JP4576341B2 - Management device, communication device, communication information search device, system thereof, method thereof and program thereof - Google Patents

Description

  The present invention relates to application of information security technology, and more particularly to communication technology using automatic recognition technology.

In recent years, wireless tag systems using automatic tag recognition technology such as RFID (Radio Frequency Identification) have been introduced. This system is composed of a tag device that is a small information recording medium, a reader device that is a reader, and a server device that manages a database, and is used for logistics management and the like. The main points of this technique are shown below.
[Processing of tag device]
The tag device transmits an ID unique to each tag device to the reader device by wireless communication.
[Processing of reader device]
The reader device reads the ID from the tag device by wireless communication, and obtains distribution information of the tag device by inquiring to the database of the server device using the ID.
[Server device processing]
The server device manages a database of IDs and physical distribution information of each tag device, and replies to inquiries by ID from the reader device.

As a typical example of such a technique, the output value of the tag device is changed for each output by a hash chain to prevent the tag device from being traced. There is a method for protecting privacy (for example, see Non-Patent Document 1).
In this method, a secret value s _i corresponding to each ID is stored in the memory of each tag device. In response to the call from the reader device, the tag device outputs the hash value G (s _i ) of the secret value s _i of the memory as an output value. At that time, the tag device reads the secret value s _i from the memory, and overwrites and updates the secret value in the memory with the hash value H (s _i ). On the other hand, the server device holds a correspondence database of IDs and secret values s _i corresponding to the respective tag devices. Then, the server device searches the brute force to determine whether the output value from the tag device matches the hash chain value of the secret value s _i , and determines an ID corresponding to the output value.

In the case of this method, every time the tag device outputs an output value, the secret value in the memory is overwritten and updated. Therefore, the output values of the tag device differ for each output, and these output values appear to the attacker as simple random numbers. Even if the attacker acquires the secret value stored in the memory by tamper or the like, the updated secret value does not correspond to the output value transmitted from the tag device before the update. This update is performed by applying a hash function to the secret value. From the one-way property of the hash function, it is difficult to obtain the secret value before update from the secret value at a certain time. Therefore, the attacker cannot know the correspondence between the tag device and the communication history. Thereby, tracking of the tag device can be prevented.
Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita, Cryptographic Approach to "Privacy-Friendly" Tags, RFID Privacy Workshop, November 2003.

However, in the case of the method of Non-Patent Document 1, there is a problem that the old database administrator can track the tag device even after the database administrator of the server device has changed. That is, in the case of the method of Non-Patent Document 1, the old database administrator knows the ID and secret value corresponding to each tag device. Therefore, the old database manager can track the tag device even after another person becomes the database manager.
A similar problem occurs when the owner of the tag device can know the secret value stored in the memory. That is, in this case, even after the old owner has transferred the tag device to another person, the value output from the tag device can be easily obtained thereafter. Therefore, this old owner can track the tag device after transfer.

Such a problem is not limited to the wireless tag system using the tag automatic recognition technology, but is common to a system that automatically recognizes communication information updated by a one-way function. And such a problem originates in that once the handling authority of communication information is given, the authority cannot be restrict | limited after that.
The present invention has been made in view of such points, and in a system for automatically recognizing communication information updated by a one-way function, a technique for protecting privacy by limiting the authority to handle communication information. The purpose is to provide.

  In order to solve the above-described problems, the present invention provides a management apparatus that grants the right to handle communication information updated by a one-way function. The management apparatus includes a secret value table storage unit that stores a secret value table in which an identifier and a first secret value are associated with each other, and information for specifying a one-way function as a node. Node selection that selects nodes from tree structure data in which the sex function is different from each other, and the composite map of the one-way function corresponding to the parent node and the predetermined one-way function becomes the one-way function corresponding to the child node A one-way function extracting unit that extracts a one-way function corresponding to the node selected by the node selecting unit, and a one-way function extracted by the one-way function extracting unit is applied to the first secret value. A unidirectional function calculation unit that generates a unidirectional function value, an authority information generation unit that generates authority information including the unidirectional function value, and an authority information output unit that outputs authority information. The “information for specifying the one-way function” of the tree structure data includes information that the corresponding one-way function does not exist [the one-way function is empty (for example, corresponding to the root node)]. Including.

  Here, the one-way function value included in the authority information is a value obtained by applying the one-way function to the first secret value, and this one-way function corresponds to one of the nodes of the tree structure data. To do. The one-way functions corresponding to the nodes of the tree structure data satisfy the condition that “one-way functions corresponding to sibling nodes are different from each other”. In addition, the one-way function corresponding to the node of the tree structure data is the one-way function corresponding to the child node is “the composite map of the one-way function corresponding to the parent node and the predetermined one-way function”. To satisfy the relationship. Therefore, the value obtained by sequentially applying the one-way function to the one-way function value included in the authority information is a descendant of the “node corresponding to the one-way function used to generate the one-way function value”. Only a value obtained by causing the one-way function corresponding to the node to act on the first secret value. That is, from this authority information alone, the one-way function corresponding to the ancestor node, sibling node, or descendant node of the sibling node of this “node corresponding to the one-way function used to generate the one-way function value”. Cannot be obtained by acting on the first secret value. Based on the characteristics of the tree structure data and the nature of the one-way function. As a result, the one-way function corresponding to the descendant node of the node corresponding to the one-way function used for generating the one-way function value is applied to the first secret value to the person who has been given the authority information. The authority to handle only the communication information obtained from the determined values is given.

  In the present invention, preferably, the authority information is information for giving an authority to generate communication information. This authority information is given to a communication device (for example, a tag device) that outputs communication information updated by a one-way function. The communication device causes the one-way function corresponding to the descendant node of the node corresponding to the one-way function used for generating the one-way function value included in the given authority information to act on the first secret value. Only communication information obtained from values can be generated.

  In the present invention, preferably, the authority information is information for granting a search authority for communication information, and includes a one-way function value and an identifier corresponding to the first secret value used for the generation. This authority information is given to a communication information search device (for example, the aforementioned server device) that identifies an identifier corresponding to the communication information updated by the one-way function. The communication information search apparatus applies a one-way function corresponding to a descendant node of a node corresponding to the one-way function used for generating the one-way function value included in the granted authority information to the first secret value. Only communication information obtained from the determined values can be searched.

  Preferably, in the present invention, the authority information generation unit generates authority information for granting communication information search authority and authority information for granting communication information generation authority, and searches for communication information. The authority information for assigning includes a one-way function value and an identifier corresponding to the first secret value used for generating the one-way function value. Here, the authority information for granting the search authority for the communication information is given to the communication device that outputs the communication information updated by the one-way function. Further, the authority information for giving the authority to generate communication information is given to the communication information searching apparatus that identifies the identifier corresponding to the communication information updated by the one-way function.

Preferably, in the present invention, the secret value table is a table in which the identifier, the first secret value, and the second secret value are associated with each other, and the authority information generation unit includes the one-way function value, the second secret value, and the like. Generate authority information including.
In addition, the communication device of the present invention includes a generation authority information storage unit that stores authority information (including a one-way function value) output from the management device, and a one-way function read from the generation authority information storage unit. A communication information generation unit that generates a communication information by causing a predetermined one-way function to act on information including a value, and a communication information output unit that outputs the communication information. The communication device causes the one-way function corresponding to the descendant node of the node corresponding to the one-way function used for generating the one-way function value included in the given authority information to act on the first secret value. Only communication information obtained from values can be generated.

  In addition, the communication information search device of the present invention stores a search for storing authority information (including a one-way function value and an identifier corresponding to the first secret value used for generation thereof) output from the management device. An authority information storage unit, an input unit that receives input of communication information, a search value generation unit that generates a search value obtained by applying a predetermined unidirectional function to information including the unidirectional function value of the authority information, and communication It has a comparison part which judges whether information and a search value correspond, and an extraction part which extracts an identifier corresponding to a search value which matched communication information from a search authority information storage part. The communication information search apparatus applies a one-way function corresponding to a descendant node of a node corresponding to the one-way function used for generating the one-way function value included in the granted authority information to the first secret value. Only communication information obtained from the determined values can be searched.

  In the present invention, in a system that automatically recognizes communication information updated by a one-way function, it is possible to limit the authority to handle communication information and protect privacy.

