terminal i is calculated by the first calculation unit. Using the first terminal information n _{k1 to} n _ks of the terminals k _{1 to} k _s , M _i = M / n _i , M _k1
= M / n _k1 ,..., M _ks = M / n _ks (M = n _i · n _{k1 ·····)}
n _ks ; i ≠ k _{1 to} k _s ), and y _i = 1 / M _i mod n _i ,
y _k1 = 1 / M _k1 mod n _k1 ,..., y _ks = 1 / M _ks mod n
_ks , the integers y _i , y _{k1 to} y _ks are obtained, and the integers M _i , M _{k1 to} M _ks , y _i , y _k1 to y _ks , terminal information X _i of the terminal _i , and terminals k _{1 to} k _s Using the terminal information X _{k1 to} X _ks of
K ^e = X _i · M _i · y _i + X _k1 · M _k1 · y _k1 + ... + X _ks · M _ks ·
y _ks mod M is calculated. (4) In all the terminals i except for the terminals k _{1 to} k _s , the second calculation unit calculates the secret key e
And a key update method for determining the update key K from K ^e, the base station to each terminal and (n _k1 ~n _ks) a (X _k1 ~X _ks) only broadcasts, exclude a plurality of terminals Key updating can be performed.

According to a fourth aspect of the present invention, there is provided a base station and N units (N is an integer of 2 or more) connected to the base station.
In a communication system comprising terminals, the base station comprises:
A first base station-side storage unit for storing first terminal information of the terminal; and a second base station-side storage unit for storing second terminal information, wherein the terminal includes the first terminal information. And the second
A terminal information storage unit for storing the terminal information of the first, second, and third calculation units, and a first calculation unit and a second calculation unit.
The first terminal information of the terminal of N) is disjoint, that is, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≠
j) is an integer n _i , and the second terminal information is defined as n _i <K ^e <(max of n _i for an arbitrary integer s (1 ≦ s <N), where the secret key e is an integer. the K satisfying value) ^{s + 1,} when the information for generating the update key, power residue value X _i = K for K modulo the integer n _i and to the secret key e
^e mod n _i (GCD (X _i , n _i ) = 1), and for an arbitrary integer t (1 ≦ t ≦ s), (1) in the base station, when updating the key, the base station the first terminal information n _k1 ~n _kt and second terminal information X _k1 to X _kt of the identified terminal k ₁ to k _t
Is retrieved from the base station side storage unit, and all the terminals are notified at the same time. (2) In the base station, f (1)
≦ f <st) pieces of first terminal information n _{r1 to} n _rf and f pieces of second terminal information X _{r1 to} X _rf are generated and notified to all terminals at once, and (3) all in the terminal i, by the reception unit, the terminal k ₁ first terminal information n _k1 ~n _ks and second terminal information X _k1 to X _ks and the first terminal information n _r1 ~n _rf of to k _s receiving the second terminal information X _r1 to X _rf and, (4) the terminal k ₁
In all terminals i except to k _t, in the first calculation unit, a first terminal information n _k1 ~n _ks and the first terminal information n _i and the terminal k ₁ to k _s of the terminal i first Terminal information n _{r1 of}
Ｎn _rf and the second terminal information X _r1 ＸX _rf , M _i
= M / n _i , M _k1 = M / n _k1 ,..., M _kt = M / n _kt , M
_r1 = M / n _r1 ,..., M _rf = M / n _rf (M = n _i · n
_k1 ···· n _kt · n _r1 ···· n _rf ; i ≠ k _{1 to} k _s ≠ r ₁ to
r _f ), and y _i = 1 / M _i mod n _i , y _k1 = 1 / M _k1 m
od n _k1 ,..., y _kt = 1 / M _kt mod n _kt , y _r1 = 1 / M
_r1 mod n _r1 ,..., y _rf = 1 / M _rf Integers y _i , y _{k1 to} y _ks satisfying the mod n _rf are obtained, and the integers M _i , M _{k1 to} M _kt ,
M _{r1 to} M _rf , y _i , y _k1 to y _kt , y _{r1 to} y _rf Terminal information X _i of terminal _i , terminal information X _{k1 to} X _ks of terminals k _{1 to} k _s , and the terminal information X _r1 to Using X _rf , K ^e = X _i · M _i · y _i + X
_k1 · M _k1 · y _k1 + ... + X _kt · M _kt · y _kt + X _r1 · M _r1 · y _r1
+ ... + X the _{rf · M rf · y rf mod} M is calculated, and (4) in all terminals i except terminal k ₁ to k _t, in the second calculation unit, the secret key e and K ^e a key update method for determining the update key K from the base station to each terminal and (n _k1 ~n _ks) a (X _k1 ~X _ks) only broadcasts, key update to the exclusion of a plurality of terminals Is performed.

The fifth aspect of the present invention is the first aspect of the present invention.
The key update method according to claim 1, wherein the base station is disjoint from the first terminal information of each terminal at the time of key update.
(N, _ni ) = 1 (1 ≦ i ≦ N), and an exponentiation value X = K ^e mod n (GCD (X , n) = 1), and at the arbitrary terminal i, the first calculation unit uses the first terminal information ni of the terminal _i and the integer n to obtain y _i = 1 / n. mod n _i , y = 1 / n _{i An} integer y _i , y that satisfies mod n is obtained, and from the integers y _i , y, terminal information X _i of terminal _i, and X, ^Ke = X _i. y _i · n + X · y · n
The _i mod n _i · n calculated, then in the second calculation unit, wherein is intended to obtain the update key K from the secret key e and K ^e, the base station to each terminal (n, X) the This has the effect that the key can be updated in all terminals only by transmitting the information.

According to a sixth aspect of the present invention, in the key updating method according to the first, third, fourth or fifth aspect, the integer n
Is the product of the prime numbers p and q generated by the base station,
It has the effect of making decryption difficult.

According to a seventh aspect of the present invention, in the key updating method according to the first, third, fourth, or fifth aspect, the first calculation unit of the terminal uses the extended Euclidean algorithm to obtain the integer y. _i and y _k are obtained, and have the effect of calculating at high speed.

According to an eighth aspect of the present invention, in the key updating method according to the first, third, fourth and fifth aspects, the second calculation unit of the terminal uses the Newton-Raphson method to calculate the integer K.
And has the effect of calculating at high speed.

