JP2942395B2 - Network system for secret communication - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a secret communication network system employing a public key cryptosystem for concealing and authenticating data.

[0002]

2. Description of the Related Art An encryption system is an effective technique for transmitting certain information on a public channel while protecting certain information from spoofing or eavesdropping by a third party. In the public key cryptosystem, which is one of the cryptosystems, the number of keys held in secret by each terminal does not depend on the number of terminals in the entire network. Therefore, the number of terminals in a LAN, satellite communication, satellite broadcasting, an interbank network, etc. It is suitable for many large-scale networks, and has received special attention in recent years. However, if the public key cryptosystem ensuring sufficient security is realized by software using, for example, a computer of several MIPS, the processing speed is generally as low as several hundred bps at most. Therefore, usually, a high-speed secret key cryptosystem is used for encrypting a large amount of data, and a public key cryptosystem is used for delivery of a secret shared key between a transmitter and a receiver required for the secret key cryptography. For example, in satellite broadcasting, by using a public key cryptosystem for distribution of a key required for data scrambling, each user can achieve an object with easy key management. Further, since the public key cryptosystem also has an authentication function, it can be used, for example, to confirm a user in personal computer communication or to authenticate a partner in a money transaction.

[0003] In the public key cryptosystem, due to its nature,
It is necessary to ensure the integrity of the public key, that is, to ensure that the data used as the public key of the terminal i is definitely the public key of the terminal i. This is because, for example, if the data used as the public key of the terminal i is actually the terminal k,
The following inconvenience occurs when the public key is used. First, when the terminal j performs encrypted communication with the terminal i, the cipher text using the public key of the terminal i (actually, the public key of the terminal k) can be decrypted with the secret key of the terminal k that the sender j does not want. That is, the terminal k obtains a message addressed to the terminal j by the terminal j. Also, if the terminal k impersonates the terminal i and creates a signature, the terminal j becomes the public key of the terminal i (actually, the terminal k
Calculation using the public key of the
Misrecognize

[0004] Next, as an example of the prior art, a method for ensuring the integrity of a public key using terminal identification information (hereinafter referred to as ID) and an existing public communication network will be described. The ID is identification information unique to the terminal, such as the name and address, which is known to anyone, and is information that can be identified by just looking at it without having to keep a list.

[0005] Ensuring integrity of public key using ID 1
One means is to employ public key generation means. The public key generation means is a means for generating the public key of the communication partner using the public information of the center, the ID of the communication partner, and the public information of the communication partner, thereby ensuring the integrity of the generated public key. The public information of the communication partner used here is generated by using the secret key of the center and the identification information of each terminal so that only the center can forge. Here, the meaning that it cannot be forged means that it is impossible for an unauthorized person to create the public information of the terminal for generating the “public key corresponding to the secret key selected by the user”. Even if an erroneous public key is generated from the public information of a terminal and the public key is used, there is no security problem because no terminal knows the corresponding private key.
Therefore, in this method, the validity of the public key can be confirmed indirectly, and the generated public key can be used as it is.

The present applicants disclosed means relating to public key generation in Japanese Patent Application Nos. 2-324479 and 324480. FIG. 3 shows the configuration of the public key generation means in this conventional example. In the figure, 1 is a terminal i, 2 is a center A, and 3 is a terminal j. The procedure of the conventional example will be described below with reference to FIG. <Steps for Setting Up Center A> (1) The center A generates a prime number q and generates a primitive root g of a complete remainder system modulo q. Further, a certain hash function h is determined. Here, the hash function h is a data compression type one-way function satisfying the following four conditions.
(1) h is not calculated independently for each block which is a message division unit, but is calculated by a method depending on all bits of the message. (2) For any given message M and its hash value h (M), it is very difficult to find another message X such that h (M) = h (X). (3) Regarding h, h (X · Y) （h (X) · h
(Y) must be satisfied. (4) h (M) can be calculated at high speed. Specifically, the information amount is set to 1 by taking the exclusive OR of the odd-numbered information and the next even-numbered information sequentially from the first in a signal string composed of many 1s or 0s.
/ 2.

[0007] At present, the following two methods are typically used in a secret communication network system. The first is a method in which a secret key encryption method DES (Data Encryption Standard) is applied to a message in a CBC (Cipher Block Chaining) mode. The second is
This is a method in which an encryption function (second-order congruential expression) of the secret key cryptosystem Rabin is applied to a message in the CBC mode. In addition,
These are described in detail in Shinichi Ikeno and Kenji Koyama, "Modern Cryptography", published by the Institute of Electronics, Communication and Communication Engineers.