The best mode for carrying out the present invention will be described below with reference to the drawings.
[First Embodiment]
First, a first embodiment of the present invention will be described.
In this embodiment, authority information for granting communication information generation authority is given to the tag device, authority information for giving communication information search authority is given to the server device, and the communication information generation range of the tag device and the server In this mode, the search range of the device is limited. The details will be described below.
<Overall configuration>
FIG. 1 is a conceptual diagram showing an overall configuration of a tag communication system 1 according to the first embodiment.

  As illustrated in FIG. 1, the tag communication system 1 includes a management server device 10 (corresponding to “management device”), a tag device 20 (corresponding to “communication device”), and a server device 40 (“communication information search device”). The reader device 60, the writer device 70, and the network 80. The server device 40 and the reader device 60, the management server device 10 and the server device 40, and the management server device 10 and the writer device 70 are respectively connected to the Internet or the like. Communication is possible through the network 80. Although only one tag device 20 is illustrated in FIG. 1, there are actually k tag devices 20 (k is a natural number). 1 illustrates one management server device 10, server device 40, reader device 60, and writer device 70, respectively, the management server device 10, server device 40, reader device 60, and writer device 70 are illustrated. The number of may be more than this.

<Configuration of Management Server Device 10>
FIG. 2 is a block diagram illustrating a functional configuration of the management server device 10 according to the first embodiment.
As illustrated in FIG. 2, the management server device 10 includes a memory 11, a random number generation unit 12, a node selection unit 13, a one-way function extraction unit 14, a one-way function calculation unit 15, an authority information generation unit 16, an authority. An information output unit 17, a control unit 18, and a temporary memory 19 are included. Here, the memory 11 includes storage units 11a to 11g that are areas for storing data, and the storage unit 11a corresponds to a “secret value table storage unit”.

  The management server device 10 is, for example, a publicly known device in which a central processing unit (CPU), a random access memory (RAM), a read only memory (ROM), an external storage device such as a hard disk, and a communication device such as a LAN card are connected via a bus. This is configured by causing a Neumann computer to execute a predetermined program. In this case, the memory 11 and the temporary memory 19 correspond to a register, a RAM, an external storage device or the like or a storage area in which they are combined. Data stored in the memory 11 and the temporary memory 19 will be described later. The random number generation unit 12, the node selection unit 13, the one-way function extraction unit 14, the one-way function calculation unit 15, and the authority information generation unit 16 correspond to a CPU in which a predetermined program is read. Further, the authority information output unit 17 corresponds to a communication device that is driven under the control of the CPU loaded with a predetermined program.

In addition, the management server device 10 executes each calculation process under the control of the control unit 18. Unless otherwise specified, each data is stored in the temporary memory 19 one by one as appropriate and used for each process. 2 indicate the flow of data, but the description of the flow of data input to and output from the control unit 18 and the temporary memory 19 is omitted.
<Configuration of Tag Device 20>
FIG. 3 is a block diagram illustrating a functional configuration of the tag device 20 according to the first embodiment.
As illustrated in FIG. 3, the tag device 20 includes a memory 21, a communication information generation unit 22, a communication information output unit 23, an update unit 24, a counter 25, an input unit 26, a writing unit 27, a count initialization unit 28, A memory 29 and a control unit 30 are included. Here, the memory 21 includes storage units 21a to 21d, and the storage units 21a and 21b correspond to “generation authority information storage units”. The data stored in the memory 21 will be described later.

  The memory 21 and the temporary memory 29 are readable / writable memories such as EEPROM (Electronically Erasable and Programmable Read Only Memory), FeRAM (Ferroelectric Random Access Memory), flash memory, NV (Nonvolatile) RAM, and the like. The communication information generation unit 22, the update unit 24, the counter 25, the count initialization unit 28, and the control unit 30 are, for example, an integrated circuit that executes each process or a CPU loaded with a predetermined program. The input unit 26 and the communication information output unit 23 are hardware for inputting and outputting data, respectively. For example, the input unit 26 and the communication information output unit 23 include an encoding / decoding circuit that performs encoding / decoding by NRZ code, Manchester encoding, mirror code, unipolar RZ encoding, etc., ASK (Amplitude Shift Keying) , PSK (Phase Shift Keying), FSK (Frequency Shift Keying), etc., modulation / demodulation circuits that perform modulation / demodulation, dipole antennas, microstrip antennas, loop coils, cored coils, etc. This is hardware that transmits and receives signals using the frequency of Science Medical band. The writing unit 27 is hardware that reads and writes data from and to the memory 21 under the control of the control unit 30.

In addition, the tag device 20 executes each process under the control of the control unit 30. Unless otherwise specified, each data is stored in the temporary memory 29 one by one as appropriate and used for each process. Also, the arrows in FIG. 3 indicate the flow of data, but the description of the flow of data input to and output from the control unit 30 and the temporary memory 29 is omitted.
<Configuration of Server Device 40>
FIG. 4 is a block diagram illustrating a functional configuration of the server device 40 according to the first embodiment.

As illustrated in FIG. 4, the server device 40 includes a memory 41, an input unit 42, a writing unit 43, counters 44 and 45, a search value generation unit 46, a comparison unit 47, an extraction unit 48, an output unit 49, and a control unit 50. And a temporary memory 51.
The server device 40 is configured, for example, by causing a known Neumann computer connected to an external storage device such as a CPU, RAM, ROM, and hard disk, or a communication device such as a LAN card by a bus to execute a predetermined program. . In this case, the memory 41 and the temporary memory 51 correspond to a register, a RAM, an external storage device or the like or a storage area in which these are combined. The data stored in these memory 41 and temporary memory 51 will be described later. Further, the counters 44 and 45, the search value generation unit 46, the comparison unit 47, and the control unit 50 correspond to a CPU into which a predetermined program has been read. Furthermore, the input unit 42 and the output unit 49 correspond to a communication device that is driven under the control of the CPU in which a predetermined program is read. The writing unit 43 and the extracting unit 48 correspond to hardware that reads / writes data from / to the memory 41 under the control of the CPU that has read a predetermined program.

In addition, the server device 40 executes each process under the control of the control unit 50. Further, unless explicitly indicated, each data is stored in the temporary memory 51 one by one as appropriate and used for each process. Further, the arrows in FIG. 4 indicate the flow of data, but the description of the flow of data input to and output from the control unit 50 and the temporary memory 51 is omitted.
<Configuration of Reader Device 60>
The reader device 60 is, for example, an external storage device such as a CPU, RAM, ROM, and hard disk, a communication device that wirelessly communicates signals with the tag device 20, and a known Neumann computer that is connected to a communication device such as a LAN card via a bus. It is configured by executing a predetermined program.

<Configuration of Writer Device 70>
The writer device 70 is, for example, an external storage device such as a CPU, RAM, ROM, and hard disk, a communication device that wirelessly communicates signals with the tag device 20, and a known Neumann computer that is connected to a communication device such as a LAN card via a bus. It is configured by executing a predetermined program.
<Pretreatment>
Next, preprocessing for operating the tag communication system 1 of this embodiment will be described.

[Preprocessing for Management Server Device 10]
First, the identifier id _m (mε [0, k−1]) corresponding to each tag device 20 is used as the data in the column 101 of the secret value table 100 and stored in the storage unit 11 a of the memory 11 of the management server device 10. [0, k-1] means a set of integers from 0 to k-1. Next, the random number generation unit 12 of the management server device 10 uses the generated pseudo-random number, and for each m, a secret value s _{chain, m} (corresponding to a “second secret value”) and a secret value t _{tree, m} (Corresponding to “first secret value”), and associating them with the identifier id _m as data in the columns 102 and 103 of the secret value table 100, respectively, and storing them in the storage unit 11a of the memory 11 of the management server device 10 To do. The secret value s _{chain, m} , t _{tree, m} is expressed in binary L bits (s _{chain, m} , t _{tree, m} ε {0,1} ^L ).

Further, the two hash functions F ₀ and F ₁ which are one-way functions are stored in the storage unit 11 d of the memory 11 of the management server device 10. The hash functions F ₀ and F ₁ are unidirectional mappings of {0, 1} ^L → {0, 1} ^L , and examples thereof include SHA-1.
Furthermore, the information for specifying the one-way function is a node, the one-way functions corresponding to the sibling nodes are different from each other, and the composite map of the one-way function corresponding to the parent node and the predetermined one-way function Is stored in the storage unit 11b of the memory 11 of the management server device 10 as a one-way function corresponding to the child node. The configuration of the tree structure data 110 is not limited, but in the example of this embodiment, the binary tree data having a depth d in which the following character strings are associated with each node is used as the tree structure data 110.