According to a ninth aspect of the present invention, in the key updating method of the first, third, fourth and fifth aspects, the first terminal information is created by the base station, and the base station and the terminal are prepared in advance. Is distributed to the corresponding terminals by the encryption communication means provided in the terminal, and has an effect of safely distributing the first terminal information.

According to a tenth aspect of the present invention, in the key updating method according to the first, third, fourth, or fifth aspect, the base station generates arbitrary secret integers K and e, and First terminal information n of each terminal i stored in the base station side storage unit of
a second terminal information X _i calculated using _i, which is intended to be distributed to each terminal corresponding to the previous key update has the effect of enhancing the safety of the distribution of the terminal information.

[0027] 11. The invention according to the present invention, the key update method according to claim 3 and 4, wherein said information K for generating an update key (maximum value of n _i) ^s <K ^e < It satisfies (maximum value of n _i ) ^{s + 1} , and has an effect of preventing an integer K from being obtained even if a plurality of terminals specified by the base station collect terminal information of each terminal.

According to a twelfth aspect of the present invention, in the key updating method according to the first, fourth, or fifth aspect, when the key updating is performed continuously, the specific terminal k is updated at the i-th key updating. After the simultaneous communication of the terminal information of (i + 1)
Before the second key update, the base station does not calculate the second terminal information using the first terminal information of the terminal k and does not distribute the second terminal information to the terminal k. Is omitted.

According to a thirteenth aspect of the present invention, in the key updating method according to the first, third, fourth, or fifth aspect, the base station comprises:
Second terminal information of terminal j for newly added terminal j;
At the time of key update, the first and second terminal information of the specific terminal i that has performed the simultaneous call is notified, and the terminal j is provided with the first and second calculation units to obtain the update key K. This has the effect of distributing the update key to the terminal.

According to a fourteenth aspect of the present invention, in the key updating method according to the first, third, fourth, or fifth aspect, the first and second base station side storage units of the base station and the first and second base station side storage units are provided. 1,
The second terminal information storage unit is an area that cannot be observed or changed from the outside, and has an effect of preventing the theft of the key and the preparation information from the base station and the terminal.

According to a fifteenth aspect of the present invention, in the key updating method according to the first, third, fourth and fifth aspects, the integer e
Is a secret integer of the base station, and simultaneously notifies the integer e in addition to the terminal information transmitted by the base station at the time of key update, thereby preventing legitimate terminals from collusion before key update and enhancing security. It has the effect of doing.

According to a sixteenth aspect of the present invention, in the key updating method according to the first, third, fourth, or fifth aspect, a version number is added to the key K, and the base station does not have the same version number. The terminal j is notified to the corresponding terminal of the second terminal information of the terminal j and the first and second terminal information of the specific terminal i with which the simultaneous call was made at the time of key update.
The second calculation unit obtains the corresponding version of the key K, and has the effect of enabling the terminal that has failed to be updated to be followed by version management.

[0033] The invention described in claim 17 of the present invention is directed to claim 9.
The key updating method according to the above, wherein the digital signature of the base station is added in the encryption communication means provided in advance in the base station and each terminal, authentication of the base station by the terminal,
It has the effect of enhancing security by detecting falsification of n.

Hereinafter, an embodiment of the present invention will be described with reference to FIGS.
This will be described in detail with reference to FIG.

(First Embodiment) In a first embodiment of the present invention, in a system of a base station and five terminals, in the base station, GCD (n _i , n _j ) = 1 (1 ≦ i) , j ≦ 5; i ≠ j ) to become the first terminal information _{n i (= p i · q} i; p i, q i is secretly shared between each terminal i to the corresponding prime) and a base station ,
The base station arbitrarily determines a key K and a secret key e satisfying n _i <K ^e <n _i · n _j (1 ≦ i, j ≦ N; i ≠ j), and obtains second terminal information X _i = _{^{K e mod n i (GCD (}} X i, n i) = 1) as well as stored in the calculation to the base station, and distributed to each terminal 1-5, at key update, the terminal information of the terminal 1 to eliminate (n ₁ ,
X ₁ ) from the base station to terminals 2 to 5 at the same time.
In ~5 (n _i, n ₁₎ using _{a, y i = 1 / n 1} mod n i, y 1 = 1 / n i mod n 1 (2 ≦ i
≤5) Integers y _i , y ₁ satisfying the following condition are obtained, and from the integers y _i , y ₁ , terminal information X _i of terminal _i, and preparation information X _{1 of} terminal 1, ^Ke = X _i · y _{i · n 1 + X 1 · y} 1 · n i a mod n _i · n ₁ calculates a key update method for determining the update key K from the secret key e and K ^e.

The key update method according to the first embodiment of the present invention includes three steps: system setup, preparation phase, and key update.
Divided into two phases. Hereinafter, a case where the base station manages five terminals will be described for each phase.

FIG. 1 shows a setup of a key updating method according to the first embodiment of the present invention. In FIG. 1, 1
Is a base station, and 2 to 6 are terminals under the control of the base station. Reference numerals 7 to 11 denote storage units in each terminal which cannot be observed or changed from outside.

Each terminal T ₁ , T ₂ , T ₃ , T ₄ , T ₅ is a first terminal.
The terminal information n ₁ , n ₂ , n ₃ , n ₄ , and n ₅ are secretly held in this area, respectively. The first terminal information includes the greatest common divisor GCD (n _i , n) of arbitrary n _i and n _j (i, j = 1 to 5).
n _j ) are set to be relatively prime so that 1 is 1.

On the other hand, the base station secretly stores the first terminal information n _{1 to} n ₅ of each terminal in the storage unit 12 which cannot be externally observed or changed.

FIG. 2 shows a preparation phase of the first embodiment of the present invention. First, the base station 1 determines prime numbers p _i and q _i, and determines a product n _i (= p _i q _i ) of these.
Then, the key K and the secret key e, the first terminal information of all _{^{terminals, GCD (K e mod n i}} , n i) = 1 ^{_{and, n i <K e <n}} i · n j (1 ≦ i, j ≦ 5; i ≠ j). Where the modulo _ni is a prime number p _i , q
Since _i is the product of the probability that _{^{GCD (K e mod n i,}} n i) = 1 is _{satisfied, 1- (1 / p i +} 1 / q i) , and the prime number p _i, q _i of RSA cryptography If the value is set to be sufficiently large to about 100 decimal digits, the above condition is almost satisfied.

