JP2886516B2 - Encryption key sharing system - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a system for sharing an encryption key for performing cryptographic communication between entities on a network.

[0002]

2. Description of the Related Art In recent years, when communication is performed on a network such as the Internet, a communication technique using cipher text has been desired to maintain confidentiality of communication data.

[0003] As this kind of communication technology, for example, RSA as a public key method is famous. In addition, when communication is performed between entities included in a network,
The transmitting entity encrypts the communication data (plaintext) using the encryption key and transmits it to the receiving entity, which then decrypts the original communication data using the same encryption key as the transmitting-side encryption key. A common encryption key sharing method is generally known. Here, the entity is
It refers to a device such as a terminal connected to a network, a user of the device, software of the device, or a group of them, and a subject that performs communication.

In such an encryption key sharing method, for example, a paper "NON-PUBLIC KEY D" by Rolf Blom
ISTRIBUTION / Advances in Cryptology: Proceedings o
fCRYPTO '82 / Plenum Press 1983, pp.231-236 ", and a paper by Rolf Blom," An Optimal Class of Symmet
ric Key Generation Systems / Advances in Cryptolog
y: EUROCRYPT '84 / Springer LNCS 209, 1985, pp.335-
338 ", or Japanese Patent Publication No. 5-48980 or U.S. Pat. No. 5,016,276.

[0005] In these techniques, a center established on a network is obtained by applying in advance a center algorithm that only the center keeps secret to an identifier (name, address, etc.) that is unique and open to each entity. Is distributed to each entity as a private key unique to each entity. Then, when communicating between the entities, each of the entities generates a common encryption key between the entities by applying the identifier of the entity on the other end of the communication to the private key held by itself, The communication data is encrypted and decrypted using the common encryption key.

More specifically, the center algorithm is
For example, when this is expressed as a function P (x, y) of variables x and y indicating arbitrary two identifiers, P (x, y) = P
It is set to have the symmetry (y, x). Then, among the variables x and y of the function P (x, y), for example, a function P (x, i) in which the value of the variable y is the actual identifier i of each entity (hereinafter referred to as Pi (x) Express)
Is distributed to each entity as a private key of each entity. Thereafter, when the entity with the identifier i communicates with the entity with the other identifier j, the entity with the identifier i acts on its own private key Pi (x) with the other party's identifier j (the value of the variable x is changed). j)
i (j) is generated as an encryption key. Similarly, the identifier j
On the entity side, Pj (i) obtained by applying the identifier i of the other party to its own private key Pj (x) is generated as an encryption key. At this time, due to the aforementioned symmetry, Pi
(J) = Pj (i), whereby the identifiers i, j
Will be able to obtain a common encryption key.

[0007] According to such a cryptographic key sharing method, each entity only has the identifier of the communication partner act on its own private key, and can communicate with any other entity without involvement of the center. Can be obtained, so that the cryptographic communication system in the network can be simplified.

[0008] In such an encryption key sharing method, the inability to easily decrypt the center algorithm is an important issue in securing the confidentiality of encrypted communication.

However, while such an encryption key sharing method has the above-mentioned advantages, any of the private keys of the respective entities, the encryption keys generated therefrom, and the communication data encrypted with the encryption keys are not included. Since the information related to the center algorithm is included and the center algorithm is common to each entity, for example, Matsumoto's paper "Performance of Linear Sc
hemes for the Keypredistribution System / IEICE Te
chnical Report on Information Security, May 20, 198
8, pp. 29-32 ”, it is generally easy to be vulnerable to attacks by collusion of multiple entities.

When the name of an entity is used as an identifier, many similar names are likely to appear, so the dispersibility of the identifier is poor (it tends to cause a bias in the distribution of the identifier values). Many similar personal keys are likely to appear in the individual keys of each entity. Therefore, the so-called differential attack is apt to occur.

Therefore, in the above-described encryption key sharing method, it has been desired to enhance security against various attacks.

[0012]

SUMMARY OF THE INVENTION In view of the foregoing, it is an object of the present invention to increase the security against various attacks while generating a common encryption key for communication and simplifying an encryption communication system on a network. Encryption key sharing system
The purpose is to provide a system.

[0013]

SUMMARY OF THE INVENTION An encryption key sharing system according to the present invention is provided.
In order to achieve the above object, a first aspect of the present invention is a system for encrypting and decrypting communication data between terminal devices of communicating entities in a network including terminal devices of a plurality of entities and a center. A system in which a common encryption key is generated and owned by both terminal devices , wherein the center has a weight function common to each entity.
Center algorithm, including the constrained integral transformation algorithm
Is secretly stored , an identifier unique to each entity and openness is converted by the center algorithm to generate a private key unique to each entity, and the private key and the integral conversion algorithm with the weighting function are used. advance distributed to the terminal device of each entity, each d
-Entities of the terminal device, when communicating with each other, are distributed to the self to the identifier of the communication partner entity together
The integral transformation algorithm with weight function and the private key
By the action of bets, characterized in that owned by generating a common encryption key to each other the entity.

According to the first aspect of the present invention, the private key of each entity is generated by the center by converting the identifier of each entity by the center algorithm including the integral conversion algorithm. Even if the identity of each entity itself is poorly distributed,
When the integral conversion algorithm operates on the identifier, the resulting data can be more dispersed. Therefore, the dispersibility of the private key is enhanced, and a private key having low similarity for each entity is generated in the center and distributed to each entity together with the integral conversion algorithm. Then, at the time of communication between the entities , the terminal device of each entity applies the integral conversion algorithm and the private key distributed to itself to the identifier of the communication partner entity. At this time, since the private key of each entity includes a component based on the integral conversion algorithm, by applying not only the private key but also the integral conversion algorithm to the identifier of the communication partner entity, An algorithm part other than the integral conversion algorithm of the center algorithm (this part has the above-mentioned symmetry) generates a common encryption key between the communicating entities.

Thus, according to the first aspect of the present invention,
By converting the identifier of each entity by a center algorithm including an integral conversion algorithm, a private key unique to each entity for generating a common encryption key at the time of communication is generated. As a result, security against differential attacks and the like is increased. Then, when the communication is only the own communication partner identifier
By simply acting on the integral transformation algorithm and the private key distributed to the user, a common encryption key with the entity of the communication partner can be generated without involvement of the center as in the related art.

Therefore, according to the first aspect of the present invention, it is possible to increase the security against attacks such as differential attacks while generating a common encryption key for communication and simplifying an encryption communication system on a network. Thus, a simple and highly reliable cryptographic communication system can be provided.

The identifier is fixedly used for each entity, such as a mail address on the network, a domain name, or a combination thereof, in addition to the name, address, etc. of each entity. Anything that is open to the other party may be used.

