JP3464153B2 - Encryption communication method and encryption communication system - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a highly secure cryptographic communication method and system for encrypting information so that only the parties concerned can understand the content of the information.

[0002]

2. Description of the Related Art In a modern society called an advanced information society, business-important document / image information is transmitted and processed in the form of electronic information based on a computer network. Such electronic information has the property that it can be easily copied and that it is difficult to distinguish the copy from the original, and the problem of information preservation is emphasized. In particular, "Computer resource sharing",
The realization of a computer network satisfying the elements of "multi-access" and "wide area" is indispensable for establishing an advanced information society, but this includes elements that are inconsistent with the issue of information security between the parties. As an effective method for resolving such a contradiction, a cryptographic technique which has been used mainly in military and diplomatic aspects in the past history of human beings has been receiving attention.

Cryptography is the exchange of information so that the meaning of the information cannot be understood by anyone other than the parties concerned. In cryptography, converting an original text (plaintext) that anyone can understand into a text (ciphertext) whose meaning is unknown to a third party is encryption, and returning a ciphertext to plaintext is decryption. The whole process of encryption and decryption is collectively called an encryption system. Secret information called an encryption key and a decryption key are used in the encryption process and the decryption process, respectively. Since a secret decryption key is required for decryption, only a person who knows this decryption key can decrypt the ciphertext, and the confidentiality of information can be maintained by the encryption.

The encryption key and the decryption key may be the same or different. An encryption system in which both keys are the same
It is called a symmetric key cryptosystem, and is adopted by the US Department of Commerce Standards Bureau.
ES (Data Encryption Standards) is a typical example. Also, as an example of an encryption system in which both keys are different, an encryption system called a public key encryption system has been proposed. In this public key cryptosystem, each user (entity) who uses the cryptosystem creates a pair of encryption key and decryption key, publishes the encryption key in the public key list, and keeps only the decryption key secret. It is an encryption system that does. In the public key cryptosystem, the pair of encryption key and decryption key are different from each other, and the one-way function is used so that the decryption key cannot be calculated from the encryption key.

The public key cryptosystem is an epoch-making cryptosystem in which the cryptographic key is disclosed, and is suitable for the above-mentioned three elements necessary for establishing an advanced information society. The research has been actively carried out for the purpose of utilizing it in the field of, and the RSA cryptosystem has been proposed as a typical public key cryptosystem. This RSA cryptosystem is realized by utilizing the difficulty of factorization as a one-way function. In addition, various methods have been proposed for public key cryptosystems that utilize the difficulty of solving the discrete logarithm problem (discrete logarithm problem).

Further, an encryption system has been proposed which utilizes ID (Identity) information for identifying an individual such as the address and name of each entity. In this encryption system, an encryption key common to both senders and receivers is generated based on the ID information. In addition, the encryption technique based on this ID information includes (1) a method requiring preliminary communication between the sender and the receiver prior to ciphertext communication, and (2) a standby between the sender and the receiver prior to ciphertext communication. There is a method that does not require communication. In particular, the method (2) does not require preliminary communication, and thus is highly convenient for the entity, and is considered to be the core of the future encryption system.

The encryption system according to the method (2) is ID-
NIKS (ID-based non-interactive key sharing sch
It is called "eme)" and employs a method of sharing an encryption key using ID information of a communication partner without performing preliminary communication. The ID-NIKS is a system in which it is not necessary to exchange a public key and a private key between senders and receivers, and a list of keys and a service by a third party are not necessary, and secure communication can be performed between arbitrary entities.

FIG. 7 is a diagram showing the principle of this ID-NIKS system. The shared key generation system is constructed around this center, assuming the existence of a reliable center. In FIG. 7, the ID information such as the name, address, and telephone number of the entity X, which is the specific information of the entity X, is represented by h (ID _X ) using the hash function h (·). The center calculates the secret information S _Xi for an arbitrary entity X based on the center public information {PC _i }, the center secret information {SC _i } and the ID information h (ID _X ) of the entity X as follows. Then, secretly entity X
Distribute to. S _Xi = F _i ({SC _i }, {PC _i }, h (ID _X ))

The entity X exchanges a shared key K _XY for encryption and decryption with another arbitrary entity Y, secret information {S _Xi } of the entity X itself, center public information {PC _i } and the other party. ID information h of the previous entity Y
It is generated as follows using (ID _Y ). K _XY = f ({S _Xi }, {PC _i }, h (ID _Y )) Also, the entity Y similarly generates a key to the entity X as a shared key K _YX . If the relationship of K _XY = K _{YX is} always established, the keys K _XY and K _YX can be used as an encryption key and a decryption key between the entities X and Y.

In the public key cryptosystem described above, for example, RSA
In the case of an encryption system, the length of the public key is ten times more than the current telephone number, which is extremely complicated. On the other hand, ID-
In NIKS, if each ID information is registered in the form of a name list, a shared key can be generated with an arbitrary entity by referring to this name list. Therefore, if the ID-NIKS system as shown in FIG. 7 is safely realized, a convenient encryption system can be constructed on a computer network to which many entities join. For these reasons, ID-NIKS is expected to become the center of future cryptosystems.