Next, the base station 1, the first terminal information n ₁ of the terminal T ₁ modulo obtains a power residue value X ₁ of the key K to the to the e. This is referred to as a second terminal information, and is represented by the formula ^{_{X 1 = K e mod n 1}} (GCD (X i, n i) = 1). Here, mod n ₁ is a symbol indicating the remainder when divided by n ₁ . The base station 1 similarly, obtains a second terminal information X ₂ to X ₅ of the terminal T ₂ through T _5, stores them in the storage unit 12, and distributes the corresponding terminal. The terminal stores this in the storage units 7 to 11, respectively. By the base station 1,
The work in the preparation phase for obtaining and distributing the second terminal information is time-consuming for each terminal, but the base station 1 originally has a large calculation power, and has a long time between the previous key update and the next key update. There is no problem because it only needs to be done when time is available.

FIG. 3 shows a key update phase when the terminal T ₁ is excluded. The base station 1 simultaneously notifies the _first and second terminal information n ₁ and X ₁ and the secret integer e of the terminal T ₁ to be excluded from the storage unit 12 to each terminal. At this time, the terminal T ₂ performs the following calculation using the held first and second terminal information to obtain the key K. (1) a first terminal of the terminal T ₁ and the terminal T ₂ information n _1, n ₂
Using, y ₁ = ₁ / n seek integer y _1, y ₂ satisfying _{2 mod n 1, y 2 =} 1 / n 1 mod n 2, and the integer y _1, y _2, terminal information of the terminal 2 and X _2, the first terminal information X ₁ Prefecture terminal, to calculate the ^{_{K e = X 2 · y 2}} · n 1 + X 1 · y 1 · n 2 mod n 1 · n 2. The integers y ₁ and y ₂ always exist because n ₁ and n ₂ are relatively prime, and can be obtained in polynomial time by the extended Euclidean algorithm, even for a terminal having a small calculation power. (2) from the integer e and K ^e using Newton-Raphson method obtains the update key K.

The above calculation can be performed in the same manner in the terminals T _{3 to} T ₅ , and as a result, a common key K can be shared by T _{2 to} T ₅ .

On the other hand, the terminal T ₁ cannot calculate y ₁ and y ₂ in the above (1) since the information broadcast from the base station and the held terminal information are the same. Therefore, the key K cannot be shared.

FIG. 4 shows the configuration of each terminal for performing the above processing. In FIG. 4, reference numeral 20 denotes a first terminal information storage unit that stores first terminal information, and 21 denotes a first terminal information storage unit.
A second terminal information storage unit that stores the second terminal information delivered from the base station 1 in the preparation phase. Also, 22 is
The broadcast notification receiving unit 23 that receives information distributed from the base station 1 in the key update phase is a first calculating unit that performs the calculation of (1). The first calculation unit 23 obtains the integers y _i and y _j using the first terminal information n _j distributed from the base station 1 and the stored value n _i in the first terminal information storage unit. twenty four
Is the second to perform the calculation of the above (2) in the key update phase
A calculator, wherein, using the output K ^e and the private key e of the first calculation unit performs calculation of (2), determine the key K.

FIG. 5 shows the configuration of the base station. twenty five
Is a first terminal information storage unit that stores first terminal information of all terminals, and 26 is a key generation unit that generates a secret key e, a key K, p _i , q _i, and a product n _i thereof. Reference numeral 27 denotes a terminal information generation unit that generates second terminal information using the output value of the key generation unit and the first terminal information of each terminal. Second terminal information X
_i is calculated modulo the first terminal information n _i of each terminal as a modular exponentiation value of the key K for e, and stored in the second terminal information storage unit 28.

Reference numeral 29 denotes an exclusion terminal designation unit for designating a terminal to be excluded. 30 designates first and second terminal information n _j , X x of the exclusion terminal T _j in the key update phase according to the designation of the exclusion terminal designation unit. _This is a broadcast notification unit that selects _j from the terminal information storage units 25 and 28 and notifies all terminals in a broadcast together with the secret key e.

Next, security in the first embodiment will be described. (1) It is difficult for all terminals to obtain the key K in the preparation phase. In the preparation phase, for example, terminal T ₁
Holds the following two types of information. First terminal information: n ₁ Second terminal information: X ₁ = K ^e mod n ₁ These pieces of information can be considered to correspond to the RSA encryption method and ciphertext, respectively. For this reason, if K and n are set to be sufficiently large, it is difficult to return to RSA encryption and obtain K from them. Note that the secret key e may be disclosed to each terminal in the preparation phase. However, if it becomes clear for the first time in the key update phase, it is possible to prevent the risk that the key K is decrypted by collusion between authorized terminals before the key update. It is considered more secure. Here, by setting the secret key e to a small fixed value, the amount of calculation of the terminal can be reduced. For example, e = 3 which is the minimum in the RSA encryption can be used. Further, it is necessary to store the first terminal information in a large number enough to counter the brute force attack. (2) It is difficult for the excluded terminal T ₁ to obtain the key K even in the key update phase. Information terminal T ₁ which is eliminated in the key update phase is retained, in addition to the above (1), only the private key e. Therefore, finding K by solving X ₁ = K ^e mod n ₁ results in RSA encryption if K and n are sufficiently large, and it becomes difficult to find K from these.

FIG. 6 shows a configuration at the time of key update in the case where periodic key update is performed by the above method. The base station obtains n that is relatively prime to the first terminal information of all terminals, and calculates X = K ^e mod n. Then, the terminals n and X and the secret key e are notified to all terminals simultaneously. At this time, the terminal T ₁ performs the following calculation using the held first and second terminal information n ₁ and X ₁ to obtain the key K. (1) using the first terminal information n ₁ and deployed n of the terminal T _1, obtaining the integer y _1, y satisfying _{y 1 = 1 / n mod n} 1, y = 1 / n 1 mod n . Integers y ₁ , y is n ₁ , n
Are necessarily prime to each other, and therefore, they can be obtained in polynomial time by the extended Euclidean algorithm even if the terminal has a small calculation power. Integers y ₁ , y
When the first terminal information n ₁ of the terminal T _1, the second terminal information X ₁
Using the distributed X and the integer n, calculate K ^e = X · y · n ₁ + X ₁ · y ₁ · n mod n ₁ · n. The integers y ₁ and y always exist because n ₁ and n are relatively prime, and can be obtained in polynomial time by the extended Euclidean algorithm, even for a terminal having less computational power. Here, K ^e is, because it meets the K ^e <n ₁ · n, it is possible to ignore the mod n ₁ · n. (2) a second terminal of the terminal T ₁ and the terminal T ₂ information X _1, X ₂
And an integer e and K ^e, obtains the update key K by using the Newton-Raphson method.