In the first aspect of the present invention, examples of the integral transform algorithm include Fourier transform (including fast Fourier transform), Laplace transform, Miller transform, Hilbert transform, and the like. Although it is possible to use them, these integral transforms are defined on an analytical infinite interval. On the other hand, in the first aspect of the present invention, since the identifier converted by the integral conversion algorithm is expressed on a finite interval (for example, a coset on a finite ring), the identifier is converted using a computer or the like. When data is subjected to integral conversion, anomalous dispersion (asialing) of the conversion result is likely to occur.

[0019] Therefore, in the first aspect of the present invention, Tei Ru using the integral transformation algorithm with a weighting function before Symbol integral transformation algorithm. As described above, when performing the integral conversion on the identifier, by adding the weight function, it is possible to prevent the abnormal dispersion described above. Further, since the weight function can be arbitrarily set as long as it can prevent abnormal dispersion, the personal key obtained by converting an identifier by a center algorithm including an integral conversion algorithm to which the weight function is added is included in the personal key. , An unknown component based on the weight function is added. As a result, the security of the cryptographic communication system to which the first aspect of the present invention is applied can be further improved.

When the weight function is added in this manner, the weight function is basically provided at the end of the data section of the identifier.
The value is set so as to approach “0”. In this case, in the first aspect of the present invention, the weight function is further determined to be an unpredictable pattern by the random number data generated in the center. More preferably, one-time random number data is used as the random number data. The determination of the weight function based on the random number data is performed by determining the degree of change in the value of the weight function in the section of the identifier data (a form approaching “0” at the end of the section) based on the random number data. Will be In addition, the one-time random number data is random number data having no reproducibility or extremely poor reproducibility, and more specifically, the frequency of appearance of each bit number constituting the random number data is the same for any number, and There is no correlation between random number data, and such random number data can be generated, for example, based on the timing when a human inputs a certain phrase or sentence to a computer.

By determining the weight function in an unpredictable pattern based on the random number data, it becomes difficult for an attacker to predict the weight function, and the encryption function to which the first aspect of the present invention is applied becomes difficult. Security of the communication system can be improved. In particular, when the weighting function is determined based on the one-time random number data, the reproducibility of the random number data is excluded, so that the security of the system is further improved.

As described above, various types of integral conversion algorithms can be applied. In particular, in the first embodiment of the present invention, it is preferable to use a Fourier transform algorithm as the integral conversion algorithm. That is, the Fourier transform is an integral transform that can be performed quickly and easily using a computer, and generally, the data resulting from the transform is likely to be dispersed. Therefore, by using such a Fourier transform algorithm as an integral transform algorithm, the private key can be quickly and easily generated from an identifier, and at the same time, the dispersibility of the private key is effectively increased, and The security of the communication system can be significantly improved.

In the first aspect of the present invention, the center converts the identifier of each of the entities by the center algorithm into a unique one-to-one correspondence which is unique to each entity and unknown to each entity. An algorithm for performing the randomizing transformation using the individual random number data to generate the private key, and canceling out the randomizing transformation component contained in the private key and the weight;
Each pre-entity identifier transformation algorithm, which consists of a function with integral transformation algorithm with said individual key
Of each entity, and the terminal of each entity
Device, when communicating with each other, generating a common encryption key to each other the entity by the action of the identifier transformation algorithm which is distributed to the self to the identifier of the communication partner and the <br/> the private key together And own.

Here, the randomizing conversion is performed by changing the value of each bit of a data sequence representing the identifier converted by the center algorithm by the individual random number data, or by arranging and converting the data sequence. Alternatively, they are performed by processing them in combination.

According to this, in addition to the center algorithm, the private key includes a component obtained by the randomization transformation. Then, at this time, the randomizing conversion is performed by one-time individual random data (random data having no reproducibility or extremely poor reproducibility) unique to each entity and unknown to each entity. , For each private key of each entity,
Each different incidental component will be included. as a result,
Security against various attacks of the cryptographic communication system can be further strengthened.

In this case, at the time of communication, the private key acting on the identifier of the entity on the other end includes a component obtained by the randomization transformation for each entity. For this reason, an identifier conversion algorithm including an algorithm for canceling this and the integral conversion algorithm is distributed to each entity together with the private key, and upon communication, the identifier conversion algorithm and the private By using the key, a common encryption key can be generated between the communicating entities.

When the randomizing conversion is performed as described above,
The randomization conversion can be performed by, for example, performing a layout conversion of a data string representing a result of conversion of the identifier of each entity by the center algorithm using the one-time individual random number data.

[0028] More preferably, a data string representing a result of conversion of the identifier of each entity by the center algorithm includes a plurality of unnecessary bits, and the randomizing conversion is performed by changing the value of the unnecessary bits to the one-time individual random number. Randomizing the data, and further converting the entire data string including the unnecessary bits into the single random data.
This is performed by changing the arrangement.

As described above, the value of the unnecessary bit of the data sequence representing the identifier of each entity converted by the center algorithm is randomized by the one-time individual random number data, and the value of the data sequence including the unnecessary bit is further randomized. By rearranging and converting the entire data with the single random data , the attacker (decryptor of the cryptographic communication system) finds where in the acquired data there is a portion corresponding to the unnecessary bits, and where in the acquired data, The security of the cryptographic communication system is enhanced.

Further, the one-time individual random number data for performing the randomizing transformation includes the one-time individual random number data of each entity.
It is generated based on a predetermined process in the terminal device , and more specifically, the predetermined process is performed by the terminal device of each entity.
This is an input operation by a human at the device, and the one-time individual random number data is generated based on the temporal timing of the input operation.

As described above, the terminal device of each entity
Definitive human by the input operation (e.g., operation of inputting a certain sentence or phrase) by generating a random number data based on the temporal timing of the random number data is not reproducible, or becomes extremely poor reproducibility, the One-time individual random number data can be generated accurately.

Next, a second aspect of the present invention is a method for encrypting and decrypting communication data between terminal devices of communicating entities in a network including terminal devices of a plurality of entities and a center. Both common encryption keys
A system that owns generated by the terminal device, before
The center is a common center algorithm for each entity.
Rhythm is kept in secret, the and openness identifier unique for each entity that has been converted by said center algorithm, and more and each entity is unique for each entity by one of the individual random number data of unknown It generates a unique private key for each entity by performing a randomized conversion, previously distributed and an identifier transformation algorithm for canceling out the components of the randomized conversion included in the private key and said individual key to the terminal device of each entity Place the terminal device of each entity, when communicating with each other, the identifier transformation algorithm and before being distributed to the self-identification <br/> terminal of the communication partner entity together
The entity together by the action of a serial private key
Characterized in that it owns to generate a common encryption key.

[0033] According to the second aspect of the present invention, the private key of each of the entities is obtained by using the center algorithm to determine the identifier of each of the entities by the center algorithm (this includes the above-mentioned symmetric part). It is generated by subjecting the transformed data to randomizing transformation based on individual random data (unreproducible or very poorly reproducible) unique to each entity and unknown to each entity. , Each individual key of each entity will include a separate, accidental component. As a result, the security against various attacks of the cryptographic communication system to which the second aspect of the present invention is applied is enhanced. In this case, similar to the case described in the first aspect, since the private key of each entity includes a component by the randomization transformation for each entity, an algorithm for canceling the component is used. The included identifier conversion algorithm is distributed to each entity together with the private key. When communicating, each entity
By applying the identifier conversion algorithm and the private key to the identifier of the entity on the other end by the terminal device of the entity, it is possible to generate a common encryption key between entities performing communication without involvement of the center. it can.