(2) The center A determines the secret key Sa,
Pa≡g ^sa modq ... [1] is generated. Here, 'a' is a suffix indicating that it is the value of the center A, and the same applies to the following variables. Here, 'modq' indicates the remainder when divided by q (note that m
od is the Latin abbreviation for modulus.) (3) Publish (q, g, h, Pa) to the system as the public key of the center A.

<Step of Generating Terminal Information of Terminal i by Center A>
Hereinafter, steps when the center A generates the terminal information of the terminal i will be described. Using the terminal information, the terminal i obtains its own secret key. (1) The terminal i generates a random number xi, and uses this to generate yi≡
g ^xi modq ... to calculate the [2]. Then, the generated value yi and the own IDi are indicated to the center A, and a request for generating terminal information is made.

(2) The center A generates a random number rai, and generates the following terminal information uai, vai using the terminal generated value yi sent from the terminal and the secret key Sa of the center A. Here, 'ai' is a subscript indicating that the center A is a value generated for the terminal i. ^{uai≡g rai × yi modq ... [3} ] Hai≡h (uai, IDi) ... [4] vai≡Hai × Sa + rai mod (q-1) ... [5] (3) Center A terminal information UAI, a vai It is distributed to the terminal i using a public communication channel.

(4) The terminal i receiving vai from the center A generates its own secret key Si by the following equation using the random number xi generated in (1). Si @ vai + xi mod (q-1) [6] <Public Key Generation Step> A case where the terminal j generates the public key of the terminal i will be described. (1) Terminal j receives terminal information uai and IDi from terminal i. (2) The following calculation is performed to obtain the public key Pi of the terminal i.

[0012] Hai≡h (uai, IDi) ... [ 7] Pi≡Pa Hai × uai modq ... [8] It should be noted, [8] the right side of the equation ^{= Pa Hai × uai modq ≡g Sa} * Hai × g rai × yi modq (From [1] and [3]) {g ^{Hai * Sa} × g ^rai × g ^xi modq (from [2]) {g ^{Hai * Sa + rai + xi} modq≡g ^{vai + xi} modq (from [5]) Since g ^Si modq (from [6]) holds, the right side of equation [8] is replaced by an index (Index).
The secret key Si of the terminal i in the cryptographic system based on the calculation
It may be considered as a public key Pi (remainder modulo q) corresponding to (exponent).

The features of this conventional example are shown below. (1) The secret key of the terminal i cannot be obtained at the center as well as at the other terminals. As shown in the equation [6], the terminal i generates its own secret key Si using the terminal information vai issued by the center A and xi generated by itself and secret only for the terminal i. That's why.

(2) Terminal information ua issued by the center A
i and vai can be delivered using a public communication channel. This is because the confidentiality of the terminal's secret key depends only on the confidentiality of the terminal-generated xi for the reason (1) above, and the security is not deteriorated even if the terminal information issued by the center is made public. . (3) The secret key of the terminal can be easily updated. In the terminal secret key generation step, the center A uses a random number.
By changing this random number, it is possible to cope with the reissuance of the secret key of the terminal.

(4) Hierarchization is easy. FIG. 4 shows an example of hierarchization. In the figure, 1 is a terminal i, 2 is a center A, 3 is a terminal j, and 4 is a center B. First, the center B discloses the public key Pb. Then, the center A is authenticated, and information uba and vba are issued. The center A obtains its own secret key Sa using this information. Next, Center A
Authenticates the terminal i, and issues terminal information uai, vai of the terminal i using the secret key Sa determined earlier. The terminal i obtains its own secret key Si using the terminal information. At this time, the terminal j receives the information uba of the center A and the information uai of the terminal i from the terminal i, and uses the public key Pb of the center B to apply the public key generation method in two stages as follows:
Find the public key of terminal i. (a) The public key Pa of the center a is obtained using the public key Pb of the center B, uba, and IDa. (b) Public key Pa of center A obtained in (a), uai, I
The public key Pi of the terminal i is obtained using Di.

Thereafter, the terminal j encrypts and communicates data (public key) to the terminal i using the public key Pi of the terminal i, and the terminal i decrypts the data using its own private key Si, and Get the data. Also, the terminal j confirms the signature generated by the terminal i using its own secret key Si using the obtained public key Pi of the terminal i.