[0011]

In the ID-NIKS in which the shared key serving as the encryption key and the decryption key is shared with each other without performing preliminary communication using the ID information of the communication partner, a plurality of entities are provided. It is hoped that it will be sufficiently safe against attacks such as collusion. However, in the above-mentioned ID-NIKS, attack methods have been studied,
It involves the problem that the secret parameters of the center are exposed if an appropriate number of entities collude. Whether or not a cryptographically secure ID-NIKS can be constructed is an important issue in the advanced information society, and the search for a more ideal cryptosystem is being pursued.

The present invention has been made in view of the above circumstances, and the secret key generation function and the key sharing function are inseparable, the key can be stochastically shared, and a highly secure new ID is provided. -An object of the present invention is to provide a cryptographic communication method and a cryptographic communication system by NIKS.

[0013]

A cryptographic communication method according to a first aspect of the present invention is such that a secret key unique to each entity is sent from a center device to each of a plurality of entity devices, and one of the entity devices is sent from the center device. Using the shared key obtained from the private key unique to the entity and the public key of the other published entity, plaintext is encrypted into ciphertext and transmitted to the other entity device, and the other entity device is transmitted. The encrypted text obtained from the secret key unique to the entity sent from the center device and the public key of the one of the entities that has been made public are converted into the original plaintext using the same shared key as the shared key. In the cryptographic communication method in which information is communicated between entity devices by decrypting, the private key unique to each entity is a public key of each entity. It is a plurality of types of secret keys that are generated modulo each of a plurality of numbers using random numbers unique to each entity, and each entity device uses the plurality of types of secret keys and the public key of the counterpart entity. Then, a plurality of types of intermediate values modulo each of the numbers are obtained, and the shared key is generated by deleting the random numbers by adding the obtained plurality of types of intermediate values on the integer ring. It is characterized by

The cryptographic communication method according to claim 2 is the method according to claim 1.
In the above, the random number is a multi-dimensional random number vector.

A cryptographic communication method according to a third aspect is the first aspect.
Or 2, the arithmetic expression for generating two kinds of the secret keys in the center device is as follows:

[0016]

[Equation 5]

However, vector s _i : one secret key vector of entity i, t _i : the other secret key P, Q of entity i; published prime vector v _i : public key A, B of entity i: center secret A symmetric matrix vector γ _i consisting of random numbers of: a personal random number vector consisting of random numbers The arithmetic expression for generating the shared key in each of the entity devices is characterized by the following.

[0018]

[Equation 6]

However, K _ij : Shared key vector v _j generated by one entity i for the other entity _j : Public keys A _ij ′, B _ij ′ of entity j: for generating shared key K _ij Intermediate value

The encrypted communication method according to claim 4 is the method according to claim 1.
Or 2, the arithmetic expression for generating two kinds of the secret keys in the center device is as follows:

[0021]

[Equation 7]

However, vector s _i : one secret key vector of entity i, t _i : the other secret key P, Q of entity i; published prime vector v _i : public key A, B of entity i: center secret A symmetric matrix vector γ _i consisting of random numbers of: a personal random number vector consisting of random numbers, P and Q of k bits are set so as to satisfy the following equation, and P≡δ (mod R) Q≡ε (mod R) R: d-bit prime numbers δ, ε; e-bit number k>d> e An arithmetic expression for generating the shared key in each entity device is as follows.

[0023]

[Equation 8]

[0024] However, K _ij: common key K _ij one entity i generates for the other entity j ': median K _ij for generating a shared key K _ij ": generating a common key K _ij Is an intermediate value for K
Remainder c of _ij 'divided by R: Parameter related to key agreement probability

A cryptographic communication method according to a fifth aspect is the first aspect.
1 to 4, the public key of each entity is obtained by calculating the specific information of each entity using a hash function.

According to a sixth aspect of the present invention, a cryptographic communication system performs a process of encrypting plaintext, which is information to be transmitted, into a ciphertext, and a process of decrypting the transmitted ciphertext into an original plaintext. In a cryptographic communication system mutually performed between each entity, a public key unique to each entity and a secret random number unique to each entity are used to generate a plurality of types of private keys modulo each of a plurality of numbers. A center device to be sent to the device, a plurality of types of private keys of itself sent from the center device, and a public key unique to the entity to be communicated are used to obtain a plurality of types of intermediate values modulo each of the numbers. , The above-mentioned random numbers are erased by addition on the integer ring of the obtained plurality of intermediate values,
A plurality of entity devices that generate a shared key for performing the encryption process and the decryption process.

First, the conditions for realizing ID-NIKS and the conditions for secure ID-NIKS will be considered. However, i, j, y, and z represent entities, v _i is often the public key of entity i, which is a hash value of the ID, s _i is the private key of entity i, and K
_ij is a shared key with the entity j obtained by the entity i.

In order to realize ID-NIKS, the following three conditions 1 to 3 are necessary.