Therefore, according to the second aspect of the present invention,
The security against various attacks can be enhanced while generating a common encryption key for communication and simplifying the encryption communication system on the network, thereby providing a simple and highly reliable encryption communication system.

According to the second aspect of the present invention, the first
Similarly to the case described in the aspect described above, the randomizing conversion may be performed by performing a layout conversion by using the one-time individual random number data on a data sequence representing the identifier of each entity converted by the center algorithm. it can. And, more preferably, a data string representing a result of conversion of the identifier of each entity by the center algorithm includes a plurality of unnecessary bits, and the randomizing conversion is performed by changing the value of the unnecessary bits to the one-time individual random number data. And the entirety of the data string including the unnecessary bits is converted to the single random number data.
This is performed by changing the layout using data. This allows
The security of the cryptographic communication system to which the second aspect of the present invention is applied can be improved.

In a second aspect of the present invention, the first
Similarly to the case described in the aspect described above, the one-time individual random number data is generated based on a predetermined process in the terminal device of each entity, more specifically, the predetermined process is performed by each entity. This is an input operation by a human in the terminal device , and the one-time individual random number data is generated based on the temporal timing of the input operation. Thereby, the one-time individual random number data can be accurately generated.

[0037]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described with reference to FIGS. First, an outline of an encryption communication system to which the encryption key sharing system of the present embodiment is applied will be described with reference to FIGS.

Referring to FIG. 1, in the present embodiment, a center 1 which is a basic construction body of a cryptographic communication system and a plurality of entities 2 which join the cryptographic communication system and perform cryptographic communication with each other are connected to the Internet. Can communicate with each other via a network 3 such as a personal computer communication network. Although not shown, the center 1 and each entity 2 include a computer machine such as a personal computer for performing actual communication and data processing, and a user of the computer machine.

In this system constructed on such a network 3, as shown in FIG. 2, each entity 2 that has joined the center 1 (in FIG. 2, each entity 2 is indicated by reference numerals i, j,...). ) Is a unique identifier yi, yj,... Corresponding to each (details will be described later).
Having. In this case, if i ≠ j, yi ≠ yj. Each entity 2 (i, j,...) Has a unique identifier generated by the center 1 based on the respective identifiers yi, yj,. Private keys Xi, Xj, ...
(Details will be described later. Hereinafter, collectively referred to as a personal key Xn as necessary). Further, when cryptographic communication is performed between arbitrary entities i and j, a common cryptographic key Kij for encrypting (transmitting side) and decrypting (receiving side) the communication data is stored in each entity i, j. For each j, a private encryption key K is generated using the private keys Xi and Xj of the entities i and j, respectively.
Using ij, cryptographic communication is performed between the entities i and j.

Before describing the system of this embodiment in more detail, the identifier yn will be described. In the present embodiment, the identifier yn of each entity 2 is unique to each entity 2, such as the name, address, mail address, domain name, or a combination thereof, of each entity 2. Use something. Incidentally, in the actual handling of the identifier yn in the computer machine of the center 1 and each entity 2, each identifier yn is treated as vector data obtained by encoding the identifier yn with, for example, a coset on a finite ring.

The system according to the present embodiment for performing the above-described cryptographic communication will be described in detail below with reference to FIGS.

Referring to FIG. 3, in the system according to the present embodiment, the individual entities i, j are processed after the center 1 has undergone advance preparation processing such as generation and distribution of the private key Xn and the like.
Communication between the devices is performed.

In the preparatory processing by the center 1,
When the center 1 is established or when the system is updated, the center 1 first generates a basic center algorithm for generating the private key Xn of each entity 2 (procedure 1).

In this embodiment, the center algorithm comprises a center matrix, a weight function, and an integral conversion algorithm.

Here, the integral conversion algorithm is an algorithm for performing an integral conversion on the data of the identifier yn of each entity 2. In the present embodiment, a Fourier transform (more specifically, a fast Fourier transform) is used as the integral transform algorithm. I do. As this type of Fourier transform, a plurality of types are known, and one of them is selected by the center 1 to generate a Fourier transform algorithm used in the present embodiment. Note that the Fourier transform algorithm is actually expressed as a matrix acting on the data of the identifier yn.

The weighting function is for preventing anomalous dispersion (aliasing) when Fourier transforming the identifier yn, which is data of a finite section, and the value of the weight function at the end point of the section of the data of the identifier yn. This is a function that approaches “0”. Further, the center matrix is a symmetric matrix, more specifically, a nonsingular symmetric matrix.

In this case, the weight function and the center matrix are generated using one-time random number data. That is,
Referring to FIG. 4, when generating the weight function and the center matrix, the center 1 first generates random number data based on an artificial operation of an operator in the computer machine of the center 1 (procedure 1-1). Specifically, for example, the operator inputs appropriate words and phrases, sentences, and the like to the computer machine of the center 1, and the input timing at this time (for example, the input time of each word and the time interval of input of each word)
Is sequentially measured by a computer machine. Then, random number data is generated in time series based on the measured input timing. Since the random number data generated in this way is generated based on the timing of an artificial input operation having an ambiguity, it is practically unreproducible and accidental, and thus a one-time random number is generated. Data is generated.

After generating the one-time random number data, the center 1 determines the weight function and the center matrix based on the generated one-time random number data (step 1-2). ). In this case, the weight function is determined by determining the degree of change of the value of the weight function in the section of the data of the identifier yn (a form approaching “0” at the end of the section) based on the one-time random number data. Is performed, whereby the weight function is determined to be an unpredictable pattern. Note that the weight function is actually expressed as a diagonal matrix. The determination of the center matrix is performed by determining the values of the components of the matrix using the one-time random number data while ensuring the symmetry and non-singularity.

The center algorithm composed of the center matrix, the weighting function, and the integral transform algorithm generated as described above is secretly stored in the center 1. In particular, the center matrix and the weighting function are stored in a center other than a specific person of the center 1. It is stored strictly so that a third party (including each entity 2 etc.) cannot refer to it. Note that these center algorithms are common to each entity 2.

Returning to FIG. 3, next, when each entity 2 (i, j...) Joins the system, the center 1 determines the center algorithm and the identifier of each entity 2 generated and stored as described above. Using yn and the like, a private key Xn unique to each entity 2 and an identifier conversion algorithm for generating a common encryption key Kij as described later are generated and distributed to each entity 2 (procedure 2). ).