[0017]

However, in the network system for secret communication using the conventional public key generation means shown here, the secret key of each terminal and the public key use the value issued by the center which has authenticated it. 2
Not applicable when the terminal is authenticated by more than one center. This can also be seen from the fact that the secret key of the terminal is generated using the terminal information vai issued by the center A that has authenticated the terminal in equation [6].

That is, inconvenience occurs when the following situation is considered. The terminal j trusts the public key of the center A, and wants to generate the public key of the terminal i using the public key of the center A. On the other hand, the terminal k trusts the public key of the center B and wants to generate a public key of the terminal i using the public key of the center B. Then, the terminal i is authenticated by the centers A and B, and obtains terminal information from each. In this case, the public keys of the terminals i generated using the terminal information from the respective centers are different from each other. Therefore, it is not possible to simultaneously satisfy the demands of the terminals j and k.

Further, when considering the hierarchization, the secret key must be determined from the top of the hierarchy. When changing the structure, it is necessary to reconstruct from the top hierarchy. The present invention has been made in view of the above problems, and it is necessary to sufficiently satisfy the above-described fluid and complicated authentication relationship while preventing the above-mentioned four features of the conventional example from being impaired. It is an object of the present invention to provide a secret network communication system. For this purpose, the public key generation in the secret communication network system according to the present invention configures the terminal's secret key without using a center-issued value for authenticating the secret key.

[0020]

In order to achieve the above object, according to the first aspect of the present invention, a first terminal, a second terminal, and a terminal information issuing center having unique identification information are connected to each other. A terminal information issuing center having a public one-way function f and a public hash
A one-way function f is determined by the output value of f having the input of the result of the first operation of the first and second data as the output value of f of the first data. Equal to the result of a second operation that takes a value and said second data as inputs,
F which takes as input the result of the third operation of the first and second data
Is the output value of f of the first data and the output value of f
Is a function that is equal to the result of the fourth operation that receives the output value of f of the data of the terminal information issuing center, and the output value P of the one-way function f that receives the secret key S of the terminal information issuing center as the input. A system initial setting means for determining a public key of a terminal information issuing center, and notifying the first and second terminals of f, h and P as public information of the terminal information issuing center; A secret key is determined, and an output value of the one-way function f to which the secret key is input is obtained as a public key of the first terminal.
Terminal information requesting means for notifying the terminal information issuing center of the terminal information to the terminal information issuing center and requesting terminal information of the first terminal; and the terminal information issuing center generates a random number r and inputs the random number r A result u of a fourth operation using the output value of the one-way function f and the public key of the first terminal as inputs is obtained, and the identification information of the u and the first terminal is obtained by the public function h To the secret key S of the terminal information issuing center.
And the result of the first operation with the output value of the function h as the input, the result of the first operation and the result v of the third operation with the random number r as the input, and u, v Terminal information issuing means for issuing to the first terminal as first and second terminal information of the first terminal; and the first terminal having first and second terminal information u, v and the identification information of the first terminal, and the second terminal inputs the first terminal information u and the identification information of the first terminal to the disclosure function h, and the disclosure of the terminal information issuing center is performed. A result of a second operation using the input of the key P and the output of the function h is obtained, and a result of the fourth operation using the result of the second operation and the terminal information u as input, A fourth operation result obtained by inputting the reciprocal of the output value of the one-way function f having the information v as an input and a reciprocal in the fourth operation is represented by a first terminal And the public key generating means for the public key of
The first operation has the property that commutative law holds
The third operation and the fourth operation are commutative
This is a secret communication network system characterized in that it is an operation having the property that the rule and the binding rule are satisfied .

