JP4608246B2 - Anonymous communication method - Google Patents

Description

  The present invention relates to a new technology related to a cryptographic application protocol using encryption and signature technology, and relates to an anonymous communication method for protecting the privacy of a sender and preventing an unauthorized operation of a user who exploits anonymity.

(1) Conventionally, information on a transmitting terminal that has performed fraudulent processing on an administrator of an ISP server or a proxy server that relays a communication path connecting the transmitting terminal and the receiving terminal based on information transmitted to the receiving terminal. There is a way to seek disclosure and identify unauthorized users.
(2) On the other hand, a server service called an anonymous proxy has a function of relaying the communication path, removing the IP address of the transmission source device, and transferring only the body text to the receiving terminal or another anonymous proxy. A technology that increases anonymity is used for various devices on the road.
(3) Furthermore, a technique called onion routing is known as a technique for concealing the entire communication path by relaying a multi-stage anonymous proxy to the communication path and encrypting the addresses of the individual relay proxies in layers. Thus, there is an effect that it is difficult for the network monitoring server (including eavesdropping) to identify which receiving terminal the transmitting terminal is communicating with (Non-Patent Document 1).
PFSyverson, DMGoldschlag, and MGReed “Anonymous connections and onion routing,” In Proc. Of the 1997 IEEE Symposium on Security and Privacy, IEEE Press, pp. 44-54, May. 1997

In (1), the user of the transmitting terminal and the address of the receiving terminal are basically known to the ISP server or proxy server, and there is a concern about privacy problems such as leakage of communication logs. On the other hand, in (2), anonymity increases as the number of anonymous proxies increases. In that case, in order to identify unauthorized users, it is necessary to request disclosure from the receiving terminal to the manager of each anonymous proxy. In addition, the process is complicated, and if even one anonymous proxy communication log is lost, it becomes difficult to identify an unauthorized user. In addition, management of communication logs by all anonymous proxies can be a significant operational burden. (3) can be configured in the same manner as (2), but is originally a method in which the portal server determines a communication path (anonymous proxy to be relayed) ahead, and eventually (1) or (2) Such a problem is inevitable. In any of (1) to (3), it is necessary to disclose information on a server that relays at least a communication path connecting a transmitting terminal and a receiving terminal in order to identify an unauthorized user. It can be said that there is not much flexibility for disclosure control. In particular, when using overseas anonymous proxies, it may be difficult to determine whether or not to disclose even if it is entrusted to the law.

  Here, according to the invention on which the domestic priority claim application, which will be described in detail later, is based (hereinafter referred to as priority basis invention), the transmitting terminal is a user who is currently operating the transmitting terminal. Generates a ciphertext for information, sends the ciphertext to the receiving terminal together with the text, and the receiving terminal is a third party who has the authority to decrypt the ciphertext for the user information if there is an unauthorized operation by the anonymous user Present the ciphertext to the institution, request the disclosure of the user information, and the third party terminal decrypts the ciphertext in response to the disclosure request of the receiving terminal. Anonymous communication that can communicate with the receiving terminal anonymously without giving user information, but if the user performs an unauthorized operation, the user information will be disclosed, so that an unauthorized operation exploiting anonymity is also prevented A method was proposed.

By the way, this priority basis invention can identify the unauthorized user only after there is information for tracking the user and agreements of a predetermined number or more of third party organizations approved in advance. For this reason, the receiving terminal needs to individually store information for tracking the user in all communications that may be illegally used. Storing this information has a large amount of information compared to the storage of communication records performed in general communications, so that even if unauthorized use is not performed, the burden on the recipient himself is large. Become.
In view of the above circumstances, the present invention realizes that the external organization performs the process of storing the information for tracking the user, which should be performed by the receiver himself, in the anonymous communication method in the priority basis invention, An anonymous communication method that reduces the burden on the user.

  The present invention provides an anonymous communication method in which a transmission terminal can communicate with a reception terminal anonymously without giving user information, the transmission terminal generates a ciphertext for user information that is currently operating the transmission terminal, and The ciphertext is sent to the receiving terminal together with the text, and the receiving terminal presents the ciphertext to a third party that has the authority to decrypt the ciphertext for the user information when there is an unauthorized operation by the anonymous user. The third party terminal decrypts the ciphertext in response to the disclosure request of the receiving terminal, and the transmitting terminal is anonymous without giving the user information normally. Although it is possible to communicate with the receiving terminal, since the user information is disclosed if the user performs an unauthorized operation, the unauthorized operation that misappropriates anonymity is also prevented, and on top of that, the anonymous communication termination aggregation that relays the transmitting and receiving terminals Equipped with equipment By storing the ciphertext of the user information on behalf of the terminal, the receiving terminal anonymous communication method for performing anonymous communication without implementing storage mechanism for anonymous communication is configured.

  Specifically, first, the user correctly performs the registration procedure of the registration information of the user with respect to the authentication server. This is realized by the user performing identity verification to the authentication server administrator offline. In addition, in order to disclose anonymous user information only when a single or multiple third-party organizations are set in advance and only a certain number of third-party organizations agree, A third party cooperates to operate each terminal and generate a public key and a secret key for public key cryptography. At the time of communication between the transmission terminal and the reception terminal, one or more proxy servers are relayed between the transmission / reception terminals in order to protect the privacy of the user. Then, in order to keep secret addresses other than the adjacent servers or terminals in the communication path for each relay server and receiving terminal, the transmitting terminal discloses the addresses of the respective relay servers and receiving terminals to the relay server adjacent to the previous stage. Encrypt individually with a key in layers. By using a technology that encrypts the addresses of devices in the communication path in layers, called onion routing, if each device decrypts the ciphertext with its own private key, another ciphertext and the destination to send it Since only the address can be obtained, it is difficult to know the entire communication path connecting the transmitting terminal and the receiving terminal even if the device is in the communication path. On the other hand, in order to make it possible to disclose the user information only in special circumstances such as unauthorized operation of the user, the encrypted text that encrypts the user information held by the authentication server with the public key of the third party terminal So that each device in the communication path can not reject the fact of transmission and reception by using the signature. As a result, the receiving terminal presents the ciphertext to a third party, and if a certain number or more of the third parties agree, the third party operates the terminal of each user and encrypts the user. The user information can be disclosed by decrypting the information. This anonymous communication method is also equipped with an anonymous communication termination aggregation device that relays the transmission / reception terminal, and stores the ciphertext of the user information on behalf of the reception terminal, so that the reception terminal has a storage mechanism for anonymous communication The structure which performs anonymous communication, without having implemented.

  According to the anonymous communication method of the present invention, as long as the user does not perform an unauthorized operation, the collusion of the managers of all servers that relay the communication path connecting the transmission terminal and the reception terminal, or a certain number of third parties or more As long as there is no collusion of the institution, it can be difficult to know which receiving terminal the user has communicated with using the sending terminal, and in order to prevent unauthorized operation by the user who abuses anonymity It is assumed that user information can be disclosed only when a certain number of third-party organizations have agreed, and the receiving terminal can use the user for all communications that may be illegally used. It is no longer necessary to store the information for tracking individual information, and the burden on the recipient who stores the user tracking information, which is large compared with the storage of communication records used in general communication, is reduced. It was.

An embodiment of the priority basis invention will be described with reference to FIG.
(First embodiment)
The transmitting terminal in the LAN relays the proxy server and ISP server to connect to the authentication server on the Internet, and after receiving the authentication from the authentication server, the transmitting terminal relays the proxy server and ISP server to the auction website. An example of access, and a request for disclosure of user information of the unauthorized user is received from the auction website administrator assuming that the user of the transmitting terminal has presented the name and address of the contact despite the successful bid. An example in which a plurality of third party organizations cooperate to disclose user information of the unauthorized user will be described in detail with reference to the drawings.

An anonymous communication method (pre-processing) in this embodiment is shown in FIG.
First, the third party terminal A used by the third party _A generates a public key / private key pair (PK _A , SK _A ) for public key cryptography as a pre-process, and is stored on the Internet. read and write to but can be anyone, erase, the information public server that can not be rewritten, to upload the public key PK _a of its own. However, it is assumed that there is means for correctly displaying who the public key written in the storage area of the information disclosure server is, for example, assuming PKI (public key infrastructure). Similarly, a third-party institution terminal B is also public key to generate a secret key pair (PK _B, SK _B), to upload the public key PK _B of itself to the information public server. The third-party organization is not specifically defined here. For example, the third-party organization A is a public consumer protection organization and the third-party organization B is a legal service business organization. It is desirable from the viewpoint of the possibility of collusion that it is easy to be approved by the government and is a different industry. The authentication server first generates a signature generation key and signature verification key (sk, vk) for digital signature as pre-processing, and uploads its own signature verification key vk to the information disclosure server.
On the other hand, the user first confirms the identity correctly by, for example, performing offline identification to the authentication server administrator as a pre-process, and the authentication server administrator issues a user ID and password to the user when the confirmation is completed.

FIG. 3 shows an anonymous communication method (Web site access of a transmission terminal) in this embodiment.
Next, a procedure for the transmission terminal used by the user to access the auction website will be described.
Now, it is assumed that the transmission terminal is connected to the LAN and can access various servers on the Internet by relaying a proxy server in the LAN connected to the ISP server by a dedicated line. First, the transmitting terminal accesses the authentication server on the Internet, and transmits the user ID and password input by the user on the browser to the authentication server. At this time, in order to prevent eavesdropping of secret information such as a password, the communication path is assumed to be encrypted using an SSL (secure sockets layer) protocol or the like.