More specifically, referring to FIG. 5, in this procedure 2, the center 1 determines the identifier yn of the entity 2
The weighted fast Fourier transform is performed on the identifier yn by applying the Fourier transform algorithm and the matrix of the weight function to the data (vector data) (step 2-
1). Further, the vector data obtained by the procedure 2-1 is multiplied by the center matrix (procedure 2-2).
In this case, by adding redundancy to the data of the identifier yn, the weight data, the integral conversion algorithm, and the center matrix are added to the vector data obtained in the step 2-2 by the bit string meaningful as the data of the identifier yn. Appear and a plurality of other unnecessary bits appear.

On the other hand, the center 1 communicates with the entity 2 (for example, communication at the time of the joining procedure of the entity 2), and thereby has a one-time individuality which is unique to the entity 2 and which cannot be recognized by the entity 2. Generate random number data (procedure 2-3). Specifically, as in the case of generating the random number data of one time when determining the weighting function and the like as described above, the user is allowed to input a certain phrase or sentence on the computer machine of the entity 2, The computer 1 of the center 1 measures the timing of the artificial input operation of the entity 2 by successively receiving it on the center 1 side. Then, the individual random number data is generated based on the measured timing of the input operation. By generating the individual random number data in this manner, the individual random number data becomes accidental with no reproducibility, similar to the random number data at the time of generation of the weight function, and is unique to the entity 2. Thus, one-time individual random number data is obtained. Note that the entity 2 does not know what kind of input operation timing and what kind of random number data is generated, and it is not possible to accurately control the artificial input operation timing. Random number data to entity 2
Can not know.

Next, the center 1 randomizes each bit value of the unnecessary bits in the vector data obtained in the step 2-2 using the one-time individual random number data obtained in the step 2-3. (Procedure 2-4). Furthermore, the vector data obtained by combining the randomized unnecessary bits and the useful bits is randomly rearranged and converted by the one-time individual random number data (the arrangement of the components of the vector data is changed. Procedure 2-5). Thus, the vector data (identifier yn converted by the center algorithm) obtained in step 2-2 is subjected to randomization conversion.
Then, the vector data obtained by the randomizing transformation is generated as the private key Xn of the entity 2.
Note that the randomizing transformation is actually represented by a matrix (not necessarily a symmetric matrix), and more specifically, a matrix such that the transposed matrix and the inverse matrix of the matrix are equal.

The center 1 generates the identifier conversion algorithm from the one-time individual random number data, the Fourier transform algorithm and the weight function (step 2-6). The identifier conversion algorithm includes an algorithm for canceling the components of the randomization transformation reflected in the private key Xn (this is represented by an inverse matrix of a matrix representing the randomization transformation), the Fourier transformation algorithm, and a weighting function. Are synthesized (multiplied by matrices representing each of them).

The private key Xn and the identifier conversion algorithm corresponding to each entity 2 generated by the center 1 in this way are distributed to each entity 2 in advance by communication or the like (see procedure 2 in FIG. 3). The contents described above are details of the advance preparation process in the center 1.

After the center 1 generates the private key Xn and the identifier conversion algorithm of each entity 2 as described above, the one-time individual random number data corresponding to the entity 2 and a matrix representing the randomization conversion Delete without saving. In addition, each entity 2 receiving its own private key Xn and the identifier conversion algorithm stores them secretly in an appropriate storage device of its own computer machine.

Referring back to FIG. 3, after the above-described preparatory processing is performed, cryptographic communication is performed between arbitrary entities 2 as follows. Here, each entity 2
Among them, it is assumed that encrypted communication is performed between the entities i and j (i ≠ j), with the entity i as the transmitting side and the entity j as the receiving side.

In this cryptographic communication, the transmitting-side entity i first obtains a common encryption key Kij with the entity j from the private key Xi and the identifier conversion algorithm held by the transmitting-side entity i and the identifier yj of the receiving-side entity j. Generate (Procedure 3).

More specifically, referring to FIG.
The identifier yj of the receiving entity j is applied to the identifier conversion algorithm of the transmitting entity i on the computer machine of the entity i (the vector data of the identifier yj is multiplied by the matrix of the identifier conversion algorithm. Procedure 3-1). . Next, a common encryption key Kij with the entity j is generated by calculating an inner product of the vector data obtained by the procedure 3-1 and the private key Xi (vector data) of the transmitting entity i (procedure 3).
2).

Similarly, the receiving entity j is
As shown in FIG. 7, its own identifier conversion algorithm is applied to the identifier yi of the transmitting entity i on its own computer machine (step 3-1), and the resulting vector data and the private key of the entity j are obtained. Xj
(Step 3-2) to generate a common encryption key Kji with the entity i.

At this time, the common encryption key Kij uniquely generated by the transmitting entity i and the common encryption key Kji uniquely generated by the receiving entity j are the same.

That is, the private keys Xi and Xj held by the transmitting and receiving entities i and j, respectively.
Are the identifiers yi, y of the entities i, j, respectively.
j is vector data obtained by applying the above-described Fourier transform algorithm with a weight function, a center matrix, and a randomizing transform, and each entity i, j
Generates common encryption keys Kij and Kji, respectively.
The identifier conversion algorithm applied to the identifiers yj, yi of the entities j, i on the other side is a Fourier transform algorithm with a weighting function, and a randomization transform for each entity i, j reflected in each private key Xi, Xj. And an algorithm that cancels out the component. For this reason, in the inner product operation performed in the procedure 3-2, the influence of the randomizing transformation for each entity i, j is eliminated, and each common encryption key K obtained as a result of the inner product operation is removed.
ij and Kji are identifiers yi and yj of each entity i and j.
To which a Fourier transform algorithm with a weighting function has been applied, to which a center matrix has been further applied (vector data), and to the identifiers yj and yi of the entities j and i on the communication partner side, a Fourier transform algorithm with a weighting function has been applied. It is equal to the result obtained by calculating the inner product with the result (vector data). That is, if the vector data obtained by applying the Fourier transform algorithm with a weighting function to the identifiers yi and yj are yi 'and yj' (where yi 'and yj' are vertical vectors) and the center matrix is C ,
^{Kij = (yj ') T ·} C · yi', Kji = (yi ') T · C ·
yj '(where the suffix T in the formula means transposition).

Since the center matrix C is a symmetric matrix as described above, Kij = Kji. Therefore, the common encryption keys Kij and Kji generated separately by the respective entities i and j are the same, so that the entities i and j can share a common encryption key.

On the other hand, the transmitting entity i, which has generated the common encryption key Kij with the receiving entity j in the procedure 3 of FIG. 3 as described above, transmits the common encryption key Kij and the plaintext (to be transmitted to the receiving entity j). An encrypted communication message is generated from a document, a program, etc. (procedure 4). In this case, when generating the encrypted communication message, the common encryption key Kij
In addition, one-time random data is used.

More specifically, referring to FIG. 6, when generating an encrypted communication message, the transmitting entity i uses its own computer machine to perform the word and phrase processing in the same manner as in the preparatory processing in the center 1 described above. One-time random number data (hereinafter referred to as “encryption communication random number data”) is generated based on the temporal timing of an input operation of text and text (step 4-1), and the one-time encryption communication random number data is generated. Is encrypted using the common encryption key Kij as an original key (procedure 4-2). In this case, the encryption is, for example, 3
This is performed according to the DES (Data Encryption Standard) having a stage configuration.

