JP4500087B2 - Anonymous communication method, anonymous communication system, authentication device, transmission device, relay device, reception device, unauthorized person identification device, and program - Google Patents

Description

  The present invention relates to a cryptographic application protocol technique using encryption and signature techniques, and more particularly to a technique capable of specifying an unauthorized user who exploits this anonymity while maintaining the anonymity of the information sender.

As a technique for protecting anonymity of an information sender on a network and privacy information such as transmission information and a communication partner, there is an anonymous communication method called onion routing (for example, see Non-Patent Document 1). However, in the case of anonymous communication such as onion routing, for example, even if a successful bidder of an electronic auction does not pay the price after receiving the merchandise, the fraudster cannot be specified.
On the other hand, the inventor of the present application can normally protect the anonymity of the sender by combining this onion routing and access authentication in Japanese Patent Application No. 2003-383761, but when the fraud of the sender is detected, It proposes a method that can identify the fraudsters through the cooperation of previously approved organizations.
P. F. Syberson, D.M. M.M. Goldschlag, and M.M. G. Reed “Anonymous connections and onion routing,” In Proc. of the 1997 IEEE Symposium on Security and Privacy, IEEE Press, pp. 44-54, May. 1997.

However, in the case of the method of Japanese Patent Application No. 2003-383761, the information sender must access the authentication server every time anonymous communication is performed for user authentication. As a result, there is a possibility that access concentrates on the authentication server and the authentication server cannot sufficiently perform the service.
The present invention has been made in view of the above points, and can identify an unauthorized user who abuses this anonymity while maintaining the anonymity of the information sender, and information to a specific server. It aims at making it possible to suppress concentration.

  In the first aspect of the present invention, in order to solve the above-described problem, first, as pre-processing, the authentication unit of the authentication apparatus generates a signature generation key (TSK) and a signature verification key (TPK) for the sender, In the certificate generation means, the key certificate includes the concealed sender information (STI) obtained by concealing the sender information (TI) and the signature verification key (TPK), and proves the validity of the signature verification key (TPK). A document (TCE) is generated. Then, the authentication device output means outputs the signature generation key (TSK) and the key certificate (TCE) to the transmission device, and the signature generation key (TSK) and the key certificate (TCE) are output to the transmission device memory. Store it.

  Here, the process in the authentication device necessary for anonymous communication is executed as a preliminary process before the start of anonymous communication. Further, the signature generation key (TSK) and key certificate (TCE) used for this anonymous communication are stored in the transmission device memory, and the transmission device does not need to access the authentication device when executing anonymous communication. As described above, concentration of access to the authentication device can be prevented. Also, if the digital signature (S) and key certificate (TCE) of the message using the signature generation key (TSK) are presented to the relay device in the transmission process and the relay device can verify it, the relay The device is acting as an authentication device. Thereby, it is possible to obtain the same effect as that via the authentication device during communication.

In the communication process, the transmission device signature generation unit generates a digital signature (S) of the message using the signature generation key (TSK), and the transmission device transmission unit generates the digital signature (S) and the key certificate (S). TCE) is transmitted to the receiving device through the anonymous communication path. The receiving device receiving means receives the digital signature (S) and the key certificate (TCE), and stores the key certificate (TCE) in the receiving device memory.
Here, the key certificate (TCE) includes the concealed sender information (STI), but the sender information (TI) cannot be obtained from the key certificate (TCE) except for the authentication device. In addition, communication of each data is performed through an anonymous communication path. As described above, the anonymity of the information sender can be maintained.

Further, when the information sender is fraudulent, the extraction means of the receiving device extracts the key certificate (TCE) corresponding to the fraudster from the receiving device memory, and uses the extracted key certificate (TCE). Then, the receiving device output means outputs to the authentication device. Then, the authentication device input means of the authentication device accepts the input of the key certificate (TCE), and the unauthorized person identification means corresponds to the confidential sender information (STI) included in the input key certificate (TCE). Sender information (TI) to be obtained is obtained.
Here, the authentication apparatus can obtain the sender information (TI) from the confidential sender information (STI) included in the input key certificate (TCE). Thereby, an unauthorized information sender can be specified.

In the second aspect of the present invention, in order to solve the above-described problem, first, as pre-processing, in the authentication unit of the authentication apparatus, the signature generation key (SK ₀ ), the signature verification key (PK ₀ ), and each relay for the sender A signature generation key (SK _k ) and a signature verification key (PK _k ) (k is a natural number) for the device (R _k ) are generated, and the key certificate of the signature verification key (PK ₀ ) is generated in the certificate generation unit of the authentication device and (CE _0), signature verification key (PK _k) of the key certificate _(CE k) (encrypt the operator information of the relay device by the public key of the unauthorized user identification device _{(Y) (R k) (} RI k) Encryption operator information (ERI _k ). Further, the authentication device encryption means generates encrypted information (C ₀ = E (TI, Y)) obtained by encrypting the sender information (TI) using the public key (Y) of the unauthorized person specifying device. Thereafter, in the authentication device output means, the signature generation key (SK ₀ ), the key certificate (CE ₀ ), and the encryption information (C ₀ ) are output to the transmission device, and the signature generation key (SK _k ) and the key are output. The certificate (CE _k ) is output to each relay device (R _k ). Then, the signature generation key (SK ₀ ), key certificate (CE ₀ ), and encryption information (C ₀ ) are stored in the transmission device memory, and the signature generation key (SK _k ) and key certificate are stored in the relay device memory. Store (CE _k ).

Here, the process in the authentication device required for anonymous communication is executed as a preliminary process before the start of anonymous communication. Also, the signature generation key (SK ₀ ), key certificate (CE ₀ ), and encryption information (C ₀ ) used for this anonymous communication are stored in the transmission device memory, and the signature generation key (SK _k ) and key certificate are stored. (CE _k ) is stored in the relay device memory. Therefore, it is not necessary for the transmission device or the relay device to access the authentication device when anonymous communication is executed, and access concentration to the authentication device can be prevented.
In the communication process, the transmission device signature generation unit generates a digital signature (S ₀ ) of the encrypted information (C ₀ ) using the signature generation key (SK ₀ ) stored in the transmission device memory, and transmits the digital signature (S ₀ ). In the device transmission means, the encrypted information (C ₀ ), the digital signature (S ₀ ), and the key certificate (CE ₀ ) are transmitted to the first relay device (R ₁ ) constituting the anonymous communication path, and anonymous communication is performed. In the relay device receiving means of each relay device (R _i ) (i is a natural number) constituting the path, the encrypted information (C _i-1 ), the digital signature (S _i-1 ), and the key certificate (CE _i-1) ), The digital signature (S _i-1 ) is verified by using the key certificate (CE _i-1 ) in the relay device signature verification means, and the verification result of the digital signature (S _i-1 ) is passed. If there is, the encryption information in the relay device encryption means Encryption information (C _i ) obtained by encrypting (C _i-1 ), digital signature (S _i-1 ), and key certificate (CE _i-1 ) with the public key (Y) of the unauthorized person identification device generated, in the relay device signature generation unit, using the relay device signature generation key stored in the memory (SK _i), generates a digital signature of the encrypted information _{(C i) (S i)} , in the relay device transmitting means The encryption information (C _i ), the digital signature (S _i ), and the key certificate (CE _i ) stored in the relay device memory are used to configure the next relay device (anonymous communication channel is configured). If the next relay device does not exist, it is transmitted to the receiving device, and the receiving device receiving means transmits the encrypted information (C _n ), digital signature (S _n ), and key certificate (CE) transmitted through the anonymous communication path. _n) (n is located at the end of the anonymous channel Receiving a natural number) corresponding to the relay device, the reception device signature verification unit, using the key certificate (CE _n), verifies the digital signature (S _n), the verification result is passed to the digital signature (S _n) If there is, the encryption information (C _n ) is stored in the receiving device memory.