(a) The root node is an empty character string φ∈ {0, 1} ⁰ .
(b) A node having a depth d ′ (d′ ∈ [1, d]) is a character string ω∈ {0,1} ^{d ′} expressed in binary d ′ bits.
(c) When a node of depth d ′ is a character string ω∈ {0,1} ^{d ′} , its left child node is ω | 0∈ {0,1} ^{d ′ + 1} and the right child The node is ω | 1∈ {0,1} ^{d ′ + 1} . Note that ω | 0 means bit combination of the character string ω and 0.
(d) The leaf node character string ωε {0,1} ^d corresponds to the integer i.

(e) The hash function _Fω corresponds to the character string ω of each node. The hash function F _ω is a hash function F ₀ , F ₁ corresponding to each bit of the character string ω expressed in binary (the hash function F ₀ corresponds to the bit “0”, and the bit “1” corresponds to the bit “1”). the hash function F ₁ is a composite map of the corresponding). Note that this composite mapping is a mapping in which corresponding hash functions are applied in the order from the most significant bit of the character string ω to the least significant bit. For example, ω = ab ... z if a (a, b, ..., z∈ {0,1}), the hash function F _omega, the synthetic mapping _{F ω = F z ... F b} F a.

FIG. 5 is a diagram illustrating such tree structure data 110. FIG. 5 shows an example when d = 3. The tree structure data 110 in the example of FIG. 5 includes nodes 112a to 112p, and each of the nodes 112a to 112p satisfies the above-described conditions (a) to (d). Also, FIG. 6 shows a one-way function tree data 120 is tree-structured data in which the hash function F _omega and node 122a~122p for each node 112a~112p of the tree structure data 110 illustrated in FIG. 5 FIG. Each of the nodes 122a to 122p satisfies the above-described condition (e). Although there is no particular limitation on the method of mounting the tree structure data 110 in the storage unit 11b, in this embodiment, a table in which a list of pointers of child nodes is associated with each node is the tree structure data 110. In this case, as illustrated in FIG. 2, the tree structure data 110 includes a column 111 indicating a pointer “p” corresponding to each node and a column 112 indicating a character string “ω (or φ)” corresponding to each node. And columns 113 and 114 respectively indicating the pointers “p ₁ ” and “p ₂ ” corresponding to the child nodes of each node.

[Preprocessing for Tag Device 20]
As preprocessing for the tag device 20, the hash functions F ₀ and F ₁ described above are stored in the storage unit 21 c of the memory 21 of each tag device 20. Further, the communication information generation unit 22 and the update unit 24 make it possible to use hash functions H and G, which are one-way functions, respectively. For this purpose, for example, the hash functions H and G may be incorporated in a program that realizes the communication information generation unit 22 and the update unit 24, or the hash functions H and G are stored in an area not shown in the memory 21. You may keep it. Note that the hash functions H and G are unidirectional mappings of {0, 1} ^* → {0, 1} ^L , and examples thereof include SHA-1. Note that {0, 1} ^* indicates a binary bit having an arbitrary bit length. In addition, the count initialization unit 28 makes available the value d indicating the depth of the tree structure data 110 described above. For this purpose, for example, the value d may be incorporated into a program that implements the count initialization unit 28, or the value d may be stored in an area (not shown) of the memory 21.

[Pre-processing for server device 40]
As preprocessing for the server device 40, the hash functions F ₀ and F ₁ described above are stored in the storage unit 41b of the memory 41 of the server device 40. In addition, the search value generation unit 46 makes it possible to use hash functions H and G that are one-way functions. Further, the counter 45 makes available a value d indicating the depth of the tree structure data 110 described above.
<Authorization process>
Next, the authority grant process performed by the management server device 10 will be described. In this embodiment, authority information for granting communication information generation authority is given to each tag device 20, and authority information for giving communication information search authority is given to the server device 40.

[Communication information generation authority assignment processing]
FIG. 7 is a flowchart for explaining communication information generation authority grant processing according to the first embodiment. Hereinafter, communication information generation authority grant processing according to this embodiment will be described with reference to FIG.
First, the node selection unit 13 selects a node ω (denoted as “ω _T ”) from the tree structure data 110 stored in the storage unit 11b of the memory 11, and stores this in the storage unit 11c (step S1). . This selection is performed based on the input value, for example. For example, the administrator of the management server device 10 specifies an ancestor node of the leaf node corresponding to the integer i in the range to which the authority to generate communication information is to be granted, and inputs information for specifying this node (not shown) ) inputted from the node selection unit 13 selects a node corresponding to the input information as a node omega _T. As another form, it may be performed in the order determined in advance to choose for this node omega _T. Further, the node ω _T may be different for each tag device 20.

Next, the one-way function extraction unit 14 reads the above-described node ω _T from the storage unit 11c, reads the hash functions F ₀ and F ₁ from the storage unit 11d based on the value, and reads the hash functions F ₀ , By synthesizing F ₁ , a hash function F _ωT (corresponding to “one-way function”) corresponding to the node ω _T is extracted. It should be noted, ωT of the subscript of the hash function _F ωT means ω _T. Note that the configuration of the hash function F _ωT is as shown in (e) above, and the generated hash function F _ωT is stored in the storage unit 11e (step S2).

Next, the control unit 18 substitutes 0 for the variable m, and stores the variable m in the temporary memory 19 (step S3). Next, the one-way function calculation unit 15 reads the variable m from the temporary memory 19, reads the secret value t _{tree, m} from the secret value table 100 of the storage unit 11a, and _{sets the} one-way function value t _{ωT, m} = F _ωT (t _{tree, m} ) is calculated and stored in the storage unit 11f (step S4). _{Incidentally, F ωT (T tree, m} ) is the input value of the hash function F _{.omega.T t tree,} and _{m, t tree,} by applying a hash function F _.omega.T to _m, means a process of obtaining the calculation result. Next, the authority information generation unit 16 reads the variable m from the temporary memory 19, extracts the secret value s _{chain, m} from the secret value table 100 of the storage unit 11a, reads the node ω _T from the storage unit 11c, and stores the storage unit A one-way function value _{tωT, m} is read from 11f. Then, the authority information generation unit 16 generates the generation authority information k _{T, m} = (s _{0, m} , t _{ωT, m} , ω _T ) as the secret value s _{0, m} = s _{chain, m} and generates this The authority information kT _{, m} is stored in the storage unit 11g (step S5). Note that (α, β, γ) means a bit string including bit strings of α, β, and γ.

Thereafter, the control unit 18 determines whether or not the variable m stored in the temporary memory 19 satisfies m = k−1 (step S6). When it is determined that m = k−1 is not satisfied, the control unit 18 sets a value obtained by adding 1 to the value of the variable m as a new value of the variable m, and stores the variable m in the temporary memory 19. (Step S7), and the process returns to Step S4. On the other hand, when it is determined that m = k−1 is satisfied, the authority information output unit 17 stores each generation authority information k _{T, m} (m∈ [0, k−1]) stored in the storage unit 11g. And transmitted to the writer device 70 through the network 80. The writer device 70 outputs each generation authority information k _{T, m} to the tag device 20 corresponding to each identifier id _m . Each tag device 20 receives the generation authority information k _{T, m} corresponding to its own identifier id _m at the input unit 26. The writing unit 27 of each tag device 20 _stores the secret value s _{0, m} of the received generation authority information k _{T, m} = (s _{0, m} , t _{ωT, m} , ω _T ) in the storage unit 21 a of the memory 21. store, stores one-way function value t _{.omega.T, m} and node omega _T in the storage unit 21b. In addition, the count initialization unit 28 sets the node ω _T stored in the storage unit 21b as the upper digit bit and sets the lower digit bit as 0 bit (or 0 bit string), and the initial count value i = ω in total d bits. _T | 0 ... 0 (binary notation) is generated, and the initial count value i is stored in the storage unit 21d. For example, in the tree structure data 110 of FIG. 5, when ω _T = 1 (node 112j / d = 3), the initial count value i is i = ω _T | 0 ... 0 = 100 (binary notation) ) And i = 4 in decimal notation. Further, the updating unit 24 stores a value obtained by applying the hash function G i times to the secret value s _{0, m} stored in the storage unit 21a as the secret value s _{i, m} in the storage unit 21a (step S8).

