JP3953235B2 - Cryptographic communication method and cryptographic communication system - Google Patents

Description

【００２４】
（ｊ番目（ｊ＝１，２，・・・，ｄ_g ）の分割センタ10での準備処理）
▲１▼ 素数Ｐ^(j) を生成して、これを公開する。
▲２▼ 秘密対称行列Ｔ^(j) を生成する。
【００２５】
（エンティティの登録処理）
エンティティｉに登録を依頼された統括センタ１及び各分割センタ10は、以下のような処理を行う。
▲１▼ 統括センタ１は、ｊ∈Ｗ_i なるｊ番目の分割センタ10に対して、エンティティｉ用の秘密ベクトルｘ_i の計算を依頼する。
▲２▼ ｊ番目の分割センタ10は、ベクトルｖ_i を用いて、エンティティｉ用の秘密ベクトルｘ_i ^(j) を下記（３）に従って計算し、これを統括センタ１へ送付する。
ベクトルｘ_i ^(j) ≡Ｔ^(j) ベクトルｖ_i （mod Ｐ^(j) ） …（３）
▲３▼ 統括センタ１は、エンティティｉに固有の法Ｐ_i を下記（４）に従って求めた後、中国人の剰余定理を用いて秘密ベクトルｘ_i を下記（５）に従って計算する。ここで、秘密ベクトルｘ_i はＰ_i を法として一意に定まる。
【００２６】
【数２】

【００２７】
▲４▼ 統括センタ１は、更に、個人秘密乱数ベクトルｒ_i を用いてエンティティｉの秘密鍵ｓ_i を下記（６）に従って計算し、これをエンティティｉへ秘密裏に送る。
【００２８】
【数３】

【００２９】
（エンティティ間の共有鍵の生成処理）
エンティティｉは、以下のような計算手順によって、通信対象のエンティティｍとの共有鍵Ｋ_imを求める。
▲１▼ エンティティｉとエンティティｍとの間での共通の法Ｐ_imを下記（７）に従って求める。
【００３０】
【数４】

【００３１】
▲２▼ 下記（８）に従ってＫ_im′を計算する。
【００３２】
【数５】

【００３３】
▲３▼ 下記（９）に従って共有鍵Ｋ_imを計算する。但し、Ｄは統括センタ１が予め公開している自然数であり、下記（10）の条件を満たす。
【００３４】
【数６】

【００３５】
次に、上述した暗号システムにおけるエンティティ間の情報の通信について説明する。図２は、２人のエンティティｉ，ｍ間における情報の通信状態を示す模式図である。図２の例は、エンティティｉが平文（メッセージ）Ｍを暗号文Ｃに暗号化してそれをエンティティｍへ伝送し、エンティティｍがその暗号文Ｃを元の平文（メッセージ）Ｍに復号する場合を示している。
【００３６】
エンティティｉ側には、エンティティｍの個人識別情報ＩＤ_m を入力し、関数ｈ（・）を利用してベクトルｖ_m （公開鍵）を得る公開鍵生成器11と、統括センタ１から送られる秘密鍵ベクトルｓ_i と公開鍵生成器11からの公開鍵であるベクトルｖ_m と公開された自然数Ｄとに基づいてエンティティｉが求めるエンティティｍとの共有鍵Ｋ_imを生成する共有鍵生成器12と、共有鍵Ｋ_imを用いて平文（メッセージ）Ｍを暗号文Ｃに暗号化して通信路30へ出力する暗号化器13とが備えられている。
【００３７】
また、エンティティｍ側には、エンティティｉの個人識別情報ＩＤ_i を入力し、関数ｈ（・）を利用してベクトルｖ_i （公開鍵）を得る公開鍵生成器21と、統括センタ１から送られる秘密のベクトルｓ_m と公開鍵生成器21からの公開鍵であるベクトルｖ_i と公開された自然数Ｄとに基づいてエンティティｍが求めるエンティティｉとの共有鍵Ｋ_miを生成する共有鍵生成器22と、共有鍵Ｋ_miを用いて通信路30から入力した暗号文Ｃを平文（メッセージ）Ｍに復号して出力する復号器23とが備えられている。
【００３８】
次に、動作について説明する。エンティティｉからエンティティｍへ情報を伝送しようとする場合、まず、エンティティｍの個人識別情報ＩＤ_m が公開鍵生成器11に入力されてベクトルｖ_m （公開鍵）が得られ、得られたベクトルｖ_m が共有鍵生成器12へ送られる。また、統括センタ１及び分割センタ10にて上記（３）〜（６）に従って求められたベクトルｓ_i が共有鍵生成器12へ入力される。そして、上記式（７）〜（９）に従って共有鍵Ｋ_imが求められ、暗号化器13へ送られる。暗号化器13において、この共有鍵Ｋ_imを用いて平文（メッセージ）Ｍが暗号文Ｃに暗号化され、暗号文Ｃが通信路30を介して伝送される。
【００３９】
通信路30を伝送された暗号文Ｃはエンティティｍの復号器23へ入力される。エンティティｉの個人識別情報ＩＤ_i が公開鍵生成器21に入力されてベクトルｖ_i （公開鍵）が得られ、得られたベクトルｖ_i が共有鍵生成器22へ送られる。また、統括センタ１及び分割センタ10にて上記（３）〜（６）に従って求められたベクトルｓ_m が共有鍵生成器22へ入力される。そして、上記式（７）〜（９）に従って共有鍵Ｋ_miが求められ、復号器23へ送られる。復号器23において、この共有鍵Ｋ_miを用いて暗号文Ｃが平文（メッセージ）Ｍに復号される。
【００４０】
なお、先行例１の手法を基本とした方式に本発明を適用した場合について説明したが、本発明は先行例２の手法を基本とした方式にも適用できる。この場合には、例えば、上記（６）に加えて下記（11）のような秘密鍵ベクトルｓ_i ′を用いて、鍵共有を行うようにすれば良い。但し、Ｑ_i はエンティティｉ固有の法である。この場合には、鍵共有の段階で個人秘密乱数ベクトルｒ_i が消去されるので、そのベクトルｒ_i の成分を大きく設定することが可能である。
【００４１】
【数７】