[Condition 1 (secret key generation condition)] The center can obtain the corresponding secret key s _i from the public key v _i of the entity i using the secret key generation function f (·). s _i = f (v _i )

[Condition 2 (Shared Key Generation Condition)] The shared key K is calculated from the secret key s _i of the entity _i and the public key v _{j of the} entity j by using the shared key generation function g (·).
_ij can be obtained. K _ij = g (s _i , v _j )

[Condition 3 (Key Sharing Condition)] The shared key K _ij generated by the entity i for the entity j and the shared key K _ji generated by the entity j for the entity i are equal. K _ij = K _ji Therefore, the secret key generation function f is _{added to} the shared key generation function g (·).
The key agreement function F (•) obtained by substituting (•) with the public keys v _i and v _j as variables is a symmetric function. F (v _i , v _j ) = F (v _j , v _i ), where F (v _i , v _j ) = g (f (v _i ), v _j ) = g (s
_i , v _j )

Here, separability is defined as follows. Definition: The function f is defined as separable by the operation ◯ when the following formula is always satisfied, where ∘ is a suitable convertible method. f (x + y) = f (x) ○ f (y) for example, f (x) = ax, f (x) = a x is separable as shown below. f (x + y) = a (x + y) = ax + ay = f (x) +
f (y) f (x + y) = a x + y = a x · a y = f (x) · f
(Y) On the other hand, f (x) = ax + b is not separable as shown below. f (x + y) = a (x + y) + b = ax + ay + b f (x) + f (y) = ax + b + ay + b = ax + ay
+ 2b Therefore, f (x + y) ≠ f (x) + f (y)

The public key v _z attack target entity z is represented as a linear combination of the public key v _i colluder, moreover, can be separated in either one of the private key generating function or key sharing function polynomial time function If, then the entity's private key and shared key can be forged without requiring the center secret. This attack method has been conventionally called a linear attack.

[0034] Conventionally, it has been considered to facilitate that represents the public key v _z as a linear combination, method is to represent the public key v _z of the entity that you want to attack a linear combination is not always easy has also been developed. Therefore, a linear attack is performed with the public key v _z
Should be divided into an attack part in the first stage, where is expressed as a linear combination, and an attack part in the latter stage, where the function is separated and the key is forged in that case. In the following description, the former stage of this linear attack is called a combined attack, and the latter stage is called a separation attack to distinguish them. The linear attack is a combination of both the combined attack and the separated attack.

The following theorem holds for the separation attack. Theorem 1: (Separation attack on secret key) A combination attack with an integer coefficient is established for public key v _z ,
If the secret key generation function can be separated in polynomial time by the operation ◯, and the inverse element for the operation ◯ can be obtained in polynomial time, the secret key s _z can be forged in polynomial time by the separation attack with the secret key. Theorem 2: (Separation attack on the shared key) A combination attack with an integer coefficient is established for the public key v _z ,
If the secret key generation function can be separated in polynomial time by the operation ◯, and the inverse element for the operation ◯ is obtained in polynomial time, the shared key K _yz is forged in polynomial time by the separation attack using only the shared key. it can.

I that is safe against the separation attacks as described above
In order to configure D-NIKS, the following conditions 4 and 5 may be satisfied.

[Condition 4 (Security of Secret Key against Separation Attack)] It is difficult to separate the secret key generation function f in polynomial time.

[Condition 5 (Security of Shared Key Against Separation Attack)] It is difficult to separate the key sharing function F in polynomial time.

The condition 5 is very strict, and means that the function forms at the key sharing stage are separable and unsafe regardless of the calculation in the middle. For example, the product-sum type ID-NIKS or the power-product type ID-NIKS does not satisfy this condition.

In the present invention, the secret key generation function and the key sharing function cannot be separated, and the keys can be stochastically shared.
The inseparability is realized by erasing the random numbers by addition on the ring of integers after the operation on a finite field modulo a large prime number. In the present invention, it is based on the security that it is difficult to represent an arbitrary vector by a linear combination of the colluder's vectors when the magnitude of the coefficient is limited. In addition, the colluding threshold is increased by using a random number vector unique to each entity.

[0041]

FIG. 1 is a schematic diagram showing the configuration of a cryptographic communication system of the present invention. A center 1 that can trust the concealment of information is set, and this center 1 can be, for example, a public institution of society. The center 1 and a plurality of entities a, b, ..., Z as users who use this encryption system are secret communication paths 2a, 2b,
,, 2z, and the secret communication path 2a,
The secret key information is transmitted from the center 1 to the entities a, b, ..., Z via 2b ,. In addition, the communication path 3ab between the two entities,
3az, 3bz, ... Are provided, and these communication paths 3ab, 3b are provided.
The ciphertext obtained by encrypting the communication information via az, 3bz, ... Is transmitted between the entities.

(First Embodiment) A first embodiment of the ID-NIKS of the present invention (a basic method of adding a personal random number to a secret key and erasing the random number portion at the time of sharing) will be described below.