[Communication information search authority grant processing]
FIG. 8 is a flowchart for explaining the communication information search authority grant processing in the first embodiment. Hereinafter, communication information search authority grant processing according to this embodiment will be described with reference to FIG.
First, the node selection unit 13 selects a node ω (denoted as “ω _S ”) from the tree structure data 110 stored in the storage unit 11b of the memory 11, and stores this in the storage unit 11c (step S11). . This selection is performed based on the input value, for example. For example, the administrator of the management server device 10 specifies an ancestor node of the leaf node corresponding to the integer i in the range to which the search authority for communication information is to be granted, and inputs information for specifying the node (not shown) The node selection unit 13 selects the node corresponding to the input information as the node ω _S. As another form, the selection of the node ω _S may be performed according to a predetermined order. The node ω _S may be different for each tag device 20.

Next, the one-way function extraction unit 14 reads the above-described node ω _S from the storage unit 11c, reads the hash functions F ₀ and F ₁ from the storage unit 11d based on the value, and reads the hash functions F ₀ , A hash function F _ωS (corresponding to “one-way function”) corresponding to the node ω _S is extracted by synthesizing F ₁ . It should be noted, ωS of the subscript of the hash function _F ωS means ω _S. The configuration of the hash function F _ωS is as shown in (e) above, and the generated hash function F _ωS is stored in the storage unit 11e (step S12).

Next, the control unit 18 substitutes 0 for the variable m, and stores the variable m in the temporary memory 19 (step S13). Next, the one-way function calculation unit 15 reads the variable m from the temporary memory 19, reads the secret value t _{tree, m} from the secret value table 100 of the storage unit 11a, and _{sets the} one-way function value t _{ωS, m} = F _ωS (T _{tree, m} ) is calculated and stored in the storage unit 11f (step S14). Next, the authority information generation unit 16 reads the variable m from the temporary memory 19, extracts the identifier id _m and the secret value s _{chain, m} from the secret value table 100 of the storage unit 11a, and selects the node ω _S from the storage unit 11c. Read and read the unidirectional function value _{tωS, m} from the storage unit 11f. Then, the authority information generation unit 16 generates search authority information k _{S, m} = (id _m , s _{0, m} , t _{ωS, m} , ω _S ) as the secret value s _{0, m} = s _{chain, m.} The search authority information k _{S, m} is stored in the storage unit 11g (step S15).

Thereafter, the control unit 18 determines whether or not the variable m stored in the temporary memory 19 satisfies m = k−1 (step S16). When it is determined that m = k−1 is not satisfied, the control unit 18 sets a value obtained by adding 1 to the value of the variable m as a new value of the variable m, and stores the variable m in the temporary memory 19. (Step S17), and the process returns to Step S14. On the other hand, when it is determined that m = k−1 is satisfied, the authority information output unit 17 stores each search authority information k _{S, m} (m∈ [0, k−1]) stored in the storage unit 11g. And transmitted to the server device 40 through the network 80. The server device 40 receives the search authority information k _{S, m} at the input unit 42. The writing unit 43 of the server apparatus 40 uses the identifier id _m of each received search authority information k _{S, m} = (id _m , s _{0, m} , t ω _{S , m} , ω _S ) as data in the column 201, and The authority information 200 which is a table in which the value s _{0, m} is the data in the column 202, the one-way function value t ω _{S , m} is the data in the column 203, and the data in the node ω _S column 204 is the storage unit 41a of the memory 41. (Step S18).

<Communication processing>
A communication process performed after the above process will be described. In this process, the tag device 20 generates and outputs the communication information a _{i, m} using the generation authority information k _{T, m} described above, and the server device 40 identifies the identifier corresponding to the received communication information a _{i, m.} Search for id _m . Note that the server device 40 does not know which tag device 20 the received communication information a _{i, m} is output from.
FIG. 9 is a flowchart for explaining communication processing according to the first embodiment. Note that solid arrows in FIG. 9 indicate the temporal flow of processing in each apparatus, and broken arrows indicate the temporal flow of processing between apparatuses. Hereinafter, the communication processing of this embodiment will be described with reference to this figure.

[Processing of tag device 20]
The processing of the tag device 20 is started, for example, when the tag device 20 enters the communication area of the reader device 60 and receives a trigger signal transmitted from the reader device 60. When such a trigger occurs, the communication information generation unit 22 of the tag device 20 reads the secret value s _{i, m} from the storage unit 21a of the memory 21 and the unidirectional function value t _{ωT, m} from the storage unit 21b. The node ω _T is read, the hash functions F ₀ and F ₁ are read from the storage unit 21c, and the count value i is read from the storage unit 21d. Then, the communication information generation unit 22 generates communication information a _{i, m} = H (s _{i, m} , F _{ω ′} (t _{ωT, m} )) (step S21). Note that ω ′ in step S21 is a value that satisfies i = ω _T | ω ′. That is, bits except the upper bits omega _T binary notation count value i is omega '. And since t _{ωT, m} = F _ωT (t _{tree, m} ), F _{ω '} (t _{ωT, m} ) is F _ω' (t _{ωT, m} ) = F _{ω '} (F _ωT (t _{tree, m)} )) = F _i (t _{tree, m} ), where F _i is a hash function corresponding to the leaf node of the tree structure data 110.

The communication information a _{i, m} generated in this way is output from the communication information output unit 23 (step S22).
Next, the update unit 24 of the tag device 20, a secret value _{s i} from the storage unit 21a of the memory _21, reads the _m secret value _{s i,} the value G _{(s i, m)} subjected to a hash function G to _m the A new secret value s _{i + 1, m} is set, thereby overwriting the storage unit 21a and updating the secret value (step S23). Here, overwriting means that the secret value stored in the storage unit 21a is erased (including conversion to data that is difficult to restore), and a new secret value is stored in the storage unit 21a. . Then, the counter 25 reads the count value i from the storage unit 21d, sets i + 1 as the new count value i, and stores this new count value i in the storage unit 21d (step S24). Thereby, the count value i stored in the storage unit 21d is updated.
Thereafter, the tag device 20 executes the processes of steps S21 to S24 described above every time there is a predetermined trigger.

[Processing of Reader Device 60]
The reader device 60 receives the communication information a _{i, m} (step S22) output from the tag device 20 as described above (step S25) and transmits it to the server device 40 via the network 80 (step S26). .

[Processing of Server Device 40]
The server device 40 receives the communication information a _{i, m} transmitted from the reader device 60 at the input unit 42, and stores the communication information a _{i, m} in the storage unit 41c at the writing unit 43 (step S27). . Next, the counter 44 sets the count value p to 0, and stores this count value p in the temporary memory 51 (step S28). Further, the counter 45 extracts the node ω _S from the column 204 of the authority information 200 of the storage unit 41a, sets the node ω _S as the upper digit bit, and sets the lower digit bit as 0 bit (or 0 bit string). Bit initial count value j = ω _S | 0... 0 (binary notation) is generated, and this initial count value j is stored in temporary memory 51 (step S29). Next, the search value generation unit 46 reads the count values p and j from the temporary memory 51 and sets the identifier id _p and the secret values s _{0 and p} one from the columns 201 to 204 of the authority information 200 stored in the storage unit 41a. Loading directional function value t _{.omega.S, p} and node omega _S and, respectively, read the hash function _F 0, _{F 1} from the storage unit 41b. Then, the search value generation unit 46 generates a search value a _{j, p} ′ = H (G ^j (s _{0, p} ), F _{ω ″} (t _{ωS, p} )) (step S30). Note that ω ″ in step S30 is a value that satisfies j = ω _s | ω ″. That is, the bit excluding the upper bit ω _S of the count value j expressed in binary is ω ″. The search values a _{j, p ′} generated in this way are stored in the temporary memory 51.