The above calculation can be performed in the same manner at the terminals T _{2 to} T ₅ , and as a result, the key K common to all the terminals
Can be shared. Each terminal performs the same procedure whether excluding a specific terminal or updating the key periodically,
The processing at the terminal is simplified. In addition, since the cause of the key update is not known at the terminal, the security of the entire system is improved.

[0051] In addition, in the preparation phase after the key update to the exclusion of the terminal T _1, it is possible to continue to eliminate the terminal T _1. This is, for example, when five terminals share a common secret key and perform encrypted communication within a group,
First love terminal T ₁ is to theft, this corresponds to share a new common secret key in the rest of the 4 terminal. Next, there is a scenario in which the terminal T ₂ is further stolen, and both the terminals T ₁ and T ₂ need to be excluded to share the next common key.

For this purpose, in the preparation phase after the elimination of the terminal T ₁ , the base station 1 does not obtain the second terminal information of the terminal T ₁ . In the next key update phase, the terminal T _1, in order not to hold the second terminal information of its own, can not be determined a new key. However, of course, during this preparation phase,
Base station seeking second terminal information of the terminal T _1, when distributed to the terminal T _1, including the terminal T ₁ again at the next key update phase to update the new key, eliminating the only terminal T ₂ Is also possible.

In the first embodiment, the second terminal information of each terminal is generated by the base station and delivered to each terminal in the preparation phase. However, this is generated by another organization and transmitted to the base station. It may be delivered to the terminal. Instead of distributing, a plurality of items stored in advance may be sequentially used for key update.

The encryption communication means may use secret key encryption or public key encryption. However, the use of public key cryptography enhances security against unauthorized use of the base station 1 because the base station 1 holds only the public key of each terminal. If a digital signature of the base station is added to the cryptographic communication means provided between the base station and each terminal, the terminal can be authenticated by the terminal and a tampering attack by n by a third party can be detected. , Safety is enhanced.

Also, a version number is added to the key K, and the base station sends to the terminal j whose version number does not match the second terminal information of the terminal j and the first terminal of the specific terminal i that has performed a simultaneous call at the time of key update. And the second terminal information is notified to the corresponding terminal, and in the terminal j, the first and second calculation units determine the key K of the corresponding version. Follow becomes possible.

As described above, according to the first embodiment of the present invention, in a system of a base station and a plurality of terminals, a key update method is performed in such a manner that GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≠ j) First terminal information _ni is generated and stored in the base station, and is distributed to each terminal. _Ni < ^Ke < _ni · _nj arbitrarily determine the key K and the secret key e satisfying, the second terminal information ^{_{X i = K e mod n i}} (GCD (X i, n i) = 1) with the calculated stored in the base station , Distributed to each terminal, and the terminal information (n ₁ ,
The X _1), and notifies simultaneously to each terminal from the base station, using at each terminal _{(n i, n 1),} y i = 1 / n 1 mod n i, y 1 = 1 / n i mod n 1 Integers y _i , y ₁ satisfying the following conditions are obtained. From the integers y _i , y ₁ , the notified X _1, and the preparation information X _i of the terminal i, ^Ke = X _i y _i n ₁ + X ₁ the _{· y 1 · n i mod n} i · n 1 was calculated, since a configuration for obtaining the update key K from the integer e and K ^e using Newton-Raphson method, (n ₁ from the base station to each terminal, X _By simply broadcasting ₁ ), one terminal can be excluded, and the remaining terminals can update and share a new key.

(Second Real Rotation Form) In the second embodiment of the present invention, in a system of a base station and five terminals, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ 5; as well as stored in i ≠ j) to become generating a first terminal information n _i to base station, and distributed to each terminal T ₁ through T _5, 2 sets the number of theft stations to eliminate as (the maximum value of n _i) ² <(maximum value of n _i) K ^{e <3} determines arbitrarily the key K and the secret key e satisfying, the second terminal information ^{_{X i = K e mod n i}} ( GCD (X _i , n _i ) = 1) is calculated and stored in the base station, and each terminal T _{1 to} T ₅ is calculated.
, And at the time of key update, terminal information (n ₁ , X ₁ ) and (n ₂ , X ₂ ) of the terminals T ₁ and T ₂ to be excluded are broadcast from the base station to all terminals simultaneously, and the terminal T ₃ through T ₅ by the (n _i, X _i) is notified as _{(n 1, X 1),} (n 2, X 2) _{using, M i = M / n i} , M 1 = M / n 1, M ₂ = M / n ₂ (M = n _i · n ₁ · n ₂ ; i ≠ 1,2) is obtained, y _i = 1 / M _i mod n _i , y ₁ = 1 / M ₁ mod n ₁ , integer y _i satisfying _{y 2 = 1 / M 2 mod} n 2, determine the y _1, y _2, the integer M _i,
Using M ₁ , M ₂ , y _i , y ₁ , y ₂ , preparation information X _i of terminal _i, and preparation information X ₁ , X ₂ of terminals T ₁ , T ₂ , ^Ke = X _i · M _{i · y i + X 1 · M} 1 · y 1 + X 2 · M 2 · y 2 a mod M calculated by obtaining update key K from the secret key e and K ^e, key update method that can simultaneously eliminate the two terminal It is. It is possible to eliminate any number of units by pre-set the number of theft stations at the time of generation of K ^e. For example, if X _i1 for excluding one unit and X _it for excluding t units are shared between the base station and the terminal in advance, excluding t units can be performed freely. In a system in which collusion between the theft stations cannot occur, the range of K ^e may be set to _ni <K ^e <(maximum of n _i ) ³ , and the range of K ^e may be increased. be able to.

The system setup and preparation phase of the second embodiment is the same as that of the first embodiment.