Here, the encrypted information (C _i ) can be decrypted only by the unauthorized person identifying device, and other third parties cannot obtain the sender information (TI). In addition, communication of each data is performed through an anonymous communication path. As described above, the anonymity of the information sender can be maintained.
Further, when the information sender is fraudulent, the extracting means of the receiving device extracts the encrypted information (C _n ) corresponding to the unauthorized person from the receiving device memory, and the receiving device output means encrypts the information sender. The information (C _n ) is output to the unauthorized person identification device, and the unauthorized person identification device decrypting means sequentially decrypts the encrypted information (C _n ), and the encrypted information (C _p ) and the digital signature (S _p ) and it acquires the key certificate (CE p) _(p is from 0 to less than n an integer), verify the relay unauthorized searching means of the unauthorized user identification device, by a digital signature (S _p) the key certificate (CE _p) When the verification result is unsuccessful, the encryption operator information (ERI _{p + 1} ) possessed by the key certificate (CE _{p + 1} ) is decrypted, the operator information (RI _{p + 1} ) is obtained, and the relay fraud search means All validation results If it is acceptable, the unauthorized sender identification means decrypts the encrypted information (C ₀ ) and obtains sender information (TI).

Here, the unauthorized person identification device can obtain the sender information (TI) by decrypting the encrypted information (C ₀ ). Thereby, an unauthorized information sender can be specified.

  As described above, in the present invention, it is possible to identify an unauthorized user who abuses this anonymity while maintaining the anonymity of the information sender, and to suppress the concentration of information on a specific server. .

Embodiments of the present invention will be described below with reference to the drawings.
[First Embodiment]
First, a first embodiment of the present invention will be described.
<Overall configuration>
FIG. 1 is a diagram illustrating a configuration of an anonymous communication system 1 in the present embodiment.
As illustrated in FIG. 1, the anonymous communication system 1 according to the present embodiment includes an authentication device 10 operated by the authentication organization 110, transmission devices 20-1 to X used by information senders 120-1 to X, and a relay device 30. -1 to W, and receivers 40-1 to 40-Z used by information receivers 140-1 to 140-Z.
The transmission devices 20-1 to X, the relay devices 30-1 to W, and the reception devices 40-1 to Z are communicably connected through a network 50 such as the Internet. Further, the authentication organization 110, the senders 120-1 to 120X, and the receivers 140-1 to 140-Z exchange information offline using a portable recording medium such as an IC (integrated circuit).
Note that the authentication device 10, the transmission devices 20-1 to X, the relay devices 30-1 to W, and the reception devices 40-1 to Z in this example are constructed by causing a known computer to execute a predetermined program. Is.

<Each apparatus configuration and processing method>
2A is a block diagram illustrating the configuration of the authentication device 10 described above, and FIG. 2B is a block diagram illustrating the configuration of the transmission device 20 (transmission devices 20-1 to X). It is. 3A is a block diagram illustrating the configuration of the relay device 30 (relay devices 30-1 to 30-W), and FIG. 3B illustrates the reception device 40 (receiver devices 40-1 to 40-1). It is a block diagram which illustrated the composition of Z). FIG. 4 is a flowchart for explaining the pre-processing of the present embodiment, FIG. 5 is a flowchart for explaining the transmission processing, and FIG. 6 is a conceptual diagram for explaining the transmission processing. Furthermore, FIG. 7 is a flowchart for explaining an unauthorized person identification process in this embodiment.

Hereinafter, the configuration of each apparatus and the processing method that configure the anonymous communication system 1 in the present embodiment will be described with reference to these drawings. Hereinafter, a case where the sender 120-1 transmits information to the receiver 140-1 will be described as an example.
<Pre-processing>
First, in the key memory 12 of the authentication device 10 (FIG. 2A), a secret key (SK) for creating a key certificate, a public key (PK) corresponding thereto, and a cipher for encrypting sender information Stores the encryption key (K). Further, in the path setting memory 25 of the transmission device 20-1 (FIG. 2B: transmission device 20), the address (A ₀ ) of the reception device 40-1 as the transmission partner, all the relay devices 30-1 to 30-1 are stored. A plurality of encryption functions corresponding to the address of W and each of the relay devices 30-1 to 30-1W are stored that can be decrypted only by the corresponding relay device 30-1 to 30-W. Furthermore, the key memory 31 of each relay device 30-1 to W (FIG. 3A: relay device 30) stores a decryption key (RK _k ) (k is a natural number) necessary for decryption of this encryption function. Keep it.

When the sender 120-1 (sending user) desires anonymous communication, the sender 120-1 first submits an identification certificate to the certification authority 110 offline. Upon receiving this, the certification body 110 examines it and, if it is deemed appropriate (approved), authenticates the sender information (personal information such as name, address, and telephone number) of the sender 120-1. Store in the sender information memory 11 of the device 10. Thereafter, the following processing is executed in the authentication device 10 (FIG. 2A).
First, the authentication means 13 generates a signature generation key (TSK) and a signature verification key (TPK) for the approved sender 120-1 (FIG. 4A: step S1). Here, the signature generation key (TSK) is a secret key in a public key cryptosystem such as RSA, and the signature verification key (TPK) is a public key corresponding thereto.

Next, in the authentication device encryption means 14, the sender information (TI) of the approved sender 120-1 is extracted from the sender information memory 11, and the encryption key (K) is extracted from the key memory 12. Extract. And the authentication apparatus encryption means 14 produces | generates the encryption sender information (STI = E (TI, K)) which encrypted this sender information (TI) with the encryption key (K). Then, it is sent to the certificate generation means 15 (step S2). Note that E (α, β) means a ciphertext obtained by encrypting α using the key β.
Next, the certificate generation means 15 extracts the secret key (SK) from the key memory 12, receives the concealed sender information (STI) from the authentication device encryption means 14, and receives the signature verification key (TPK) from the authentication means 13. ). The certificate generation means 15 includes the confidential sender information (STI) and the signature verification key (TPK), and authenticates the signature certificate key (TPK) with a key certificate (TCE = ( TPK, E (TPK, SK), STI) are generated (step S3), that is, E (TPK, SK) and signature verification key (TPK) obtained by encrypting the signature verification key (TPK) with the secret key (SK). And concealed sender information (STI) is generated as a key certificate (TCE).

Next, the authentication device output unit 16 receives the signature generation key (TSK) generated by the authentication unit 13 and the key certificate (TCE) generated by the certificate generation unit 15 and sends them to the sender 120. -1 is output to the transmission device 20-1 used (step S4). Specifically, for example, these signature generation key (TSK) and key certificate (TCE) are output to a general-purpose recording medium (such as an IC card) for the transmission apparatus 20-1, and these data are output to this The data is recorded on a portable recording medium, and the portable recording medium is mailed to the sender 120-1.
Upon receiving this, the sender 120-1 sends the signature generation key (TSK) and the key certificate (TCE) stored in the portable recording medium to the transmission device 20-1 (FIG. 2B: transmission device). 20) is read (input) by the transmission device input means 21 (FIG. 4B: step S5). The read signature generation key (TSK) and key certificate (TCE) are sent to the transmission device memory 22 and stored therein (step S6).
In this example, the signature generation key (TSK) and the key certificate (TCE) are provided via a general-purpose recording medium such as an IC card. 110, receiving a certification key such as a password in advance, and using this certification key, a signature generation key (TSK) and a key certificate (TCE) are sent from the authentication device 10 to the transmission device 20-1 online. It may be transmitted.

<Communication processing>
In the present embodiment, anonymous communication from the transmission device 20-1 to the reception device 40-1 is performed through an anonymous communication path configured by onion routing (for example, see Non-Patent Document 1) (FIG. 6).
When starting anonymous communication in this embodiment, first, the sender 120-1 inputs a message (MSG) to be transmitted to the transmission device 20-1 (FIG. 2 (b): transmission device 20) and transmits it. The device 20-1 stores this message (MSG) in the message memory 23.
Next, the route setting means 26 refers to the address information of the relay devices 30-1 to 30-W stored in the route setting memory 25, and determines the relay device 30 to be interposed and its relay order (FIG. 5A). ): Step S11). In this example, the relay devices 30-1 to 30-n are selected and the relay devices 30-1, 2,. . . , N is selected (FIG. 6) (of course, other relay devices and other relay orders may be selected).