(Preparation Processing in Center 1) The center 1 prepares the following public key and secret key, and publishes the public key. Public key P, Q Large k-bit prime secret key A, B N × n symmetric matrix vector consisting of k-bit random numbers γ _{i A} private random number vector consisting of l-bit random numbers Also, I of the entity that is the specific information of the entity
At the same time, the one-way function vector h (•) that generates an n-dimensional public key vector consisting of an m-bit positive integer from D is also disclosed. However, the inner product of the random number vector γ _i and the public key vector v _j of any entity is set so as not to exceed P and Q. Here, in order to simplify the discussion, consider the case where the parameter b is set as in the following equation (1) and b> 0. As will be described later, this b is a parameter that is related to security and the probability of key sharing. Note that k = 1240, l = 200, m = 1000, n = 1000, b = 30
The degree is a proper value. b = k- (l + m + log ₂ n) (1)

(Entity registration processing) The center 1 requested to register the entity i uses the prepared key and the public key vector v _i (= vector h (ID _i )) of the entity i to obtain the following equation ( 2) and formula (3)
And in accordance with, I asked for and vector s _i and vector t _i of entity i, the vector s _i and vector t _i found to entity i send it in secret, to complete the registration. However, mod is a mod of the binary operator. That is, a mo
It is assumed that d P represents an arithmetic operation for obtaining a remainder obtained by dividing a by P.

[0045]

[Equation 9]

The above equation (3) is replaced by the following equation (3 ')
May be expressed as follows, and subtraction may be performed on the integer ring at the final stage of key sharing. However, in this case, the shared key K _ij described later may have a negative value. In the following description, the vector t _i will be obtained by the equation (3).

[0047]

[Equation 10]

(Process for Generating Shared Key Between Entities) The entity i performs the following calculation to obtain the shared key K _ij with the entity j. First, according to the equations (4) and (5) by the method P and the method Q, A _ij ′ and B
_ij ′, and then K _ij is calculated on the integer ring by the equation (6).
To get

[0049]

[Equation 11]

Next, communication of information between entities in the above-mentioned cryptosystem will be described. 2 is 2
It is a schematic diagram which shows the communication state of the information between the entities a and b of a person. In the example of FIG. 2, an entity a encrypts a plaintext (message) M into a ciphertext C, transmits the ciphertext C to the entity b, and the entity b decrypts the ciphertext C into the original plaintext (message) M. Shows.

The entity a side inputs the personal identification information ID _b entity b, or public key generator 11 to obtain a vector v _b (public key) by using a hash function, secret sent from the center 1 shared key K _ab and vector s _a and t _a and a public key from the public key generator 11 vector v _b and entities b obtaining the entity a based on the
There is provided a shared key generator 12 for generating the encryption key and an encryption device 13 for encrypting a plaintext (message) M into a ciphertext C using the shared key _Kab and outputting the encrypted text C to the communication path 30.

[0052] Furthermore, the entity b toward the entity to enter personal identification information ID _a of a, the public key generator 21 to obtain the vector v _a (public key) by using a hash function
And the secret vectors s _b and t _b sent from the center 1.
And a shared key generator 22 that generates a shared key K _ba with the entity a that the entity b seeks based on the vector v _a that is the public key from the public key generator 21, and a communication path using the shared key K _ba. There is provided a decryptor 23 which decrypts the ciphertext C input from 30 into a plaintext (message) M and outputs it.

Next, the operation will be described. When transmitting information from the entity a to the entity b, first, the personal identification information ID _b of the entity b is input to the public key generator 11 to obtain a vector v _b (public key), and the obtained vector v v _b is sent to the shared key generator 12. Further, the vectors s _a and t _a obtained from the center 1 according to the equations (2) and (3) are input to the shared key generator 12. Then, according to the equations (4) to (6), the shared key _Kab
Is requested and sent to the encryption device 13. In the encryptor 13, the plaintext (message) M is encrypted into the ciphertext C using this shared key K _ab , and the ciphertext C is transmitted via the communication path 30.

The ciphertext C transmitted through the communication path 30 is input to the decryptor 23 of the entity b. Personal identification information ID _a of the entity a is input to the public key generator 21 vector v _a (public key) is obtained, resulting vector v _a is sent to the common key generator 22. Further, the vectors x _b and t _b obtained from the center 1 according to the equations (2) and (3) are input to the shared key generator 22. Then, expressions (4) to (6)
Then, the shared key K _ba is obtained and sent to the decoder 23.
In the decryptor 23, the ciphertext C is decrypted into the plaintext (message) M using the shared key K _ba .

Next, the feasibility of this method will be verified. It is shown below that K _ij = K _ji is highly probable when b shown in the above equation (1) is increased. The following formula (7),
(8).

[0056]

[Equation 12]

Then, since A _ij ′ is as shown in formula (9), either formula (10-1) or formula (10-2) is established on the integer ring.

[0058]

[Equation 13]

Here, the inner product of the transposed vector of the random number vector γ _i and the public key vector v _j (the second part on the right side of equation (9)).
The term) is the number of (l + m) -bits added n, and is therefore a number less than 2 ^{l + m} · n, and A _ij ″ is k.
Since it is considered as a bit, the probability that the whole becomes larger than the modulus P by adding the inner product of the transposed vector of γ _i and the vector v _j is about (2 ^{l + m} · n) / 2 ^k = 1/2 ^b
Can be estimated. Therefore, the probability that equation (10-1) holds will be about 1-1 / 2 ^b .