The authentication server confirms the identity of the user from the user ID stored in the DB, and if the password is correct, the user information UI including the name, address, etc. of the user is used as the public key of the third party terminals A and B. The ciphertext C = E (E (UI, PK _A ), PK _B ) encrypted in multiple times with C and the authentication server signature σ = S (C || TS for the data concatenation C || TS of the current time TS , Sk) is generated and (C, TS, σ) is returned to the transmitting terminal. Here, E and S are an encryption function for public key cryptography and a signature generation function for digital signature, respectively. Also, PK _A and PK _B are downloaded in advance from the information disclosure server, and the selection of the encryption algorithm and signature algorithm is also written in the information disclosure server, and is common to the entire system in the present invention.

The transmitting terminal that receives (C, TS, σ) first downloads the signature verification key vk of the authentication server from the information disclosure server, and (C || TS) = V (σ, vk) holds, that is, the signature is correctly signed. Make sure. Here, V is a signature verification function of a digital signature. Then, (C, TS, σ) is attached to the message msg to be transmitted to the auction website and transmitted to the auction website. On the other hand, if the above confirmation items are illegal, take measures such as reporting an error to the authentication server.
The auction website that receives (msg, C, TS, σ) first confirms that (C || TS) = V (σ, vk) holds. Here, it is assumed that vk is downloaded in advance from the information disclosure server. Then confirm that the TS is within the expiration date. The reason for adding TS here is that if σ = S (C, sk) is simply set, spoofing is possible when (C, σ) leaks. If at least one of the above two confirmation items is illegal, access is denied.
The auction website that has received msg as described above subsequently executes the event requested by msg in the same way as normal web communication.
Next, a procedure for disclosing the user information of the unauthorized user will be described on the assumption that the user of the transmission terminal has presented a prominent name or address despite a successful bid.

An anonymous communication method (user information disclosure) in this embodiment is shown in FIG.
It is assumed that the process for disclosing user information is performed on a disclosure server that can be read from and written to the storage area of only various websites and third-party terminals arranged on the Internet. Here, as with the information disclosure server, the disclosure server has means for specifying who wrote all the data written in the storage area of the disclosure server.

First, the auction website uploads evidence cheat and (C, TS, σ) that an anonymous user has performed an unauthorized operation to the disclosure server. Subsequently, the third party organization B only accesses the disclosure server, downloads (cheat, C, TS, σ), judges cheat to be illegal, and shows the validity of the signature. The terminal B generates a result of decrypting C using its own secret key SK _B, that is, E (UI, PK _A ) = D (C, SK _A ), and uploads this to the disclosure server, where D is It is a decryption function of public key cryptography. Similarly, when third party A accesses the disclosure server and downloads (cheat, E (UI, PK _A ), TS, σ), judges cheat is illegal, and the validity of the signature is indicated Only, a result of decrypting E (UI, PK _A ) from the third party terminal A using its own secret key SK _A, that is, UI = D (E (UI, PK _A ), SK _A ) is generated, Upload this to the disclosure server. Through the above procedure, the user information UI of the unauthorized user is disclosed on the disclosure server.

(Second Embodiment)
Next, a second embodiment will be described.
In the first embodiment, (1) if the authentication server and the auction website are collaborated, based on (C, TS, σ), the use of the user who has operated the transmission terminal accessing the auction website Information can be disclosed. (2) By uploading an unauthorized decryption result to the disclosure server by any of the third party terminals A and B, not only can the user information of the unauthorized user be disclosed, but which of the third party terminals Therefore, it is difficult to specify whether the user has performed fraudulent processing. Therefore, the anonymity of users in (1) and the anonymity of unauthorized users in (2) It can be said that it depends heavily on. On the other hand, this embodiment can be positioned as an approach for improving the above two points.

  In the second embodiment, a transmitting terminal directly connected to the Internet connects to a portal site provided with an authentication server on the Internet, and the transmitting terminal receives authentication on the portal site and determines a proxy server to relay. An example of accessing the anonymous bulletin board website after obtaining necessary information about the relay proxy server and the anonymous bulletin board website of the user from the portal site, and the user of the transmitting terminal defeats an individual's honor An example in which a plurality of organizations cooperate to disclose user information of an unauthorized user assuming that writing is performed on the anonymous bulletin board website will be described in detail with reference to the drawings.

An anonymous communication system in this embodiment is shown in FIG.
Here, technology is referred to as a verifiable secret sharing (Document 2: Okamoto, Yamamoto "modern cryptography" Section 14.5 (pp.217,218), see industry Books) by using a third-party organization X, Y, If two or more institutions among Z agree, a description will be given by taking as an example a technique capable of correctly performing a decryption process by using third party terminals X, Y, and Z, respectively. This makes it possible to correctly decrypt an arbitrary ciphertext even when one institution refuses to disclose. Note that the total number of third party organizations and the number of agreements that can be decrypted can be made variable without any technical problem and can be set to an arbitrary number.

An anonymous communication method (pre-processing) in this embodiment is shown in FIG.
The third party terminals X, Y, and Z used by the third party institutions X, Y, and Z respectively generate secret information s _X , s _Y , and s _Z as pre-processing, and then each secret information. Distribute to other third party terminals. This distribution, for example, third party terminal X is s _X from s _{X, Y,} s _X, generates a _Z, third party terminal Y to s _X, a _Y, a third party terminal Z s Send _{X and Z} respectively. Then the use of the verifiable secret sharing techniques, s _{X, Y} or s _X, it is not possible to obtain significant information about s _X only _Z, easily s _X by using the both becomes possible product. Further, in the verifiable secret sharing technique, the secret information is distributed (e.g. s _{X, Y} and s _{X, Z)} without revealing a correctly that secret information (e.g., s _X) can be recovered, distributed It is also possible to convince a device (for example, a third party organization Y, Z).

Next, the third party terminal X, Y, Z is a certain one-way function f included in the data in the storage area of the portal site that is arranged on the Internet and has a storage area where anyone can read and write. Are generated to generate PK _X = f (s _X ), PK _Y = f (s _Y ), and PK _Z = f (s _Z ), respectively, and upload them to the portal site. Here, since f is a one-way function, for example, it is difficult to obtain S _X from PK _X, and the same applies to other cases. Further, it is assumed that a function g can be downloaded from the portal site in the same manner, so that anyone can generate a public key PK = g (PK _X , PK _Y , PK _Z ). Here, the specific way of taking f and g is described in the above-mentioned document 2, and thus the description thereof is omitted.

  As in the first embodiment, the portal site including the authentication server first generates a set (sk, vk) of a signature generation key and signature verification key of a digital signature as a pre-process, and anyone can read and write Own signature verification key vk is stored in the storage area. On the other hand, as in the case of the first embodiment, the user first confirms the identity as a pre-process by, for example, offline identification to the portal site administrator, and the portal site administrator confirms the user ID and password. Is issued to the user.

Assume that there are N proxy servers, and each proxy server i (1 ≦ i ≦ N) has a public key for public key encryption, a set of private keys (PK _i , SK _i ), a signature generation key for digital signature, and signature verification A key pair (sk _i , vk _i ) is generated, and its own public key PK _i and signature verification key vk _i are uploaded to the portal site. Similarly, various websites including anonymous bulletin board websites (assuming that there are a total of M sites) public key, private key pair (PK ′ _j , SK ′ _j ) (1 ≦ j ≦ M), and signature generation key Then, a signature verification key pair (sk ′ _j , vk ′ _j ) is generated, and its own public key PK ′ _j and signature verification key vk ′ _j are uploaded to the portal site. Here, as in the first embodiment, it is assumed that there is means for specifying who wrote all the data written in the storage area of the portal site.

FIG. 7 shows an anonymous communication method (Web site access of the transmitting terminal) in this embodiment.
Next, a procedure for the transmission terminal used by the user to access the anonymous bulletin board website will be described.
First, the transmission terminal accesses the portal site on the Internet, and transmits the user ID and password input by the user on the browser to the authentication server. At this time, in order to prevent eavesdropping on secret information such as a password, the communication path is assumed to be encrypted using the SSL protocol or the like.
In response, the portal site confirms the identity of the user from the user ID stored in the DB of the authentication server. If the password is correct, the portal site stores the user information UI including the name, address, etc. A ciphertext C = E (UI, PK) encrypted with the public key PK stored in the area is generated.

Next, the transmission terminal downloads the proxy server and various website list lists stored in the storage area of the portal site, and selects the relay proxy server and website used by itself. Here, it is assumed that the proxy servers 1 and 2 and the anonymous bulletin board website are selected, and the list includes the IP address, public key, and signature verification key of each server. In addition, the public key encryption algorithm, digital signature algorithm, and common key encryption algorithm used in this embodiment are predetermined on the portal site, and are not particularly limited here. Next, the transmitting terminal performs the following process.
1. Create (determine) a message msg to be sent to the anonymous bulletin board website.
2. The common keys K ₁ , K ₂ and K ₃ are determined.
3. W ₂ = (Addr ₃ || E (K ₃ , PK ′ ₃ ) || Enc (msg, K ₃ )) is calculated.
4). W ₁ = (Addr ₂ || E (K ₂ , PK ₂ ) || Enc (W ₂ , K ₂ )) is calculated.
5). W ₀ = (Addr ₁ || E (K ₁ , PK ₁ ) || Enc (W ₁ , K ₁ )) is calculated.
Here, Addr ₃ , Addr ₂ , and Addr ₁ are the anonymous bulletin board website, the proxy server 2 and the IP address of the proxy server 1, respectively, and E and Enc are the encryption function for the public key encryption and the encryption function for the common key encryption, respectively. PK ' ₃ , PK ₂ , and PK ₁ are the anonymous bulletin board website, proxy server 2, public key of proxy server 1, and E (x, y), Enc (x, y), and x is the key Let us denote the ciphertext encrypted with y.