Next, the comparison unit 47 reads the communication information a _{i, m} from the storage unit 41, reads the search values a _{j, p} ′ from the temporary memory 51, and sets the communication information a _{i, m} and the search values a _{j, p} ′. Are equal to each other (step S31). Here, if a _{i, m} = a _{j, p} ′, the extraction unit 48 reads the count value p from the temporary memory 51, and the identifier id _p (= id) from the column 201 of the authority information 200 of the storage unit 41 a. _m ) is extracted and output from the output unit 49 (step S36), and the process is terminated.

On the other hand, if a _{i, m} = a _{j, p} ′ is not satisfied, the control unit 50 determines whether or not the count value j stored in the temporary memory 51 is j = 2 ^d −1 (step S1). S32) If j = 2 ^d −1, the value obtained by adding 1 to the count value j by the counter 45 is set as a new count value j, the count value j is stored in the temporary memory 51, and the process goes to step S30. Return (step S33). On the other hand, if the count value j is j = 2 ^d −1, the control unit 50 determines whether or not the count value p stored in the temporary memory 51 is p = k−1 (step S34). . If p = k−1 is not satisfied, the counter 44 adds 1 to the count value p as a new count value p, stores the count value p in the temporary memory 51, and returns the process to step S29. (Step S35). On the other hand, if p = k−1, the output unit 49 outputs an error indicating a search failure (step S37), and the process ends.

<Features of this embodiment>
The features of this embodiment are shown below.
[Limitation of authority to generate communication information]
As described above, the generation authority information k _{T, m} = (s _{0, m} , t _{ωT, m} , ω _T ) is given from the management server device 10 to the tag device 20 of the present embodiment. Using this information, communication information a _{i, m} = H (s _{i, m} , F _{ω ′} (t _{ωT, m} )) is generated.
Here, t _{ωT, m} included in the generation authority information k _{T, m} is a unidirectional function value satisfying t _{ωT, m} = F _ωT (t _{tree, m} ), and is usually secret from t _{ωT, m.} It is difficult to obtain the value t _{tree, m} . Therefore, F _{ω ′} (t _{ωT, m} ) = F _{ω ′} (F _ωT (t _{tree, m} )) that can be generated by the tag device 20 to which the generation authority information k _{T, m} is given is the secret value t _{tree, m. Is} a value obtained by applying a composite mapping of the hash functions F _{ω ′} , F _ωT to. FIG. 10 is a diagram showing one-way function tree data 120 for explaining this. For example, _assume that the hash function _FωT corresponds to the node 122j. In this case, the combined mapping of the hash functions F _{ω ′} and F _ωT is only the hash function corresponding to the nodes 122 k to 122 p, and the tag device 20 has the hash function corresponding to the secret values t _{tree, m} and the nodes 122 k to 122 p. Only the values given with can be obtained. That is, the authority to generate communication information a _{i, m} can be restricted within this range.

Even if the owner of the tag device 20 can know the generation authority information k _{T, m} = (s _{0, m} , t _{ωT, m} , ω _T ) given to the tag device 20, The range of communication information a _{i, m that} the owner can know, that is, the tracking range is limited to the range of the generation authority. Therefore, after the owner of the tag device 20 is changed, the range that the old owner can track is also limited to this range, and the privacy of the new owner can be protected.
[Limitation of communication information tracking authority]
As described above, search authority information k _{S, m} = (id _m , s _{0, m} , t _{ωS, m} , ω _S ) is given to the server device 40 of this embodiment from the management server device 10. To generate a search value a _{j, p} '= H (G ^j (s _{0, p} ), F _ω'' (t _{ωS, p} )), and the search value a _{j, p} ′ and communication information a _i, comparing the _m, communication information a _i, to search for the identifier id _m corresponding to _m.

Here, t _{ωS, p} included in the search value a _{j, p} ′ is a unidirectional function value satisfying t _{ωS, p} = F _ωS (t _{tree, p} ), and is usually secret from t _{ωS, m.} It is difficult to obtain the value t _{tree, p} . Therefore, F _{ω ″} (t _{ωS, p} ) = F _{ω ″} (F _ωS (t _{tree, p} )) that can be generated by the server device 40 given the search authority information k _{S, m} is the secret value t _{tree. , p} are only values obtained by _performing a composite mapping of the hash functions F _{ω ″} and F _ωS . In other words, the generation authority of the search value a _{j, p} ′, that is _, the search authority of the communication information a _{i, m} can be restricted within this range. This will be described with reference to FIG. For example, _assume that the hash function _FωS corresponds to the node 122j. In this case, the combined mapping of the hash functions F _{ω ″} and F _ωS is only the hash function corresponding to the nodes 122k to 122p, and the server device 40 has the hash corresponding to the nodes 122k to 122p to the secret values t _{tree, p.} Only the value with the function can be obtained. As described above, F _{ω ′} (t _{ωT, m} ) used for generating the communication information a _{i, m applies} a hash function corresponding to the leaf node of the tree structure data 110 to the secret value t _{tree, m.} It is the value that was made to. Accordingly, the server device 40 is practically given only the search authority for the communication information a _{i, m} generated using the hash function of the nodes 122l, 122m, 122o, 122p.

Then, it is _{assumed that} the administrator of the server device 40 can know the search authority information k _{S, m} = (id _m , s _{0, m} , t _{ωS, m} , ω _S ) given to the server device 40. However _, the range of search values a _{j, p} ′ that the administrator can know, ie, the tracking range, is limited to the range of search authority. Therefore, after the administrator of the server device 40 is changed, the range that can be traced by the old administrator is also limited to this range, and it becomes possible to protect the privacy of the owner of the tag device 20 after the administrator is changed.

[Efficiency]
Since the arithmetic processing of the tag device 20 can be realized mainly only by the hash function operation, the circuit scale incorporated in the tag device 20 can be reduced. This is suitable for the tag device 20 that requires a low price. Further, since the communication information a _{i, m} is generated using the hash function associated with the tree-structured node as described above, the server device 40 searches for one search value a _{j, p} ′ = H (G ^j (s _{0, p} ), F _{ω ″} (t _{ωS, p} )) F _{ω ″} (t _{ωS, p} ) required for _obtaining hash functions F ₀ , F ₁ The number of times is only log ₂ (n) times, and the search efficiency of the server device 40 is also good. Here, n is the maximum number of responses of the tag device 20.

[Inability to trace by a third party]
Further, due to the indistinguishability of the hash function H, the communication information a _{i, m} appears to be random. Therefore, it is impossible to determine whether the two pieces of communication information a _{i, m} are output from the same tag device 20 without knowing the secret information id _m , s _{i, m} , t _{ωT, m} .
[Forward security]
Furthermore, from the unidirectionality of the hash function G, even if the tag device 20 is tampered or the like and the secret information s _{i, m} etc. is leaked, the past s _{i-q, m} is not known. . As a result, even if such a situation occurs, the past behavior of the tag device 20 is not tracked using the past communication history.

[Second Embodiment]
Next, a second embodiment of the present invention will be described.
The present embodiment is a modification of the first embodiment, and in the same manner as in the first embodiment, a limited search authority is given to the server device, and an unlimited communication information generation right is given to the tag device. It is. The details will be described below. In the following description, differences from the first embodiment will be mainly described, and description of matters common to the first embodiment will be omitted.
<Overall configuration>
The management server device 10 is the same as the first embodiment except that the management server device 310 is replaced with the management server device 310 and the tag device 20 is replaced with the tag device 320.

<Configuration of management server device>
FIG. 11 is a block diagram illustrating a functional configuration of the management server device 310 according to the second embodiment. In FIG. 11, the same reference numerals as those in FIG. 2 are assigned to portions common to the first embodiment.
As illustrated in FIG. 11, the management server device 310 includes a memory 11, a random number generation unit 12, a node selection unit 313, a one-way function extraction unit 314, a one-way function calculation unit 315, an authority information generation unit 316, an authority. An information output unit 17, a control unit 18, and a temporary memory 19 are included.
As in the first embodiment, the management server device 310 is also connected to a known Neumann computer in which, for example, an external storage device such as a CPU, RAM, ROM, and hard disk, and a communication device such as a LAN card are connected by a bus. This is configured by executing the program. In this case, the node selection unit 313, the one-way function extraction unit 314, the one-way function calculation unit 315, and the authority information generation unit 316 correspond to a CPU loaded with a predetermined program.