Further, the plaintext is encrypted using the one-time random number data for encryption communication (before encryption) generated in step 4-1 as a key (step 4-3). This encryption is performed by, for example, a three-stage DES, as in the procedure 4-2.

Then, by combining the encrypted random number data obtained in step 4-2 with the ciphertext obtained in step 4-3 (to form one set), the receiving entity j
Is generated. The encrypted communication message generated in this manner is transmitted from the computer machine of the entity i to the computer machine of the entity j.

It is preferable that the cryptographic communication random number data is generated and updated every time cryptographic communication is performed. However, the cryptographic communication random number data is updated every time cryptographic communication is performed several times. The same cryptographic communication random number data may be used in the batch cryptographic communication).

On the other hand, the receiving entity j that has received the encrypted communication message is the entity i generated as described above.
The encrypted communication message is decrypted by using the common encryption key Kji (= Kij) with the above, and finally the plaintext is obtained (procedure 5).

That is, referring to FIG. 7, first, by using a common encryption key Kji (= Kij) with entity i as an original key, an encrypted random number in an encrypted communication message received from entity i is obtained. The data is decrypted into random number data for encrypted communication (procedure 5-1). Next, by using the decrypted random number data for encrypted communication as a key, the encrypted text of the encrypted communication message is decrypted into plain text (procedure 5-
2). Thereby, the receiving entity j finally knows the contents of the desired plaintext from the entity i, and the cryptographic communication between the entities i and j is completed.

The computer machine of each entity 2 that performs the above-described processing for cryptographic communication is configured as shown in the block diagram of FIG. 8, for example.

That is, the computer machine of each entity 2 includes a keyboard 4, a CPU (not shown),
M and a main unit 5 composed of a ROM and the like, and a database 6 composed of a hard disk or the like for storing the personal key Xn and an identifier conversion algorithm, a plain text such as a text and a program, and a cryptographic communication telegram. . The main unit 5 includes, as its functional components, a common key generation unit 7 that generates a common encryption key, an encryption / decryption processing unit 8 that performs encryption / decryption processing of communication data, and random number data for encryption communication. And a data storage memory 10 for storing data such as a common encryption key generated by the common key generation unit 7 during encryption communication and random number data for encryption communication generated by the random number generation unit 9. Provided.

The computer machine of each entity 2 having such a configuration operates as follows.
The process for the encrypted communication as described above is performed.

That is, when generating the common encryption key (procedure 3), first, the personal key Xn to be used and the identifier conversion algorithm are controlled by the keyboard 4 in the computer machine on both the transmission side and the reception side. The specified private key Xn and the identifier conversion algorithm are fetched from the database 6 into the common key generation unit 7 of the main unit 5. Further, the identifier yn of the communication partner is input to the main unit 5 by the keyboard 4. Then, the common key generation unit 7 of the main unit 5 generates a common encryption key by applying the identifier conversion algorithm and the private key Xn to the input data of the identifier yn as described above (step 3-1). 3-2), the generated common encryption key is stored in the data storage memory 10.

On the transmitting computer machine,
Data (input operation data such as words and sentences) for generating the random number data for encryption communication is input to the main body unit 5 by the keyboard 4. Then, the random number generation unit 9 of the main body unit 5 generates the one-time random number data for encryption communication as described above based on the input data (see the above-described procedure 4-
1) The generated random number data for encrypted communication is stored in the data storage memory 10.

Further, on the transmitting computer machine, the plain text to be transmitted in the database 6 is
, And the designated plaintext is fetched from the database 6 into the encryption / decryption processing unit 8.
Then, the encryption / decryption processing unit 8 includes the data storage memory 10
Is encrypted using the common encryption key also stored in the data storage memory 10 (the above-described procedure 4-2), and the plaintext is encrypted using the encrypted random number data as a key. Encrypt (the above procedure 4-3).
The encrypted communication random number data and the plaintext encrypted by the encryption / decryption processing unit 8 in this way are stored in the database 6 as an encrypted communication message composed of them, and then separately sent to the computer machine of the communication partner. Sent.

On the other hand, in the receiving computer machine that has received the encrypted communication message, the encrypted communication message is stored in the database 6 and is taken into the encryption / decryption processing unit 8. Then, the encryption / decryption processing unit 8 uses the common encryption key stored in the data storage memory 10 to decode the encrypted random number data in the encrypted communication message into random number data for encrypted communication (the above-described procedure 5-1), Further, using the decrypted random number data for encrypted communication as a key, the encrypted plaintext in the encrypted communication message is decrypted to the original plaintext (the above-described procedure 5-2). The plaintext encrypted by the encryption / decryption processing unit 8 in this manner is held in the database 6.

In the system of this embodiment constructed as described above, when the center 1 generates the private key Xn of each entity 2 (preparation processing), the identifier yn such as the name of each entity 2 is used. To apply the algorithm of the Fourier transform as an integral transform to
Even if n itself has many similar ones, the dispersibility of data obtained by performing a Fourier transform on the data is improved, and the dispersibility of the private key Xn obtained by applying a center matrix or the like to the data can be improved. As a result, it is possible to make it difficult to decode a center algorithm such as a center matrix of the center 1 by a so-called differential attack.

In this case, in addition to Fourier transform, Laplace transform, Miller transform, Hilbert transform and the like can be used as the integral transform. In the present embodiment, Fourier transform (more specifically, fast Fourier transform) is used. Is used, it is possible to remarkably improve the dispersibility as described above, and at the same time, it is possible to perform the arithmetic processing for performing the Fourier transform on the identifier yn at a high speed by using a computer machine.

When the private key Xn is generated, a weight function is added as a center algorithm, so that it is possible to prevent abnormal dispersion of data obtained by Fourier transforming data of the identifier yn on a finite section. At the same time, for an attacker trying to decipher the center algorithm, in addition to the center matrix and Fourier transform algorithm,
Because the number of unknown algorithm elements called weight functions increases,
Decoding the center algorithm can be made more difficult. In particular, since the weight function is generated in an unpredictable shape based on the one-time random number data, it is possible to more reliably secure the above-described difficulty in decoding.

Further, when generating the private key Xn, in addition to the center algorithm, a randomizing transformation based on the single random data unique to each entity 2 is added. Contains components based on a randomizing transform that are individual for each entity 2 and that are not correlated with each other. For this reason, for example, even if a plurality of entities 2 collude and attempt to decrypt the center algorithm or the like from the private key Xn held by each, it is extremely difficult to decrypt the center algorithm. In this case, in particular, in the randomizing transformation, of the data obtained by applying the Fourier transformation, the weighting function and the center matrix to the identifier yn, the value of the unnecessary bit is randomized by one-time individual random number data.
Since the arrangement conversion is performed by combining the unnecessary bits and the useful bits, the private key Xn obtained by the randomization conversion is obtained.
It is not known which part of the data contains the data corresponding to the unnecessary bit, and the above-mentioned decoding becomes more difficult. For the reader, in order to completely break the system of the present embodiment, as many as four types of algorithms of a center matrix, a weight function, a Fourier transform (integral transform), and a randomize transform are used from data such as the private key Xn. Must be decrypted, and such decryption is virtually impossible.