[0060] Similarly, 'for even, B _ij' B _ij is shown in equation (11), formula (12-1) on the ring of integers or formula (12
Any one of -2) is established, and the equation (12-1) is established with a probability of about 1-1 / 2 ^b .

[0061]

[Equation 14]

Therefore, K _ij is represented by any of the following equations (13-1), (13-2), (13-3) and (13-4). K _ij = A _ij ″ + B _ij ″ (13-1) K _ij = A _ij ″ + B _ij ″ −P (13-2) K _ij = A _ij ″ + B _ij ″ + Q (13-3) K _ij = A _ij "+ B _ij " -P + Q (13-4)

The probability that equation (13-1) holds is about (1-
Since 1/2 ^b ) ² ≈ 1-1 / 2 ^b-1 , the expression (13-1) is established with a very high probability if b is made sufficiently large. The probability that the formula (13-2) and the formula (13-3) are both satisfied is about (1/2 ^b ) · (1-1 / 2 ^b ), and the probability that the formula (13-4) is satisfied. ^Becomes about 1/2 ^2b , which are all very low probabilities.

On the other hand, the same applies to K _ji as well (about 1
Equation (13-1) is established with a very high probability of −½ ^b ) ² . Therefore, the probability that two entities i and j can share a key, that is, K _ij = K _ji , is about (1-
1/2 ^b ) ⁴ ≈ 1-1 / 2 ^b-2 . As described above, it is understood that the keys can be shared with a very high probability in the first embodiment. For example, in the case of the appropriate value described above, b =
Since sufficiently large as 30, the probability of failure in the key sharing, not only to only about one-half ^28.

Numerical examples of the first embodiment when n = 1 (both matrix and vector are scalars) are shown in FIGS. In addition, P, Q, A, B are decimal 10
Each vector v _i , v _j , γ _i , γ _j (actually a scalar) has three decimal digits. By setting such a number of digits, the inner product of the vector does not reach the number of digits of P and Q. In this example, the inner product is 3 digits × 3 digits, which is 6 digits, so that the upper 4 digits of A _ij and A _ji and the upper 4 digits of B _ij and B _ji are the same.

Next, consideration will be given to the security of the encryption system of the first embodiment. (Security of Private Key Against Separation Attack) Since this system has two private keys, there are two private key generation functions f _P and f _Q as shown in Expressions (14) to (16). However, the right side of Expression (14) is a function for generating an n-dimensional vector having a random number less than 2 ^l as a component.

[0067]

[Equation 15]

Substituting the vector x + vector y into the secret key generation function f _P gives the following equation (17). on the other hand,
The following formula (18) is established.

[0069]

[Equation 16]

Therefore, it can be seen that the range that the random number portion can take in Expression (18) is twice as large as that in Expression (17). If the number of variables is further increased, the effect of random numbers becomes larger, so the secret key generation function f _P cannot be separated. Similarly, the secret key generation function f _Q is also inseparable. That is, it becomes as shown in the following formulas (19) and (20), and the condition 4 is satisfied.

[0071]

[Equation 17]

(Security of Shared Key Against Separation Attack) The key sharing function F is expressed by the following equations (21) to (23).

[0073]

[Equation 18]

In equation (21), the first term is a separable function, but the second and third terms are separable functions (the truncation functions shown in equations (22) and (23) are , F (x +
y) = f (x) + f (y) or f (x) + f (y) +
Either of 1 holds, but in general, it is impossible to separate when considering the combination of multivariables, and thus the function μ and the function ν that use the truncation function are inseparable).
This key agreement function F cannot be separated. That is, equation (24)
And the condition 5 is satisfied.

[0075]

[Formula 19]

(Security against combined attack on finite field) If the matrix V in which the public key vectors v _i of the n independent colluders of primary order are arranged is the following equation (25), an arbitrary vector v _z can be obtained. On the other hand, the equations (26) and (27) can be obtained by using P and Q as the moduli.

[0077]

[Equation 20]

Then, as shown in equations (28) and (29), the vector v _z can be represented by a linear combination by n colluders.

[0079]

[Equation 21]

Here, if the following equation (30) is used, the vector s _z ′ can be obtained as in the equation (31) modulo P.

[0081]

[Equation 22]

Here, when the following equation (32) is set, it is expressed as the equation (33).

[0083]

[Equation 23]

Similarly, if the following equation (34) is set, the vector t _z ′ can be obtained as in the equation (35) modulo Q.

[0085]

[Equation 24]

If the random number term of the equation (33) is equal to the random number term of the equation (35) and the value is smaller than (l + b) bits, the random number part can be erased. Therefore, it is conceivable to use the vector s _z ′ obtained by colluding as a substitute for the true secret key vector s _z of the entity z. However, the vector s _z ′ cannot be substituted for the true secret key vector s _z for the following two reasons. (Reason 1) Left side of expression (26) and expression (27)
Since each component on the left side of is generally k bits, equation (33)
And the random number term in Eq. (35) are sufficiently large.
(Reason 2) Since the left side of Expression (26) is not equal to the left side of Expression (27), the random number term of Expression (33) is not equal to the random term of Expression (35), and the random number part cannot be erased.