Thereafter, in the route setting means 26, the addresses (A _{1 to} A _n ) of the selected relay devices 30-1 to _n , the address (A ₀ ) of the receiving device 40-1, and each relay device 30 from the route setting memory 25. The encryption functions (E _{1 to} E _n ) that correspond to −1 to _{n and} can be decrypted only by the relay devices 30-1 to 30- _n are extracted. Then, the path setting means 26 uses the multilayer encryption information (H ₀ = E ₁ (A ₂ ‖E ₂ (A ₃ ‖... ‖E _n-1 (A _n ‖E _n (A ₀ ))). .)) Is generated (step S12).
That is, the route setting unit 26 First, encrypted by the encryption function _{E n} the address of the receiving apparatus _{40-1 (A 0) (E n} (A 0)) to. Further, the data combination (A _n ‖E _n (A ₀ )) of the ciphertext (E _n (A ₀ )) and the address (A _n ) of the relay device 30 -n is encrypted by the encryption function E _n-1 . (E _n-1 (A _n ‖E _n (A ₀ ))). Furthermore, the data combination (A _n-1 ‖E _n ) of the ciphertext E _n-1 (A _n ‖E _n (A ₀ )) and the address (A _n-1 ) of the relay device 30-(n-1). _-1 (A _n ‖E _n (A ₀ )) is encrypted by the encryption function E _n-2 (E _n-2 (A _n-1 ‖E _n-1 (A _n ‖E _n (A ₀₎ Then, the same processing is repeated, and the multilayer encryption information (H ₀ = E ₁ (A ₂ ‖E ₂ (A ₃ ‖... ‖E _n-1 (A _n ‖E _n (A ₀ )) ...)) is generated.

Next, the transmission device signature generation means 24 extracts a signature generation key (TSK) from the transmission device memory 22 and extracts a message (MSG) from the message memory 23. Then, the transmission device signature generation unit 24 generates a digital signature (S = Sig (MSG, TSK)) of the message using the signature generation key (TSK), and transmits the digital signature (S) and the message (MSG). The data is sent to the device transmission means 27 (step S13). Sig (α, β) indicates a digital signature of α obtained by encrypting α with a key β.
Next, the transmitting device transmitting unit 27 receives the multilayer encryption information (H ₀ ) from the path setting unit 26, receives the key certificate (TCE) from the transmitting device memory 22, and receives the digital signature (from the transmitting device signature generating unit 24). S) and a message (MSG). Then, the transmission device transmission unit 27 transmits these pieces of information to the reception device 40-1 through the anonymous communication path including the relay device 30 (step S14).

That is, first, the transmission device 20-1 transmits these pieces of information to the first relay device 30-1 determined in step S11 through the network 50. The relay device 30-1 (FIG. 3 (a): relay device 30), in the relay device receiving means 32, multi-layer encryption information (H ₀ (multi-layer encryption information H _i : i = 0)), message (MSG) The digital signature (S) and the key certificate (TCE) are received, the message (MSG), the digital signature (S) and the key certificate (TCE) are sent to the signature verification means 33, and the multi-layer encryption information ( _Hi ) Is sent to the decryption means 34 (FIG. 5B: step S21).

The signature verification unit 33 acquires the public key (PK) stored in the key memory 12 of the authentication device 10 online or offline, and the decryption result of E (TPK, SK) included in the key certificate (TCE) is the signature. The verification key (TPK) is verified. Then, the signature verification unit 33 decrypts the digital signature (S = Sig (MSG, TSK)) by using the signature verification key (TPK) that has passed, and whether or not the decryption result is a message (MSG). Is verified (step S22).
Here, when the decryption result of E (TPK, SK) is not the signature verification key (TPK) (step S23), or the decryption result of the digital signature (S = Sig (MSG, TSK)) is the message (MSG). If not, the process ends with an error (step S24).

On the other hand, when the decryption result of the digital signature (S = Sig (MSG, TSK)) is a message (MSG) (step S23), the decryption means 34 stores the decryption key (RK ₁ ) (RK _{i + 1} ) from the key memory 31. : I = 0), the multilayer encrypted information (H ₀ ) is decrypted, and A ₂ ‖E ₂ (A ₃ ‖... ‖E _n-1 (A _n ‖E _n (A ₀ )).・ ・) Get. Thereby, the relay apparatus 30-1 can know the address (A ₂ ) (A _{i + 2} : i = 0) of the relay apparatus 30-2 to be transmitted next.
Then, the relay device transmission unit 35 receives the message (MSG), the digital signature (S), and the key certificate (TCE) from the signature verification unit 33, and receives the multilayer encryption information (H ₁ = E ₂ ( A ₃ ‖... ‖ E _n-1 (A _n ‖E _n (A ₀ ))... (Multilayer encryption information H _{i + 1} : i = 0)) and the address (A ₂ ). Then, the relay device transmission means 35 sends the message (MSG), digital signature (S), key certificate (TCE), and multi-layer from the signature verification means 33 to the relay device 30-2 specified by this address (A ₂ ). The encrypted information (H ₁ (multilayer encrypted information H _{i + 1} : i = 0)) is transmitted through the network 50 (step S26).

Thereafter, the same processing is repeated in each of the relay devices 30-2 to 30-n selected in step S11, and finally the message (MSG), digital signature (S), and key certificate (TCE) are transmitted to the relay device 30-. n is transmitted to the receiver 40-1 (FIG. 6).
In the above communication path, the multilayer encryption information (H _i ) can be decrypted only by the relay device 30- (i + 1) to which it is transmitted. Therefore, only the relay device 30- (i + 1) can know the relay device 30- (i + 2) address (A _{i + 2} ). If two or more relay devices 30 are relayed, one relay device 30 cannot know the addresses of both the transmission device 20-1 and the reception device 40-1. Thereby, the communication fact between the transmission device 20-1 and the reception device 40-1 can be concealed. Note that, as described above, the intervening relay devices 30, the number, and the relay order are not determined in advance, but are determined by the transmission device 20-1 for each communication. As a result, it is possible to prevent a situation in which two or more relay devices collide and the communication facts between the transmission device 20-1 and the reception device 40-1 are exposed.

Next, the receiving device receiving means 41 (FIG. 3 (b): receiving device 40) of the receiving device 40-1 receives the message (MSG), the digital signature (S), and the key certificate (TCE). The signature is sent to the signature verification means 42 (step S31).
The signature verification means 42 verifies the digital signature (S) by the same method as in step S22 described above (step S32), and if it fails (step S33), it ends in error (step S34) and passes. (Step S33), the message (MSG), digital signature (S), and key certificate (TCE) are stored in the receiving device memory (step S35).

Note that the return path from the receiving apparatus 40-1 to the transmitting apparatus 20-1 can be established by performing session management and tracing the transmission path in reverse. Alternatively, as another means, the receiving device 40-1 generates multi-layer encrypted information (H) for reply and transmits it to the receiving device 40-1 together with the message (MSG). The reply message may be sent back by using the reply multilayer encryption information H in the same manner as at the time of transmission.
Moreover, the confidentiality of the message can be enhanced by encrypting the transmission message / reply message so that only the reception device 40 / transmission device 20 can decrypt it.