Finally, the transmitting terminal transmits W ₀ to the portal site.
The portal site that received W ₀ from the transmitting terminal, for the four sets of C generated earlier, its own IP address Addr ₀ , IP address Addr ₁ included in W ₀ , and current time TS ₀ , The signature σ ₀ = S (C || Addr ₀ || Addr ₁ || TS ₀ , sk) is generated using its own signature generation key sk. Then, (C, TS ₀ , σ ₀ ) is attached to W ′ ₀ = E (K ₁ , PK ₁ ) || Enc (W ₁ , K ₁ ) included in W ₀ , and the proxy server 1 is added according to Addr _1. (W ' ₀ , C, TS ₀ , σ ₀ ) is transmitted.
The proxy server 1 that has received (W ′ ₀ , C, TS ₀ , σ ₀ ) from the portal site downloads the signature verification key vk of the portal site from the portal site, and then (C || Addr ₀ || Addr ₁ || TS ₀ ) = V (σ ₀ , vk) is satisfied, that is, it is confirmed that it is correctly signed. Also, it is confirmed that the time TS ₀ is a valid time (close to the reception time). If the signature is invalid, take action by reporting an error to the portal site. Now, assuming that the signature verification is correct, the proxy server 1 decrypts E (K ₁ , PK ₁ ) included in W ′ ₀ using its own secret key SK ₁ and K ₁ = D (E ( K ₁ , PK ₁ ), SK ₁ ) are obtained. And further decrypts the Enc (W _1, K ₁₎ included in W _'0 with _{K 1, W 1 = Dec (} Enc (W 1, K 1), K 1) = (Addr 2 || E ( K ₂ , PK ₂ ) || Enc (W ₂ , K ₂ )). Subsequently, the public key PK is downloaded from the portal site, and the ciphertext C ₁ = E (C || Addr ₀ || Addr ₁ || TS ₀ | of (C, Addr ₀ , Addr ₁ , TS ₀ , σ ₀ ). | σ ₀ , PK). The C _1, Addr _1, and IP address Addr ₂ contained W _1, further against the four sets of current time TS _1, signed using the signature generation key sk ₁ itself σ ₁ = S (C ₁ | | Addr ₁ || Addr ₂ || TS ₁ , sk ₁ ). Finally, W _'1 = E contained in _{W 1 (K 2, PK 2} ) || Enc (W 2, K 2) to _{(C 1, TS 1, σ} 1) attach, proxy according Addr ₂ (W ′ ₁ , C ₁ , TS ₁ , σ ₁ ) is transmitted to the server 2.

The proxy server 2 that has received (W ′ ₁ , C ₁ , TS ₁ , σ ₁ ) from the proxy server 1 downloads the signature verification key vk ₁ of the proxy server 1 from the portal site, and then (C ₁ || Addr ₁ || Addr ₂ || TS ₁ ) = V (σ ₁ , vk ₁ ) is satisfied, that is, it is confirmed that it is correctly signed. Also, confirm that time TS ₁ is a valid time (close to the reception time). Here, if the signature is invalid, it is dealt with by reporting an error to the proxy server 1 or the like. Now, assuming that the signature verification is correct, the proxy server 2 then decrypts E (K ₂ , PK ₂ ) included in W ′ ₁ using its own secret key SK ₂ , and K ₂ = D (E ( K ₂ , PK ₂ ), SK ₂ ) are obtained. And further K ₂
Is used to decode Enc (W ₂ , K ₂ ) included in W ′ ₁ and W ₂ = Dec (Enc (W ₂ , K ₂ ), K ₂ ) = (Addr ₃ || E (K ₃ , PK _'3) obtain a _{|| Enc (msg, K 3)} ). Subsequently, the public key PK is downloaded from the portal site, and the ciphertext C ₂ = E (C ₁ || Addr ₁ || Addr ₂ || TS of (C ₁ , Addr ₁ , Addr ₂ , TS ₁ , σ ₁ ) ₁ || σ ₁ , PK). The signature σ ₂ = S (C ₂ || using the signature generation key sk ₂ for the four sets of IP address Addr ₃ and current time TS ₂ included in C ₂ , Addr ₂ and W _2. Addr ₂ || Addr ₃ || TS ₂ , sk ₂ ). Finally, (C ₂ , TS ₂ , σ ₂ ) is attached to W ′ ₂ = E (K ₃ , PK ′ ₃ ) || Enc (msg, K ₃ ) included in W _2, and anonymous according to Addr ₃ (W ′ ₂ , C ₂ , TS ₂ , σ ₂ ) is transmitted to the bulletin board website.

The anonymous bulletin board website that has received (W ′ ₂ , C ₂ , TS ₂ , σ ₂ ) from the proxy server 2 downloads the signature verification key vk ₂ of the proxy server 2 from the portal site, and then (C ₂ || Addr ₂ || Addr ₃ || TS ₂ ) = V (σ ₂ , vk ₂ ) is satisfied, that is, it is confirmed that it is correctly signed. Also, confirm that the time TS ₂ is a valid time (close to the reception time). Here, if the signature is invalid, it is dealt with by reporting an error to the proxy server 2 or the like. Now that the signature verification is correct, the anonymous bulletin board website then decrypts E (K ₃ , PK ′ ₃ ) contained in W ′ ₂ using its own secret key SK ′ ₃ , and K ₃ = D (E (K ₃ , PK ′ ₃ ), SK ′ ₃ ) is obtained. Further, if Enc (msg, K ₃ ) included in W ′ ₂ is decoded using K ₃ , msg which is the body text from the transmitting terminal can be obtained.

As described above, the anonymous bulletin board Web site that has received msg executes the event requested by msg thereafter.
Here, when the anonymous bulletin board website wants to return msg ′ to the transmission terminal whose IP address is unknown, for example, the anonymous bulletin board website generates B ₃ = Enc (msg ′, K ₃ ) and uses this as a proxy server. 2, the proxy server 2 that has received B ₃ from the anonymous bulletin board website generates B ₂ = Enc (B ₃ , K ₂ ), transmits this to the proxy server 1, and B ₂ is sent to the proxy server 2. The proxy server 1 that received the message generates B ₁ = Enc (B ₂ , K ₁ ), transmits this to the portal site, and the portal site that receives B ₁ from the proxy server 1 sends B ₁ to the transmitting terminal. The transmitting terminal that has transferred and finally received B ₁ from the portal site can obtain msg ′ by sequentially decoding B ₁ using K ₁ , K ₂ , and K ₃ .

Here, the reason why each server in the communication path performs the encryption process on the received data is as follows.
First, if each server only forwards msg 'to the adjacent device in the previous stage, for example, if the anonymous bulletin board website and the portal site collaborate, the sending terminal that accessed the anonymous bulletin board website is operated based on msg'. It becomes possible to disclose the user information of the user. In addition, for an attacker who can eavesdrop on data output from the anonymous bulletin board website and data input to the portal site, an anonymous proxy is provided between the portal site and the anonymous bulletin board website because of the uniqueness of the data. Relaying a server makes no sense.
These problems cannot be solved even if the anonymous bulletin board website encrypts msg 'using the anonymous user's key as long as the ciphertext is unchanged in the communication path.
However, the encryption process of each server by the method described above can prevent anonymity infringement due to the collusion of the server and the eavesdropping on the local communication path.

The anonymous communication method (user information disclosure) of this embodiment is shown in FIG.
Next, a procedure for disclosing the user information of the unauthorized user will be described on the assumption that the user of the transmission terminal has made a writing that defeats an individual's honor on the anonymous bulletin board website. The process for disclosing user information is performed on the portal site.
First, the anonymous bulletin board Web site uploads evidence cheat and (C ₂ , Addr ₂ , Addr ₃ , TS ₂ , σ ₂ ) that an anonymous user has performed an illegal operation to the disclosure server.
Subsequently, the third party organization X accesses the portal site, downloads R ₃ = (cheat, C ₂ , Addr ₂ , Addr ₃ , TS ₂ , σ ₂ ), judges cheat to be illegal, and signs σ _2. Only when the validity of the time TS ₂ is indicated, the secret information s _{X of the} own party from the third party terminal X and the secret information s _{Y, X} , s _Z, distributed from the third party terminals Y and Z Partially decrypt C ₂ using _X. This is C _{2, X.} And upload partially decoded data C _{2, X} against the C ₂ to the portal site. Here, the validity of the time TS ₂ means whether the TS ₂ is within a preset system parameter range.