Therefore, it can be said that the first embodiment is safe against a joint attack on a finite field due to the colluding of n persons.

(Safety Against Joining Attack on Integer Ring) By applying the Euclidean mutual division method by concatenation of (n + 1) or more n'people, it is considered that a joining attack on an integer ring is possible. To be That is, when the matrix V in which the public key vectors v _i of n'collusionists are arranged is the following expression (36), the coefficient vector u _z ′ (the component is the expression (38) on the integer ring) Can be obtained). .

[0089]

[Equation 25]

Next, the vector s _z ′ and the vector t _z ′ are obtained according to the equations (39) and (40).

[0091]

[Equation 26]

The obtained vector s _z ′ and vector t _z ′ are the true secret key vector s _z and the secret key vector t.
Compared to _z, 'but is larger one, all | u _zi | value is small, the vector gamma _z' random term vector gamma _z when the magnitude of (l + b) smaller than the bit, For any public key vector v _j , the following equation (41)
And the vector s _z ′ and the vector t _z ′ play the same role as the true secret key vector s _z and the secret key vector t _z .

[0093]

[Equation 27]

If the entity z desired to attack is determined and the colluder vector v _i and the coefficient vector u _z can be successfully found so that the vector v _z can be represented by a combination of small coefficients, it is not necessarily safe. I can't say.
However, it is generally difficult to obtain such a coefficient vector u _z . Therefore, the security is based on the fact that it is difficult to represent an arbitrary public key vector by a linear combination of colluder public key vectors when the size of the coefficient is limited.

(Probability of Combining Attack on Integer Ring) As described above, all the components u _zi of the coefficient vector u _z
If the value of | u _zi | becomes small, an attack by collusion is established. Since it is not easy to determine the entity z to attack and to consider the probability that the vector v _z can be represented by the linear convenience of the public key using a small coefficient, here, when changing the viewpoint and gathering N colluders, Focusing on the total number of public keys for which an attack succeeds, we consider the probability that an attack will be successful. However, if the size of the coefficient can be limited to w (≦ b) bits, the attack is established. In this case, the probability that the shared key created using the forged secret key will be the correct shared key is 1-1 / 2 ^bw .

When attacking by one person, if a coefficient whose size is limited to w bits is used, the vector v ₁ of one person can represent the public key of 2 ^w persons. When a set of these public keys and V _1, V ₁ is represented by the following formula (42).

[0097]

[Equation 28]

When two people attack, the vector v
_One and the vector v ₂ can be used to represent 2 ^2w public keys. If the set of these public keys is V ₂ , then V ₂
Is expressed by the following equation (43).

[0099]

[Equation 29]

Similarly, when N people attack, the vector v
_A maximum of 2 ^Nw public keys can be represented by a linear combination of ₁ , vector v ₂ , ..., Vector v _N. In order to select the colluders most efficiently, the vector v _i should be selected so as to satisfy the condition of Expression (44).

[0101]

[Equation 30]

Since the total number of public keys is 2 ^mn , and the maximum number of public keys for which an attack is established by colluding N persons is 2 ^Nw , the probability that a combined attack is established for any entity is 2 ^{It is Nw} / ^2mn . Furthermore, the probability that a true shared key with an arbitrarily selected entity can be forged is (2 ^Nw
/ 2 ^mn ). (1-1 / 2 ^bw ). If N is the collusion threshold n of the conventional sum-of-products type NIKS, the probability that a joint attack will be established is 1/2 ^{(mb) n} even if w = b, and ^1/2970000 when an appropriate value is used. Nothing more than.

(Lower limit of collusion threshold at which a joint attack on an integer ring is established) In the conventional joint attack against the product-sum type NIKS, there is no limitation on the size of the coefficient vector. If you choose n, 2 ^mn will be obtained by colluding those n people.
All public keys on the street could be represented by a linear combination. However, if the size of the coefficient is limited to w bits,
The total number of vector sets V _N represented by a linear combination of N public keys is 2 ^Nw at the maximum.

Assuming that N people have colluded, 2 ^mn
To represent all public keys in the street with a linear combination,
N must satisfy the condition of the following formula (45), that is, formula (46). 2 ^Nw ≧ 2 ^mn (45) N ≧ mn / w (46)

Therefore, it can be concluded that the first embodiment is an encryption method in which the lower limit of the collusion threshold is m / w times larger than that of the exponentiation type NIKS.

Actually, even if it is known that the vector v _z εV _N , the vector u _z satisfying the above equation (37) is not unique, and all the coefficients among them have m bits. Finding smaller ones may be even more difficult.

If an appropriate value is used, the colluder will (1-1 /
If we expect to succeed in forging a shared key with an arbitrary entity with a probability of 2 ¹⁰ ) or higher, we can only take a size up to w = 20 and the collusion threshold is m / w = 1000/20.
= 50, which is about 50 times better than the normal product-sum type NIKS.

(Second Embodiment) A second embodiment (application system of the first embodiment) of the ID-NIKS of the present invention will be described below.