<Unauthorized person identification processing>
Next, a process for specifying an unauthorized sender 120 when an injustice such as no payment from the anonymous sender 120 occurs will be described.
When the sender 120 who transmitted information to the receiver 140-1 is illegal, the receiver 140-1 gives an instruction for specifying the unauthorized person specifying the message (MSG), for example, to the receiver 40-1 ( FIG. 3B: Input to the extraction means 44 of the receiving device 40) (FIG. 7A: Step S41). The extracting unit 44 extracts the key certificate (TCE) corresponding to this message (MSG), that is, corresponding to the unauthorized person, and sends it to the receiving device output unit 45 (step S42). The receiving device output means 45 outputs this key certificate (TCE) to the authentication device 10 (step S43). Specifically, for example, the key certificate (TCE) is stored in a portable recording medium such as an IC card, and the portable recording medium is mailed to the certification authority 110. At this time, for example, past logs of communication data such as transmission / reception messages and key certificates are also stored in the portable recording medium.

The certification authority 110 refers to the past log recorded on the portable recording medium, determines the validity of the appeal of the receiver 140-1, and if it is determined to be valid, the authentication apparatus 10 (FIG. 2). The key certificate (TCE) recorded on the portable recording medium is input to the authentication device input means 17 of (a)), and the authentication device input means 17 accepts this input (FIG. 7 (b): step. S45).
The input key certificate (TCE) is sent to the unauthorized person specifying means 18, and the unauthorized person specifying means 18 transmits corresponding to the confidential sender information (STI) included in the input key certificate (TCE). Person information (TI) is obtained. In this example, the unauthorized person specifying means 18 extracts the encryption key (K) from the key memory 12, thereby decrypting the concealed sender information (STI) and obtaining the sender information (TI). As a result, an unauthorized person is identified.

<Features of this embodiment>
As described above, in the present embodiment, in the authentication apparatus 10, the signature generation key (TSK) for the approved sender 120-1 and the concealed sender information (STI) obtained by concealing the sender information (TI) A key certificate (TCE) including a signature verification key (TPK) is generated, and these are issued in advance to the sender 120-1. Thereby, it is not necessary for the transmission devices 20-1 to X to access the authentication device 10 every time communication processing is performed, and concentration of access to the authentication device 10 can be suppressed.

In addition, the sender 120-1 uses the transmission device 20-1 to attach a digital signature (S) to the message (MSG) using the signature generation key (TSK), and attaches these together with the key certificate (TCE) to onion routing. Is transmitted to the receiving device 40-1 through the anonymous communication path constituted by Thus, the anonymity of the sender 120-1 is maintained and the validity of the message is guaranteed.
Further, since the digital signature (S) and the key certificate (TCE) are presented to the relay devices 30-1 to 30-W in the transmission process, and the relay devices 30-1 to 30-W verify this, the relay device 30 -1 to W act as a proxy for the authentication device 10. Thereby, the authentication effect similar to having passed through the authentication apparatus 10 at the time of communication can be acquired. If there are a plurality of relay apparatuses 30-1 to 30 -W, an access distribution effect can be generally expected.

If the sender 120-1 is illegal, the receiver 140-1 using the receiver 40-1 passes the key certificate (TCE) to the authentication authority 110, and the authentication authority 110 Is used to identify the sender 120-1 from this key certificate (TCE). Thereby, an unauthorized person can be specified.
Needless to say, the present invention is not limited to the above-described embodiment, and can be modified as appropriate without departing from the spirit of the present invention. For example, in the above-described embodiment, the transmission device and the relay device are separate devices, but the functions of these devices may coexist in a single device. Further, in this embodiment, the sender information (TI) is concealed to generate the concealed sender information (STI). However, in the authentication device 10, the sender information (TI) table is kept secret. The information that becomes the key of each sender information (TI) may be the confidential sender information (STI). In this case, the unauthorized person specifying means 18 searches the table based on the sent concealed sender information (STI), and sends the sender information (TI) corresponding to the concealed sender information (STI). , Identify as fraudulent information. The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

[Second Embodiment]
Next, a second embodiment of the present invention will be described.
<Overall configuration>
FIG. 8 is a diagram illustrating a configuration of the anonymous communication system 200 in the present embodiment.
As illustrated in FIG. 8, the anonymous communication system 200 of the present embodiment includes an authentication device 210 operated by the authentication authority 310, transmission devices 220-1 to X used by information senders 320-1 to X, and relay device operation. Relay devices 230-1 to 230 -W used by the users 330-1 to W, receiving devices 240-1 to 240 -Z used by the information receivers 340-1 to Z, and a plurality of unauthorized person specifying organizations 350 that specify unauthorized persons. -1 to U have a plurality of unauthorized person identification devices 250-1 to 250-V, respectively.

Further, the authentication device 210, the transmission devices 220-1 to X, the relay devices 230-1 to W, the reception devices 240-1 to Z, and the unauthorized person identification devices 250-1 to V can communicate through a network 260 such as the Internet. It is connected to the. Further, the authentication organization 310, the senders 320-1 to X, the relay device operators 330-1 to W, the receivers 340-1 to Z, and the unauthorized person identification organizations 350-1 to U can be, for example, ICs or the like. Exchange information offline using a portable recording medium.
Note that the authentication device 210, the transmission devices 220-1 to X, the relay devices 230-1 to W, the reception devices 240-1 to Z, and the unauthorized person identification devices 250-1 to V in this example are assigned to a known computer. It is constructed by executing the program.

<Each apparatus configuration and processing method>
FIG. 9 is a block diagram illustrating the configuration of the authentication device 210 described above, FIG. 10 is a block diagram illustrating the configuration of the transmission device 220 (transmission devices 220-1 to X), and FIG. It is the block diagram which illustrated the composition of device 230 (relay devices 230-1 to W). 12A is a block diagram illustrating the configuration of the receiving device 240 (receiving devices 240-1 to Z), and FIG. 12B is an unauthorized person specifying device 250 (illegal person specifying device). It is a block diagram illustrating the configuration of 250-1 to V). FIG. 13 is a flowchart for explaining the pre-processing of this embodiment, and FIGS. 14 and 15A are flowcharts for explaining the transmission processing. Further, FIG. 15B and FIG. 16 are flowcharts for explaining the unauthorized person identification processing in this embodiment.

Hereinafter, the configuration of each apparatus and the processing method that configure the anonymous communication system 200 in the present embodiment will be described using these drawings. Hereinafter, a case where the sender 320-1 transmits information to the receiver 340-1 will be described as an example.
<Pre-processing>
First, a plurality of unauthorized person identification devices 250-1 to 250-V cooperate to create a single public key (Y) (corresponding to “public key (Y) of unauthorized person identification device)” of a certain public key cryptographic function. ,Publish. The ciphertext encrypted using the public key (Y) can be decrypted only when a plurality of unauthorized person identification devices 250-1 to 250V cooperate. In addition, as an application, a public key of a threshold encryption that can be decrypted only when an unauthorized person identification device 250-1 to 250-V with a certain threshold number or more cooperates with the public key (Y) It may be used as For a specific example of this threshold cipher, a threshold Paillier cipher (for example, “R. Crmer, I. Damgard, and JB Nielsen,“ Multiparty computation from threshold homomorphic encryption, ”Eurocrypt '01, LNCS 2045, pp 280-300, Springer-Verlag, 2001.) and threshold RSA ciphers (eg “R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin,“ Robust and efficient sharing of RSA functions , "CRYPTO '96, Springer-Verlag, 1996.").

Further, the key memory 212 of the authentication device 210 (FIG. 9) stores a secret key (SK) for creating a key certificate, a corresponding public key (PK), and the above-described public key (Y). Further, in the path setting memory 225 of the transmission device 220-1 (FIG. 10: transmission device 220), the address (A ₀ ) of the reception device 240-1 as the transmission partner and the addresses of all the relay devices 230-1 to W are stored. And a plurality of encryption functions corresponding to each of the relay devices 230-1 to 230-W, and only the corresponding relay devices 230-1 to 230-W can be decrypted. Furthermore, in the key memory 231 of each relay device 230-1 to W (FIG. 11: relay device 230), the decryption key (RK _k ) (k is a natural number) necessary for decryption of the encryption function and the above-described public key (Y) is stored.