【００４２】
以下、本発明の方式におけるエンティティ間での鍵共有に必要な諸条件について説明する。
【００４３】
（各要素のビット数）
十分に高い確率で鍵共有を成功させるためには、エンティティｉに固有の秘密乱数ベクトルｒ_i の各成分の大きさＬ_r を log ₂（Ｐ_im），Ｄよりも十分小さく設定する必要がある。即ち、下記（12）とし、更に下記（13）となるようにすれば良い。また、ＬＬＬ法による結託攻撃に対してより安全にするためには、下記（14）を満たすようにＬ_r を設定する。なお、ｅは桁上がりのための余裕、ｋは設計値である。
【００４４】
【数８】

【００４５】
（関数ｇ）
関数ｇにより、第２ＩＤベクトルｗ_i が定まるが、ベクトルｗ_i は、秘密鍵ベクトルｘ_i の法Ｐ_i 及び鍵共有の際に用いる法Ｐ_imの設定に用いられる。従って、法Ｐ_i 及び法Ｐ_imがある程度以上の大きさになるように、ベクトルｗ_i の成分が１となる個数（ベクトルｗ_i の重み＝＃Ｗ_i ）及び＃｛Ｗ_i ∩Ｗ_m ｝の大きさを適切に与える必要がある。
【００４６】
＃Ｗ_i 及び＃｛Ｗ_i ∩Ｗ_m ｝がある一定の大きさよりも必ず大きくなるようなベクトルｗ_i ，ベクトルｗ_m を生成するためには、例えばＩＤ情報をある一方向性関数ｈ（・）に通したデータをＭ系列符号のような定重み符号で符号化すれば良い。符号長ｎビット，重み２ｄの定重み符号語を第２ＩＤベクトルとした場合、異なる２つの符号語の１の位置はｄ箇所で必ず一致する。従って、この定重み２ｄの符号語を用いることにより、法Ｐ_imの大きさをある大きさ以上にすることが可能である。
【００４７】
例えば、３ビットの情報記号に対して、符号長ｎ＝２³ −１＝７，重み２ｄ＝２^k-1 ＝４となる定重み符号を考える。この場合、情報記号は（０，０，０）を除いて３ビットで表せるので、７種類存在する。エンティティｉの第２ＩＤベクトルが符号語（１，１，１，０，０，１，０）、エンティティｍの第２ＩＤベクトルが符号語（１，０，０，１，０，１，１）で与えられた場合、Ｐ_im＝Ｐ⁽¹⁾ Ｐ⁽⁶⁾ となる。
【００４８】
（定重み符号による第２ＩＤベクトルの生成）
後述するように、第２ＩＤベクトルの０の成分の割合が高ければ高い程、ＬＬＬ法を用いた結託攻撃に対する安全性は高くなるが、０の成分の割合を高くすれば、＃｛Ｗ_i ∩Ｗ_m ｝をある値以上に保つことは容易でない。これを実現するために、以下のような定重み符号を階層的に適用する。
【００４９】
▲１▼ ｈ（・）を一方向性関数として、エンティティのＩＤ情報から生成した値をｂ＝２^k −１進数で表記する。即ち、下記（15）のように定義する。
【００５０】
【数９】

【００５１】
▲２▼ ｗ_ij′を符号化し、この符号語をｃ_ijとする。但し、符号化は、Ｍ系列（例：ｋ＝３の場合に(1001011))をｗ_ij′ビットだけ左巡回シフトすることによって行う。
▲３▼ ｃ_i0の０の位置をｂビットの０に置き換え、１の位置を左から順に下記（16）に示すｂビットの符号語で置き換える。これにより、符号長ｂ² ，重み（２^k-1 ）² の符号語に拡大することができる。
【００５２】
【数１０】

【００５３】
▲４▼ 以上の処理をｔ回階層的に繰り返すことにより、符号長ｂ^t ，重み（２^k-1 ）^t の符号語に拡大することができる。なお、異なる第２ＩＤベクトルのビットＡＮＤをとった場合の１の個数、即ち＃Ｗ_imは必ず（２^k-2 ）^t 以上となる。
【００５４】
上記▲１▼〜▲４▼を簡単な例で説明する。ｋ＝３，ｂ＝２^k −１＝７，ｔ＝２とした場合、以下のようになる。
ｈ（ＩＤ_A ）＝14761 ＝６＋３・７＋０・７² ＋１・７³ ＋２・７⁴
ベクトルｗ_A ′＝（６，３，０，１，２）
ベクトルｗ_A ′の符号化：
（６，３，０，１，２）→(1100101, 1011100, 1001011, 0010111, 0101110) この場合、ｇ（ＩＤ_A ）の計算結果は、下記（17）で与えられる。
【００５５】
【数１１】