In addition, the management server device 310 executes each calculation process under the control of the control unit 18. Unless otherwise specified, each data is stored in the temporary memory 19 one by one as appropriate and used for each process. Further, the arrows in FIG. 11 indicate the flow of data, but the description of the flow of data input to and output from the control unit 18 and the temporary memory 19 is omitted.
<Configuration of Tag Device 320>
FIG. 12 is a block diagram illustrating a functional configuration of the tag device 320 according to the second embodiment. In FIG. 12, the same reference numerals as those in FIG. 3 are assigned to portions common to the first embodiment.

As illustrated in FIG. 12, the tag device 320 includes a memory 21, a communication information generation unit 322, a communication information output unit 23, an update unit 24, a counter 25, an input unit 26, a writing unit 327, a temporary memory 29, and a control unit 30. have.
Note that the communication information generation unit 322 is, for example, an integrated circuit that executes each process or a CPU loaded with a predetermined program. The writing unit 327 is hardware that reads and writes data from and to the memory 21 under the control of the control unit 30.
In addition, the tag device 320 executes each process under the control of the control unit 30. Unless otherwise specified, each data is stored in the temporary memory 29 one by one as appropriate and used for each process. Also, the arrows in FIG. 3 indicate the flow of data, but the description of the flow of data input to and output from the control unit 30 and the temporary memory 29 is omitted.

<Pretreatment>
Next, preprocessing for operating the tag communication system of this embodiment will be described.
[Preprocessing for Management Server Device 310]
This is the same as the pre-processing for the management server device 10 in the first embodiment.
[Preprocessing for Tag Device 320]
As preprocessing for the tag device 20, the hash functions F ₀ and F ₁ described above are stored in the storage unit 21 c of the memory 21 of each tag device 20. Further, the communication information generation unit 22 and the update unit 24 make it possible to use hash functions H and G, which are one-way functions, respectively.

[Pre-processing for server device 40]
This is the same as in the first embodiment.
<Authorization process>
Next, the authority grant process performed by the management server apparatus 310 will be described. In this embodiment, unrestricted authority information for giving communication information generation authority is given to each tag device 320, and authority information for giving communication information search authority is given to the server device 40.
[Communication information generation authority assignment processing]
The authority information generation unit 316 extracts the secret value s _{chain, m} , t _{tree, m} from the secret value table 100 of the storage unit 11a of the memory 11 for each mε [0, k−1], and the secret value s _{0. , m} = s _{chain, m} , generation authority information k _{T, m} = (s _{0, m} , t _{tree, m} ) is generated, and the generation authority information k _{T, m} is stored in the storage unit 11g.

After that, the authority information output unit 17 generates each generation authority information k _{T, m} stored in the storage unit 11g.
(mε [0, k−1]) is transmitted to the writer device 70 through the network 80. The writer device 70 outputs each generation authority information k _{T, m} to the tag device 320 corresponding to each identifier id _m . Each tag device 320 receives the generation authority information k _{T, m} corresponding to its own identifier id _m at the input unit 26. The writing unit 327 of each tag device 320 stores the secret value s _{0, m} of the received generation authority information k _{T, m} = s _{0, m} , t _{tree, m} ) in the storage unit 21a of the memory 21, and the secret The value t _{tree, m} is stored in the storage unit 21b. The counter 25 sets the count value i to 0, and stores the count value i in the storage unit 21d.

[Communication information search authority grant processing]
The communication information search authority granting process is the same as the node selecting part 313, the one-way function extracting part 14, the one-way function calculating part 15, and the right information generating part 16; 314, the one-way function calculation unit 315, and the authority information generation unit 316 are the same as those in the first embodiment except for execution (FIG. 8).

<Communication processing>
A communication process performed after the above process will be described.
FIG. 13 is a flowchart for explaining communication processing according to the second embodiment. Note that solid arrows in FIG. 13 indicate the temporal flow of processing within each device, and broken arrows indicate the temporal flow of processing between devices. Hereinafter, the communication processing of this embodiment will be described with reference to this figure. In the following, processing when the tag device 320 outputs communication information for the i-th time will be described.

[Processing of tag device 320]
When there is a trigger similar to that of the first embodiment, the communication information generation unit 322 of the tag device 320 reads the secret value s _{i, m} from the storage unit 21a of the memory 21, and the secret value t _tree from the storage unit 21b. _{, m} , the hash functions F ₀ and F ₁ are read from the storage unit 21c, and the count value i is read from the storage unit 21d. Then, the communication information generation unit 322 generates communication information a _{i, m} = H (s _{i, m} , F _i (t _{tree, m} )) (step S41).
The communication information a _{i, m} generated in this way is output from the communication information output unit 23 (step S42).

Next, the update unit 24 of the tag device 20, a secret value _{s i} from the storage unit 21a of the memory _21, reads the _m secret value _{s i,} the value G _{(s i, m)} subjected to a hash function G to _m the A new secret value s _{i + 1, m} is set, thereby overwriting the storage unit 21a and updating the secret value (step S43). Then, the counter 25 reads the count value i from the storage unit 21d, sets i + 1 as the new count value i, and stores this new count value i in the storage unit 21d (step S44). Thereby, the count value i stored in the storage unit 21d is updated.

Thereafter, the tag device 20 executes the processes of steps S41 to S44 described above every time there is a predetermined trigger.
The subsequent processing (steps S45 to S57) of the reader device / server device is the same as steps S25 to S37 of the first embodiment.
<Features of this embodiment>
As in the first embodiment, the tracking authority of the administrator of the server device 40 can be limited, and privacy protection can be realized ([Limitation of communication information tracking authority]). In addition, [efficiency] [untrackability by a third party] [forward security] similar to the first embodiment can be realized.

[Third Embodiment]
Next, a third embodiment of the present invention will be described.
This embodiment is a modification of the first embodiment, and in the same manner as in the first embodiment, a limited authority for generating communication information is given to the tag device, and an unlimited search right is given to the server device. It is. The details will be described below. In the following description, differences from the first embodiment will be mainly described, and description of matters common to the first embodiment will be omitted.
<Overall configuration>
The management server device 10 is the same as the first embodiment except that the management server device 410 is replaced with the management server device 410 and the server device 40 is replaced with the server device 440.

<Configuration of Management Server Device 410>
FIG. 14 is a block diagram illustrating a functional configuration of the management server device 410 according to the third embodiment. In FIG. 14, the same reference numerals as those in FIG. 2 are assigned to portions common to the first embodiment.
As illustrated in FIG. 14, the management server device 410 includes a memory 11, a random number generation unit 12, a node selection unit 413, a one-way function extraction unit 414, a one-way function calculation unit 415, an authority information generation unit 416, an authority. An information output unit 17, a control unit 18, and a temporary memory 19 are included.

Similar to the first embodiment, the management server device 410 is also connected to a known Neumann computer in which a communication device such as an external storage device such as a CPU, RAM, ROM, and hard disk or a LAN card is connected by a bus. This is configured by executing the program. In this case, the node selection unit 413, the one-way function extraction unit 414, the one-way function calculation unit 415, and the authority information generation unit 416 correspond to a CPU into which a predetermined program has been read.
In addition, the management server device 410 executes each calculation process under the control of the control unit 18. Unless otherwise specified, each data is stored in the temporary memory 19 one by one as appropriate and used for each process. Further, the arrows in FIG. 11 indicate the flow of data, but the description of the flow of data input to and output from the control unit 18 and the temporary memory 19 is omitted.

<Configuration of Server Device 440>
FIG. 15 is a block diagram illustrating a functional configuration of the server device 440 according to the third embodiment. In FIG. 15, the same reference numerals as those in FIG. 4 are given to portions common to the first embodiment.
As illustrated in FIG. 15, the server device 440 includes a memory 41, an input unit 42, a writing unit 443, counters 44 and 445, a search value generation unit 446, a comparison unit 47, an extraction unit 48, an output unit 49, and a control unit 50. And a temporary memory 51.

The server device 440 is configured, for example, by causing a known Neumann computer connected to an external storage device such as a CPU, RAM, ROM, and hard disk, or a communication device such as a LAN card by a bus to execute a predetermined program. . In this case, the writing unit 443 corresponds to hardware that reads / writes data to / from the memory 41 under the control of the CPU that has read the predetermined program. The counter 445 and the search value generation unit 446 It corresponds to the read CPU.
In addition, the server device 440 executes each process under the control of the control unit 50. Further, unless explicitly indicated, each data is stored in the temporary memory 51 one by one as appropriate and used for each process. In addition, arrows in FIG. 15 indicate the flow of data, but the description of the flow of data input to and output from the control unit 50 and the temporary memory 51 is omitted.