According to a second aspect of the present invention, there is provided a first terminal having unique identification information, a second terminal, a terminal information issuing center, and a network connecting them, wherein the terminal information issuing center is a prime number. Alternatively, a power value q of a prime number, a primitive root g of the remainder field modulo q, and a public function h are determined, and the g is modulo the secret key S of the terminal information issuing center. Is determined as the public key of the terminal information issuing center, and the q,
system initial setting means for notifying g, h and P to the first and second terminals as public information of the terminal information issuing center; and the first terminal determines a secret key, and A power residue value of g, which is to be a secret key of the first terminal, is obtained as a public key of the first terminal, and the public key and identification information of the first terminal are notified to the terminal information issuing center; Terminal information requesting means for requesting terminal information of the first terminal; and the terminal information issuing center comprises a random number r
And a product u of a modular exponentiation value of g that is a power of a random number r modulo the q and a public key p from the first terminal is obtained, and the identification information of the u and the first terminal is disclosed to the public. Function h
And the sum v of the product of the output value of h and the secret key S of the terminal information issuance center and the random number r is obtained modulo the Euler function value of q, and u and v are determined by the first terminal of the first terminal. 1, as a second terminal information, terminal information issuing means for issuing to the first terminal, the first terminal, the second terminal to the first terminal information u and the second terminal information v, The first terminal transmits the identification information of the first terminal, and the second terminal inputs the first terminal information u and the identification information of the first terminal to the public function h, and outputs the output value of h modulo q. The product of the modular exponentiation value of the public key P of the terminal information issuing center to be expended and the first terminal information u is obtained, and the reciprocal of the modular exponentiation value of g to exponentiate the second terminal information v and the Public key generation means for using the product of the first terminal and the first terminal as a public key of the first terminal. It has been with the system.

In the invention according to claim 3, claim 1 is
Or a predetermined rule based on the public key created by the public key creating means or the shared key created using the public key and the numerical information to be transmitted or the numerical information of the originally transmitted information. Transmission information encryption means for generating encryption information to be transmitted using a network, and reception for extracting the information to be transmitted from the transmitted encryption information according to a predetermined rule using a shared key or a secret key The secret communication network system according to claim 1 or 2, further comprising information decryption means.

In the invention according to claim 4, the modulus q used for generating a secret key or a public key is a product of prime numbers, g
4. A secret communication system according to claim 1, wherein a primitive root or order of a prime factor of q is a number greater than or equal to a fifth power of a prime factor of q, or a product of such numbers. It is a network system. In the invention according to claim 5, a public key generation unit according to claim 2 or 4, wherein, according to claim 2 or 4, wherein the public key generation unit q
The modular exponentiation value of the public key P of the terminal information issuing center and the modular exponentiation value of the public value g modulo the q The secret communication network system is characterized by employing a public key generation means characterized in that the public key generation means is used for obtaining.

[0024]

In the secret communication network system employing the public key generation means according to the present invention having the above-described configuration, the second terminal can be configured so that the public information of the terminal information issuance center and the identification information of the first terminal can be obtained. , Terminal information u, v of the first terminal, which is information that can only be created by the terminal information issuing center
Is used to generate the public key of the first terminal, so that the integrity of the generated first terminal is guaranteed.

[0025]

FIG. 2 shows the overall configuration of a secret communication network system according to the present invention. In the figure, a center A and terminals i and j are connected by a public communication line. The center A is equipped with a large-capacity CPU, which obtains a prime number q and a primitive root g required for the secret communication system, performs startup of the secret communication system, and newly joins a terminal. . On the other hand, each of the terminals i and j is equipped with a relatively small computer, and generates a private key and a public key using information issued from the center when newly joining. Hold. At the time of encrypted communication, a public key of the transmission partner is generated using the identification information of the transmission partner and the terminal information, and the information to be transmitted is encrypted and transmitted. The receiving terminal decrypts the ciphertext using the secret key held by itself and obtains the original information. When a sender confirms a signature created using his / her private key, the sender generates a public key of the signature creator and uses it.

FIG. 1 shows the concept of the operation of the public key generation means in one embodiment of the secret communication network system according to the present invention. In the figure, 1 is a terminal i, 2 is a center A, and 3 is a terminal j. Hereinafter, a procedure for generating a public key in the embodiment will be described with reference to FIG. <Steps for Setting Up Center A> (1) The center A generates a prime number q and generates a primitive root g of a complete surplus system modulo q. Further, a certain hash function h is determined.

(2) The center A determines the secret key Sa,
Pa≡g ^Sa modq ... [9] is calculated. (3) Publish (q, g, h, Pa) to the system as a public key of the center. <Step of Issuing Terminal Information of Terminal i by Center A> Hereinafter, a procedure in which terminal i generates its own private key and public key and center A issues terminal information for the public key will be described.

(1) The terminal i determines a secret key Si and calculates a public key Pi corresponding to the secret key Si by using Pi≡g ^Si modq... [10]. Then, the public key Pi and its own IDi are shown to the center A, and a request for terminal information is issued. (2) The center a generates a random number rai, and generates the next terminal information uai, vai using the public key Pi of the terminal i and the secret key Sa of the center A.