Similarly third party Z downloads the R ₃ accesses the portal site determines that illegally cheat, and if the validity of the signature and the time is indicated only secret from third parties Z own information s _Z and third party terminal X, the secret information distributed from _{Y s X, Z, s Y} , partially decodes the C ₂ using _Z. Let this be C2 _{, Z.} And upload the partially decoded data C _{2, Z} with respect to the C ₂ to the portal site.
Then, if the verifiable secret sharing technique is used, the decryption result R ₂ = (C ₁ || Addr ₁ || Addr ₂ || TS ₁ || σ ₁ ) from C _{2, X} , C _{2, Z} to C ₂ is obtained. Obtainable. Further, the validity of the processing results for C _{2, X} and C _{2, Z} can be verified by the zero knowledge proof technique, so that the third party terminal can prove that the unauthorized processing has not been performed. Thus properly C ₂ is guaranteed to be decoded. However, the details of the above technique are described in (Reference 3: P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” In Proc. Of the 28th IEEE Symposium on the Foundations of Computer Scince (FOCS), IEEE Press, pp. 427-437, Oct. 1987.) and the like are not described here.

On the other hand, when the third party terminal determines that the signature or time is not valid for the information presented on the anonymous bulletin board website, the anonymous bulletin board website is regarded as an illegal process and the process is terminated. The reason is that if the signature or time is not valid, the anonymous bulletin board Web site should refuse to receive transmission data (W ′ ₂ , C ₂ , TS ₂ , σ ₂ ) from the proxy server 2. .
Thereafter, it is assumed that C ₂ is correctly decrypted and the decryption result R ₂ = (C ₁ || Addr ₁ || Addr ₂ || TS ₁ || σ ₁ ) is uploaded to the portal site.

Subsequently, the third party institution X accesses the portal site, downloads R ₂ , and only when the validity of the signature σ ₁ and the time TS ₁ is shown, the third party terminal X sends its own confidential information s _X And C ₁ is partially decrypted using secret information s _{Y, X} , s _{Z, X} distributed from the third party terminals Y, Z. This is C1 _{, X.} And upload partially decoded data C _{1, X} against the C ₁ to the portal site. Here, the validity of time TS ₁ means whether or not the time interval between TS ₁ and TS ₂ is within a preset system parameter range.
Similarly, the third party terminal Z accesses the portal site, downloads R ₂ , and only when the validity of the signature σ ₁ and the time TS ₁ is shown from the third party terminal Z, own secret information s _Z And C ₁ is partially decrypted using the secret information s _{X, Z} , s _{Y, Z} distributed from the third party terminals X, Y. Let this be C1 _{, Z.} And upload partially decoded data C _{1, Z} with respect to the C ₁ to the portal site. Here, the ciphertext can be decrypted if at least two third party terminals now cooperate, and of course, the third party terminal to process may be Y.

Then, if the verifiable secret sharing technique is used, the decryption result R ₁ = (C || Addr ₀ || Addr ₁ || TS ₀ || σ ₀ ) of C ₁ is obtained from C _{1, X} and C _{1, Z.} be able to. Further, since the correctness of the processing results for C _{1, X} and C _{1, Z} can be verified by the zero knowledge proof technique, it can be proved that the third-party terminal does not perform unauthorized processing. This ensures that C ₁ is correctly decoded.
On the other hand, if the third party terminal determines that the signature or time is not valid, the proxy server 2 corresponding to the IP address Addr ₂ is regarded as an illegal process and the process is terminated. The reason is that, if the signature or time is not valid, the proxy server 2 should originally refuse to receive transmission data (W ′ ₁ , C ₁ , TS ₁ , σ ₁ ) from the proxy server 1.

Thereafter, it is assumed that C ₁ is correctly decrypted and the decryption result R ₁ = (C ₁ || Addr ₀ || Addr ₁ || TS ₀ || σ ₀ ) is uploaded to the portal site.
Subsequently, the third party institution X accesses the portal site, downloads R ₁ , and only when the validity of the signature σ ₀ and the time TS ₀ is indicated, the third party terminal X transmits its own secret information s _X And C is partially decrypted using the secret information s _{Y, X} , s _{Z, X} distributed from the third party terminals Y, Z. This is C _X. Then, the data C _X partially decrypted for C is uploaded to the portal site. Here, the validity of time TS ₀ means whether or not the time interval between TS ₀ and TS ₁ is within a preset system parameter range.

Similarly, only when the third party Z accesses the portal site, downloads R ₁ , and the validity of the signature σ ₀ and the time TS ₀ is indicated, the third party terminal Z sends its own secret information s _Z And C is partially decrypted using the secret information s _{X, Z} , s _{Y, Z} distributed from the third party terminals X, Y. This is C _Z. Then, the data C _Z partially decrypted for C is uploaded to the portal site. Here, if at least two third party terminals cooperate now, the ciphertext can be decrypted. Of course, the third party terminal to process may be Y.
Then, if a verifiable secret sharing technique is used, a C decryption result UI can be obtained from C _X and C _Z. This makes it possible to disclose unauthorized person information. In addition, since the processing result validity for C _X and C _Z can be verified by the zero knowledge proof technique, it can be proved that the third-party terminal does not perform unauthorized processing. This ensures that C is correctly decrypted.

On the other hand, if the third party terminal determines that the signature or time is not valid, the proxy server 1 corresponding to the IP address Addr ₁ is regarded as an illegal process and the process is terminated. The reason is that if the signature or time is not valid, the proxy server 1 should originally refuse to receive the transmission data (W ′ ₀ , C, TS ₀ , σ ₀ ) from the portal site.
As a result of the above, disclosure of user information that has not been performed illegal operations is limited to the collusion of a certain number of third-party organizations or the collusion of the administrators of all relay servers in the communication path connecting the transmitting terminal and receiving terminal. Is expected to be difficult.

(Third embodiment)
Finally, a third embodiment will be described.
In the second embodiment, in order to prevent various devices (portal site, proxy server, anonymous bulletin board website) from appropriately switching data to a device adjacent to the subsequent stage in the communication path (anonymous bulletin board website). In order to prevent replacement of data uploaded to the portal site in order to request disclosure of user information), a chain of transmission data of various devices in the communication path between the transmission device and the reception device is formed by the signature and time Was. As a result, unauthorized processing is prevented by reducing the difficulty of signature forgery by various devices transmitting unauthorized data to an adjacent device. The reason why the times are linked here is to prevent the relay server from reusing past transmission data.

However, it is assumed that the problem that all servers synchronize time and how much time interval is allowed is not simple. Therefore, this embodiment provides a technique that can maintain the characteristics that the time management is unnecessary in the second embodiment and that the device in the communication path makes it difficult to perform unauthorized processing.
In the third embodiment, a transmitting terminal directly connected to the Internet connects to a portal site provided with an authentication server on the Internet, and the transmitting terminal receives authentication on the portal site and determines a proxy server to relay. An example of accessing the content sales site after acquiring necessary information about the relay proxy server and the content sales site of the user from the portal site, and the user of the transmitting terminal illegally sold the content purchased anonymously As an example, an example in which a plurality of organizations cooperate to disclose user information of the unauthorized user will be described in detail.
Since the system configuration in this embodiment is the same as that shown in FIG.
Here, as in the second embodiment, if two or more of the third party organizations X, Y, and Z agree using the verifiable secret sharing technique, the third party terminal X, A description will be given by taking as an example a technique that can correctly perform a decoding process by using Y and Z, respectively.

An anonymous communication method (pre-processing) in this embodiment is shown in FIG.
The third party terminals X, Y, and Z used by the third party institutions X, Y, and Z respectively generate secret information s _X , s _Y , and s _Z as pre-processing, and then each secret information. Distribute to other third party terminals. This distribution is performed, for example, by the third party terminal _X from s _X to s _{X, Y} , s _{X, Z}
S _{X, Y} is transmitted to the third party terminal Y, and s _{X, Z} is transmitted to the third party terminal Z. Then the use of the verifiable secret sharing technique s _{X, Y,} or s _X, it is not possible to obtain significant information about s _X only _Z, easily s _X is can be generated by using the both. Further, in the verifiable secret sharing technique, the secret information is distributed (e.g. s _{X, Y} and s _{X, Z)} without revealing a correctly that the secret information (e.g., s _X) can be recovered, the distributed system (For example, it is possible to convince a third party organization Y, Z).

Next, the third party terminal X, Y, Z is a certain one-way function f included in the data in the storage area of the portal site that is arranged on the Internet and has a storage area where anyone can read and write. Are generated to generate PK _X = f (s _X ), PK _Y = f (s _Y ), and PK _Z = f (s _Z ), respectively, and upload them to the portal site. Here, since f is a one-way function, it is difficult to obtain s _X from PK _X , for example, and so on. Furthermore, it is assumed that any function f ′ can be downloaded from the portal site in the same manner, so that anyone can generate a public key PK = f ′ (PK _X , PK _Y , PK _Z ). Here, since a specific method of taking f and f ′ is described in Document 2, description thereof is omitted.

及びデジタル署名の署名生成鍵、署名検証鍵の組（sk_i，vk_i）を生成し、ポータルサイトに自身の公開鍵PK_i及び署名検証鍵vk_iをアップロードする。ここでhは離散対数問題を安全性の拠り所とできるような巡回群の生成元、ａ_iは適当な値とする。なお、本記号の詳細な説明及びこの実施の形態で用いるオニオンルーティング技術のアルゴリズムは（文献４：千田他，“Ｍｉｘ−ｎｅｔにおける匿名性取り消しに関するセキュリティ考察，”信学技法，ISEC2002-152，pp.99-104, 2002年３月）に記載されているとおりである。 As in the first embodiment, the portal site including the authentication server first generates a set (sk, vk) of a signature generation key and signature verification key of a digital signature as a pre-process, and anyone can read and write Own signature verification key vk is stored in the storage area. On the other hand, as in the case of the first embodiment, the user first confirms the identity as a pre-process by, for example, offline identification to the portal site administrator, and the portal site administrator confirms the user ID and password. Is issued to the user.
It is assumed that there are N proxy servers, and each proxy server i (1 ≦ i ≦ N) is a set of public key and public key for public key encryption.