In the system of this embodiment, in order to generate a common encryption key at the time of encrypted communication, the identifier conversion including an algorithm for canceling the randomized conversion component reflected in the private key Xn is performed. The algorithm needs to be distributed to each entity 2 together with the private key Xn. However, the identifier conversion algorithm is
Since the algorithm for canceling the component by the randomization transformation, the Fourier transformation algorithm, and the weighting function are combined, the randomization transformation algorithm, the weighting function, and the Fourier transformation algorithm which constitute the center algorithm of the center 1 from the identifier transformation algorithm are used. It is also very difficult to decipher individually.

Therefore, according to the system of the present embodiment,
In terms of security of the system, it is practically impossible to decipher the center algorithm of the most important center 1 from the private key Xn of each entity 2.

Further, when performing encrypted communication between arbitrary entities i and j, the plaintext itself is not encrypted using the common encryption key Kij, but the plaintext does not have a biased characteristic. Since the random number data for reciprocal encryption communication is encrypted as a key, and the random number data for encryption communication as a key for decrypting the encrypted plaintext is encrypted using the common encryption key Kij, the encryption is performed. Even if a third party intercepts the communication data, it is difficult to decrypt the common encryption key Kij from the communication data. Then, the common encryption key Kij
Since it is difficult to decrypt the private key Xn, information on the private key Xn of each entity 2 included in the common encryption key Kij and information on the center algorithm included in the private key Xn may be obtained by a third party. Have difficulty. Further, since the plaintext is encrypted using the random number data for encrypted communication as a key, the confidentiality of the plaintext is also ensured.

Therefore, according to the present embodiment, a cryptographic communication system with high security against various attacks can be provided.
At the time of cryptographic communication between any of the entities i and j, each of the entities i and j has its own private key Xi, X
j and the identifier conversion algorithm,
, Yi, the common encryption key Kij can be generated and shared without involvement of the center 1 or prior notification between the entities i, j, etc., so that not only security is high, but also A simple and highly versatile cryptographic communication system can be provided. Note that the identifier yn plays an important role in generating the common encryption key Kij as described above.
A. Shamir's paper `` Identity-Based Cryptosystems a
nd Signature Schemes / Advances in Cryptology: Proce
eding of CRYPTO '84 / Springer LNCS 196,1985, pp.47
-53 ".

Next, a more theoretical effectiveness of the system of this embodiment will be described.

In the present system, the calculation of the private key of each entity 2 and the calculation of the common encryption key are performed based on a linear transformation, and this linear transformation will be described below.

First, let Xif be a private key of entity i necessary for generating a common encryption key between f entities 2. At this time, the general idea for constructing the above linear transformation is to arbitrarily select an f-input symmetric transformation g (a function of f variables having symmetry) and obtain a private key Xif of the entity i. Xif (ξ ₁ ,..., Ξ _{f -1} ) = g (yi, ξ ₁ ,..., に 対 し て) for the identifier yi of the entity i.
_f-1 ) is determined as an f-1 input conversion that satisfies _f-1 ). Here, ξ with a subscript is a variable indicating an arbitrary identifier. In this case, the linear transformation can be found such that the kernel of the f-input symmetric transformation g follows a multiple linear mapping (f-fold linear mapping), which is basically defined in a linear space over a finite field. And generalized to the coset on the ring.

The present system is for the case where f = 2, and the above-mentioned linear transformation is defined as follows.

Here, in the following description, the center 1
Is a set of entities belonging to E, a set of identifiers is I,
Let K be a set of common encryption keys (see FIG. 1). Further, Q is a commutative ring having a unit element, J is a coset of order m on Q, K is a coset of order h on Q, and the elements of J and K are m−
A vertical vector, h-vertical vector. If Q is a body, J and K are linear spaces of dimensions m and h, respectively. The order m is equal to the total number of identifiers.

Further, R is a linear transformation constituting a mapping from I to J, and is hereinafter referred to as identity transformation. This identity transformation basically corresponds to a transformation for performing a Fourier transformation (integration transformation) with a weighting function on the data of the identifier when corresponding to the system of the above-described embodiment.
Further, as will be described later, the conversion is extended to a conversion including the randomizing conversion.

Assuming the above, first, J ₂ (J
Symmetric Q-order multiple linear mapping (a two-input symmetric transformation) from a set of two elements of
J ₂ → K is arbitrarily selected and determined. This g corresponds to a conversion for generating a common encryption key corresponding to these two identifiers from those obtained by performing identity conversion of two arbitrary identifiers.

Further, a given identifier yi (∈I)
, The matrix xi of h rows and m columns on Q becomes xi · η = g
(R (yi), η). Here, η is an arbitrary m-longitudinal vector on Q and is an element of J (the same applies hereinafter).

Further, for a given yi (∈I), one input is made so that Xi (ξ) = xi · R (ξ) (where ξ is an arbitrary element of I; the same applies hereinafter). Conversion Xi
Constitution of (ξ).

This Xi (ξ) is a private key for the entity i, and the private key Xi (ξ) is a one-input conversion V
When i is defined as Vi (η) = xi · η using the matrix xi, it is expressed by the following equation.

Xi (ξ) = Vi (R (ξ)) When there are a plurality of centers, Vi (η) = xi ·
The "xi" part in η is replaced by the sum of the matrices xi determined as described above for each center.

When the private key Xi is defined in this manner, Xa (yb) = Xb (ya) for an arbitrary entity a, b∈E, as can be easily understood from the above description. That is, if the entities a and b input the identifiers yb and ya of the other party to the respective private keys Xa and Xb,
A common encryption key Xa (yb) = Xb (ya) is obtained.

Even if a multivariable polynomial is selected instead of the multiple linear mapping g, it is included in the applicable range of the linear transformation of the present system. The reason for this is that any polynomial can be rewritten into a linear polynomial by a suitable transformation of the set of unknowns, and that such a transformation can be absorbed into the identity transformation R. Furthermore, some transforms can be viewed as a combination of a linear transform and an operation such as an exponential function.

Next, the performance of the linear conversion of the present system and the role of the identity conversion R will be described.

For any transformation A, Cd (A), Ce
Let (A) be the complexity of the description of the transformation A and the complexity of the evaluation of the transformation A, respectively. At this time, the conversions Xi, R,
The following relational expression holds for Vi.