FIG. 7 shows a case where the terminals T ₁ and T ₂ are excluded. Base station 1, the first store has the terminal T _1, the second terminal information n _1, X ₁ and secret integer e, further first terminal T _2, the second terminal information n _2, X ₂ Notify all at once. At this time, the terminal T ₃ is notified (1) that the terminal T ₃ holds (n ₃ , X ₃ ) using the first and second terminal information held (n ₁ , X ₂ ). X ₁ ) and (e ₂ , X ₂ ), M ₁ = M / n ₁ , M ₂ = M / n ₂ , M ₃ = M / n ₃ (M = n ₁ · n ₂ · n ₃ ) , And integers y ₁ , y ₂ , and y ₃ satisfying y ₁ = 1 / M ₁ mod n ₁ , y ₂ = 1 / M ₂ mod n ₂ , and y ₃ = 1 / M ₃ mod n ₃ . Integers y ₁ , y ₂ ,
y ₃ always exists because n ₁ , n ₂ , and n ₃ are relatively prime, and can be obtained in polynomial time by the extended Euclidean algorithm, even for a terminal having a small calculation power. The integers M ₁ , M ₂ , M ₃ and y ₁ , y ₂ , y ₃ , the terminal T
_Using the second terminal information X ₃ of the _third terminal and the second terminal information X ₁ and X ₂ of the terminals T ₁ and T ₂ , ^Ke = X ₁ · M ₁ · y ₁ + X ₂ · M ₂ · y Calculate ₂ + X ₃ · M ₃ · y ₃ mod M.

(2) From the above K ^e and secret key e, Newton-Ra
The update key K can be obtained by using the phson method.

The above calculation can be performed in the same way for the remaining terminals T ₄ and T ₅ , and as a result, the terminals T _{3 to} T ₅ can obtain the key K. On the other hand, the terminals T ₁ and T ₂ cannot obtain the key K. Therefore by eliminating the terminal T ₁ and the terminal T ₂ simultaneously, it is possible to share the update key in the rest of the terminal.

FIG. 8 shows a second method for simultaneously eliminating two terminals.
In the embodiment, the case where only one terminal is excluded is shown.

The base station 1 obtains n which is relatively prime to the first terminal information n _{i of} all terminals, and calculates X = K ^e mod n. If to eliminate only the terminal T _1, the base station,
First memory to which the terminal T _1, the second terminal information n ₁ and X ₁
And e and the X and n are notified to all terminals simultaneously.

At the terminal T ₂ , M = M / n, M ₁ = M / n ₁ , M ₂ = M / n ₂ (M = n · n ₁ · n ₂ ) and integers y, y ₁ and y ₂ satisfying y = 1 / M mod n, y ₁ = 1 / M ₁ mod n ₁ and y ₂ = 1 / M ₂ mod n ₂ , The integers M, M ₁ ,
M ₂ and y, y ₁ , y ₂ , second terminal information X _{2 of} terminal T ₂ ,
Using the notified ^{_{X 1, X, K e =}} X · M · y + X 1 · M 1 · y 1 + X 2 · M 2 · y 2 mod M is calculated, and updates key K from the secret key e and K ^e Ask for. The above calculations can be performed in the same way for the remaining terminals T _{3 to} T ₅ , and as a result, the terminals T _{2 to} T ₅ can obtain the key K. On the other hand, the terminal T ₁ cannot obtain the key K.
Therefore, the common update key can be shared by the remaining terminals.

In this way, the terminal T ₁ alone can be excluded, and the remaining terminals can share a common update key. It is possible to eliminate any number of units by pre-set the number of theft stations at the time of generation of K ^e. For example, X _it for excluding t units is shared in advance between the base station and the terminal, and when the number of stolen stations is known, they become as simple as possible (X, n),
If (X ′, n ′)... Are generated and delivered, up to t units can be eliminated freely.

[0066] As in the first embodiment, also in the second _{embodiment, GCD (n, n i)} = with 1 (i = 1 to 5), the periodic update of the update key It is possible to do.

[0067] Further, it is described to eliminate the specific terminal in the above description, when a new terminal T ₆ that holds the first terminal information n ₆ secret has been added, the second to the terminal by distributing the terminal information X _6, it is possible to perform additional and exclusion of terminals simultaneously. That is, the terminal T ₆ can calculate the update key from its own second terminal information X ₆ , the first and second terminal information of the excluded terminal, and the secret key e. Of course, the base station encrypts the latest update key K using the first terminal information n ₆ of the new terminal, and as a result, En ₆
The (K) may be distributed to the terminal T _6.

As described above, according to the second embodiment of the present invention, the key updating method is performed in a system of a base station and five terminals, where GCD (n _i , n _j ) = 1 in the base station. (1 ≦ i, j ≦ 5; i ≠ j) First terminal information _ni is generated and stored in the base station, and the number of theft stations to be distributed to each terminal T _{1 to} T ₅ and eliminated. And the secret key e that satisfies (maximum value of n _i ) ² <K ^e <(maximum value of n _i ) ³ is determined, and the second terminal information X _i = K ^e mod n _i (GCD (X _i , n _i ) = 1) is calculated and stored in the base station, and each terminal T _{1 to} T ₅ is calculated.
, And at the time of key update, terminal information (n ₁ , X ₁ ) and (n ₂ , X ₂ ) of the terminals T ₁ and T ₂ to be excluded are broadcast from the base station to all terminals simultaneously, and the terminal T ₃ through T ₅ by the (n _i, X _i) is notified as _{(n 1, X 1),} (n 2, X 2) _{using, M i = M / n i} , M 1 = M / n 1, M ₂ = M / n ₂ (M = n _i · n ₁ · n ₂ ; i ≠ 1,2) is obtained, y _i = 1 / M _i mod n _i , y ₁ = 1 / M ₁ mod n ₁ , integer y _i satisfying _{y 2 = 1 / M 2 mod} n 2, determine the y _1, y _2, the integer M _i,
Using M ₁ , M ₂ , y _i , y ₁ , y ₂ , terminal information X i of terminal _i, and preparation information X ₁ , X ₂ of terminals T ₁ , T ₂ , ^Ke = X _i · M _{i · y i + X 1 · M} 1 · y 1 + X 2 · M 2 · y 2 a mod M calculated by obtaining update key K from the secret key e and K ^e, and configured to simultaneously eliminate the two terminal Therefore, by simply broadcasting (n ₁ , X ₁ ) and (n ₂ , X ₂ ) from the base station to each terminal, the two terminals can be eliminated simultaneously. Further, by extending this method, three or more terminals can be eliminated, and further, an arbitrary number of terminals equal to or less than a predetermined number can be eliminated.