[0029] ^{uai≡g rai × Pi modq ... [11} ] Hai≡h (uai, IDi) ... [12] vai≡Hai × Sa + rai mod (q-1) ... [13] (3) Center A terminal information UAI , Vai to the terminal i using a public communication channel.

<Step of Generating Public Key> A procedure in which the terminal j generates the public key of the terminal i will be described. (1) Terminal j receives IDi and terminal information uai, vai authenticated by center A from terminal i. (2) The following calculation is performed to obtain the public key Pi of the terminal i.

[0031] Hai≡h (uai, IDi) ... [ 14] Pi≡Pa Hai × uai × g -vai modq ... [15] In addition, the right-hand side of the [15] formula ^{≡Pa Hai × uai × g -vai modq} ≡g ^{Sa * Hai} × g ^rai × Pi × g ^-vai modq (from [9] [11]) ≡g ^{Hai * Sa + rai} × g ^-vai × Pi modq ≡g ^vai × g ^-vai × Pi modq ([13]よ り Pi holds. That is, the value obtained by Expression [15] matches the public key Pi determined by the terminal i in advance by Expression [10].

Thereafter, the terminal j encrypts the information to be sent using the obtained public key Pi and authenticated by the center using a public key cryptosystem such as RSA cryptography or El Gamal cryptography. The signal transmitted to the terminal i is transmitted by using a public communication network that does not always ensure the confidentiality of the signal itself, and the terminal i that has received the cipher uses its own secret key Si to encrypt the ciphertext. Decrypt or use the same means to make terminal i public key Pj of terminal j
^Is obtained and g ^si.sj is used as a shared key between them, and secret communication is performed using a public communication network using a secret key cryptosystem. In these cases, the basic principle of encryption and decryption of information to be transmitted using a public key and a shared key is that a transmission signal is usually a digital signal composed of 0s and 1s, especially a signal related to a computer. It is used as a signal, and it can be regarded as a binary number when it is divided into appropriate bits. Further, the transmission signal is continuous (for example, AM
In the case of (modulation), secret communication is performed in which the wave height is taken for each unit time interval, digitized, and further converted into a binary number. Here, the conversion into a binary number is based on the fact that in binary communication, techniques such as parity check are advanced in order to secure the accuracy of communication contents, and 8-bit, 16-bit, 32-bit, etc. Computer-related technology, as is often the case, is due to the adoption of binary digital signals.

For example, in secret communication using a shared key, the following method is used as a simple method. (1) In the transmission, a signal (for example, 100 consisting of 0 and 1) to be transmitted having the same number of bits to a shared key (for example, 101 consisting of 0 and 1) as a binary number is regarded as a binary number. After the addition, the sum (1001) is sent, and the receiving side subtracts the shared key (101) from the received signal (1001) to obtain the difference (100), and decrypts the sent signal. If the information is large, the information is divided into a large number of information having the same number of bits as the shared key, and the divided information is individually encrypted and decrypted.

(2) After dividing the transmission information into the same bit digits as the shared key, if the specific bit number of the shared key is 0, the corresponding bit number of the transmission information is kept as it is, and if it is 1, the bit number is reversed. (If the number of the transmission information is 1, it becomes 0; if it is 0, it becomes 1) Encrypt by conversion and perform the decryption by the same operation (accordingly, the shared key is (100) and the transmission information is (101))
Then, the encrypted transmission signal is (001).)

In addition, for example, the above-mentioned DES encryption employed in the current American banking system is used.
This encryption is an encryption / decryption method in which a 64-bit data block is used as a unit, and this input value is disturbed on the basis of transposition and substitution using a key. In the above embodiment, the terminal determines its own secret key and public key on its own. Therefore, when a terminal is authenticated by two or more centers, the public key of the terminal can be generated using the public key of each center and the terminal information issued by authenticating the terminal. it can. For example, centers A and B authenticate terminal i, and each terminal information (uai, v
ai) It is assumed that (ubi, vbi) has been issued. At this time,
Using the public key Pa of the center A, a value (P ^{ah (uai, IDi)} × uai × g ^-vai mod ⁾ generated from the equations [14] and [15]
q) and the value generated by using the public key Pb of the center B (P
b ^{h (uai, IDi)} × ubi × g− ^vbi modq) are both public keys Pi initially determined by the terminal i in equation [10].