Cd (Xi) = Cd (R) + Cd (Vi) Ce (Xi) ≦ Ce (R) + Ce (Vi) In this case, the input (identifier) of the conversion Xi indicating the private key is w.
If it is described in [bit], Cd (Vi) = hmw [bit] holds for the complexity Cd (Vi) of the description of the conversion Vi. In addition, the complexity Ce (Vi
), Ce (Vi) = O (hm) [Q-operation] holds. Here, O (hm) [Q-operation] means the order of hm on the commutative ring Q, and this value is approximately O (w ² ) [bit conversion], that is, w ² Can be evaluated by order. Then, when a small commutative ring Q (for example, Galois field GF [2]) is selected, Ce (Vi) becomes low.

Therefore, the complexity Cd (X
i) and the evaluation complexity Ce (Xi) are the description complexity Cd (R) of the identity transformation R and the evaluation complexity C
e (R) is greatly affected.

Here, consider a case where one or a plurality of entities j trying to break the system use respective private keys Xj.

Obviously, the perfect defeat of the system is to determine the above-mentioned multiple linear mapping g: J ₂ → K. In this case, in order to completely break the system, the centers either cooperate or have the same number as the order of the multiple linear mapping g (which is roughly equal to the total number m of identifiers (= order of J)). It requires the cooperation of the entities and is practically impossible.

Further, consider the possibility that some entities j can determine the private key Xi of another entity i. In this problem, the identity conversion R plays an important role as described below.

First, "all the entities j of the subset B of the set E of the whole entities cooperate, and these entities j∈B become the whole {Xj
Even if | j {B} is used, information such as useful for determining the private key Xi of any entity i in the set EB cannot be obtained. "
For each entity i in B, the identity transformation R (yi) is the sum of the respective identity transformations R (yj) of entity j in B, {R (yj) |
is linearly independent of j {B} ". Therefore, the information-theoretic security of the linear transformation of the present system is reduced to the fact that any subset U of the set {R (yi) | i {E} is linearly independent. Therefore, there is a strong relationship between the linear transformation and the linear algebraic permutation combination. In evaluating the security of the linear transformation, in particular, m rows and n columns (where n = # E = e entity E Parity check matrix H =
(R (y1), ......, R (yn)) linear code LR that is defined by ^{= {z∈Q n | H · z} = 0}, i.e.,
It is important to consider a set of codewords z represented by n-longitudinal vectors on the commutative ring Q such that the product with the parity check matrix H is a zero vector. The so-called Hamming
ing) Equivalent to the existence of a code word z (∈LR) having a weight s and the fact that the private key Xi of a specific entity i can be derived by the cooperation of s-1 entities j. That is easily guided.

On the other hand, by individualizing the identity conversion R as follows (the identity conversion R is unique to each entity), it becomes difficult to break the system even if a large number of entities collude. That is, for the set {R (yj) | j {B} of the identity transformation R (yj) of each entity j (j∈B) that is going to break the system, the identity transformation R (yi) of the other entity i is Linearly dependent, R
If (yi) = ΣCj · R (yj) (where Cj is an appropriate coefficient), as is clear from the definition of the private key described above, the private key Xi and the entity j (j∈B) of the entity i Xi = ΣCj · Xj for the private key Xj of
Holds. Therefore, the set B of each entity j trying to break the system can easily know the private key Xi of another entity i. However, when the identity conversion R is individualized, the conversion R
Is unique to each entity, it is not easy to find, for a given set B of entities j, an entity i having an identifier yi that can decrypt another private key Xi. In other words, set B
Cannot know which entity i's private key Xi can be decrypted from information such as the private key Xj possessed by them. Conversely, for the entity i having the given identifier yi, the private key X
It is also not easy to find the set B containing the identifier yj that can decode i. In other words, even if the entity i having the private key Xi to be decrypted is specified, it is not possible to know which entity should collude to decrypt the private key Xi. in this way,
Individualizing the identity transformation R is of essential importance in increasing the theoretical security of the system.

When individualizing the identity transformation R in this way, various linear transformations can be selected, but they are basically classified into two categories.

One is the use of an identity transform R such that the corresponding linear code LR is a well-known algebraic or algebraic geometric code, and the other is the identity transform R Is randomized individually for each entity.

In this case, in the former method, if the total number m of identifiers is increased for security, the required data amount tends to be large. For example, a primitive element is α and Q = GF (q): a Galois field, and h = 1,
Let β be the power of α (log β = ξ · log α), further, let R (ξ) = [1, β, β ² ,..., β ^m-1 ] ^T, and I be {0, 1, 2,. Suppose that it was encoded as n-1}. Since this identity conversion R has no one-way property,
Although not a strict linear transformation, R. Blom's paper, An O
ptimal Class of Symmetric Key Generation Systems ''
The linear code LR corresponds to a so-called Reed-Solomon code. In this method, the total number n of entities in the network needs to be smaller than q in the Galois field Q = GF (q). For example, when n = 10 ¹² , the minimum Q becomes GF (2 ⁴⁰ ), which requires an extremely large data amount.

On the other hand, the latter method of randomizing the identity conversion R individually for each entity is as follows:
This is a technique realized by the randomizing transformation in the above-described embodiment. According to this technique, the total number m of identifiers is m.
Even if the value (which is equal to the total number n of the entities in the present system) is large, there are a large number of identity conversions R that can perform high-speed processing and require a small amount of data.

On the other hand, the following relational expression corresponding to the above-mentioned asymptotic Varshamov-Gilbert limit equation is obtained by the same method as that for deriving the well-known asymptotic Varshamov-Gilbert limit equation.

M / n + r ≦ Φ (b / n) where r = m · log _q (q−1) where Φ is Φ (u) = u · log _q (q−1) −u · log _q u-
(1-u) log _q is a function defined by (1-u). Also, b in the above inequality is the total number (= # B) of entities j trying to break the system.

The above inequality defines the limit of the total number b of entities j required to break the system, and means that the system cannot be broken with the number of entities b for which this inequality does not hold.

Then, based on this inequality, any m
For b and b, it is derived that there is an identity conversion R such that even if at most b entities j collude, the private key Xi of another entity i cannot be decrypted. It can also be seen that individual randomization of the identity transform R often results in a good linearly independent structure while satisfying the above conditions.

Accordingly, the present system can provide a highly secure system by individually randomizing the identity conversion R. In other words, the system uses the individual randomization of the identity transformation R to increase the complexity Cd of the description of the transformation R
(R) and the complexity of the evaluation Ce (R),
The security of the system is ensured by increasing the description complexity Cd (Xi) and the evaluation complexity Ce (Xi) of the private key Xi.

In practice, for example, Q = GF [2], m = 819
2, when h = 64, Cd (Xi) = 64 [Kby
te]. In this case, the encryption communication can be performed between any two entities on the system including up to 10120 entities by using the 160-bit common encryption key. Then, for example, the clock 200MH
When a 32-bit CPU and a 640 Kbyte memory are used in z, each personal key can be calculated within 20 ms. Furthermore, the system cannot completely break the system unless 8192 entities collude, and due to the individual randomization of each entity, if more than 256 entities collude,
No information about the private key of another entity can be obtained.