【００５６】
次に、本発明のＩＤ−ＮＩＫＳに対するＬＬＬアルゴリズムを用いた攻撃手法について考察する。
【００５７】
（第三者の秘密ベクトルの偽造攻撃）
ＬＬＬアルゴリズムを用いて犠牲エンティティｖの秘密鍵ベクトルｓ_v の近似値を求める手法について検討する。犠牲エンティティｖの秘密鍵ベクトルｓ_v の近似値を求めるためには、犠牲エンティティｖと同じ法Ｐ_v またはそれを因数に含む法で生成された結託エンティティの秘密鍵ベクトルが必要である。即ち、第２ＩＤベクトルが犠牲エンティティｖのそれと同じか、それを含むような第２ＩＤベクトルを有する結託エンティティが必要であり、第２ＩＤベクトルの構成を工夫することにより、この攻撃法を不可能とすることができる。
【００５８】
また、犠牲エンティティｖの法Ｐ_v の因数を部分的に含む法を有する結託エンティティによる攻撃法も考えられるが、もし各Ｐ^(j) における法で攻撃を行おうとしても、ベクトルｒ_i の成分がＰ^(j) よりも大きくなり、攻撃は不可能である。また、先行例２の手法に基づく方式では、ベクトルｒ_i の成分がより大きく設定可能であり、この攻撃法はより困難となる。更に、攻撃の最終段階で中国人の剰余定理を適用する必要があり、そのときに各結託エンティティ固有の小さな乱数項に大きな値が乗じられるので、このような攻撃手法も成功する確率は十分低い。
【００５９】
（センタ秘密行列を求める結託攻撃法）
ＬＬＬアルゴリズムを適用して、直接センタの秘密対称行列Ｔを導く攻撃に関して検討する。ここで、ｔ_p,j は対称行列Ｔの第ｐ行第ｊ列の成分であり、対称行列Ｔは、Ｔ≡Ｔ^(j) （mod Ｐ^(j) ）（ｊ＝１，２，・・・，ｄ_g ）を満たす。
【００６０】
結託エンティティｉの秘密鍵ベクトルｓ_i の第１成分は、下記（18）で表せる。これをｒ_i1について解くと、下記（19）となる。式（19）における既知項は下記（20）であり、未知項は下記（21）である。
【００６１】
【数１２】

【００６２】
ここで、ｎ人の結託エンティティ（ｉ＝１，２，・・・，ｎ）の上記式（19）における既知項と未知項とから、下記（22）の行列方程式を構成する。
【００６３】
【数１３】

【００６４】
上記（22）の右辺の［−ｒ₁₁，−ｒ₁₂，・・・，−ｒ_1n］は小さなベクトルであるため、これを格子の最小基底ベクトルと見なしてＬＬＬアルゴリズムを適用した場合には、下記（23）に示す未知項が求まる可能性がある。
【００６５】
【数１４】

【００６６】
下記（24）に示す未知項は、下記（25）に示す法のもとに一意に定まり、それらの桁数は下記（26）に示すものの桁数にほぼ等しくなる。
【００６７】
【数１５】

【００６８】
一方、エンティティｉが保有する秘密成分は、法Ｐ_i を用いて導出されており、未知項ｔ_p,j と結託エンティティｉが保有する秘密成分との桁数の大きさの比は、関数ｇ（・）の次元数ｄ_g とその成分が１である個数との比にほぼ等しくなる。この比をＲとした場合、このような結託攻撃が成功するためには、少なくともｄ_f Ｒの結託エンティティが必要となる。
【００６９】
従って、結託攻撃に対してより安全な方式にするためには、この比Ｒを大きくすれば良い。例えば、前述したようなＭ系列定重み符号を階層的に用いてｇ（・）を構成する場合、各パラメータをｋ＝３，ｔ＝４としたとき、その次元ｄ_g は７⁴ ＝2401となるのに対して、その重みは４⁴ ＝256 であり、比Ｒは約9.38となる。この場合、鍵共有の際に用いる法Ｐ_iwの大きさを規定するパラメータ＃Ｗ_imは２⁴ ＝16となる。更に、Ｐ^(j) を20ビット程度の素数とした場合、 log ₂（Ｐ_im）は約320 であり、結託攻撃に用いる共通の法の大きさは、下記（27）となる。
【００７０】
【数１６】