And a signature generation key and signature verification key pair (sk _i , vk _i ) of the digital signature, and uploads its own public key PK _i and signature verification key vk _i to the portal site. Here, h is a generator of a cyclic group that can use the discrete logarithm problem as the basis of safety, and a _i is an appropriate value. The detailed explanation of this symbol and the algorithm of the onion routing technology used in this embodiment are described in (Reference 4: Senda et al., “Security considerations regarding anonymity cancellation in Mix-net,” IEICE Technical, ISEC2002-152, pp. .99-104, March 2002).

及び署名生成鍵、署名検証鍵の組（sk’_j，vk’_j）を生成し、ポータルサイトに自身の公開鍵PK’_j及び署名検証鍵vk’_jをアップロードする（１≦ｊ≦Ｍ）。ここで、第１の実施の形態同様、ポータルサイトの記憶領域に書き込まれた全てのデータが、誰により書き込まれたものかを特定する手段を有するものとする。
また、この実施の形態では、検証可秘密分散技術を用いてプロキシサーバ及び各種Ｗｅｂサイトの秘密鍵を第三者機関端末に分配するようにする。その方法は、文献４に詳しいためここでは説明を省略するが、プロキシサーバｉの秘密鍵ａ_i、および各種Ｗｅｂサイトの秘密鍵ｂ_iは第三者機関端末Ｘ，Ｙ，Ｚのためにａ_i→ａ_i,X，ａ_i,Y，ａ_i,Z、ｂ_i→ｂ_i,X，ｂ_i,Y，ｂ_i,Zと分配される。そしてこれにより一定数以上の第三者機関が合意すれば、任意のプロキシサーバの処理を代替することができる。また、この第三者機関端末への秘密鍵の分配によってプロキシサーバ及び各種Ｗｅｂサイトの登録処理とみなすことができる。 Similarly, various Web sites including content sales sites (assuming that there are a total of M sites) are a set of public key and secret key.

A signature generation key and signature verification key pair (sk ′ _j , vk ′ _j ) is generated, and the public key PK ′ _j and signature verification key vk ′ _j are uploaded to the portal site (1 ≦ j ≦ M) . Here, as in the first embodiment, it is assumed that there is means for specifying who wrote all the data written in the storage area of the portal site.
In this embodiment, the secret key of the proxy server and various websites is distributed to the third party terminals using the verifiable secret sharing technique. Since the method is detailed in Document 4, description thereof is omitted here, but the secret key a _i of the proxy server i and the secret key b _i of various websites are a for the third party terminals X, Y, Z. _i → a _{i, X} , a _{i, Y} , a _{i, Z} , b _i → b _{i, X} , b _{i, Y} , b _{i, Z} are distributed. And if a certain number or more of third party organizations agree by this, processing of arbitrary proxy servers can be substituted. Further, it can be regarded as a registration process of the proxy server and various websites by distributing the secret key to the third party terminal.

FIG. 10 shows an anonymous communication method (Web site access of the transmitting terminal) in this embodiment.
Next, a procedure for the transmission terminal used by the user to access the content sales site will be described. First, the transmission terminal accesses the portal site on the Internet, and transmits the user ID and password input by the user on the browser to the authentication server. At this time, in order to prevent eavesdropping on secret information such as a password, the communication path is assumed to be encrypted using the SSL protocol or the like.
In response, the portal site confirms the identity of the user from the user ID stored in the DB of the authentication server. If the password is correct, the identifier corresponding to the user information UI including the name, address, etc. of the user A ciphertext C = E (ui, PK) is generated by encrypting ui with the public key PK stored in its own storage area. For example, ui is a UI index stored in the DB or a hash value of the UI.

  Next, the transmission terminal downloads the proxy server and various website list lists stored in the storage area of the portal site, and selects the relay proxy server and website used by itself. Here, it is assumed that the proxy servers 1 and 2 and the content sales site are selected, and the list includes the IP address, public key, and signature verification key of each server. In addition, the digital signature algorithm and the common key encryption algorithm used in this embodiment are predetermined on the portal site, and are not particularly limited here. However, in this embodiment, the public key encryption algorithm is not used as in the second embodiment, but the key sharing algorithm described in Document 4 is used. The reason will be explained later.

４．W₂＝(Addr₃||Enc(msg，K₃))を計算する。
５．W₁＝(Addr₂||Enc(W₂，K₂))を計算する。
６．W₀＝(Addr₁||Enc(W₁，K₁))を計算する。
ここで、Addr₃，Addr₂，Addr₁はそれぞれコンテンツ販売サイト、プロキシサーバ２、プロキシサーバ１のＩＰアドレスを、Encは共通鍵暗号の暗号化関数を、そしてEnc(x，y)で、ｘを鍵ｙで暗号化した暗号文を表すものとする。 Next, the transmitting terminal performs the following process.
1. Create (determine) a message msg to be sent to the content sales site.
2. G ₀ = h ^w is calculated (w is an appropriate random number).
3. Proxy servers 1, 2 and content sales site

4). W ₂ = (Addr ₃ || Enc (msg, K ₃ )) is calculated.
5. W ₁ = (Addr ₂ || Enc (W ₂ , K ₂ )) is calculated.
6). W ₀ = (Addr ₁ || Enc (W ₁ , K ₁ )) is calculated.
Here, Addr ₃ , Addr ₂ and Addr ₁ are the IP addresses of the content sales site, proxy server 2 and proxy server 1, Enc is the encryption function of the common key encryption, and Enc (x, y) is x Represents a ciphertext encrypted with a key y.

Finally, the transmitting terminal transmits (G ₀ , W ₀ ) to the portal site.
(G _0, W ₀₎ portal received from the transmitting terminal includes a G _0, W contained in _{W 0 '0 = Enc (W} 1, K 1), and C were generated earlier and its own IP address, IP included in Addr ₀ and W ₀
Generate signature σ ₀ = S (G ₀ || W ' ₀ || C || Addr ₀ || Addr ₁ , sk) for the five sets of address Addr ₁ using its own signature generation key sk . Then, (G ₀ , W ′ ₀ , C, σ ₀ ) is transmitted to the proxy server ₁ according to Addr ₁ .

W’₀を復号してW₁＝Dec(Enc(W₁，K₁))＝(Addr₂||Enc(W₂，K₂))を得る。続いて、公開鍵PKをポータルサイトよりダウンロードし、(G₀，C，Addr₀，Addr₁，σ₀)の暗号文
C₁＝E(G₀||C||Addr₀||Addr₁||σ₀，PK)を生成する。

G₁、そしてW₁に含まれるW’₁＝Enc(W₂，K₂)、また、C₁，Addr₁、そしてW₁に含まれるＩＰアドレスAddr₂の五つの組に対して、自身の署名生成鍵sk₁を用いて署名σ₁＝S(G₁||W’₁||C₁||Addr₁||Addr₂，sk₁)を生成する。最終的に、Addr₂に従ってプロキシサーバ２に(G₁
，W’₁，C₁，σ₁)を送信する。 The proxy server 1 that has received (G ₀ , W ′ ₀ , C, σ ₀ ) from the portal site downloads the signature verification key vk of the portal site from the portal site, and then (G ₀ || W ′ ₀ || C || Addr ₀ || Addr ₁ ) = V (σ ₀ , vk) holds, that is, confirms that the signature is correct. If the signature is invalid, take action by reporting an error to the portal site. Now that the signature verification is correct, the proxy server 1 then uses the received G ₀ = h ^w and its private key a ₁ ,

W ′ ₀ is decoded to obtain W ₁ = Dec (Enc (W ₁ , K ₁ )) = (Addr ₂ || Enc (W ₂ , K ₂ )). Next, the public key PK is downloaded from the portal site, and the ciphertext of (G ₀ , C, Addr ₀ , Addr ₁ , σ ₀ )
C ₁ = E (G ₀ || C || Addr ₀ || Addr ₁ || σ ₀ , PK) is generated.

G _1, and W _'1 = Enc contained in _{W 1 (W 2, K 2} ), also with respect to C _1, Addr _1, and IP address Addr ₂ five pairs contained in W _1, its A signature σ ₁ = S (G ₁ || W ′ ₁ || C ₁ || Addr ₁ || Addr ₂ , sk ₁ ) is generated using the signature generation key sk ₁ . Finally, according to Addr ₂ , proxy server 2 (G ₁
, W ′ ₁ , C ₁ , σ ₁ ).