In the first embodiment, it has been shown that an attack becomes difficult if b is set small. On the other hand, b
Decreasing the value reduces the probability that legitimate entities will be able to share the key correctly. That is, in the first embodiment, feasibility and safety are in a trade-off relationship with b as a parameter.

The second embodiment is an encryption system which is an improvement of the first embodiment and can share a key correctly even if b is made smaller. In the second embodiment, b =
If it is reduced to the limit of 0, a practical ID-NIKS that is very strong against collusion attacks can be constructed.

(Preparation Processing in Center 1) The center 1 prepares the following public key and secret key, and publishes the public key. Public key R d-bit prime number P, Q k-bit large prime number secret key A, B k-bit random number n ×
A personal random number vector center 1 consisting of n symmetric matrix vectors γ _i l-bit random numbers generates a relatively small d-bit prime number R in the above public key, and satisfies the following formulas (47) and (48). To generate k-bit prime numbers P and Q. P≡δ (mod R) (47) Q≡ε (mod R) (48) where δ and ε are the number of e bits and k>d> e.

At the same time, the one-way function vector h (•) for generating an n-dimensional public key vector consisting of an m-bit positive integer from the entity ID is also disclosed. However, b
= K− (l + m + log ₂ n) (≧ 0) is set very small. Note that k = 1210, l = 200, m = 1000, n = 10
The appropriate values are 00, b = 0, and d = 500, e = 50, c = 50 (the meaning of c will be described later).

(Entity Registration Processing) The center 1 requested to register the entity i uses the prepared key and the public key vector v _i of the entity _i (= vector h (ID _i )) 49) and formula (50)
And in accordance with, I asked for and vector s _i and vector t _i of entity i, the vector s _i and vector t _i found to entity i send it in secret, to complete the registration.

[0114]

[Equation 31]

(Process for Generating Shared Key Between Entities) The entity i performs the following calculation to obtain the shared key K _ij with the entity j. First, according to the equations (51) and (52) according to the method P and the method Q, A _ij ′ and B respectively.
'seek, then K _ij by equation (53) on the ring of integers' _ij seek, seeking K _ij' determined as shown remainder K _ij "divided by R in the formula (54), the remainder K _ij ″ _Is subjected to a truncation operation as shown in Expression (55) to obtain K _ij .

[0116]

[Equation 32]

Since the information communication operation between the entities is the same as that of the first embodiment, the description thereof is omitted.

Next, the feasibility of this method will be verified. It is shown below that if c is made sufficiently large, K _ij = K _ji with a high probability. As in the first embodiment, K _ij ′
Is the following equation (56-1), equation (56-2), equation (56-
3) and either of the expressions (56-4). K _ij ′ = A _ij ″ + B _ij ″ (56-1) K _ij ′ = A _ij ″ + B _ij ″ −P (56-2) K _ij ′ = A _ij ″ + B _ij ″ + Q… (56-3) ) K _ij ′ = A _ij ″ + B _ij ″ −P + Q (56-4)

K _ij ″ is represented by any one of the following expressions (57-1), (57-2), (57-3), and (57-4). K _ij ″ ≡ A _ij ″ + B _ij ″ (mod R)… (57
-1) K _ij ″ ≡A _ij ″ + B _ij ″ −δ (mod R) (57)
-2) K _ij ″ ≡A _ij ″ + B _ij ″ + ε (mod R) (57)
-3) K _ij ″ ≡A _ij ″ + B _ij ″ −δ + ε (mod R) (57)
-4)

Since δ and ε are e bits, lower e +
By truncating c bits, K _ij = K _ji with a probability of 1-1 / 2 ^c or more. Strictly speaking, it is necessary to consider the probability of moving down by reducing δ or the probability of moving up by adding ε, but this probability is 1/2
^{If it is de} and d is made sufficiently large, it becomes very small.
For example, when an appropriate value is used, the value is 1/2 ⁴⁵⁰ , which is very small. Thus, in the second embodiment, c
It can be seen that the key can be shared with an extremely high probability by increasing the.

Here, FIGS. 5 and 6 show numerical examples of the second embodiment when n = 1 (both matrix and vector are scalars). In addition, P, Q, A, B are decimal 10
Digit, R is 8 decimal digits, and each vector v _i , v _j , γ _i ,
γ _j (actually a scalar) is set to 5 decimal digits. Also, δ, ε
Was set to 1 decimal digit, and the last 2 digits were rounded down in decimal at the final stage.

Next, consideration will be given to the security of the encryption system of the second embodiment. The remainder calculation modulo R is concerned only with the improvement of the key sharing probability without impairing the security, and the second embodiment is based on exactly the same security as the first embodiment. In addition, in the second embodiment, since the non-separable truncation operation is further used in the final stage of the shared key generation processing, the security is further improved against the attack using the shared key.

Further, in any of the equations (56-1) to (56-4), if c is set to be sufficiently large, the key can be shared regardless of the size of b, It can be set as small as b = 0. For example, when an appropriate value is used, b = 0, so w = 0, and in that case, the value on the right side of equation (46) becomes infinite, and the attack by collusion is no longer practical. . In this case, the inner product of the public key vector v _j and the random number vector γ _i is k bits, which covers all the digits.