【００７１】
この場合の本発明の方式に対する結託攻撃では、結託エンティティ数を９ｄ_f 以上必要とし、ＬＬＬアルゴリズムを用いた攻撃の際の計算は48020 ビット程度の演算になって、膨大な計算量を必要とする。
【００７２】
このように本発明の方式は、結託閾値と個々の乗除算の計算量との二点に関して、先行例１，２に比べて、ＬＬＬアルゴリズムを用いた結託攻撃に対してより安全な方式となっている。また、上述した暗号通信システムでは、１つの統括センタと複数の分割センタとが設けられ、各分割センタがエンティティの秘密ベクトルを求めるようにしたので、全てのエンティティの秘密を１つのセンタが握るようなことはなく、 Big Brother 問題を解決できている。
【００７３】
図３は、本発明の記録媒体の実施の形態の構成を示す図である。以下に説明する記録媒体に記録されており、上記（４）に示す各エンティティ固有の法を求める処理と、上記（５），（６）に示す各エンティティ固有の秘密鍵を計算する処理とを含むプログラムがロードされるコンピュータ40は、統括センタ１側に設けられている。また、以下に説明する記録媒体に記録されており、上記（７）に示すエンティティ間での共通の法を求める処理と、上記（８），（９）に示すエンティティ間の共有鍵を計算する処理とを含むプログラムがロードされるコンピュータ40は、各エンティティ側に設けられている。
【００７４】
図３において、コンピュータ40とオンライン接続する記録媒体41は、コンピュータ40の設置場所から隔たって設置される例えばＷＷＷ(World Wide Web)のサーバコンピュータを用いてなり、記録媒体41には前述の如きプログラム41a が記録されている。記録媒体41から読み出されたプログラム41a がコンピュータ40を制御することにより、統括センタ１において各エンティティ固有の秘密鍵を生成し、各エンティティにおいて通信対象のエンティティに対する共有鍵を生成する。
【００７５】
コンピュータ40の内部に設けられた記録媒体42は、内蔵設置される例えばハードディスクドライブまたはＲＯＭなどを用いてなり、記録媒体42には前述の如きプログラム42a が記録されている。記録媒体42から読み出されたプログラム42a がコンピュータ40を制御することにより、統括センタ１において各エンティティ固有の秘密鍵を生成し、各エンティティにおいて通信対象のエンティティに対する共有鍵を生成する。
【００７６】
コンピュータ40に設けられたディスクドライブ40ａに装填して使用される記録媒体43は、運搬可能な例えば光磁気ディスク，ＣＤ−ＲＯＭまたはフレキシブルディスクなどを用いてなり、記録媒体43には前述の如きプログラム43a が記録されている。記録媒体43から読み出されたプログラム43a がコンピュータ40を制御することにより、統括センタ１において各エンティティ固有の秘密鍵を生成し、各エンティティにおいて通信対象のエンティティに対する共有鍵を生成する。
【００７７】
【発明の効果】
以上詳述したように、本発明では、各エンティティ毎に各エンティティ固有の法を設定し、設定した法により各エンティティ固有の秘密鍵を生成するようにしたので、ＬＬＬアルゴリズムに基づく攻撃に対して安全性を高くすることが可能となる。
【図面の簡単な説明】
【図１】本発明の暗号通信システムの構成を示す模式図である。
【図２】２人のエンティティ間における情報の通信状態を示す模式図である。
【図３】記録媒体の実施の形態の構成を示す図である。
【図４】ＩＤ−ＮＩＫＳのシステムの原理構成図である。
【符号の説明】
１ 統括センタ
10 分割センタ
11，21 公開鍵生成器
12，22 共有鍵生成器
13 暗号化器
23 復号器
30 通信路
40 コンピュータ
41，42，43 記録媒体[0001]
BACKGROUND OF THE INVENTION
  The present inventionIs darkENCRYPTION COMMUNICATION METHOD AND ENCRYPTION COMMUNICATION SYSTEMToRelated.
[0002]
[Prior art]
In a modern society called an advanced information society, important business documents and image information are transmitted, communicated and processed in the form of electronic information based on a computer network. Such electronic information has the property that it can be easily copied, and it is difficult to distinguish between a copy and the original, and the problem of information maintenance is regarded as important. In particular, the realization of a computer network that satisfies the elements of "computer resource sharing", "multi-access", and "broadening" is essential for establishing an advanced information society. Contains conflicting elements. As an effective technique for resolving such contradiction, attention has been paid to cryptographic techniques that have been used mainly in the military and diplomatic aspects of human history.
[0003]
Cryptography is the exchange of information so that the meaning of the information cannot be understood by anyone other than the parties. In cryptography, encryption is the conversion of an original sentence (plain text) that anyone can understand into a sentence (cipher text) whose meaning is unknown to a third party, and decryption is to convert the cipher text back to plain text. The entire process of encryption and decryption is collectively called an encryption system. In the encryption process and the decryption process, secret information called an encryption key and a decryption key is used, respectively. Since a secret decryption key is required at the time of decryption, only a person who knows the decryption key can decrypt the ciphertext, and the confidentiality of information can be maintained by the encryption.
[0004]
The encryption key and the decryption key may be the same or different. An encryption system in which both keys are equal is called a common key encryption system, and DES (Data Encryption Standards) adopted by the US Bureau of Commerce Standards is a typical example. In addition, as an example of an encryption system in which both keys are different, an encryption system called a public key encryption system has been proposed. In this public key cryptosystem, each user (entity) using the cryptosystem creates a pair of encryption key and decryption key, publishes the encryption key in the public key list, and keeps only the decryption key secret It is a cryptographic system that does. In the public key cryptosystem, the pair of encryption key and decryption key are different, and the decryption key cannot be calculated from the encryption key by using a one-way function.
[0005]
The public key cryptosystem is an epoch-making cryptosystem that publishes an encryption key, and conforms to the above three elements necessary for establishing an advanced information society. In order to make use of the RSA cryptosystem, the research is actively conducted, and the RSA cryptosystem is proposed as a typical public key cryptosystem. This RSA cryptosystem is realized using the difficulty of prime factorization as a one-way function. In addition, public-key encryption system that uses the difficulty of solving the discrete logarithm problem (discrete logarithm problem) have also been proposed various methods.
[0006]
In addition, an encryption system using ID (Identity) information for identifying an individual such as an address and a name of each entity has been proposed. In this encryption system, a common encryption key is generated between the sender and the receiver based on the ID information. In addition, the encryption technique based on this ID information includes (1) a method that requires preliminary communication between the sender and receiver prior to ciphertext communication, and (2) a backup between the sender and receiver prior to ciphertext communication. There are methods that do not require communication. In particular, since the method (2) does not require preliminary communication, the convenience of the entity is high, and it is considered to be the center of the future encryption system.
[0007]
The encryption system using the method (2) is called ID-NIKS (ID-based non-interactive key sharing scheme), and the encryption key is shared without performing preliminary communication using the ID information of the communication partner. The method to do is adopted. ID-NIKS is a method that does not require the exchange of a public key and a secret key between senders and receivers, and does not require a list of keys or a service by a third party, and allows secure communication between arbitrary entities.
[0008]
FIG. 4 is a diagram showing the principle of the ID-NIKS system. Assuming the existence of a reliable center, the shared key generation system is configured around this center. In FIG. 4, ID information such as the name, address, and telephone number of the entity X, which is the specific information of the entity X, is represented by h (ID) using a hash function h (•)._X). The center makes center public information {PC for any entity X_i}, Center secret information {SC_i} And ID information h (ID of entity X_X) Based on the secret information S_XiAnd secretly distribute to entity X.
S_Xi= F_i({SC_i}, {PC_i}, H (ID_X))
[0009]
Entity X is shared with any other entity Y for shared key K for encryption and decryption_XY, Secret information of entity X itself {S_Xi}, Center disclosure information {PC_i} And ID information h (ID of the entity Y of the other party_Y) To generate as follows.
K_XY= F ({S_Xi}, {PC_i}, H (ID_Y))
Similarly, entity Y is also entity XAgainstShared key K_YXIs generated. If always K_XY= K_YXIf this relationship is established, this key K_XY, K_YXCan be used as an encryption key and a decryption key between entities X and Y.
[0010]