計算した後、W’₁を復号してW₂＝Dec(Enc(W₂，K₂)，K₂)＝(Addr₃||Enc(msg，K₃))を得る。続いて、公開鍵PKをポータルサイトよりダウンロードし、(G₁，C₁，Addr₁，Addr₂，σ₁)の暗号文C₂＝E(G₁||C₁||Addr₁||Addr₂||σ₁，PK)を生成する。

G₂、そしてW₂に含まれるW’₂＝Enc(msg，K₃)、また、C₂，Addr₂、そしてW₂に含まれるＩＰアドレスAddr₃の五つの組に対して、自身の署名生成鍵sk₂を用いて署名σ₂＝S(G₂||W’₂||C₂||Addr₂||Addr₃，sk₂)を生成する。最終的に、Addr₃に従ってコンテンツ販売サイトに(G₂，W’₂，C₂，σ₂)を送信する。 The proxy server 2 that has received (G ₁ , W ′ ₁ , C ₁ , σ ₁ ) from the proxy server 1 downloads the signature verification key vk ₁ of the proxy server 1 from the portal site, and then (G ₁ || W ' ₁ || C ₁ || Addr ₁ || Addr ₂ ) = V (σ ₁ , vk ₁ ) is satisfied, that is, it is confirmed that it is correctly signed. Here, if the signature is invalid, it is dealt with by reporting an error to the proxy server 1 or the like. Now that the signature verification is correct, the proxy server 2

After the calculation, W ′ ₁ is decoded to obtain W ₂ = Dec (Enc (W ₂ , K ₂ ), K ₂ ) = (Addr ₃ || Enc (msg, K ₃ )). Subsequently, the public key PK is downloaded from the portal site, and the ciphertext C ₂ = E (G ₁ || C ₁ || Addr ₁ || Addr of (G ₁ , C ₁ , Addr ₁ , Addr ₂ , σ ₁ ) ₂ || σ ₁ , PK).

G _2, and W contained in _{W 2 '2 = Enc (msg} , K 3), also with respect to C _2, Addr _2, and IP address Addr ₃ five pairs contained in W _2, signature itself The signature σ ₂ = S (G ₂ || W ′ ₂ || C ₂ || Addr ₂ || Addr ₃ , sk ₂ ) is generated using the generation key sk ₂ . Finally, (G ₂ , W ′ ₂ , C ₂ , σ ₂ ) is transmitted to the content sales site according to Addr ₃ .

を計算した後、W’₂を復号して送信端末からの本文であるmsgを得ることができる。
以上により、msgを受け取ったコンテンツ販売サイトは、その後msgで要求されたイベントを実行する。ここでコンテンツ販売サイトがＩＰアドレスが不明の送信端末にコンテンツcontを返信する例は第２の実施の形態で記した通りであるため、説明を省略する。
この実施の形態における匿名通信方法（利用者情報開示）を図１１に示す。 The content sales site that has received (G ₂ , W ′ ₂ , C ₂ , σ ₂ ) from the proxy server 2 downloads the signature verification key vk ₂ of the proxy server 2 from the portal site, and then (G ₂ || W ' ₂ || C ₂ || Addr ₂ || Addr ₃ ) = V (σ ₂ , vk ₂ ) holds, that is, confirms that the signature is correctly made. Here, if the signature is invalid, it is dealt with by reporting an error to the proxy server 2 or the like. Now that the signature verification is correct, the content sales site

After calculating, W ′ ₂ can be decrypted to obtain msg which is the body text from the sending terminal.
As described above, the content sales site that has received msg executes the event requested by msg thereafter. Here, the example in which the content sales site returns the content cont to the transmitting terminal whose IP address is unknown is as described in the second embodiment, and thus the description thereof is omitted.
The anonymous communication method (user information disclosure) in this embodiment is shown in FIG.

Next, a procedure for disclosing the user information of the unauthorized user will be described assuming that the user of the transmitting terminal illegally bought and sold the content purchased anonymously.
The process for disclosing user information is performed on the portal site.
First, the content sales site has a cheat that an anonymous user has performed an illegal operation, information msg that is evidence of purchasing the content, and (G ₂ , W ′ ₂ , C ₂ , Addr ₂ , Addr ₃ , σ ₂ ) To the disclosure server.

Next, the third party organization X accessed the portal site
R ₃ = (cheat, msg, G ₂ , W ' ₂ , C ₂ , Addr ₂ , Addr ₃ , σ ₂ ) was downloaded, cheat was judged to be illegal, and the effectiveness of msg, σ ₂ was shown only then the secret information itself from third party terminal X s _X and third party terminal Y, the secret information s _Y distributed from _{Z, X,} s _Z, partially decode the C ₂ with _X To do. This is C _{2, X.} Further, W ′ ₂ is partially decrypted using the secret information b _{3, X} distributed from the content sales site. This is W ′ _{2, X.} Then, upload (C _{2, X} , W ' _{2, X} ) to the portal site.

Similarly, third-party organization Z downloads R ₃ from the portal site, judges cheat to be illegal, and only when the validity of msg, σ ₂ is indicated, from third-party organization terminal Z itself C ₂ is partially decrypted using the secret information s _Z and the secret information s _{X, Z} , s _{Y, Z} distributed from the third party terminals X, Y. Let this be C2 _{, Z.} Further, W ′ ₂ is partially decrypted using the secret information b _{3, Z} distributed from the content sales site. Let this be W'2 _{, Z.} Then, upload (C _{2, Z} , W ' _{2, Z} ) to the portal site.

Then C ₂ By using a verifiable secret sharing _{techniques, X,} to obtain a decoding result R ₂ = C ₂ from _{C 2, Z (G 1 ||} C 1 || Addr 1 || Addr 2 || σ 1) be able to. Further, the validity of the processing results for C _{2, X} and C _{2, Z} can be verified by the zero knowledge proof technique, so that the third-party terminal can prove that the unauthorized processing has not been performed. Thus properly C ₂ is guaranteed to be decoded. Furthermore, a decoding result msg of W ′ ₂ can be obtained from W ′ _{2, X} and W ′ _{2, Z.} In addition, since the correctness of the processing results for W'2 _{, X} and W'2 _{, Z} can be verified by the zero knowledge proof technology, it is proved that the third-party terminal does not perform unauthorized processing. it can. This ensures that W ′ ₂ is correctly decoded. The details of the above technique are the same as in the second embodiment, and are not described here because they are detailed in Document 3.

On the other hand, if the third party terminal determines that the signature is not valid for the information presented by the content sales site, the content sales site is regarded as an illegal process and the process is terminated. The reason is that if the signature is not valid, the content sales site should refuse to receive the transmission data (G ₂ , W ′ ₂ , C ₂ , σ ₂ ) from the proxy server 2. Similarly, if the decryption result of W ′ ₂ does not become the msg presented by the content sales site, the content sales site is regarded as an illegal process and the process is terminated. The reason is that the third party terminal can correctly reproduce the decryption process of the content sales site by the verifiable secret sharing technique.

Thereafter, C ₂ is correctly decrypted and the decryption result of C ₂
R ₂ = (G ₁ || C ₁ || Addr ₁ || Addr ₂ || σ ₁ ) is uploaded to the portal site, and the decryption result of W ' ₂ also matches the msg presented by the content sales site. Proceed with the story.
Subsequently, the third party organization X accesses the portal site, downloads R _2, and own secret information s _{X from the} third party terminal _X and secret information s _Y distributed from the third party terminals Y and Z. _{, X} , s _{Z, X} partially decode C ₁ . This is C1 _{, X.} Further, (Addr ₃ || W ′ ₂ ) is partially encrypted using the secret information a _{2, X} distributed from the proxy server 2. This is W'1 _{, X.} This (C _{1, X} , W ' _{1, X} ) is uploaded to the portal site.

Similarly, the third party institution Z accesses the portal site and downloads R _2, and the secret information s _{Z from the} third party terminal _Z and the secret information s _X distributed from the third party terminals X and Y are displayed. _{, Z} , s _{Y, Z} to partially decode C ₁ . This is C _{1, Z.} Further, (Addr ₃ || W ′ ₂ ) W ′ ₁ is partially encrypted using the secret information a _{2, Z} distributed from the proxy server 2. Let this be W'1 _{, Z.} Then, upload (C _{1, Z} , W ' _{1, Z} ) to the portal site. Here, if at least two third party terminals cooperate now, the ciphertext can be decrypted. Of course, the third party terminal to process may be Y.

Then, if the verifiable secret sharing technique is used, a decryption result R ₁ = (G ₀ || C || Addr ₀ || Addr ₁ || σ ₀ ) of C ₁ is obtained from C _{1, X} and C _{1, Z.} be able to. In addition, since the processing result validity for C _{1, X} and C _{1, Z} can be verified by the zero knowledge proof technique, it can be proved that the third-party terminal does not perform unauthorized processing. This ensures that C ₁ is correctly decoded. Furthermore _{W '1, X, W'} 1, ' encryption ₍₂ Results W from _{Z Addr 3 || W)' 1} = Enc (Addr 3 || W '2) can be obtained. In addition, the correctness of the processing results for W'1 _{, X} and W'1 _{, Z} can be verified by the zero-knowledge proof technology, so it is proved that the third-party terminal does not perform unauthorized processing. it can. This ensures that W ′ ₁ is correctly restored. Finally, the validity of the signature σ ₁ = S (G ₁ || W ′ ₁ || C ₁ || Addr ₁ || Addr ₂ , sk ₁ ) is verified. Note that this verification is performed by the third party terminals X and Z, but the restored W ′ ₁ is required.