[0069]

As described above, according to the present invention, the key update method in the base station is GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≠ j). 1, the terminal information n _i (= p _i q _i ; p _i , q _i are prime numbers) is secretly shared between the base station and each corresponding terminal i,
The base station arbitrarily determines a key K and a secret key e satisfying n _i <K ^e <n _i · n _j (1 ≦ i, j ≦ N; i ≠ j), and obtains second terminal information X _i = _{^{K e mod n i (GCD (}} X i, n i) = 1) as well as stored in the calculated base station, and distributed to each terminal 1 to n, at the time of key update, the terminal k by a base station specific terminal information (n _k, X _k) a notification simultaneously from the base station to the terminal 1~N and, using a terminal other than the terminal k and _{(n i, n k),} y i = 1 / n k mod n i, y _k = 1 / n _i mod n _k (i ≠
Integer y _i satisfying k), determine the y _k, the integer y _i, and y _k, a terminal information X _i of the terminal i, and a terminal information X _k of the terminal _{^{k, · K e = X i}} · y i the _{n k + X k · y k} · n i mod n i · n k calculated, since a configuration that obtains the update key K from the secret key e and K ^e, (n _k from the base station to all the terminals, X _k ), The same update key can be obtained at the remaining terminals by excluding one terminal, and the effect that the business suspension period for key update can be shortened can be obtained.

Further, the key update method is defined as an integer n that satisfies GCD (n, n _i ) = 1 (1 ≦ i ≦ N), which is relatively prime to the first terminal information of each terminal when the base station updates the key. , X = K ^e mod n (GCD (X _i , n) = 1) to each terminal at once, and at terminal i, using ( _ni , n), y _i = 1 / n mod n _i , y = 1 / n _i mod n (1 ≦ i ≦
N), integers y _i , y satisfying the following are obtained. From the integers y _i , y, the preparation information X _i of the terminal i, and the notified X _k , ^Ke = X _i・ y _{i nk} + XＸ. Since y · n _i mod n _i · n is calculated and the update key K is obtained from the secret keys e and K ^e , it can also be used for periodic update in which all terminals can obtain the update key. The base station does not need to be conscious of excluding a specific terminal or at the time of periodic updating, and has the effect of simplifying processing and improving security.

[0071] Also, the key update method, the base _{station, GCD (n i, n j} ) = 1 (1 ≦ i, j ≦ N; i ≠ j) to generate a composed first terminal information n _i with storage in the base station, and distributed to each terminal 1 to n, (maximum value of n _i) the number of stolen station as two to eliminate ² <K ^e <(maximum value of n _i) key meeting the ³ K and determine arbitrarily the secret key e, a second terminal information ^{_{X i = K e mod n i}} (GCD (X i, n) = 1) with storing the calculation to the base station, each terminal 1 N and the terminal k and the terminal m specified by the base station at the time of key update.
The terminal information (n _k , X _k ) and (n _m , X _m ) of the terminal k are simultaneously reported from the base station to all terminals, and (n _i , X _m )
Using (n _k , X _k ) and (n _m , X _m ) notified as X _i , M _i = M / n _i , M _k = M / n _k , M _m = M / n _m ( M = n _i · n _k · n _m ; i ≠ k, m), y _i = 1 / M _i mod n _i , y _k = 1 / M _k mod n _k , y _m = 1 / M _m mod n _m integer satisfying the y _i, y _k, determine the y _m, the integer M _i,
Using M _k , M _m , y _i , y _k , y _m , terminal information X i of terminal _i, and terminal information X _k , X _m of terminals k and m, ^Ke = X _i · M _i · y the _{i + X k · M k ·} y k + X m · M m · y m mod M calculated by obtaining update key K from the secret key e and K ^e, has a configuration that simultaneously eliminates two terminals Therefore, the base station sends (n _k , X _k ) and (n _m ,
X _m ) can be eliminated simultaneously by simply broadcasting X _m ).

[Brief description of the drawings]

FIG. 1 is a diagram showing a setup in a key updating method according to a first embodiment of the present invention;

FIG. 2 is a diagram showing a preparation phase in the key update method according to the first embodiment;

[3] In the key update method according to the first embodiment, shows the key update phase to eliminate the terminal T _1,

FIG. 4 is a diagram showing a configuration of each terminal in the key updating method according to the first embodiment;

FIG. 5 is a diagram showing a configuration on a base station side in a key updating method according to the first embodiment;

FIG. 6 is a diagram showing a key update phase in the case of a periodic update in the key update method according to the first embodiment;

FIG. 7 is a diagram showing a key update phase when specific terminals T ₁ and T ₂ are simultaneously excluded in the key update method according to the second embodiment;

FIG. 8 is a diagram showing a key update phase when only a specific terminal T ₁ is excluded in the second embodiment;

FIG. 9 is a diagram showing a key updating method in a first conventional example,

FIG. 10 is a diagram showing a key updating method in a second conventional example.

[Explanation of symbols]

1 base station 2-6 terminal T ₁ through T ₅ 7 to 11 first terminal storage unit 20 of the storage unit 12 base station in the terminal information storing section 21 and the second terminal information storage unit 22 broadcast notification receiving unit 23 first Calculation unit 24 second calculation unit 25 first terminal information storage unit (base station) 26 key K, p, q, n generation unit 27 second terminal information calculation unit 28 second terminal information storage unit (base station) Station) 29 Excluded terminal designation section 30 Broadcast notification section

Continuation of the front page (56) References Natsume Matsuzaki, Jun Anzai “Group Key Update Method Suitable for Mobile Communication (III)” IEICE Technical Report, Vol. 611, (March 18, 1998), p. 57-62 (ISEC97-74) Natsume Matsuzaki, Jun Anzai "Group Key Update Method Suitable for Mobile Communication (II)" IEICE Technical Report, Vol. 611, (March 18, 1998), p. 51-56 (ISEC97-73) Natsume Matsuzaki, Jun Anzai “Group Key Update Method Suitable for Mobile Communication (I)” 1998 Symposium on Cryptography and Information Security (January 28-31, 1998), SCIS'98 − 5.2. E (58) Field surveyed (Int.Cl. ⁶ , DB name) G09C 1/00-5/00 H04K 1/00-3/00 H04L 9/00-9/38 H04B 7/24-7/26 H04Q 7/02-7/38 INSPEC (DIALOG) JICST File (JOIS)