In the above-described public-key cryptosystem, for example, the length of the public key for RSA cryptosystem becomes ten times the current phone number is extremely complicated. On the other hand, in ID-NIKS, if each ID information is registered in the form of a name list, a shared key can be generated with an arbitrary entity by referring to the name list. Therefore, if the ID-NIKS system as shown in FIG. 4 is implemented safely, a convenient cryptosystem can be constructed on a computer network to which many entities join. For these reasons, ID-NIKS is expected to become the center of future cryptographic systems.
[0011]
[Problems to be solved by the invention]
ID-NIKS that shares the encryption key and the shared key that is the decryption key without performing preliminary communication using the ID information of the communication partner is sufficient against attacks such as collusion of multiple entities. It is desirable to be safe. However, in the ID-NIKS as described above, an attack method is studied, and if an appropriate number of entities collide, the secret parameter of the center is exposed. Whether or not a cryptographically secure ID-NIKS can be constructed is an important issue in the advanced information society, and the search for more ideal cryptosystems is underway.
[0012]
In order to increase the security against the collusion attack as described above, a random number component is added in advance to the secret key distributed from the center to each entity, and this random component is removed by a non-linear operation at the time of key sharing. A method in which a shared key is obtained (hereinafter referred to as preceding example 1), a set of a plurality of secret keys including a random number component for each entity is generated by operations on two finite fields, and at the time of key sharing A method in which a random key component is removed by adding these secret keys on an integer ring to obtain a shared key (Japanese Patent Application No. 10-262035, Japanese Patent Application No. 10-338190, etc. Have been devised by the present inventors.
[0013]
Both of the preceding example 1 and the preceding example 2 are characterized in that the secret key generation function and the key sharing function cannot be separated, and the key sharing succeeds with a sufficiently high probability. Compared to collusion attacks. However, when the dimension of the ID vector is relatively small, the application of the LLL (Lenstra-Lenstra-Lovasz) algorithm can be used not only to forge a third-party secret key but also to attack the center secret matrix. It was clarified that there was a possibility.
[0014]
  The present invention has been made in view of such circumstances, and is highly safe against attacks based on the LLL algorithm.DarkNo. communication methodas well asCryptographic communication systemTheThe purpose is to provide.
[0015]
[Means for Solving the Problems]
  In the cryptographic communication method according to claim 1, a secret key unique to each entity is sent from the center apparatus to each entity apparatus, and one entity apparatus is disclosed with the secret key unique to the entity sent from the center apparatus. The plaintext is encrypted into ciphertext using the shared key obtained from the public key of the entity and transmitted to the other entity device, and the ciphertext transmitted by the other entity device is sent from the center device. By decrypting the original plaintext using the same shared key as the shared key, which is obtained from the private key unique to the entity and the public key of the one entity that has been made public,In a method that does not require preliminary communication between entity devices prior to ciphertext communication,In an encryption communication method for communicating information between entity devices,The center device isSet a unique law for each entity,Set for each entityGenerating a secret key unique to each entity according to a specific law;The one and other entity devices are set for each entity.A common method is obtained based on a unique method, and the shared key is generated by the obtained common method.
[0017]
  The encryption communication method according to claim 2 is the method of claim 1,The center device isFind each entity's secret vector using each entity's public key,For each entitySecret vector and each entity specificPersonal secret random vectorAndSet for each entityBy its own lawGenerate a secret key unique to each entityIt is characterized by that.
  The cryptographic communication method according to claim 3 is the method according to claim 1 or 2,The center device isPublic key of each entityThe, Based on the specific information of each entity.
  ClaimItem 4The cryptographic communication system according to the present invention includes a process for encrypting plaintext, which is information to be transmitted, into ciphertext, and a process for decrypting the transmitted ciphertext into the original plaintext,In a method that does not require preliminary communication between multiple entity devices prior to ciphertext communication,In a cryptographic communication system that mutually performs between a plurality of entity devices, means for setting a unique method for each entity, means for generating a secret key unique to each entity by the set method, and the generated secret key for each entity A center device comprising means for sending to the device;Set for each entitySeeking common law based on specific lawMeans, andAccording to the obtained common law, the own private key sent from the center device and the communication target entityNoUsing the public keyDoProcessing and decryptionDoGenerate a shared key for processingWith meansAnd a plurality of entity devices.
[0018]
In the present invention, a method unique to each entity is set for each entity, and a secret key unique to each entity is generated by the set method. Therefore, unlike the conventional ID-NIKS including the preceding examples 1 and 2, since a common method is not used for all entities when generating a secret key, it is powerful against attacks using the LLL algorithm. Become.
[0019]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be specifically described.
FIG. 1 is a schematic diagram showing a configuration of a cryptographic communication system according to the present invention. One central center 1 and d that can trust the concealment of information_gOne division center 10 is set. These central center 1 and division center 10 can correspond to, for example, public organizations of society. The central center 1 and a plurality of entities a, b,..., Z as users who use this cryptographic system are connected by secret communication paths 2a, 2b,. , 2b,..., 2z, secret key information is transmitted from the center 1 to the entities a, b,. Further, communication paths 3ab, 3az, 3bz,... Are provided between the two entities, and ciphertexts obtained by encrypting communication information via the communication paths 3ab, 3az, 3bz,. Are transmitted between each other.
[0020]
The present invention can be applied to both the method based on the method of the first example and the method based on the method of the second example. However, in the following example, the method is based on the method of the first example. A case where the present invention is applied will be described.
[0021]
(Preparation process at the general center 1)
(1) First ID vector (d_fDimension, each component is L_fA one-way function f (•) for generating (bit) is disclosed.
(2) Second ID vector (d_gA one-way function g (•) for generating dimensions, each component is an element of GF (2) is disclosed.
(3) Unique random vector r of entity i_i(D_rDimension, each component is L_rBit).
[0022]
However, the first ID vector and the second ID vector of the entity i are represented by the following (1) and (2), respectively, and the second ID vector w_iA set of indices whose components are 1 for W_i= {J | w_ij= 1}.
[0023]
[Expression 1]