In addition, each relay device operator 330-1 to W provides each relay device operator information (operator name, address, telephone number, etc.) to the certification authority 310 offline, and the certification authority 310 relays it. The device operator information (RI _k : kε {1, 2,..., W}) is stored in the relay device operator information memory 217 of the authentication device 10 (FIG. 9). Furthermore, when the sender 320-1 (sending user) desires anonymous communication, the sender 320-1 first provides an identity verification to the certification authority 310 offline, and the certification authority 310 then confirms the approved sender 320. -1 sender information is stored in the sender information memory 211 of the authentication device 210 (FIG. 9). Thereafter, in the authentication apparatus 210, the following processing is executed.

First, in the authentication means 213, the signature generation key (SK ₀ ) and signature verification key (PK ₀ ) for the approved sender 320-1 and the signature generation for each relay device 230-1 to W (R _k ) are generated. A key (SK _k ) and a signature verification key (PK _k ) are generated (FIG. 13A: step S51). The generated signature generation key (SK ₀ , SK _k ) is sent to the authentication device output means 216, and the signature verification key (PK ₀ , PK _k ) is sent to the certificate generation means 215.
Next, in the authentication device encryption unit 214, the relay device operator information (RI _k ) of all the relay device operators 330-1 to 330-W is extracted from the sender information memory 211 and from the relay device operator information memory 217. The public key (Y) is extracted from the key memory 212. Then, the authentication device encryption unit 214 encrypts operator information each publisher information by a public key (Y) (RI _k) has been encrypted _{(ERI k = E (RI k} , Y)) to produce a (step S52).

The generated encryption operator information (ERI _k ) is sent to the certificate generation means 215. The certificate generation unit 215 receives this, receives the signature verification key (PK ₀ ) and the signature verification key (PK _k ) generated by the authentication unit 213, and extracts the secret key (SK) from the key memory 212. Then, the certificate generation unit 215, the key certificate of the signature verification key (PK ₀₎ and _{(CE 0 = (PK 0,} E (PK 0, SK)), key certificate of the signature verification key (PK _k) ( CE _k = (PK _k , E (PK _k , SK), ERI _k )) is generated (step S53), where the key certificate (CE _k ) is transferred to the relay device (R) by the public key (Y). _k ) has encrypted operator information (ERI _k ) _obtained by encrypting the operator information (RI _k ), and the generated key certificate (CE ₀ , CE _k ) is output from the authentication device. Sent to means 216.

Next, the authentication device encryption unit 214 extracts the sender information (TI) of the approved sender 320-1 from the sender information memory 211, and sends the sender information (TI) to the public key (Y ) Is generated (C ₀ = E (TI, Y)) and sent to the authentication device output means 216 (step S54).
The authentication device output means 216 outputs the signature generation key (SK ₀ ), the key certificate (CE ₀ ), and the encryption information (C ₀ ) to the transmission device 220-1, The generated key (SK _k ) and the key certificate (CE _k ) are output to each relay device 230-1 to W (R _k ) (step S 55).

Specifically, for example, the signature generation key (SK ₀ ), the key certificate (CE ₀ ), and the encryption information (C ₀ ) are output to a general-purpose recording medium (IC card or the like) for the transmission device 220-1. The signature generation key (SK _k ) and the key certificate (CE _k ) are output and recorded on a general-purpose recording medium for each of the relay devices 230-1 to W (R _k ). These portable recording media are mailed to the sender 320-1 and each relay device operator 330-1 to V.
The sender 320-1 that has received the portable recording medium for the sender 320-1 receives the signature generation key (SK ₀ ), key certificate (CE ₀ ), and encryption stored in the portable recording medium. of information _{(C 0),} the transmission device 220-1: to load to the transmitter input means 221 (FIG. 10 transmitting apparatus 220) (input) (FIG. 13 (b): step S55). The read signature generation key (SK ₀ ), key certificate (CE ₀ ), and encryption information (C ₀ ) are sent to the transmission device memory 222 and stored therein (step S56).

Each of the relay device operators 330-1 to 330-V, which has received the portable recording medium for each of the relay device operators 330-1 to 330-V, receives the signature generation key (SK) stored in the portable recording medium. _k ) and the key certificate (CE _k ) are read (input) by the relay device input means 236 of each relay device 230-1 to W (FIG. 11: relay device 230) (FIG. 13 (c): step S57 ). The read signature generation key (SK _k ) and key certificate (CE _k ) are sent to each relay device memory 237 and stored therein (step S58).

<Communication processing>
Also in this embodiment, as in the first embodiment, anonymous communication from the transmission device 220-1 to the reception device 240-1 is performed through the anonymous communication path configured by onion routing.
When starting anonymous communication, first, the sender 320-1 inputs a message (MSG) to be transmitted to the transmission device 220-1 (FIG. 10: transmission device 220), and the transmission device 220-1 This message (MSG) is stored in the message memory 223.
Next, the route setting means 226 refers to the address information of the relay devices 230-1 to 230-W stored in the route setting memory 225, and determines the relay device 230 to be interposed and its relay order (FIG. 14 (a)). ): Step S61). In this example, the relay devices 230-1 to 230-n are selected, and the relay devices 230-1, 2,. . . , N is selected. Note that n is the number of stages of the selected relay device, that is, a natural number corresponding to the relay device located at the end of the anonymous communication path.

Thereafter, the route setting unit 226, a routing memory 255, the address _(A 0) of the receiving apparatus 240-1 as a transmission partner, all relay device 230-1~W address _(A i), and the relay devices A plurality of encryption functions (E _i ) corresponding to 230-1 to 230 -W and decipherable only by the corresponding relay apparatuses 230-1 to 230 -W are extracted, and a message (MSG) is extracted from the message memory 223. Then, the path setting means 226 uses the multi-layer encryption information (H ₀ = E ₁ (A ₂ ‖E ₂ (A ₃ ‖... ‖E _n−1 (A _n ‖E) as in the _first embodiment. _n (A ₀ ‖MSG))...)) is generated (step S62).

Next, in the transmission device signature generation means 224, the signature generation key (SK ₀ ) stored in the transmission device memory 222, the encryption information (C ₀ ), and the multilayer encryption information (H ₀ ) received from the path setting means 226 Is used to generate a digital signature (S = Sig (C ₀ ‖H ₀ , SK ₀ )) between the encryption information (C ₀ ) and the multilayer encryption information (H ₀ ) (step S 63). For example, in the digital signature (S ₀ ), a flag indicating that one of the transmission apparatuses 220 has been generated is set (for use in the process of step S106 described later).
The generated digital signature (S ₀ ), multilayer encryption information (H ₀ ), and encryption information (C ₀ ) are sent to the transmission device transmission means 227. The transmitting device transmitting means 227 receives these, further extracts the key certificate (CE ₀ ) from the transmitting device memory 222, multi-layer encrypted information (H ₀ ), encrypted information (C ₀ ), digital signature (S ₀ ) and the key certificate (CE ₀ ) are transmitted through the network 260 to the first relay device 230-1 (R ₁ ) constituting the anonymous communication path (step S64).

Next, each relay device 230-i (R _i ) (i is a natural number constituting the anonymous communication path. In this example, the relay device 230-1 (i = 1) → the relay device 230-2 (i = 2). ) →... → relayed to the relay device 230-n (i = n)) sequentially performs the following processing.
First, in the relay device receiving means 232 (FIG. 11), the multilayer encrypted information (H _i-1 = E _i (A _{i + 1} ‖E _{i + 1} (A _{i + 2} ‖... E _n−1 (A _n ‖E _n ( A ₀ ‖ MSG))))), encryption information (C _i-1 ), digital signature (S _i-1 ), and key certificate (CE _i-1 ) are received (FIG. 14B). Step S71) The received multi-layer encryption information (H _i-1 ), encryption information (C _i-1 ), digital signature (S _i-1 ), and key certificate (CE _i-1 ) are: The signature verification unit 233 obtains the public key (PK) stored in the key memory 212 of the authentication device 210 online or offline, and the key certificate (CE _i-1 ). Using the same procedure as in the first embodiment, multi-layer encryption information (H _i-1) and the digital signature of the encrypted information _{(C i-1)} to _{(S i-1)} to verify (step S72).