On the other hand, when the third party terminal determines that the signature is not valid, the proxy server 2 is regarded as an unauthorized process and the process is terminated. The reason is that if the signature is not valid, the proxy server 2 should originally refuse to receive transmission data (G ₁ , W ′ ₁ , C ₁ , σ ₁ ) from the proxy server 1.
After that, C ₁ is correctly decrypted and is the decryption result of C ₁
R ₁ = (G ₀ || C || Addr ₁ || Addr ₂ || σ ₁ ) is uploaded to the portal site and the signature of the proxy server 1 is assumed to be correct.

Subsequently, the third party organization X accesses the portal site, downloads R _1, and secret information s _{X of the} own party from the third party terminal _X and secret information s _Y distributed from the third party terminals Y and Z. _{, X} , s _{Z, X} to partially decode C. This is C _X. Further, (Addr ₂ || W ′ ₁ ) is partially encrypted using the secret information a _{1, X} distributed from the proxy server 1. This is W ′ _{0, X.} This (C _X , W ′ _{0, X} ) is uploaded to the portal site.
Similarly, the third party organization Z accesses the portal site, downloads R ₁ , own secret information s _{Z from the} third party terminal _Z, and secret information s _X distributed from the third party terminals X and Y. _{, Z} , s _{Y, Z} to partially decode C. This is referred to as C _Z. Further, (Addr ₂ || W ′ ₁ ) is partially encrypted using the secret information a _{1, Z} distributed from the proxy server 1. This is W ′ _{0, Z.} This (C _Z , W ′ _{0, Z} ) is uploaded to the portal site. Here, if at least two third party terminals cooperate now, the ciphertext can be decrypted. Of course, the third party terminal to process may be Y.

Then, if the verifiable secret sharing technique is used, the decryption result ui of C can be obtained from C _X and C _Z. As a result, it is possible to request disclosure of unauthorized person information to the portal site administrator. In addition, since the processing result validity for C _X and C _Z can be verified by the zero knowledge proof technique, it is possible to prove that the third-party terminal does not perform unauthorized processing. This ensures that C is correctly decrypted. Furthermore, the encryption result W ′ ₀ = Enc (addr ₂ || W ′ ₂ ) of (Addr ₂ || W ′ ₁ ) can be obtained from W ′ _{0, X} and W ′ _{0, Z.} In addition, the correctness of the processing results for W ' _{0, X} and W' _{0, Z} can be verified by the zero knowledge proof technology, so that the third-party terminal is proved not to perform unauthorized processing. it can. This correctly W _'0 is guaranteed to be restored by. Finally, the validity of the signature σ ₀ is verified.

On the other hand, when the third party terminal determines that the signature is not valid, the proxy server 1 is regarded as an unauthorized process and the process is terminated. The reason is that if the signature is not valid, the proxy server 1 should originally refuse to receive transmission data (G ₀ , W ′ ₀ , C, σ ₀ ) from the portal site.
Finally, the portal site administrator releases the user information UI corresponding to ui.
As a result of the above, disclosure of user information that has not been performed illegal operations is excluding collusion of a certain number of third-party organizations, or collusion of administrators of all relay servers in the communication path connecting the transmitting terminal and receiving terminal. Can be expected to be difficult. Further, there is an advantage that time management is not necessary with respect to the second embodiment. Furthermore, according to Document 4, for example, another ciphertext whose decryption result is msg with respect to the plaintext, ciphertext, and public key pair (msg, W ′ ₂ , G ₂ ) in this embodiment, It has been proved that it is difficult to obtain the public key pair (W ″ ₂ , G ′ ₂ ). Due to the nature of this collision difficulty, the transmitter and receiver according to the time in the second embodiment It is possible to have a function equivalent to the chain of transmission data of various devices in the communication path between the relay server and the various websites, ie, it is possible to prevent the relay server and various Web sites from reusing past transmission data.

  In addition, the proxy server requires (1) no log management, (2) registration processing such as identity verification is required, as in the case of the sending terminal, and (3) an adjacent device or third party in the communication path in the case of unauthorized processing Since the unauthorized processing is exposed by the engine terminal, no special processing or problem occurs when the transmitting terminal also serves as a proxy server. That is, a user can sometimes use his / her own device as a transmission terminal and sometimes operate as a proxy server. This can be viewed as a solution approach to the operational problem of proxy server load and who provides and manages the proxy server for what purpose.

Next, a fourth embodiment will be described.
In the first to third embodiments of the priority basis invention described above, the receiver prepares special equipment individually to track the sender's anonymity abuse. Therefore, by establishing a connection operator that operates this special equipment, and using this connection operator in common for each receiver, it is possible to record information on user tracking without having to prepare this special equipment individually. In the fourth embodiment, the storage and use services can be provided.
Conventionally, as a technical means for protecting the privacy of a sender in communication, there is anonymous communication in which a receiving terminal or a third party cannot specify a transmitting terminal. The above-described onion routing, which is one of the anonymous communication technologies, is a technology for concealing the entire communication path by relaying a multi-stage anonymous proxy to the communication path and encrypting the addresses of the individual relay proxies in layers. This has the effect of making it difficult for a network monitoring server (including eavesdropping) to identify which receiving terminal the transmitting terminal is communicating with.

  Furthermore, “Japanese Patent Application No. 2003-383761, Anonymous communication method”, which is a priority basis invention, is a technology that can identify a user who abuses anonymity. In the anonymous communication method in the priority basis invention, in order to protect the privacy of the user at a high level, the communication log of the transmitting terminal is not centrally managed, and to which receiving terminal the transmitting terminal communicated On the other hand, only if a certain number or more of a pre-approved third-party organization has agreed to make the disclosure control of user information exploiting anonymity flexible. This is a technology that enables users to be identified.

The above-described priority basis invention can identify an unauthorized user only after there is information for tracking the user and an agreement of a predetermined number or more of third party organizations approved in advance. For this reason, the receiving terminal needs to individually store information for tracking the user in all communications that may be illegally used.
Storing this information has a large amount of information compared to the storage of communication records performed in general communications, so that even if unauthorized use is not performed, the burden on the recipient himself is large. Become.
From the above circumstances, in the fourth embodiment, in the anonymous communication method in the priority basis invention, the external organization performs the process of storing the information for tracking the user to be performed by the receiver himself. This is intended to reduce the burden on the recipient.

The fourth embodiment will be specifically described with reference to FIG. FIG. 12 corresponds to FIG. 5 in the priority basis invention, and components having the same name have equivalent functions.
In FIG. 12, 1000 is a set of user terminals that perform anonymous communication, 5000 is a connection provider that provides an anonymous communication termination service, and 4000 is a content provider that provides content. Reference numerals 1200 and 1300 denote user terminals that perform anonymous communication. Reference numerals 1201 and 1301 denote users who operate the user terminal 1200 and the user terminal 1300, respectively.
Referring to FIG. 13, reference numeral 5100 denotes an anonymous communication termination aggregation device installed by the connection operator E. 5111 is a communication port identifier corresponding to an anonymous communication termination mechanism described later, 5112 is a communication port identifier for transfer to a transfer mechanism described later, 5120 is an anonymous communication termination mechanism, 5130 is an information storage mechanism for tracking unauthorized persons, and 5140 is content. A proxy acquisition mechanism 5150 is a transfer mechanism. The unauthorized person tracking information storage mechanism 5130 stores information for tracking the user including the encrypted text of the receiving terminal user information in place of all the receiving terminals.
Referring to FIG. 14, reference numeral 4100 denotes a content server apparatus installed by the content provider 4000. 4130 is a content proxy acquisition mechanism, and 4111 is a communication port for the content server mechanism. Reference numeral 4110 denotes a firewall mechanism.
The anonymous communication terminal aggregation device 5100 of the connection provider 5000 and the content server device 4100 of the content provider 4000 are connected by a secure communication path (not shown).

Here, the function of each mechanism will be described.
The firewall mechanism 4110 passes the communication between the inside and outside of the organization with respect to the combination of the address of the inner terminal, the communication port identifier of the inner terminal, the address of the outer terminal, the communication port identifier of the outer terminal, and the communication direction. It is possible to register the definition of availability. The firewall mechanism 4110 has a function of monitoring communication connecting the inside and outside of the organization and passing or blocking the communication according to the definition of whether or not it can pass.
Anonymous communication termination aggregation mechanism 5120 is provided in the auction website and the anonymous bulletin board website in the priority basis invention, and has the function of processing anonymous communication data to obtain the text from the transmission terminal, and also the anonymous communication described in the priority basis invention Has a function of performing the response process.

The content proxy acquisition mechanism 5140 receives the content acquisition request that has arrived at the content server device 4100 as a content acquisition request from itself, and the response content from the content server device 4100, and sends the response to itself. It has a function of returning a content acquisition request to the transmission source.
The transfer mechanism 5150 has a function of transferring communication that has arrived at the transfer mechanism 5150 as it is to a predetermined transfer destination.
Note that user terminals 1200 and 1300 have a function of starting anonymous communication, which is included in the transmission terminal in the priority basis invention. The content server device 4100 has a function of returning a response to the text from the transmission terminal provided in the auction website and the anonymous bulletin board website in the priority basis invention. In addition, the portal site, proxy server, and third party organization provided with the authentication server in the priority basis invention are also included in the fourth embodiment. To do.