[0024]
(Jth (j = 1, 2,..., D_g) Preparatory processing at division center 10)
▲ 1 ▼ Prime number P^(j)Generate and publish this.
(2) Secret symmetric matrix T^(j)Is generated.
[0025]
(Entity registration process)
The central center 1 and each division center 10 requested to register with the entity i perform the following processing.
(1) The control center 1 has j∈W_iThe secret vector x for entity i_iRequest the calculation.
(2) The j-th division center 10 is a vector v_i, The secret vector x for entity i_i ^(j)Is calculated according to the following (3), and is sent to the general center 1.
Vector x_i ^(j)≡T^(j)Vector v_i(Mod P^(j)(3)
(3) The headquarters center 1 determines the law P specific to the entity i._iIs obtained according to (4) below, and the secret vector x is calculated using the Chinese remainder theorem._iIs calculated according to the following (5). Where secret vector x_iIs P_iIs uniquely determined by the law.
[0026]
[Expression 2]

[0027]
(4) The general center 1 further determines the personal secret random number vector r_iEntity i's private key s_iIs secretly sent to entity i in accordance with (6) below.
[0028]
[Equation 3]

[0029]
(Common key generation process between entities)
The entity i uses the following calculation procedure to share the shared key K with the entity m to be communicated._imAsk for.
(1) Common law P between entity i and entity m_imIs obtained according to the following (7).
[0030]
[Expression 4]

[0031]
(2) K according to (8) below_im′ Is calculated.
[0032]
[Equation 5]

[0033]
(3) Shared key K according to (9) below_imCalculate However, D is a natural number publicly disclosed by the general center 1 and satisfies the following condition (10).
[0034]
[Formula 6]

[0035]
Next, communication of information between entities in the above-described encryption system will be described. FIG. 2 is a schematic diagram showing a communication state of information between two entities i and m. In the example of FIG. 2, entity i encrypts plaintext (message) M into ciphertext C and transmits it to entity m, and entity m decrypts ciphertext C into original plaintext (message) M. Show.
[0036]
On the entity i side, the personal identification information ID of the entity m_mAnd using the function h (•), the vector v_mA public key generator 11 for obtaining (public key) and a secret key vector s sent from the central center 1_iAnd the vector v which is the public key from the public key generator 11_mAnd the shared key K with the entity m that the entity i obtains based on the published natural number D_imA shared key generator 12 for generating a shared key K_imAnd an encryptor 13 that encrypts plaintext (message) M into ciphertext C and outputs it to the communication path 30.
[0037]
Further, on the entity m side, the personal identification information ID of the entity i_iAnd using the function h (•), the vector v_iA public key generator 21 for obtaining (public key) and a secret vector s sent from the central center 1_mAnd the vector v which is the public key from the public key generator 21_iAnd the shared key K with the entity i that the entity m obtains based on the published natural number D_miA shared key generator 22 for generating a shared key and a shared key K_miAnd a decryptor 23 that decrypts the ciphertext C input from the communication path 30 into a plaintext (message) M and outputs it.
[0038]
Next, the operation will be described. When transmitting information from entity i to entity m, first, the personal identification information ID of entity m_mIs input to the public key generator 11 and the vector v_m(Public key) is obtained, and the obtained vector v_mIs sent to the shared key generator 12. Further, the vector s obtained in accordance with the above (3) to (6) at the general center 1 and the division center 10._iIs input to the shared key generator 12. And the shared key K according to the above formulas (7) to (9)_imIs sent to the encryptor 13. In the encryptor 13, the shared key K_imIs used to encrypt the plaintext (message) M into the ciphertext C, and the ciphertext C is transmitted via the communication path 30.
[0039]
The ciphertext C transmitted through the communication path 30 is input to the decryptor 23 of the entity m. Personal identification information ID of entity i_iIs input to the public key generator 21 and the vector v_i(Public key) is obtained, and the obtained vector v_iIs sent to the shared key generator 22. Further, the vector s obtained in accordance with the above (3) to (6) at the general center 1 and the division center 10._mIs input to the shared key generator 22. And the shared key K according to the above formulas (7) to (9)_miIs sent to the decoder 23. In the decryptor 23, this shared key K_miIs used to decrypt the ciphertext C into plaintext (message) M.
[0040]
In addition, although the case where this invention was applied to the system based on the method of the prior example 1 was demonstrated, this invention is applicable also to the system based on the method of the prior example 2. FIG. In this case, for example, in addition to the above (6), a secret key vector s as shown in (11) below._iIt is sufficient to perform key sharing using ′. However, Q_iIs a law specific to entity i. In this case, the private secret random vector r at the key sharing stage_i, The vector r_iIt is possible to set a large component.
[0041]
[Expression 7]

[0042]
Hereinafter, various conditions necessary for key sharing between entities in the method of the present invention will be described.
[0043]
(Number of bits for each element)
In order to succeed in key sharing with a sufficiently high probability, a secret random vector r unique to entity i_iThe size L of each component of_rLog₂(P_im), D must be set sufficiently smaller than D. That is, the following (12) may be set, and the following (13) may be set. In order to make it safer against collusion attacks by the LLL method,_rSet. Note that e is a margin for carry and k is a design value.
[0044]
[Equation 8]