This embodiment can be hierarchized similarly to the prior art. Furthermore, since a random number is used to generate terminal information, it is possible to easily cope with the update of the secret key and the public key of the terminal as in the conventional example. Next, the security of the present embodiment will be described. (1) Security of the secret key of the center A Obtaining the secret key Sa from the public key Pa of the center A is a problem of a discrete logarithm calculation in telecommunications and an exponential calculation in mathematics, that is, a large prime number q. It is difficult to find the index (Index) of the remainder Pa. In this embodiment, q is a large prime number of about 512 bits (approximately 150 decimal digits) so that practically sufficient security can be ensured from the viewpoint of the necessary amount of calculation even today when a large-scale computer is developed. 1 is made to have a large prime number as a divisor.

Here, the center A needs to change the random number rai every time in the terminal information generation step.
If the same random number rai is used, the terminal information va of the terminal i, j is obtained.
If i and vaj are generated, i and j are collaborated to form Sa≡ (vai-vaj) / (Hai-Haj) mod
The secret key of the center A can be obtained by the equation (q-1). Also, the relation between the center-generated random numbers rai and raj used to generate terminal information of arbitrary terminals i and j, that is, rai
If c of ≡c × raj mod (q−1) is obtained, S
a≡ (vai−c × vaj) / (Hai−c × Haj) mo
The secret key of the center can be obtained by d (q-1). Most other terminals are public information uai, uaj, P
To find this c from i and Pj, (uai / Pi) ≡ (u
aj / Pj) ^c modq needs to be solved for c, which is difficult unless obvious. Since a large number of programs and methods are currently available for generating random numbers, it is sufficient to use them. (2) Security of Private Key of Terminal Obtaining the private key Si from the public key Pi of the terminal i is q
It is difficult to take a large amount of calculation because the required calculation amount is enormous, not only at other terminals but also at the center. Also, in order for the third terminal to forge the public key of the terminal x, it is necessary to find uax and vax that satisfy the following expression [16].

G ^Sx × g ^vax Ｐａ Pa ^{h (uax, IDx)} × uax modq... [16] This means that Px calculated using the equations [14] and [15] is
This is because the public key corresponds to the secret key Sx of the forged terminal x. Here, the forger decides uax arbitrarily, and [1
6] It is difficult to obtain vax and Sx that satisfy the expression if q is sufficiently large. Conversely, vax is arbitrarily determined and [1
6] Finding uax and Sx that satisfy the equation is at least as difficult as the above-mentioned discrete logarithm problem and the problem of finding exponents.

Next, the processing time of public key generation and the required memory capacity in this embodiment will be described. First,
The modular exponentiation required to generate a public key is
As shown by the equation [15], there are a total of two operations, i.e., an operation for exponentiating the output value of the hash function modulo q and an operation for exponentiating terminal information v. This is approximately twice the processing amount of the related art. Of these operations, the operation of exponentiating the hash function value is reduced by reducing the output value of the hash function to a limit (for example, 128 bits) that does not degrade security. The public information for each terminal is uai, vai
(1 word = log2q bits). This memory capacity has also increased about twice as much as the conventional one.

By the way, the value of the modular exponentiation of Pa and g in the embodiment is calculated modulo q, a value corresponding to a value that can be taken as a power is previously obtained and stored in a table, and by referring to this table, Can be found at high speed. For example, a case will be described in which a power remainder value of Pa is obtained. First, Pa ² modq,
Pa ⁴ modq, Pa ⁸ modq, ..., Pa ² ＾ ^(k-1)
modq (here, “＾” indicates a power) is stored in a table. Then, to obtain Pa ^Hi modq, Hi may be binary-expanded, and the table value corresponding to each bit may be multiplied on a remainder system modulo q. In this case, the number of modular multiplication operations is k / 2 times on average, and three times the speed can be realized as compared with the case where no table value is used. Now that a high-speed memory is available at a low price, this high-speed calculation means using table values is an effective means for reducing the burden on the user.

For this reason, today, as information digitizing means, microcomputers, etc. have been developed, these high-speed calculation means are also adopted, so that the secret communication network system according to the present invention is already available. Public line, L
By diverting the equipment such as AN as it is, it can be realized without imposing a large burden on the user.