Claims (17)

(57) [Claims] 1. In a communication system including a base station and N (N is an integer of 2 or more) terminals connected to the base station, the base station stores first terminal information of the terminal. A first base station-side storage unit for storing second terminal information; and a second base station-side storage unit for storing second terminal information.
And a terminal information storage unit for storing the second terminal information and the second terminal information, a reception unit, a first calculation unit, and a second calculation unit, and the i-th (1 ≦ i ≦ N) terminal The first terminal information is an integer n _i that is relatively prime, that is, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≦ j), and the second terminal information Is a secret key e as an integer, and K that satisfies n _i <K ^e <n _i · n _j (1 ≦ i, j ≦ N; i ≠ j) is used as information for generating an update key. K that is the power of the secret key e and modulo the integer n _i
Modular exponentiation value ^{_{X i = K e mod n i}} (GCD (X i, n i) = 1) and is, (1) at said base station, at key update, the first terminal k to the base station has identified The terminal information n _k and the second terminal information X _k of the terminal _k are taken out from the base station side storage unit and are simultaneously notified to all terminals. (2) In all terminals i, the reception unit Receiving the first terminal information _nk and the second terminal information _Xk , and (3) all the terminals i except the terminal k
Then, in the first calculation unit, the terminal i and the terminal k
The first terminal information n _i and n _k with y _i = 1 / n _k mod n _{i of, y k = 1 / n i} mod n k (i ≠
k) become integers y _i, determined the y _k, the integer y _i, and y _k, a terminal information X _i of the terminal i, and a terminal information X _k of the terminal _{^{k, · K e = X i}} · y i the _{n k + X k · y k} · n i mod n i · n k calculated, (4) in all terminals i excluding terminal k, in the second calculation unit, updates from the secret key e and K ^e A key updating method, wherein a key K is obtained. 2. A key updating apparatus for a communication system comprising a base station and N (N is an integer of 2 or more) terminals connected to the base station, wherein the base station is a first terminal of the terminal. First base station-side storage means for storing information; and second base station-side storage means for storing second terminal information, wherein the terminal comprises the first terminal information and the second terminal information. And terminal information storage means for storing the i-th (1 ≦ i ≦
First terminal information of the terminal of N) are relatively prime, _{i.e., GCD (n i, n j} ) = 1 (1 ≦ i, j ≦ N; a i ≠ j) to become integral n _i, When the secret key e is an integer and K that satisfies n _i <K ^e <n _i · n _j is information for generating an update key, the second terminal information assumes that the secret key e is exponential. K modulo the integer n _i
Modular exponentiation value ^{_{X i = K e mod n i}} (GCD (X i, n i) = 1) and is, (1) the base station, when the key update, the first terminal k to the base station has identified Means for extracting terminal information n _k and second terminal information X _k from the base station side storage means and notifying all terminals simultaneously (2) All terminals i a receiving means for receiving the terminal information n _k and the second terminal information X _k, (3) in all terminals i excluding terminal k, in the first calculation unit, first the terminal k and the terminal i terminal information n _i and n _k the _{y i = 1 / n k mod} n i _{using, y k = 1 / n i} mod n k (i ≠
Integer y _i satisfying k), determine the y _k, the integer y _i, and y _k, a terminal information X _i of the terminal i, and a terminal information X _k of the terminal _{^{k, · K e = X i}} · y i _{n k + X k · y k} · n i comprising a first calculating means for calculating a _{mod n i · n k, (} 4) update key from said at every terminal i secret key e and K ^e except terminal k K A key updating device comprising: a second calculating unit that obtains 3. In a communication system including a base station and N (N is an integer of 2 or more) terminals connected to the base station, the base station stores first terminal information of the terminal. A first base station-side storage unit for storing second terminal information; and a second base station-side storage unit for storing second terminal information.
And a terminal information storage unit for storing the second terminal information and the second terminal information, a reception unit, a first calculation unit, and a second calculation unit, and the i-th (1 ≦ i ≦ N) terminal The first terminal information is an integer n _i that is relatively prime, that is, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≦ j), and the second terminal information is an integer of the secret key e, (the maximum value of ^{_{n i) n i <K e}} < for any integer s (1 ≦ s <n) of K satisfying ^{s + 1,} to generate an update key , The secret key e is exponential and the integer n _i is modulo K
Modular exponentiation value ^{_{X i = K e mod n i}} (GCD (X i, n i) = 1) and is, (1) at the base station, the key at the time of update, the terminal k ₁ to k of said base station has identified _s first terminal information n _k1 to
n _ks and second terminal information X _{k1 to} X _ks are taken out from the base station side storage unit and are simultaneously notified to all terminals. (2) In all terminals i, the reception units are used for the terminals k ₁ to X _ks. the first of k _s 1
Receives the terminal information n _k1 ~n _ks and second terminal information X _k1 ~X _ks, (3) in all terminals i except terminal k ₁ to k _s, in the first calculation unit, the terminal i using the terminal information n _i first terminal information n _k1 ~n _ks of the terminal _{k 1 ~k s, M i =} M / n i, M k1 = M / n k1, · · · M ks = M / n _ks (M = n _i · n _{k1 ····} n _ks ; i ≠ k ₁ ~
k _s ), and y _i = 1 / M _i mod n _i , y _k1 = 1 / M _k1 mod n _k1 ,..., y _ks = 1 / M _ks mod n _ks , integers y _i , y _k1 . y _ks is _calculated and the integers M _i , M
_k1 ~M _ks and y _i, y _k1 ~y _ks, a terminal information X _i of the terminal i,
Using the terminal information X _k1 ~X _ks of the terminal ^{_{k 1 ~k s, K e =}} X i · M i · y i + X k1 · M k1 · y k1 + ... + X ks · M ks ·
Calculate the y _ks mod M, and wherein the determination of the (4) terminal k ₁ In all terminals i except to k _s, in the second calculation unit, update key K from the secret key e and K ^e Key update method to use. 4. In a communication system including a base station and N (N is an integer of 2 or more) terminals connected to the base station, the base station stores first terminal information of the terminal. A first base station-side storage unit for storing second terminal information; and a second base station-side storage unit for storing second terminal information.