[0045]
(Function g)
By function g, the second ID vector w_iIs determined, but the vector w_iIs the secret key vector x_iLaw P_iAnd method P used for key sharing_imUsed for setting. Therefore, the law P_iAnd law P_imThe vector w so that is larger than a certain size_iThe number of components of 1 (vector w_iWeight = # W_i) And # {W_i∩W_m} Needs to be given an appropriate size.
[0046]
#W_iAnd # {W_i∩W_m} Is a vector w that must be greater than a certain size_i, Vector w_mFor example, data obtained by passing ID information through a certain one-way function h (•) may be encoded by a constant weight code such as an M-sequence code. When a constant-weight codeword having a code length of n bits and a weight of 2d is used as the second ID vector, the position of 1 of two different codewords always matches at d locations. Therefore, by using the code word of this constant weight 2d, the modulus P_imIt is possible to make the size of a larger than a certain size.
[0047]
For example, for a 3-bit information symbol, the code length n = 2^Three-1 = 7, weight 2d = 2^k-1Consider a constant weight code such that = 4. In this case, there are seven kinds of information symbols because they can be expressed by 3 bits except for (0, 0, 0). The second ID vector of entity i is a code word (1, 1, 1, 0, 0, 1, 0), and the second ID vector of entity m is a code word (1, 0, 0, 1, 0, 1, 1). P, if given_im= P⁽¹⁾P⁽⁶⁾It becomes.
[0048]
(Generation of second ID vector by constant weight code)
As will be described later, the higher the proportion of the zero component of the second ID vector, the higher the security against collusion attacks using the LLL method. However, if the proportion of the zero component is increased, # {W_i∩W_m} Is not easy to keep above a certain value. In order to realize this, the following constant weight codes are applied hierarchically.
[0049]
(1) Using h (•) as a one-way function, the value generated from the entity ID information is b = 2.^kExpressed in -1 decimal number. That is, it is defined as (15) below.
[0050]
[Equation 9]

[0051]
▲ 2 ▼ w_ij′ Is encoded and this code word is expressed as c_ijAnd However, encoding is performed using an M sequence (eg, (1001011) when k = 3)._ijThis is done by performing a left cyclic shift by 'bits.
(3) c_i0The 0 position is replaced with b bit 0, and the 1 position is replaced with the b bit code word shown in the following (16) from the left. Thereby, the code length b², Weight (2^k-1)²Can be expanded to
[0052]
[Expression 10]

[0053]
(4) By repeating the above processing hierarchically t times, the code length b^t, Weight (2^k-1)^tCan be expanded to Note that the number of 1s when the bit AND of different second ID vectors is taken, that is, #W_imIs always (2^k-2)^tThat's it.
[0054]
The above (1) to (4) will be described with a simple example. k = 3, b = 2^kWhen −1 = 7 and t = 2, it is as follows.
h (ID_A) = 14761 = 6 + 3 ・ 7 + 0 ・ 7²+ 1 · 7^Three+2.7^Four
Vector w_A′ = (6, 3, 0, 1, 2)
Vector w_A′ Encoding:
(6, 3, 0, 1, 2) → (1100101, 1011100, 1001011, 0010111, 0101110) In this case, g (ID_A) Is given by (17) below.
[0055]
## EQU11 ##

[0056]
Next, an attack technique using the LLL algorithm for ID-NIKS of the present invention will be considered.
[0057]
(Third-party secret vector forgery attacks)
The secret key vector s of the victim entity v using the LLL algorithm_vA method for obtaining an approximate value of is considered. The secret key vector s of the victim entity v_vTo obtain an approximate value of the same method P as the sacrificial entity v_vOr, the secret key vector of the collusion entity generated by the method including it as a factor is necessary. In other words, a collusion entity having a second ID vector whose second ID vector is the same as or including that of the victim entity v is necessary, and this attack method is made impossible by devising the configuration of the second ID vector. be able to.
[0058]
Also, the law P of the sacrificial entity v_vAn attack method with a collusion entity having a method that partially includes the factors of^(j)If you try to attack with the law in_iThe component of P^(j)It is bigger than it can be attacked. In the method based on the method of the preceding example 2, the vector r_iThis attack method becomes more difficult. Furthermore, it is necessary to apply the Chinese remainder theorem at the final stage of the attack, and at that time, a small random number term unique to each collusion entity is multiplied by a large value, so the probability that such an attack technique will also succeed is sufficiently low .
[0059]
(Collusion attack method for finding the center secret matrix)
Consider an attack that directly applies the secret symmetric matrix T of the center by applying the LLL algorithm. Where t_{p, j}Is a component of the pth row and jth column of the symmetric matrix T, and the symmetric matrix T is expressed as T≡T^(j)(Mod P^(j)) (J = 1, 2,..., D_gIs satisfied.
[0060]
Secret key vector s of collusion entity i_iThe first component can be expressed by the following (18). R_i1Solving for, it becomes (19) below. The known term in the equation (19) is the following (20), and the unknown term is the following (21).
[0061]
[Expression 12]

[0062]
Here, the matrix equation of the following (22) is formed from the known term and the unknown term in the above equation (19) of n collusion entities (i = 1, 2,..., N).
[0063]
[Formula 13]

[0064]
[-R on the right side of (22) above₁₁, -R₁₂, ..., -r_1n] Is a small vector, and when this is regarded as the minimum basis vector of the lattice and the LLL algorithm is applied, an unknown term shown in (23) below may be obtained.
[0065]
[Expression 14]

[0066]
The unknown terms shown in (24) below are uniquely determined based on the method shown in (25) below, and the number of digits is almost equal to the number of digits shown in (26) below.
[0067]
[Expression 15]