Although the present invention has been described based on the embodiments, it goes without saying that the present invention is not limited to the above embodiments. That is, as a secret key generation means, it is easy to find the remainder from the exponent of the primitive root modulo a large prime number, but it is difficult to find the exponent from the remainder and the primitive root. Although the case where the generation means is employed has been described, it is a matter of course that other means may be employed if they have the same properties. For example, in the case of a prime having a large number of bits, the amount of calculation for confirming that the prime is a prime and finding a primitive root becomes enormous, so that q may be regarded as a prime in practice instead of a prime, specifically, most number several synthesis number of prime factors, integer should multiply values prime or not the importance of communication content is less, whereas easier find the primitive root if the computer capacity of the communication system is limited form of prime numbers 2 integer should multiply value +1 or -1 may be employed such. The two integer should multiply value +
In the case of a prime number in the form of 1 or −1, current personal computers often have bits of 8 bits, 16 bits, 32 bits and a power of 2, which is often convenient in programming processing. Further, instead of the primitive root, the order may be sufficiently large, specifically, a number whose order is 1/5 or more of the prime factor of the modulus q may be adopted. Even in this case, if the number of bits of the prime factor of the modulus q is 150 or more, it is practically sufficiently safe depending on the importance of the communication contents. In short, the most suitable prime number and the like are appropriately selected according to the equipment such as the capacity of the computer equipped in each terminal and the center, the importance of the communication contents, and the like. Further, in the embodiment, the principle of the public key itself is f (x) ≡
As a one-way function on g ^x mod q, the function is configured based on the property of f (a × b) ≡ ｛f (a)｝ ^b f (a + b) ≡f (a) × f (b) However, in general, a one-way function f, a binary operation op1 for which the commutative law holds, and a binary operation
op2, and a polynomial operation op3 that satisfies the commutative and associative laws
And op4 op1 (a, b) op2 (a, b) op3 (a, b) op4 (a, b) the following relationship f between (op1 (a, b)) ≡op2 (f (a), b) f (op3 (a, b)) ≡op4 (f (a), f
If (b)) holds, a similar public key generation method can be configured. Examples of the one-way function f that satisfies such properties include the above f (x) 他 g ^x mod q, and the one-way function of the so-called discrete logarithm problem on the elliptic curve y ² = x ³ + αx + β. It is considered to be a function.

Further, as a means for encrypting and decrypting information to be transmitted using a public key and a secret key, even if the information to be transmitted is not limited to a binary number and a decimal number or the like is used. Good. Next, the terminal j in the above embodiment is replaced by the terminal i
It goes without saying that the communication network used before obtaining the public key and the communication network used thereafter are not necessarily the same physically. Further, the communication network is not limited to a satellite broadcast or a LAN or NTT line, but includes offline communication such as transport of a floppy disk.

[0044]

As is apparent from the above description, in the secret network communication system according to the present invention, each terminal can determine the secret key and the public key without depending on the center that authenticates the terminal. Therefore, the present invention can be easily applied to existing systems that require various complicated authentication relationships. Furthermore, when the present invention is incorporated hierarchically, each layer only needs to determine the secret key independently. Therefore, when the hierarchical structure is changed, such as insertion or deletion, only the terminal information needs to be reissued only, which is not easily performed. I can. In addition, the features of the conventional secret network communication system are satisfied.

Further, in the calculation of the public key generation part, it is possible to realize a high-speed processing without impairing security by using a residue value obtained in advance.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a public key generation method according to an embodiment of the present invention.

FIG. 2 is an overall configuration diagram of a secret communication network according to the present invention.

FIG. 3 is a configuration diagram of a conventional public key generation method.

FIG. 4 is a diagram showing an example of hierarchization in a conventional public key generation method.

[Explanation of symbols]

 1 terminal i 2 center A 3 terminal j 4 center B

──────────────────────────────────────────────────続 き Continuation of the front page (56) References Natsume Matsuzaki, Shunji Harada, Makoto Tatebayashi “Proposal of Public Key Generation Method and Application of Encryption Key Distribution Method” IEICE Technical Report, Vol. 90, no. 365, (December 19, 1990), p. 37-46 (ISEC90-43) (58) Fields investigated (Int. Cl. ⁶ , DB name) G09C 1/00-5/00 H04K 1/00-3/00 H04L 9/00-9/38 JICST file (JOIS)

Claims (5)