[0124]

As described above in detail, in the present invention, P,
Since the random numbers are erased by the addition on the integer ring after the operation on the finite field modulo Q, the keys can be shared with a sufficiently high probability in practical use. In addition, the security is high because it is difficult to represent an arbitrary vector by a linear combination of the colluders' vectors when the size of the coefficient is limited. In particular, it has an effect that the colluding threshold against a linear attack is very large as compared with the conventional product-sum type NIKS. It is also possible to adjust the parameters according to the required degree of safety, in particular,
It is also possible to set n = 1.

[Brief description of drawings]

FIG. 1 is a schematic diagram showing a configuration of a cryptographic communication system of the present invention.

FIG. 2 is a schematic diagram showing a communication state of information between two entities.

FIG. 3 is a diagram showing an example of numerical values in the first embodiment.

FIG. 4 is a diagram showing an example of numerical values in the first embodiment.

FIG. 5 is a diagram showing an example of numerical values in the second embodiment.

FIG. 6 is a diagram showing a numerical example in the second embodiment.

FIG. 7 is a principle configuration diagram of an ID-NIKS system.

[Explanation of symbols]

1 center 11,21 public key generator 12,22 Shared key generator 13 Encryptor 23 Decoder 30 communication channels

─────────────────────────────────────────────────── ─── Continuation of the front page (56) Reference JP-A-3-169138 (JP, A) ID-based key agreement method that does not require preliminary communication, IEICE Technical Report, December 18, 1989, Vol. 89 No. 356, p. 43-51 (58) Fields investigated (Int. Cl. ⁷ , DB name) H04L 9/08 JISST file (JOIS)

Claims (6)

(57) [Claims] 1. A center device sends a private key unique to each entity to each of a plurality of entity devices, and one entity device sends the private key unique to the entity sent from the center device and the public key of the other entity. The plaintext is encrypted into a ciphertext by using the shared key obtained from the public key and transmitted to the other entity device, and the ciphertext transmitted by the other entity device is transmitted to the entity sent from the center device. Information is communicated between entity devices by decrypting to the original plaintext by using the same shared key as the shared key obtained from the unique secret key and the public key of the one of the published entities. In the encrypted communication method, the secret key unique to each entity is
A plurality of types of secret keys are generated using the public key of each entity and a random number unique to each entity, and each of a plurality of numbers is modulo each entity device. The public key is used to obtain a plurality of intermediate values modulo each of the numbers, and the random number is erased by adding the obtained intermediate values of the plurality of types on an integer ring. A cryptographic communication method, wherein the cryptographic communication method is characterized by being generated. 2. The cryptographic communication method according to claim 1, wherein the random number is a multidimensional random number vector. 3. An arithmetic expression for generating two kinds of the secret keys in the center device is as follows: Here, vector s _i : one secret key vector of entity i, t _i : the other secret key P, Q of entity i; open prime numbers A, B: symmetric matrix vector v _i consisting of random numbers of center secret: entity i 3. The cryptographic communication method according to claim 1, wherein the public key vector γ _{i is} a personal random number vector consisting of random numbers, and an arithmetic expression for generating the shared key in each of the entity devices is as follows. [Equation 2] However, K _ij : Shared key vector v _j generated by one entity i for the other entity j: Public key A _ij ′, B _ij ′ of entity j: Intermediate value for generating shared key K _ij 4. An arithmetic expression for generating two types of the secret keys in the center device is as follows: Here, vector s _i : one secret key vector of entity i, t _i : the other secret key P, Q of entity i; open prime numbers A, B: symmetric matrix vector v _i consisting of random numbers of center secret: entity i Public key vector γ _i : a personal random number vector composed of random numbers, P and Q of k bits are set so as to satisfy the following expression, and P≡δ (mod R) Q≡ε (mod R) where R: d 3. The cryptographic communication method according to claim 1, wherein the arithmetic expressions for generating the shared key in each of the entity devices are as follows: prime numbers δ, ε of bits; e number of bits k>d> e. [Equation 4] However, K _ij : One entity i generates for the other entity j Shared key K _ij ′: Intermediate value for generating shared key K _ij K _ij ″: Intermediate for generating shared key K _ij Value, K
Remainder c of _ij 'divided by R: Parameter related to key agreement probability 5. The cryptographic communication method according to claim 1, wherein the public key of each entity is obtained by calculating specific information of each entity using a hash function. 6. A cryptographic communication system for mutually performing a process of encrypting a plaintext, which is information to be transmitted, into a ciphertext, and a process of decrypting the transmitted ciphertext into an original plaintext, between a plurality of entity devices. In, a center device that uses a public key unique to each entity and a secret random number unique to each entity to generate a plurality of types of secret keys modulo each of a plurality of numbers and send the generated secret keys to each entity device, A plurality of kinds of intermediate values modulo each of the numbers are obtained using a plurality of kinds of private keys of the center device itself and a public key unique to the entity to be communicated, and a plurality of kinds of obtained intermediate values And a plurality of entity devices that generate a shared key for performing the encryption process and the decryption process so that the random number is erased by addition on the integer ring. Cryptographic communication system.