And a terminal information storage unit for storing the second terminal information and the second terminal information, a reception unit, a first calculation unit, and a second calculation unit, and the i-th (1 ≦ i ≦ N) terminal The first terminal information is an integer n _i that is relatively prime, that is, GCD (n _i , n _j ) = 1 (1 ≦ i, j ≦ N; i ≦ j), and the second terminal information is an integer of the secret key e, any relative integer s (1 ≦ s <n) , the n _i <K ^e <(maximum value of n _i) ^{s + 1} satisfy K, to generate the update key The secret key e and the integer n _i modulo K
Power residue value X _i = K ^e mod n _i (GCD (X _i , n _i ) = 1), and for any integer t (1 ≦ t ≦ s), (1)
In the base station, at key update, the first terminal information n _k1 ~n _kt and second terminal information X _k1 to X _kt of the base station has identified the terminal k ₁ to k _t, the base station side storage (2) In the base station, at the time of key update, f (1 ≦ f <st) pieces of first terminal information n
and _r1 ~n _rf, notifies simultaneously f-number of the second terminal information X _r1 to X _rf generated by all the terminals a, in all the terminals i (3),
In the receiving unit, the terminal k ₁ to k first terminal information n _k1 of _s
Receives ~n _ks and second terminal information X _k1 to X _ks and the first terminal information n _r1 ~n _rf and the second terminal information X _r1 ~X _rf, (4) the terminal k ₁ to k in all terminals i excluding _t, the first in the calculation unit, the first terminal information n _k1 ~n _ks and the first terminal of the first terminal information n _i and the terminal k ₁ to k _s terminal i the information n _r1 ~n _rf second terminal information X _r1 to X
_{Using rf} , M _i = M / n _i , M _k1 = M / n _k1 , _··· M _kt = M / n _kt , M _r1 = M / n _r1 , _··· M _rf = M / n _rf (M = n _i · n _k1 ····· n _kt · n _r1 ··· · n _rf ; i ≠ k _{1 to} k
_s ≠ r _{1 to} r _f ), and y _i = 1 / M _i mod n _i , y _k1 = 1 / M _k1 mod n _k1 , _... y _kt = 1 / M _kt mod n _kt , y _r1 = 1 / M _r1 mod n _r 1,... Y _rf = 1 / M _rf Integers y _i , y _{k1 to} y _ks satisfying the mod n _rf are obtained, and the integers M _i , M
_k1 ~M _kt, M _r1 ~M _rf and _{y i, y k1 ~y kt,} y r1 ~y rf
Terminal information X i of terminal _i and terminal information X _k1 of terminals k _{1 to} k _s
ＸX _ks and the terminal information X _r1 ＸX _rf , K ^e = X _i · M _i · y _i + X _k1 · M _k1 · y _k1 + ... + X _kt · M _kt ·
The _{y kt + X r1 · M r1} · y r1 + ... + X rf · M rf · y rf mod M is calculated, and (4) in all terminals i except terminal k ₁ to k _t, the second calculation in part, the key update method characterized by obtaining the update key K from the secret key e and K ^e. Wherein said base station, an integer n satisfying GCD an _{(n, n i) = 1} (1 ≦ i ≦ N) at the time of key update the disjoint to the first terminal information of each terminal, the The secret key e and the integer n
The modular exponentiation value of K, X = K ^e mod n (GCD (X, n) = 1), is given at the same time, and at the arbitrary terminal i, the first calculation unit Terminal information _ni and the integer n
_{Using, y i = 1 / n mod} n i, an integer satisfying the _{y = 1 / n i mod n} y i, determine the y, the integer y _i, and y, a terminal information X _i of the terminal i, the From X, K ^e = X _i · y _i · n + X · y · n _i mod n _i · n is calculated. Then, in the second calculation unit, the update key K is calculated from the secret keys e and K ^e. The key updating method according to claim 1, wherein the key updating is performed. 6. The key updating method according to claim 1, wherein the integer n is a product of prime numbers p and q generated by a base station. 7. The key updating method according to claim 1, wherein the first calculating unit of the terminal obtains the integers y _i and y _k using an extended Euclidean algorithm. . 8. The Newton-Rap in a second calculation unit of the terminal.
6. The key updating method according to claim 1, wherein the integer K is obtained using an hson method. 9. The method according to claim 1, wherein the first terminal information is created by the base station and distributed to corresponding terminals by cryptographic communication means provided in the base station and the terminal in advance. 4. The key updating method described in 4, 5 or 6. 10. The method according to claim 1, wherein the base station has an arbitrary secret integer K and e.
Is generated, the second terminal information X _i is calculated using the first terminal information n _i of each terminal i stored in the first base station side storage unit, and this is calculated before the key update. 6. The key updating method according to claim 1, wherein the keys are distributed to terminals corresponding to the key. 11. The information K for generating an update key
But, (n the maximum value of _i) ^s <K ^e <(maximum value of n _i) ^{s +} key update method according to claim 3, ^{4, wherein 1} and satisfies the. 12. In the case where the key update is performed continuously, after the terminal information of a specific terminal k is simultaneously broadcast in the i-th key update, before the (i + 1) -th key update,
6. The key updating method according to claim 1, wherein the base station does not calculate the second terminal information using the first terminal information of the terminal k and does not distribute the second terminal information to the terminal k. 13. The base station notifies the newly added terminal j of the second terminal information of the terminal j and the first and second terminal information of the specific terminal i with which the simultaneous call was made at the time of updating the key. 6. The key update method according to claim 1, wherein j includes the first and second calculation units to determine the update key K. 14. The first and second base station side storage units of the base station and the first and second terminal information storage units of the terminal,
6. The key updating method according to claim 1, wherein the area is a region that cannot be observed or changed from outside. 15. The method according to claim 1, wherein the integer e is a secret integer of a base station, and the integer e is broadcast in addition to terminal information transmitted by the base station at the time of key update.
4. The key updating method described in 4 or 5. 16. A version number is added to the key K,
The base station notifies the terminal j of which the version numbers do not match, to the corresponding terminal, the second terminal information of the terminal j, and the first and second terminal information of the specific terminal i that performed the simultaneous call at the time of key update, 6. The key updating method according to claim 1, wherein the terminal j obtains a corresponding version of the key K in the first and second calculation units. 17. The key updating method according to claim 9, wherein a digital signature of the base station is added to encryption communication means provided in the base station and each terminal in advance.