(57) [Claims] A first terminal having a unique identification information, a second terminal, a terminal information issuing center, and a network connecting the first terminal and the second terminal, wherein the terminal information issuing center has a public one-way function f; A function h, which is a public hash function, is determined, and the one-way function f is an output value of f that receives the result of the first operation of the first and second data as f Is equal to the result of the second operation with the input of the second data and the second data, and the output value of f with the result of the third operation of the first and second data as the input is A fourth data inputting the output value of f of the first data and the output value of f of the second data;
The output value P of the one-way function f, which receives the secret key S of the terminal information issuing center as an input, is determined as a public key of the terminal information issuing center. system initial setting means for notifying h and P to the first and second terminals as public information of the terminal information issuing center; and the first terminal in which the first terminal determines a secret key and inputs the secret key. The output value of the direction function f is obtained as the public key of the first terminal, and the public key of the first terminal and the identification information of the first terminal are notified to the terminal information issuing center.
Terminal information requesting means for requesting terminal information of the terminal, the terminal information issuing center generates a random number r, and outputs the one-way function f with the random number r as input and the first terminal A result u of a fourth operation using the public key as an input is obtained, and the identification information of the u and the first terminal are converted to the public function h.
To obtain a result of a first operation using the secret key S of the terminal information issuing center and the output value of the function h as inputs, and a third operation using the result of the first operation and the random number r as inputs. A calculation result v is obtained, and u and v are determined by the first and second terminals of the first terminal.
Terminal information issuing means for issuing to the first terminal as the terminal information of the first terminal; the first terminal transmits the first and second terminal information u, v and the identification information of the first terminal to the second terminal. Then, the second terminal inputs the first terminal information u and the identification information of the first terminal to the public function h, and inputs the public key P of the terminal information issuing center and the output of the function h. , The result of the second operation and the result of the fourth operation that receives the terminal information u, and the one-way operation that receives the second terminal information v. A public key generation unit that uses a fourth operation result of the output value of the function f and the reciprocal of the fourth operation in the fourth operation as an input and obtains a public key of the first terminal , wherein the first operation is commutative. An operation that has the property that the rule holds
And the third operation and the fourth operation are commutative and
A network system for secret communication, which is an operation having a property that a connection rule is satisfied . 2. A first terminal having a unique identification information, a second terminal, a terminal information issuing center, and a network connecting the first terminal and the second terminal, wherein the terminal information issuing center has a prime number or a power value q of a prime number. , The primitive root g of the remainder field modulo q and the public function h are determined, and the modular exponentiation value P of g, which modulates q and raises the secret key S of the terminal information issuing center, is A system initial setting means for determining a public key of the terminal information issuing center, and notifying the first and second terminals of the q, g, h and P as public information of the terminal information issuing center; The terminal determines a secret key, obtains a modular exponentiation value of g that is a secret key of the first terminal modulo the q as a public key of the first terminal, and determines the public key and the first
Terminal information requesting means for notifying the terminal information issuance center of the terminal information to the terminal information issuance center, and requesting terminal information of the first terminal; the terminal information issuance center generates a random number r;
The product u of the power-residue value of g that raises the random number r and the public key p from the first terminal is obtained modulo
Is input to the public function h, and the q
The sum v of the product of the output value of h, the secret key S of the terminal information issuing center, and the random number r is obtained by using the Euler function value of u as the modulus, and u and v are the first and second terminals of the first terminal. Terminal information issuing means for issuing to a first terminal as information; and the first terminal transmits first terminal information u to the second terminal.
And the second terminal information v and the identification information of the first terminal, and the second terminal inputs the first terminal information u and the identification information of the first terminal to the public function h, The product of the modular exponentiation value of the public key P of the terminal information issuing center, which is the output value of h modulo q, and the first terminal information u is obtained, and the second terminal information v is exponentiated. A secret communication network system, comprising: a public key generating unit that uses a product of a reciprocal of a power remainder value of g and the product as a public key of a first terminal. 3. Numerical information to be transmitted with a public key created by the public key creating means according to claim 1 or a shared key created using the public key, or information obtained by digitizing information to be originally transmitted. Transmission information encryption means for generating encryption information transmitted using a network according to a predetermined rule, and a predetermined rule using a shared key or secret key from the transmitted encryption information. The secret communication network system according to claim 1 or 2, further comprising a reception information decrypting means for extracting information to be transmitted. 4. A modulo q used for generating a secret key or a public key, a product of prime numbers is adopted, and g is a prime root or a number equal to or greater than a fifth power of a prime factor of q or such a number. 3. The product of claim 1, wherein the product of
Or a network system for secret communication according to 3. 5. A public key generation unit according to claim 2 or 4, wherein said terminal information distribution center power residue value of the public key P of the modulo q of claim 2 or 4, wherein the public key generation unit , And a public key generation means characterized in that a modular exponentiation value of the public value g modulo q is obtained by using a previously calculated modular value modulo q. Characteristic network system for secret communication.