In the above-described embodiment, a center matrix is set as the center algorithm in addition to the weight function and the Fourier transform algorithm. However, the weight function itself can be used as the center matrix.

In the above-described embodiment, the Fourier transform is used as the integral transform.
Other forms of integral transform, such as Hilbert transform, may be used.

[Brief description of the drawings]

FIG. 1 is a diagram showing an entire configuration of an encryption communication system to which an embodiment of an encryption key sharing system according to the present invention is applied.

FIG. 2 is a diagram for conceptually explaining the basic structure of the system in FIG. 1;

FIG. 3 is a flowchart for explaining an outline of a processing procedure in the system of FIG. 1;

FIG. 4 is a flowchart showing details of a process in procedure 1 of FIG. 3;

FIG. 5 is a flowchart showing details of a process in procedure 2 of FIG. 3;

FIG. 6 is a flowchart showing details of processing in procedures 3 and 4 of FIG. 3;

FIG. 7 is a flowchart showing details of processing in procedures 3 and 5 of FIG. 3;

FIG. 8 is a block diagram showing a configuration of a computer machine for performing the processes of FIGS. 6 and 7.

[Explanation of symbols]

1 center, 2 (i, j, etc.) entity, 3 network, Xi, Xj, etc. private key, Kij common encryption key,
yi, yj, etc. Identifiers.

Continuation of front page (56) References JP-A-7-311673 (JP, A) JP-A-7-175411 (JP, A) JP-A-63-314585 (JP, A) Tsutomu Matsumoto "No communication of encryption key Method of sharing with: KEY PREDISTRIBUTION SYSTEM ”, IEICE Transactions, Vol. J71-A, No. 11, (1988), p. 2046-2053 Shinji Miyabuchi, "Can KPS Protect Privacy?" Electronics, September 1995 (No. 496), p. 51-53 Hideki Imai, "Coding Theory," 5th Edition, The Institute of Electronics, Information and Communication Engineers, (1994). p. 158-161 Masaaki Mitani, Shigeo Tsujii, Digital Signal Processing Series, Volume 3, Digital Filter Design, Shokodo, (1987), p. 75-78 James L. Massey and Shirley Serconek, "A Fourier Transform Approach to the Linear Complexity of Nonlinearly Filtered FilteredSequences," AdvanceCryptoPricePrinces. 332-340 (58) Fields investigated (Int.Cl. ⁶ , DB name) H04K 1/00-3/00 H04L 9/00-9/38 G09C 1/00-5/00

Claims (14)

(57) [Claims] In a network including a terminal device of a plurality of entities and a center, a common encryption key for encrypting and decrypting communication data between terminal devices of a communicating entity is generated by both terminal devices. a system owned by the center secret center algorithm including the <br/> integral transformation algorithm with a common weighting function for each entity
Are closely storage generates a unique private key is converted by the center algorithm and openness identifier unique to each entity to each entity, and its private key and the integral transformation algorithm with the weighting function each The terminal devices of the respective entities are distributed in advance to the terminal devices of the entities, and when communicating with each other, the terminal devices of the respective entities have their own identifiers of the entities on the communication partner side.
The entity together by the action of a distributed said weighting function with the integral transformation algorithm was before <br/> Symbol private key
Encryption key sharing system, characterized in that owned by generating a common encryption key. 2. The encryption key sharing according to claim 1, wherein said weight function is determined to be an unpredictable pattern by random number data generated at said center.
System . 3. The encryption key sharing system according to claim 2, wherein said random number data is one-time random number data.
M 4. The encryption key sharing system according to claim 1, wherein said integral transform algorithm is a Fourier transform algorithm. 5. The method according to claim 1, wherein the center converts the identifier of each of the entities by the center algorithm, and furthermore, stores the individual random number data unique to each entity and unknown once to each entity. Oh optionally with performing randomizing transformation to generate the private key, the identifier transformation algorithm comprising the algorithm and the weighting function with the integral transformation algorithm for canceling out the randomized conversion components included in said individual key with said individual key
Luo beforehand advance and distributed to the terminal device of each entity, each entity of the terminal device, when communicating with each other, the self to the identifier of the communication partner entity together
According to any one of claims 1 to 4, characterized in that owned by generating a common encryption key to each other the entity by applying a <br/> and deployed the identifier transformation algorithm and the private key Encryption key sharing system . Wherein said randomized conversion by the center, characterized in that by said data string representing what the identifier of each entity were transformed by the center algorithm, arranged converted by separate random number data of the one-time The encryption key sharing system according to claim 5, wherein 7. A data string representing a result obtained by converting the identifier of each entity by the center algorithm includes a plurality of unnecessary bits, and the randomizing conversion by the center converts the value of the unnecessary bits into the one-time individual Randomize with random number data, and further convert the entirety of the data string including the unnecessary bits into the one-time individual random number data.
The encryption key sharing system according to claim 6, characterized in that by further arrangement conversion. 8. The encryption key sharing system according to claim 6, wherein the one-time individual random number data is generated based on a predetermined process in a terminal device of each of the entities. 9. The method according to claim 1, wherein the predetermined processing is performed at an end of each of the entities.
9. The encryption key sharing system according to claim 8, wherein said one-time individual random number data is generated based on a temporal timing of an input operation by a human in a terminal device . 10. In a network including terminal devices of a plurality of entities and a center, a common encryption key for encrypting and decrypting communication data between terminal devices of communicating entities is generated by both terminal devices. a system owned by the center, the common center in each entity
It has been kept in secret Gorizumu, a and openness identifier unique for each entity that has been converted by said center algorithm, and more and each entity is unique for each entity by one of the individual random number data of unknown A randomization transformation is performed to generate a private key unique to each entity, and the private key and an identifier transformation algorithm for canceling the randomization transformation component included in the private key are distributed in advance to the terminal device of each entity. It should be noted that , when communicating with each other, the terminal devices of each of the above entities have their own identifiers of the entities on the other side of communication when communicating with each other.
The encryption key sharing characterized by owned by generating a common encryption key to each other the entity by applying a <br/> and deployed the identifier transformation algorithm and the private key sheet
Stem . Wherein said randomized conversion by the center, characterized in that by said data string representing what the identifier of each entity were transformed by the center algorithm, arranged converted by separate random number data of the one-time The encryption key sharing system according to claim 10, wherein
M 12. A data string representing a result of conversion of the identifier of each entity by the center algorithm includes a plurality of unnecessary bits, and the randomization conversion by the center converts the value of the unnecessary bits into an individual Randomizing with random number data, and further processing the entirety of the data string including the unnecessary bits with the one-time individual random number data
The encryption key sharing system of claim 11, wherein the performing by arranging converted by. 13. The encryption key sharing system according to claim 11, wherein the one-time individual random number data is generated based on a predetermined process in a terminal device of each of the entities. 14. The method according to claim 1, wherein the predetermined processing is performed by
14. The encryption key sharing system according to claim 13, wherein the one-time individual random number data is generated based on a temporal timing of the input operation by a human in the terminal device .