<Pretreatment>
Next, preprocessing for operating the tag communication system of this embodiment will be described.
[Preprocessing for Management Server Device 410]
This is the same as the pre-processing for the management server device 10 in the first embodiment.
[Preprocessing for Tag Device 20]
This is the same as in the first embodiment.
[Preprocessing for server device 440]
As preprocessing for the server device 440, the hash functions F ₀ and F ₁ described above are stored in the storage unit 41b of the memory 41 of the server device 440. In addition, the search value generation unit 446 makes it possible to use hash functions H and G that are one-way functions. The counter 445 makes available a value d indicating the depth of the tree structure data 110 described above.

<Authorization process>
Next, the authority grant process performed by the management server device 410 will be described. In the present embodiment, as in the first embodiment, the communication information generation authority restricted is given to the tag device 20, and the search authority without restriction is given to the server device 440.
[Communication information generation authority assignment processing]
The communication information search authority granting process is the same as the node selecting part 413, the one-way function extracting part 14, the one-way function calculating part 15, and the right information generating part 16; 414, the one-way function calculation unit 415, and the authority information generation unit 416 are the same as those in the first embodiment except for execution (FIG. 7).

[Communication information search authority grant processing]
The authority information generation unit 416 extracts the identifier id _m and the secret value s _{chain, m} , t _{tree, m} from the secret value table 100 of the storage unit 11a of the memory 11 for each m∈ [0, k-1], Search authority information k _{S, m} = (id _m , s _{0, m} , t _{tree, m} ) is generated as a secret value s _{0, m} = s _{chain, m} , and the search authority information k _{S, m} is stored in the storage unit 11g.
Thereafter, the authority information output unit 17 transmits the search authority information k _{S, m} (mε [0, k−1]) stored in the storage unit 11 g to the server device 440 through the network 80. The server device 440 receives the search authority information k _{S, m} at the input unit 42. The writing unit 443 of the server device 40 uses the identifier id _m of each received search authority information k _{S, m} = (id _m , s _{0, m} , t _{tree, m} ) as data in the column 501 and uses the secret value s _{0. ,} M is data in the column 502, and authority information 500, which is a table in which the secret value t _{tree, m} is data in the column 503, is stored in the storage unit 41a of the memory 41.

<Communication processing>
A communication process performed after the above process will be described.
FIG. 16 is a flowchart for explaining communication processing according to the third embodiment. Note that solid arrows in FIG. 16 indicate the temporal flow of processing within each device, and broken arrows indicate the temporal flow of processing between devices. Hereinafter, the communication processing of this embodiment will be described with reference to this figure.
[Processing of Tag Device 20 / Reader Device 60]
The processing of the tag device 20 / reader device 60 (steps S61 to S66) is the same as that of the first embodiment (steps S21 to S26).

[Process of Server Device 440]
The server device 40 receives the communication information a _{i, m} transmitted from the reader device 60 at the input unit 42, and stores the communication information a _{i, m} in the storage unit 41c at the writing unit 43 (step S67). . Next, the counter 44 sets the count value p to 0, and stores this count value p in the temporary memory 51 (step S68). Further, the counter 445 sets the count value j to 0 and stores this count value j in the temporary memory 51 (step S69). Next, the search value generation unit 446 reads the count values p, j from the temporary memory 51, and the identifier id _p and the secret value s _{0, p} , t from the columns 501 to 203 of the authority information 500 stored in the storage unit 41a. _{tree and p} are read, and the hash functions F ₀ and F ₁ are read from the storage unit 41b. Then, the search value generation unit 446 generates a search value a _{j, p} ′ = H (G ^j (s _{0, p} ), F _j (t _{tree, p} )) (step S70). The search values a _{j, p ′} generated as described above are stored in the temporary memory 51.

Next, the comparison unit 47 reads the communication information a _{i, m} from the storage unit 41, reads the search values a _{j, p} ′ from the temporary memory 51, and sets the communication information a _{i, m} and the search values a _{j, p} ′. Are equal to each other (step S71). Here, if a _{i, m} = a _{j, p} ′, the extraction unit 48 reads the count value p from the temporary memory 51, and the identifier id _p (= id) from the column 501 of the authority information 500 of the storage unit 41 a. _m ) is extracted and output from the output unit 49 (step S76), and the process is terminated.

On the other hand, if a _{i, m} = a _{j, p} ′ is not satisfied, the control unit 50 determines whether or not the count value j stored in the temporary memory 51 is j = 2 ^d −1 (step S1). S72) If j = 2 ^d -1 is not satisfied, the counter 45 adds 1 to the count value j as a new count value j, stores this count value j in the temporary memory 51, and proceeds to step S70. Return (step S73). On the other hand, if the count value j is j = 2 ^d −1, the control unit 50 determines whether or not the count value p stored in the temporary memory 51 is p = k−1 (step S74). . If p = k−1 is not satisfied, the counter 44 adds 1 to the count value p as a new count value p, stores the count value p in the temporary memory 51, and returns the process to step S69. (Step S75). On the other hand, if p = k−1, the output unit 49 outputs an error indicating a search failure (step S77), and the process ends.

<Features of this embodiment>
As in the first embodiment, the authority to generate communication information of the server device 20 can be restricted, and the tracing authority of the old owner can be restricted. As a result, privacy protection can be realized ([Limitation of communication information generation authority]). In addition, [efficiency] [untrackability by a third party] [forward security] similar to the first embodiment can be realized.

[Modifications, etc.]
The present invention is not limited to the embodiment described above. For example, in each of the above-described embodiments, the tag device and the server device communicate with each other via the reader device. However, the reader device has a function of the server device, and the tag device and the reader device have a function. It is good also as a structure which performs a communication process. In this case, the communication information search authority is given not to the server device but to the reader device.

  Further, in each of the above-described embodiments, the case where the hash function is used as the one-way function has been described. However, another function that is difficult to obtain an inverse image as the one-way function may be used. As such a function, for example, a common key encryption function such as AES or Camellia may be used. In this case, the plaintext corresponds to the input value of the one-way function, and the ciphertext corresponds to the one-way function value.

Further, in each of the above-described embodiments, the hash chain value s _{i, m} of the secret value s _{0 , m} is used to generate the communication information a _{i, m} , but the hash chain value s _{i, m} is used. Alternatively, the communication information a _{i, m} may be generated. In this case, the communication information a _{i, m} includes a _{i, m} = H (F _{ω ′} (t _{ωT, m} )), a _{i, m} = H (F _i (t _{tree, m} )) and a _{i, m} = F _{ω ′} (t _{ωT, m} ), a _{i, m} = F _i (t _{tree, m} ) etc., and the search values a _{j, p} ′ are a _{j, p} ′ = H (F _{ω ″} (t _{ωT, m} )) = H (F _j (t _{tree, p} )), a _{j, p} ′ = F _{ω ″} (t _{ωT, p} ) = F _j (t _{tree, p} ), etc.

In each of the above-described embodiments, the number i of the hash chain of the secret value s _{0, m and} the number of operations of the hash functions F ₀ , F _{1 on} t _{tree, m} are the same i. However, the number of hash chains of the secret value s _{0, m} may be different from the number of operations of the hash functions F ₀ , F _{1 on} t _{tree, m} .

Also, the information for specifying the one-way function is a node, the one-way functions corresponding to the sibling nodes are different from each other, and the composite map of the one-way function corresponding to the parent node and the predetermined one-way function Is a one-way function corresponding to a child node, the tree structure data 110 is not limited to the above. For example, the child nodes of at least some of the nodes in the tree structure data 110 may be interchanged. Further, the tree structure data 110 may be multi-tree data instead of binary tree data. For example, when the tree structure data 110 is r-tree data, the character string corresponding to each node of the tree structure data 110 is a numerical value expressed in r-ary, and in the above-described embodiment, the two hash functions F ₀ , F Where ₁ is used, r hash functions F ₀ ,..., F _r−1 are used. In this case, the configuration of the unidirectional function tree data 120 corresponding to the tree structure data 110 also changes.