If the verification result is unacceptable (step S73), the process ends with an error (step S74). On the other hand, if it is acceptable (step S73), the relay device encryption unit 238 receives the multi-layer encryption information (H _i-1 ), the encryption information (C _i-1 ), and the digital from the relay device reception unit 232. The signature (S _i-1 ) and the key certificate (CE _i-1 ) are acquired, the public key (Y) is acquired from the key memory 231, the multilayer encryption information (H _i-1 ) and the encryption information ( C _i-1 ), digital signature (S _i-1 ), and key certificate (CE _i-1 ) are encrypted using the public key (Y) of the unauthorized person identification device (C _i = E ( H _i-1 ‖C _i-1 ‖S _i-1 ‖CE _i-1 , Y)) is generated (step S75). The encrypted information (C _i ) generated by the relay device encryption unit 238 is sent to the relay device signature generation unit 239. It is to be noted that by setting this encrypted information as (C _i = E (H _i-1 ‖C _i-1 ‖S _i-1 ‖CE _i-1 , Y)), an unauthorized person identifying apparatus 250 that can decrypt this information. However, it becomes possible to verify whether or not each of the relay devices 230-1 to 230-W correctly generates the multilayer encryption information (H _i-1 ).

Next, the decryption means 234 extracts the decryption key (RK _i ) from the key memory 231, receives the multilayer encryption information (H _i-1 ) from the relay device reception means 232, and receives this multilayer encryption information (H _{i− 1} ) is decrypted with the decryption key (RK _i ), and the next transmission destination address (A _{i + 1} ) and the multilayer encryption information (H _i = E _{i + 1} (A _{i + 2} ‖... E _n−1 (A _n)) ‖E _n (A ₀ ‖MSG))))) is obtained (step S76).
Next, the relay device signature generation unit 239 acquires the multilayer encryption information (H _i ) from the decryption unit 234, acquires the encryption information (C _i ) from the relay device encryption unit 238, and stores it in the relay device memory 237. stored signature generation key (SK _i) using a digital signature of the bit coupling of the encrypted information _{(C i)} and multi-encrypted information _{(H i) (S i =} Sig (C i ‖H i, SK i) ) Is generated (step S77).

Repeater transmitting unit 235 receives an address from the decoding unit 234 _{(A i + 1)} and multi-encrypted information _{(H i),} the digital signature from the relay device signature generation unit 239 and the encrypted information _{(C i)} the _{(S i)} The key certificate (CE _i ) is extracted from the relay device memory 237.
And this relay apparatus transmission means 235 is the next relay apparatus 230- (i + 1) (which configures the anonymous communication path) indicated by the address (A _{i + 1} ) (when there is no next relay apparatus which configures the anonymous communication path) In the receiving apparatus 240-1), the multi-layer encryption information (H _i ) (message (MSG) when i = n), encryption information (C _i ), digital signature (S _i ), and key certificate (CE) _i ) is transmitted through the network 260 (step S78).

After the above processing is repeated and relayed to the relay device 230-1 → relay device 230-2 →... → relay device 230-n, the reception device 240-1 receives the relay device 230 in the reception device reception unit 241. The message (MSG), encryption information (C _n ), digital signature (S _n ), and key certificate (CE _n ) transmitted from _n (see FIG. 15 (a)) ): Step S81). These pieces of information are sent to the receiving device signature verification means 242.
The receiving device signature verification means 242 obtains a public key (PK) stored in the key memory 212 of the authentication device 210 online or offline, and uses this and the key certificate (CE _n ) to send a message (MSG) and The digital signature (S _n ) of the encrypted information (C _n ) is verified (step S82).
If the verification result is unsuccessful, the process ends in error (step S84). If the verification is successful, the receiving apparatus signature verifying unit 242 determines that the message (MSG), the encrypted information (C _n ), the digital The signature (S _n ) and the key certificate (CE _n ) are sent to the receiving device memory 243 and stored (step S85).

<Unauthorized person identification processing>
Next, the unauthorized person identification process in this embodiment will be described.
If the sender 120 that transmitted information to the receiver 340-1 is fraudulent, the receiver 340-1 sends, for example, an unauthorized person identification processing instruction specifying the message (MSG) to the receiver 240-1 ( FIG. 12 (a): Input to the extraction means 244 of the receiving device 240) (FIG. 15 (b): Step S91).
The extraction unit 244 receives a message (MSG), encryption information (C _n ), digital signature (S _n ), and key certificate (CE _n ) corresponding to this designation, that is, corresponding to an unauthorized person from the receiving device memory 243. Extracted and sent to the receiving device output means 245 (step S92). Then, the receiving device output unit 245 outputs these pieces of information to the unauthorized person identifying devices 250-1 to 250-1 (step S93). Specifically, for example, these messages (MSG), encryption information (C _n ), digital signature (S _n ), and key certificate (CE _n ) are stored in a portable recording medium such as an IC card. A portable recording medium is mailed to any unauthorized person identification organization 350. At this time, for example, a past log of other communication data is also stored in the portable recording medium.

Upon receiving this, the unauthorized person identification organization 350 refers to the past log recorded on the portable recording medium, determines the validity of the appeal of the receiver 340-1, and determines that it is appropriate. A message (MSG), encryption information (C _n ), digital signature (which is recorded on the portable recording medium) is stored in the unauthorized person identification device input means 252 of any unauthorized person identification device 250 (FIG. 12B). S _n ) and the key certificate (CE _n ) are input (FIG. 16: step S101).
The unauthorized person identification device input means 252 includes the public key (PK), message (MSG), encryption information (C _n ), and key certificate (CE _n ) acquired from the key memory 212 of the authentication device 210 online or offline. Is used to confirm that the digital signature (S _n ) is valid, and if it is valid, this encrypted information (C _n ) is sent to the unauthorized person identifying device decrypting means 253 (if it is not valid, an error is detected). finish.).

The unauthorized person identification device decrypting means 253 extracts the secret key distribution information (SY _m ) corresponding to the public key (Y) from the key memory 251 and outputs a plurality of other unauthorized person identification devices 250 (other unauthorized person identification organizations). The shared information (SY _j ) of the secret key is obtained from the operation of 350. Then, the unauthorized person identifying device decrypting means 253 uses these to restore the encrypted information (C _n = E (H _n-1 ‖C _n-1 ‖S _n-1 ‖CE _n-1 , Y)) by 1 (Step S102 in p = n-1), multi-layer encryption information (H _n-1 ), encryption information (C _n-1 ), digital signature (S _n-1 ), and key certificate (CE _{n- 1} ) is obtained.

These are sent to the relay fraud search means 254. The relay fraud search means 254 uses the public key (PK) and the key certificate (CE _n-1 ), and the encrypted information (C _n-1 ) and the multi-layer encryption. The digital signature (S _n-1 ) of the information (H _n-1 ) is verified (step S103 when p = n-1).
Here, the verification result is rejected when the relay device 230-n that generated the encrypted information (C _n ) performs an illegal process. Therefore, when the verification result is rejected (step S104), the relay fraud search unit 254 extracts the secret key distribution information (SY _m ) corresponding to the public key (Y) from the key memory 251 and others. The secret key distribution information (SY _j ) is acquired from the plurality of unauthorized person identification devices 250 of the above, and using them, the encryption operator information (ERI _n ) included in the key certificate (CE _n ) is decrypted and operated. User information (RI _n ) is obtained, and the relay device operator 330-n that has performed this unauthorized processing is specified (step S105 when p = n−1).