[0068]
On the other hand, the secret component possessed by entity i is_iAnd the unknown term t_{p, j}And the secret component of the collusion entity i, the ratio of the number of digits is the dimension number d of the function g (·)_gAnd the ratio of the number of components to 1 is almost equal. When this ratio is R, in order for such a collusion attack to succeed, at least d_fR collusion entities are required.
[0069]
Therefore, this ratio R may be increased in order to make the system safer against collusion attacks. For example, when g (·) is configured using the above-described M-sequence constant weight code hierarchically, when each parameter is set to k = 3, t = 4, the dimension d_gIs 7^Four= 2401, whereas its weight is 4^Four= 256, and the ratio R is about 9.38. In this case, the method P used for key sharing_iw#W that defines the size of_imIs 2^Four= 16. Furthermore, P^(j)Log is a prime number of about 20 bits, log₂(P_im) Is about 320, and the size of the common law used for collusion attacks is as follows (27).
[0070]
[Expression 16]

[0071]
In this case, in the collusion attack for the method of the present invention, the number of collusion entities is set to 9d._fAs described above, calculation in the case of an attack using the LLL algorithm is an operation of about 48,020 bits and requires a huge amount of calculation.
[0072]
  As described above, the method of the present invention is a safer method against collusion attacks using the LLL algorithm than the preceding examples 1 and 2 with respect to the collusion threshold value and the amount of calculation of each multiplication and division. ing.Further, in the above-described cryptographic communication system, one central center and a plurality of division centers are provided, and each division center obtains the secret vector of the entity, so that one center holds the secret of all the entities. There is nothing, Big brother The problem has been solved.
[0073]
FIG. 3 is a diagram showing the configuration of the embodiment of the recording medium of the present invention. Processes for obtaining a method specific to each entity shown in the above (4) and processes for calculating a secret key specific to each entity shown in the above (5) and (6). The computer 40 on which the program to be loaded is loaded is provided on the management center 1 side. In addition, it is recorded on the recording medium described below, and a process for obtaining a common method between entities shown in (7) above and a shared key between entities shown in (8) and (9) above are calculated. A computer 40 loaded with a program including processing is provided on each entity side.
[0074]
In FIG. 3, the recording medium 41 connected online with the computer 40 is a WWW (World Wide Web) server computer installed at a distance from the installation location of the computer 40. The recording medium 41 includes the above-described program. 41a is recorded. The program 41a read from the recording medium 41 controls the computer 40, thereby generating a secret key unique to each entity in the overall center 1, and generating a shared key for the entity to be communicated in each entity.
[0075]
The recording medium 42 provided in the computer 40 is a built-in hard disk drive or ROM, for example, and the recording medium 42 stores the program 42a as described above. The program 42a read from the recording medium 42 controls the computer 40, thereby generating a secret key unique to each entity in the overall center 1, and generating a shared key for the entity to be communicated in each entity.
[0076]
The recording medium 43 loaded and used in a disk drive 40a provided in the computer 40 is a portable medium such as a magneto-optical disk, a CD-ROM, or a flexible disk. 43a is recorded. The program 43a read from the recording medium 43 controls the computer 40, thereby generating a secret key unique to each entity in the overall center 1, and generating a shared key for the entity to be communicated in each entity.
[0077]
【The invention's effect】
As described above in detail, in the present invention, a method unique to each entity is set for each entity, and a secret key unique to each entity is generated by the set method. It becomes possible to increase safety.
[Brief description of the drawings]
FIG. 1 is a schematic diagram showing a configuration of a cryptographic communication system according to the present invention.
FIG. 2 is a schematic diagram showing a communication state of information between two entities.
FIG. 3 is a diagram illustrating a configuration of an embodiment of a recording medium.
FIG. 4 is a principle configuration diagram of an ID-NIKS system.
[Explanation of symbols]
1 Control Center
10 split center
11, 21 public key generator
12, 22 Shared key generator
13 Encryptor
23 Decoder
30 communication path
40 computers
41, 42, 43 Recording media

Claims (4)

A secret key unique to each entity is sent from the center device to each entity device, and one entity device shares the entity-specific secret key sent from the center device and the public key of the other entity that has been made public The plaintext is encrypted into ciphertext using the key and transmitted to the other entity device, and the ciphertext transmitted by the other entity device is disclosed as the private key unique to the entity sent from the center device. In addition, by using the same shared key as the shared key obtained from the public key of the one entity, decryption into the original plaintext requires preliminary communication between entity devices prior to ciphertext communication. specific at non scheme, the encryption communication method for communicating information between entity device, the center device, each of said entity Set law, the generating the respective entity-specific secret key by specific laws set for each entity, the one and the other entity device, commonly based on the unique law set for each of said entity A cryptographic communication method characterized in that the shared key is generated by the common method obtained. Specific the center apparatus, which obtains a secret vector for each entity using the public key of each entity, by using the secret vector of each was determined entity and each entity unique personal secret random number vector was set for each of the respective entities The cryptographic communication method according to claim 1, wherein a secret key unique to each entity is generated by the method of (1). The encryption communication method according to claim 1 , wherein the center device obtains a public key of each entity based on specific information of each entity. Preliminary communication between multiple entity devices is required prior to ciphertext communication for the process of encrypting plaintext, which is information to be transmitted, into ciphertext and the process of decrypting the transmitted ciphertext into the original plaintext In a cryptographic communication system that mutually performs between a plurality of entity devices in a scheme that does not, and means for setting a unique method for each entity, means for generating a secret key unique to each entity by the set method, and generation a center device comprising means for sending the private key to each entity apparatus, means asking you to common law based on the unique law set for each entity, and, by a common law determined, from the center device using the the sent its own unique private key and public key Entite I to be communicated, means for generating a shared key of a process for processing and decoding said encrypted Cryptographic communication system characterized by having a plurality of entity devices having.

Images