  In this embodiment, the tree structure data 110 is stored in the memory of the management server device in the preprocessing. However, instead of generating the tree structure data 110 in the preprocessing, only the generation rules of the tree structure data 110 are stored in the memory, and when granting the authority, the nodes of the tree structure data 110 are generated according to the generation rules. It is good also as a structure. In that case, it is not always necessary to generate all the nodes of the tree structure data 110.

In the first embodiment, the generation authority information k _{T, m} = (s _{0, m} , t _{ωT, m} , ω _T ) is _assigned to the tag device 20, and the tag device 20 uses the node ω _T. The count value i is initially set, and the hash chain value s _{i, m} of the secret value s _{0, m} corresponding to the initially set count value i is initially set in the storage unit 21a. However, the hash chain values s _{i, m} may be generated by the management server device 10 and the generation authority information may be set as k _{T, m} = (s _{i, m} , t _{ωT, m} , ω _T ). In this case, the initial setting process of the hash chain value s _{i, m in} the tag device 20 becomes unnecessary.

In addition, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Needless to say, other modifications are possible without departing from the spirit of the present invention.
Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory. Specifically, for example, the magnetic recording device may be a hard disk device or a flexible Discs, magnetic tapes, etc. as optical disks, DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), etc. As the magneto-optical recording medium, MO (Magneto-Optical disc) or the like can be used, and as the semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like can be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  As a field of use of the present invention, for example, a tag authentication system such as RFID, a personal authentication system such as an IC card, and the like can be exemplified.

FIG. 1 is a conceptual diagram showing an overall configuration of a tag communication system 1 according to the first embodiment. FIG. 2 is a block diagram illustrating a functional configuration of the management server device according to the first embodiment. FIG. 3 is a block diagram illustrating a functional configuration of the tag device according to the first embodiment. FIG. 4 is a block diagram illustrating a functional configuration of the server device according to the first embodiment. FIG. 5 is a diagram for illustrating the structure of the tree structure data. FIG. 6 is a diagram illustrating one-way function tree data that is tree structure data having a hash function _Fω corresponding to each node of the tree structure data illustrated in FIG. 5 as a node. FIG. 7 is a flowchart for explaining communication information generation authority grant processing according to the first embodiment. FIG. 8 is a flowchart for explaining the communication information search authority grant processing in the first embodiment. FIG. 9 is a flowchart for explaining communication processing according to the first embodiment. FIG. 10 is a diagram showing unidirectional function tree data. FIG. 11 is a block diagram illustrating a functional configuration of the management server device according to the second embodiment. FIG. 12 is a block diagram illustrating a functional configuration of the tag device according to the second embodiment. FIG. 13 is a flowchart for explaining communication processing according to the second embodiment. FIG. 14 is a block diagram illustrating a functional configuration of the management server device according to the third embodiment. FIG. 15 is a block diagram illustrating a functional configuration of the server device according to the third embodiment. FIG. 16 is a flowchart for explaining communication processing according to the third embodiment.

Explanation of symbols

1 Tag communication system 10, 310, 410 Management server device 20, 320 Tag device 40, 440 Server device

Claims (15)

A management device that grants the right to handle communication information updated by a one-way function,
A secret value table storage unit that stores a secret value table in which an identifier and a first secret value are associated with each other;
The information for specifying the one-way function is a node, and the one-way functions corresponding to the sibling nodes are different from each other, and the one-way function corresponding to the parent node and any one of the predetermined one-way function set from the tree structure data to be one-way function that synthesis mapping corresponding to the child node of the one-way function, and a node selector which selects nodes,
A one-way function extraction unit that extracts a one-way function corresponding to the node selected by the node selection unit;
A one-way function calculation unit that generates a one-way function value obtained by applying the one-way function extracted by the one-way function extraction unit to the first secret value;
An authority information generation unit that generates authority information including the one-way function value;
To the communication device to update the communication information by the one-way function, it has a, and authority information output unit for outputting the authority information,
The authority information, the communication device generates authority communication information corresponding to the value obtained by operating the one-way function selected from the one-way function set in the one-way function value contained in the authorization information management device, characterized in that information for granted. The management device according to claim 1,
The authority information generation unit further generates second authority information including the one-way function value and the identifier corresponding to the first secret value used for the generation,
The authority information output unit further outputs the second authority information to a communication information search apparatus that searches for an identifier corresponding to communication information updated by a one-way function.
The second authority information is
The communication information search authority for searching for an identifier corresponding to a communication information corresponding to a value obtained by applying a one-way function corresponding to the node selected by the node selection unit or its descendant node to the first secret value Information to be given to the device,
A management device characterized by that. A management device that grants the right to handle communication information updated by a one-way function,
A secret value table storage unit that stores a secret value table in which an identifier and a first secret value are associated with each other;
The information for specifying the one-way function is a node, and the one-way functions corresponding to the sibling nodes are different from each other, and the one-way function corresponding to the parent node and any one of the predetermined one-way function set from the tree structure data to be one-way function that synthesis mapping corresponding to the child node of the one-way function, and a node selector which selects nodes,
A one-way function extraction unit that extracts a one-way function corresponding to the node selected by the node selection unit;
A one-way function calculation unit that generates a one-way function value obtained by applying the one-way function extracted by the one-way function extraction unit to the first secret value;
An authority information generating unit that generates authority information including the one-way function value and the identifier corresponding to the first secret value used for the generation;
To the communication information search apparatus for performing searches for identifiers corresponding to the communication information to be updated by the one-way function, it has a, and authority information output unit for outputting the authority information,
The above authority information is
The communication information search authority for searching for an identifier corresponding to a communication information corresponding to a value obtained by applying a one-way function corresponding to the node selected by the node selection unit or its descendant node to the first secret value Ru information der for imparting to the apparatus,
A management device characterized by that. Be any of the management apparatus of claims 1 to 3,
The secret value table is
A table in which the identifier, the first secret value, and the second secret value are associated with each other;
The authority information generation unit
Generating the authorization information including the above one-way function value and the second private value,
A management device characterized by that. A communication device that outputs communication information updated by a one-way function,
And generating authority information storage unit for storing the authorization information including a one-way function value output from the management apparatus according to claim 1 or 2,
A unidirectional function selected from a predetermined unidirectional function set is applied to information including the unidirectional function value read from the generation authority information storage unit, and communication information corresponding to the obtained value is generated. A communication information generation unit;
A communication information output unit for outputting the communication information;
A communication apparatus comprising: A communication information search device for identifying an identifier corresponding to communication information updated by a one-way function,
One-way function value contained in the authorization information output from the management apparatus according to claim 3 and the search authority information storage unit which stores in association with corresponding identifiers to the first secret value used in the generation,
An input unit for receiving input of communication information;
Search value generation for generating a search value corresponding to a value obtained by applying a one-way function selected from a predetermined one-way function set to information including the one-way function value included in the authority information And
A comparison unit that determines whether or not the communication information and the search value match;
The identifier associated with the one-way function value corresponding to the search value matched with the communication information, an extraction unit that extracts from the search authority information storage unit,
A communication information search apparatus comprising: Communication system, comprising a management apparatus according to claim 1, the communication apparatus according to claim 5. Communication system, comprising a management apparatus according to claim 3, the communication information searching apparatus according to claim 6. A communication system comprising the management device according to claim 2 , the communication device according to claim 5 , and the communication information search device according to claim 6 . A management method for granting a right to handle communication information updated by a one-way function,
The secret value table storage unit, the node selection unit, the one-way function extraction unit, the one-way function calculation unit, the authority information generation unit, and the authority information output unit included in the management device according to claim 1 respectively execute. Management method for processing . A communication method for outputting communication information updated by a one-way function,
The communication method which performs the process which the production | generation authority information storage part, the communication information production | generation part, and communication information output part which the communication apparatus of Claim 5 has respectively performs . A communication information search method for identifying an identifier corresponding to communication information updated by a one-way function,
The communication information search method which performs the process which the search authority information storage part of Claim 6, an input part, a search value production | generation part, a comparison part, and an extraction part respectively perform . A program for causing a computer to function as the management device according to claim 1. A program for causing a computer to function as the communication device according to claim 5 . A program for causing a computer to function as the communication information search apparatus according to claim 6 .

Images