On the other hand, if the verification result is acceptable (step S104), whether or not p = 0 (that is, the digital signature obtained by the decryption in step S102 is one of the transmission devices 220-1 to X). Whether or not the digital signature (S ₀ ) is attached. This is determined, for example, based on whether or not a flag (see step S63) indicating that any of the transmission apparatuses 220-1 to 220-X is attached to the digital signature is set. If p = 0 is not satisfied (step S106), the process returns to step S102 and the same process is repeated. When it is determined that p = 0 in the process of step S106 (when all the verification results in the relay fraud search unit 254 are passed), the relay fraud search unit 254 determines that the encrypted information (C ₀ ), digital signature (S ₀ ) and the key certificate (CE ₀ ) are sent to the unauthorized sender identification means 255. Receiving this, the unauthorized sender identifying means 255 extracts the secret key distribution information (SY _m ) corresponding to the public key (Y) from the key memory 251, and secret keys from the other unauthorized person identifying devices 250. the acquired shared information (SY _j), using these, to decrypt the encrypted information _{(C 0),} obtains the sender information corresponding to the key certificate (CE ₀₎ (TI) (step S107). Thereby, the personal information of the sender 320-1 who is an unauthorized person can be obtained.

That is, in this unauthorized person identifying process, the unauthorized person identifying device decrypting means 253 sequentially decrypts the encrypted information (C _n ), and the encrypted information (C _p ), the digital signature (S _p ), and the key certificate (CE). _p ) (p is an integer between 0 and less than n) (step S102), and the relay fraud search means 254 verifies the digital signature (S _p ) with the key certificate (CE _p ) (step S103). When the verification result is unsuccessful, the encryption operator information (ERI _{p + 1} ) included in the key certificate (CE _{p + 1} ) is decrypted to obtain the operator information (RI _{p + 1} ) (step S105), and the relay fraud search If the verification of the unit 254 was passed all, in the unauthorized sender identifying unit 255, decrypts the encrypted information (C _0), obtains the sender information (TI) (step 107).

<Features of this embodiment>
In this embodiment, the authentication device 210 outputs the signature generation key (SK ₀ ), key certificate (CE ₀ ), and encryption information (C ₀ ) to the transmission device 220-1 as offline pre-processing. The signature generation key (SK _k ) and the key certificate (CE _k ) are output to each relay device 230-1 to 230 -W, and these pieces of information are transmitted to the transmission device 220-1 and each relay device 230-1. Stored in ~ W. Accordingly, it is not necessary for the transmission devices 220-1 to X to access the authentication device 210 every time communication processing is performed, and concentration of access to the authentication device 210 can be suppressed.

Further, the sender 320-1 uses the transmission device 220-1, attaches a digital signature (S) to the message (MSG), attaches a digital signature (S ₀ ) to the encrypted information (C ₀ ), and Is transmitted to the receiving device 240-1 through an anonymous communication path configured by onion routing. As a result, the anonymity of the sender 320-1 is maintained and the validity of the message is guaranteed.
Further, since the relay device 230-1 to W in the transmission process verifies the digital signature (S, S _i-1 ), the relay device 230-1 to W acts as a proxy for the authentication device 210. Become. As a result, the same authentication effect as that obtained via the authentication device 210 during communication can be obtained. If there are a plurality of relay apparatuses 230-1 to 230 -W, generally the effect of access distribution can be expected.

In addition, when the sender 320-1 is fraudulent, the fraudster specifying device 250 decrypts the encrypted information (C ₀ ) and specifies the sender 320-1 who has performed the fraud. Thereby, an unauthorized person can be specified.
In this embodiment, in the unauthorized person identification process, the relay fraud search unit 254 verifies the digital signature (S _p ) with the key certificate (CE _p ) (step S103), and the verification result is unacceptable. In this case, the encryption operator information (ERI _{p + 1} ) included in the key certificate (CE _{p + 1} ) is decrypted to obtain the operator information (RI _{p + 1} ) (step S105). As a result, even if an unauthorized process is performed in the relay device 230 and an unauthorized sender 320-1 cannot be identified, the presence of such an unauthorized relay device 230 can be detected. A relay device 230 can be identified.

Furthermore, in this embodiment, since encryption information (C ₀ ) and encryption operator information (ERI _k ) are generated by threshold encryption, a plurality of specific devices 250-1 to 250 -V must cooperate. These cannot be decrypted. As a result, it is possible to suppress a situation in which the encryption information (C ₀ ) or the encryption operator information (ERI _k ) is illegally decrypted and the privacy of the sender or the relay device operator is leaked.
Needless to say, the present invention is not limited to the above-described embodiment, and can be modified as appropriate without departing from the spirit of the present invention. For example, the above embodiment may be subjected to a key certificate falsification prevention process in the relay apparatus described in Patent Document 1. As a result, it is possible to prevent a situation in which the key certificate is tampered with in the relay device and the unauthorized person cannot be identified. In addition, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary.

Further, when each configuration in each of the above-described embodiments is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.
The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory. Specifically, for example, the magnetic recording device may be a hard disk device or a flexible Discs, magnetic tapes, etc. as optical disks, DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), etc. As the magneto-optical recording medium, MO (Magneto-Optical disc) or the like can be used, and as the semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like can be used.

The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads the program stored in its own recording medium and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  According to the present invention, for example, in a field where anonymous communication such as an electronic auction is performed, it is possible to specify a user who abuses this anonymity (for example, a user who does not pay a fee and only runs away with a product). It becomes possible.

The figure which illustrated the composition of the anonymous communications system in a 1st embodiment. FIG. 2A is a block diagram illustrating the configuration of an authentication device according to the first embodiment. FIG. 5B is a block diagram illustrating a configuration of a transmission device. FIG. 4A is a block diagram illustrating a configuration of a relay device. FIG. 5B is a block diagram illustrating a configuration of a receiving device. The flowchart for demonstrating the pre-processing in 1st Embodiment. The flowchart for demonstrating the transmission process in 1st Embodiment. The conceptual diagram for demonstrating the transmission process in 1st Embodiment. The flowchart for demonstrating the unauthorized person identification process in 1st Embodiment. The figure which illustrated the composition of the anonymous communications system in a 2nd embodiment The block diagram which illustrated the composition of the authentication device in a 2nd embodiment. The block diagram which illustrated the composition of the transmitting device in a 2nd embodiment. The block diagram which illustrated the composition of the relay device in a 2nd embodiment. (A) is the block diagram which illustrated the composition of the receiving device in a 2nd embodiment. FIG. 5B is a block diagram illustrating the configuration of an unauthorized person identification device. The flowchart for demonstrating the pre-processing in 2nd Embodiment. The flowchart for demonstrating the transmission process in 2nd Embodiment. (A) is a flow chart for explaining transmission processing in a 2nd embodiment. FIG. 6B is a flowchart for explaining an unauthorized person identification process according to the second embodiment. The flowchart for demonstrating the unauthorized person identification process in 2nd Embodiment.

Explanation of symbols

1,200 Anonymous communication system 10,210 Authentication device 20,220 Transmission device 30,230 Relay device 40,240 Reception device 250 Unauthorized person identification device

Claims (13)

As pre-processing,
In the authentication unit of the authentication device, the signature generation key for the sender (SK ₀₎ and the signature verification key _(PK 0), and each relay device signature generation key for _{(R k)} (SK _k) and the signature verification key _(PK k) (K is a natural number)
In the certificate generating means of the authentication device, the public of the signature key certificate of the verification key (PK ₀₎ and (CE _0), key certificate of the signature verification key _{(PK k) (CE k)} ( unauthorized user identification device And encryption operator information (ERI _k ) _obtained by encrypting the operator information (RI _k ) of the relay device (R _k ) with the key (Y).
The authentication device encryption means generates encrypted information (C ₀ = E (TI, Y)) obtained by encrypting the sender information (TI) using the public key (Y) of the unauthorized person specifying device,
In the authentication device output means, the signature generation key (SK ₀ ), the key certificate (CE ₀ ), and the encryption information (C ₀ ) are output to the transmission device, and the signature generation key (SK _k ) And the key certificate (CE _k ) to each relay device (R _k ),
In the transmission device memory, the signature generation key (SK ₀ ), the key certificate (CE ₀ ), and the encryption information (C ₀ ) are stored.
In the relay device memory, the signature generation key (SK _k ) and the key certificate (CE _k ) are stored,
As communication processing,
The transmitter signature generation unit, using the transmission apparatus memory stored the signature generation key (SK _0), generates a digital signature of the encrypted information _{(C 0) (S 0)} ,
In the transmitting device transmitting means, the encrypted information (C ₀ ), the digital signature (S ₀ ), and the key certificate (CE ₀ ) are transmitted to the first relay device (R ₁ ) constituting the anonymous communication path. And
In the relay device receiving means of each relay device (R _i ) (i is a natural number) constituting the anonymous communication path, the encrypted information (C _i-1 ), the digital signature (S _i-1 ), and the key certificate (CE _i-1 )
The relay device signature verification means verifies the digital signature (S _i-1 ) using the key certificate (CE _i-1 ),
If the verification result of the digital signature (S _i-1 ) is successful, the encryption information (C _i-1 ), the digital signature (S _i-1 ), and the key certificate ( CE _i-1 ) is encrypted with the public key (Y) of the unauthorized person identifying device to generate encrypted information (C _i ),
In the relay device signature generation unit, using the relay device memory stored the signature generation key (SK _i), it generates a digital signature of the encrypted information _{(C i) (S i)} ,
In the relay device transmitting means, the encrypted information (C _i ), the digital signature (S _i ), and the key certificate (CE _i ) stored in the relay device memory are used to configure the anonymous communication path. To the relay device (reception device if there is no next relay device constituting the anonymous communication path),
In the receiving device receiving means, the encrypted information (C _n ), the digital signature (S _n ), and the key certificate (CE _n ) (n is transmitted at the end of the anonymous communication path) transmitted through the anonymous communication path. Natural number corresponding to the relay device that is located)
The receiving device signature verification means verifies the digital signature (S _n ) using the key certificate (CE _n ),
When the verification result of the digital signature (S _n ) is passed, the encrypted information (C _n ) is stored in the receiving device memory,
As an unauthorized person identification process,
If the unauthorized user identification process instruction for specifying the encrypted information (C _n) corresponding to the unauthorized person is input to the extracting means of the receiving apparatus, the extraction means of the receiving apparatus, from the reception device memory, Extract the encrypted information (C _n ) corresponding to the unauthorized person,
In the receiving device output means, the encrypted information (C _n ) is output to the unauthorized person identifying device,
In the unauthorized person identifying device decrypting means, the encrypted information (C _n ) is sequentially decrypted, and the encrypted information (C _p ), the digital signature (S _p ), and the key certificate (CE _p ) (p is 0). And an integer less than n)
In the relay fraud search means of the unauthorized person identification device, the digital signature (S _p ) is verified by the key certificate (CE _p ), and if the verification result is unacceptable, the key certificate (CE _{p + 1} ) Decrypts the encryption operator information (ERI _{p + 1} ) possessed by the client to obtain the operator information (RI _{p + 1} ),
When all the verification results in the relay fraud search means are acceptable, the unauthorized sender identification means of the unauthorized person identification device decrypts the encrypted information (C ₀ ) and obtains the sender information (TI). ,
An anonymous communication method characterized by that. An anonymous communication method according to claim 1 ,
The public key (Y) of the unauthorized person identification device is
It is a public key of a threshold encryption method that can be decrypted only when each shared information stored in a plurality of unauthorized person identification devices is used more than a certain threshold number .
An anonymous communication method characterized by that.   An authentication device, a transmission device, a relay device, a reception device, and an unauthorized person identification device;
  The authentication device
  Signature generation key for the sender (SK ₀ ) And signature verification key (PK) ₀ ), And each relay device (R _k Signature generation key (SK) _k ) And signature verification key (PK) _k ) (K is a natural number)
  The signature verification key (PK ₀ ) Key certificate (CE) ₀ ) And the signature verification key (PK) _k ) Key certificate (CE) _k ) (Relay device (R _k ) Operator information (RI _k ) Encryption operator information (ERI) _k ). ) And a certificate generation means for generating
  Using the public key (Y) of the unauthorized person identification device, the encrypted information (C ₀ = E (TI, Y)) for generating authentication device encryption means;
  The signature generation key (SK ₀ ), The above key certificate (CE ₀ ) And the encrypted information (C ₀ ) To the transmitting device, and the signature generation key (SK) _k ) And key certificate (CE) _k ) For each relay device (R _k Authentication device output means for outputting to
  The transmitting device transmits the signature generation key (SK). ₀ ), The above key certificate (CE ₀ ) And the encrypted information (C ₀ ) Having a transmitter memory for storing
  The relay device transmits the signature generation key (SK _k ) And key certificate (CE) _k A relay device memory for storing
  The transmitter is
  The signature generation key (SK) stored in the transmitter memory ₀ ) And the encrypted information (C ₀ ) Digital signature (S ₀ Transmitting device signature generating means for generating
  The encryption information (C ₀ ) And the above digital signature (S ₀ ) And key certificate (CE) ₀ ) And the first relay device (R ₁ And a transmitting device transmitting means for transmitting to
  Each relay device (R _i ) (I is a natural number)
  Encryption information (C _i-1 ) And the above digital signature (S _i-1 ) And key certificate (CE) _i-1 ) To receive the relay device;
  The above key certificate (CE _i-1 ) And the digital signature (S _i-1 ) For verifying the relay device signature,
  Digital signature (S _i-1 ) If the verification result is passed, the encryption information (C _i-1 ) And digital signature (S _i-1 ) And key certificate (CE) _i-1 ) Is encrypted with the public key (Y) of the unauthorized person identification device (C) _i Relay device encryption means for generating)
  The signature generation key (SK) stored in the relay device memory _i ) And the encrypted information (C _i ) Digital signature (S _i Relay device signature generating means for generating
  The encryption information (C _i ) And the above digital signature (S _i ) And the key certificate (CE) stored in the relay device memory _i Relay device transmitting means for transmitting to the next relay device that constitutes the anonymous communication path (or the receiving device if there is no next relay device that constitutes the anonymous communication path),
  The receiving device is
  The encrypted information transmitted through the anonymous channel (C _n ) And the above digital signature (S _n ) And key certificate (CE) _n ) (N is a natural number corresponding to the relay device located at the end of the anonymous communication path)
  The above key certificate (CE _n ) And the digital signature (S _n Receiving device signature verification means for verifying
  Digital signature (S _n ) Verification result is passed, the encryption information (C _n ) Is stored in the receiver memory;
  The above encrypted information (C _n ) Is input from the receiving device memory, the encrypted information (C _n Extraction means for extracting)
  The encrypted information (C _n And a receiving device output means for outputting to the unauthorized person identifying device,
  The unauthorized person identification device
  The encryption information (C _n ) In order, and the encrypted information (C _p ) And the above digital signature (S _p ) And key certificate (CE) _p ) (P is an integer less than or equal to 0 and less than n)
  Digital signature (S _p ) For the key certificate (CE) _p ), And if the verification result fails, the key certificate (CE _{p + 1} Encryption operator information (ERI) _{p + 1} ) And its operator information (RI _{p + 1} Relay fraud search means for
  If all the verification results in the relay fraud search means are acceptable, the encrypted information (C ₀ ) And unauthorized sender identification means for obtaining the sender information (TI).
  An anonymous communication system characterized by that. The authentication apparatus of the anonymous communication system of Claim 3 . The transmission device of the anonymous communication system according to claim 3 . The relay apparatus of the anonymous communication system of Claim 3 . The receiving device of the anonymous communication system according to claim 3 . The unauthorized person identification device of the anonymous communication system according to claim 3 . A program for causing a computer to function as the authentication device according to claim 4 . A program for causing a computer to function as the transmission device according to claim 5 . A program for causing a computer to function as the relay device according to claim 6 . A program for causing a computer to function as the receiving device according to claim 7 . A program for causing a computer to function as the unauthorized person identification device according to claim 8 .

Images