Next, the operation of the fourth embodiment will be described. Prior to the start of the operation of the fourth embodiment, it is assumed that all the pre-processing necessary for performing anonymous communication in the priority basis invention has been completed.
First, the “contract” in the fourth embodiment will be described with reference to FIG.
The connection operator 5000 sells an anonymous communication termination service using the anonymous communication termination aggregation device. The content provider 4000 concludes a contract for using the anonymous communication termination service with the connection provider 5000 and pays a service usage fee.

Next, with reference to FIGS. 13 and 14, the advance preparation of the anonymous communication termination aggregation device 5100 of the connection operator 5000 will be described.
The content provider 4000 has an address (public address) disclosed to the user (public address), a public communication port identifier, an address of the terminal storing the substance of the content (substance address), an entity Apply for the communication port identifier to the connection operator 5000.
The connection operator 5000 sets the public address applied for from the content operator 4000 as the address of the anonymous communication termination aggregation device.

Since the connection provider 5000 uses the anonymous communication termination mechanism communication port 5111 of the anonymous communication termination aggregation device 5100 as a communication port that accepts a content acquisition request to the content proxy acquisition mechanism 4130 via anonymous communication, communication for the anonymous communication termination mechanism is performed. Settings are made to associate the mouth 5111 with the anonymous communication termination mechanism 5120.
Since the connection operator 5000 uses the anonymous communication termination aggregation device 5112 as a communication port that accepts a content acquisition request to the content proxy acquisition mechanism 4130 through normal communication, communication to the transfer mechanism communication port 5112 is performed in the content business. To transfer to the physical address and communication port identifier 4111 for which application has been received from the user 4000.

The connection provider 5000 uses the public address, the public communication port identifier, the anonymous communication terminal, which received the application from the content provider 4000, as the transmission destination information of the content acquisition request performed by the content proxy acquisition mechanism 5140 of the anonymous communication terminal aggregation device 5100. A set of information of the mechanism communication port 5111, the entity address, and the communication port identifier 4111 is registered.
Prior preparation of the firewall mechanism 4110 will be described.
The content provider 4000 sets the firewall mechanism 4110 to allow communication between the content proxy acquisition mechanism 4130 inside the content provider 4000 and the content proxy acquisition mechanisms 5140 and 5150 outside the content provider 4000. Do. This setting is performed in conjunction with the contract that the content provider 4000 uses the anonymous communication service sold by the connection provider 5000 described above.

Processing of the user terminal 1200 will be described.
When the content of the content server device 4100 is acquired from the user terminal 1200 by anonymous communication, the user 1201 makes a content acquisition request using the anonymous communication method of the procedure in the priority basis invention. In the second embodiment of the priority basis invention, “anonymous bulletin board website” corresponds to the content server apparatus 4100, and “Addr3” corresponds to the public address and the communication port 5111 for anonymous communication termination mechanism. Therefore, when using the anonymous communication method of the procedure in the priority basis invention, the last stage of the anonymous communication path specifies a set of the public address and the communication port 5111 for anonymous communication termination mechanism.

When the user 1201 acquires the content of the content server device 4100 from the user terminal 1200 without using anonymous communication, the user 1201 sets the content for the set of the public address and the communication port identifier transfer mechanism communication port 5112. Make an acquisition request.
The process of the anonymous communication termination aggregation device 5100 will be described with reference to FIG.
When the anonymous communication termination aggregation device 5100 receives communication from the communication port 5111 for anonymous communication termination mechanism, the anonymous communication termination mechanism 5120 performs processing for obtaining the text from the anonymous communication data in the priority basis invention. Next, the anonymous communication termination aggregation device 5100 stores the unauthorized person tracking information in the priority basis invention in the unauthorized person tracking information storage mechanism 5130. In the second embodiment of the priority basis invention, the fraudulent tracking information corresponds to evidence that an anonymous user cheating is performed, and (C2, Addr2, Addr3, TS2, σ2). Next, the anonymous communication termination aggregation device 5100 performs a transmission process of the text obtained from the anonymous communication data by the content proxy acquisition mechanism 5140. The transmission destination at this time is obtained by referring to the set of the entity address and the communication port identifier 4111 corresponding to the public address of the application from the application information registered in advance preparation. After acquiring the response content from the content server device 4100, the anonymous communication termination aggregation device 5100 moves the received data from the content proxy acquisition mechanism 5140 to the anonymous communication termination mechanism 5120. The anonymous communication termination aggregation device 5100 performs the anonymous communication response process in the priority basis invention by the anonymous communication termination mechanism 5120.

In addition, when the anonymous communication termination aggregation device 5100 receives communication from the transfer mechanism communication port 5112, the transfer mechanism 5150 transfers the content acquisition request to the content server device 4100. After acquiring the response content from the content server device 4100, the transfer mechanism 5150 transfers the response content from the transfer mechanism communication port 5112 to the content acquisition request source.
The processing of the content server device 4100 will be described with reference to FIG.
When the content server device 4100 receives the content acquisition request at the content server mechanism communication port 4111, the firewall server 4110 confirms whether the communication request is permitted. When the communication is not permitted, the content server apparatus 4100 notifies the transmission source that the request is permitted and discards the received content. When the communication is permitted, the content server apparatus 4100 generates response content for the text by the content proxy acquisition mechanism 4130 and returns it to the transmission source. The above-described anonymous communication processing sequence is as shown in FIG.

Here, an example of the fourth embodiment will be specifically described.
As the user terminals 1200 and 1300 in FIG. 12, a personal computer on which Microsoft Windows (registered trademark) is installed is used.
The firewall mechanism 4110 is application software having a packet filtering function using an IP address as a terminal address and a port number as a communication port identifier. The content proxy acquisition mechanism 4130 is bulletin board software. The anonymous communication termination mechanism 5120, the unauthorized person tracking information storage mechanism 5130, and the content proxy acquisition mechanism 5140 are application software according to the operation of the fourth embodiment.

The content provider 4000 uses “www.site.com” as the public address of the content published by the content proxy acquisition mechanism 4130, “8081” as the public port number anonymous communication termination mechanism communication port 5111, and “real.site” as the actual address. "8000" as the port number 4111 is applied to the connection operator 5000.
The connection operator 5000 sets the public address of the anonymous communication termination aggregation device to “www.site.com” and sets the port number for anonymous communication termination mechanism communication port 5111 for anonymous communication to “8081”. Further, the port number transfer mechanism communication port 5112 for normal communication is set to “80”.

First, the packet filtering firewall mechanism 4110 is set to allow communication from all ports of the anonymous communication termination aggregation device to the port 4111 “8000” of the content server mechanism 4130 of the content server device 4100. Secondly, a setting is made to allow communication from all ports of the content server device 4100 to a port where communication of the anonymous communication termination aggregation device 5100 has been established. A safe communication path shall ensure safety with a dedicated line.
The operation of the embodiment will be described.

The user makes a content acquisition request by anonymous communication from the personal computer to the “8081” port of “www.site.com”.
The anonymous communication termination aggregation device 5100 that has received the content acquisition request by anonymous communication extracts the text of the content acquisition request and stores information for tracking an unauthorized person. Next, the anonymous communication termination aggregation device 5100 refers to the application information corresponding to the “8081” port of “www.site.com” and sets “real.site.com” as the transmission destination of the text of the content acquisition request. Get information on "8000" port. Next, the anonymous communication termination aggregation device 5100 transmits a content acquisition request to the “8000” port of “real.site.com”.

The response content returned from the “8000” port of “real.site.com” to the anonymous communication termination aggregation device 5100 is subjected to response processing by anonymous communication by the anonymous communication termination aggregation device 5100.
Thereafter, the response from the “8000” port of “real.site.com” arrives at the user terminal by the processing flow and procedure of FIG. 17 described above, and the content is finally presented to the user.
In addition to the above configuration, the fourth embodiment can also be implemented as follows.
The anonymous communication termination aggregation device 5120, the unauthorized person tracking information storage mechanism 5130, and the content proxy acquisition mechanism 5140 are partly implemented on different devices.

A part of each mechanism of the firewall mechanism 4110 and the content proxy acquisition mechanism 4130 of the content server device 4100 is implemented as a configuration realized on different devices.
In anonymous communication termination aggregation device 5100, by not operating or implementing transfer mechanism communication port 5112 and transfer mechanism 5150, content server device 4100 is disclosed as a service that accepts only anonymous communication without accepting normal communication. You can also.
In the anonymous communication termination aggregation device 5100, by providing a plurality of communication interfaces or by assigning a plurality of addresses to the same interface such as the IPalias function, the same device has a plurality of public addresses, and a public port anonymous communication termination By assigning the mechanism communication port 5111 to different numbers, an anonymous communication termination service can be simultaneously provided to a plurality of content server terminals.

As described above, according to the fourth embodiment, the receiver modifies the existing device configuration for the content service, which enables the receiver to track the unauthorized person who abuses the anonymity in the priority ground invention. You can use it without doing it.
The method of accepting only anonymous communication without accepting normal communication described in other embodiments allows the receiver to track the unauthorized person for all communications.
Moreover, the connection provider that provides the anonymous communication termination service according to this embodiment can provide the service in common to a plurality of customers with a single device.

Here, the first and third embodiments of the priority basis invention are similar to the fact that the fourth embodiment illustrated and described with reference to FIG. 12 corresponds to the second embodiment of the priority basis invention. The fourth embodiment can also be applied to this form.
That is, by applying the technical contents of the fourth embodiment in combination with the technical contents of the first to third embodiments, the transmitting terminal is anonymous without giving user information in normal times. Can communicate with the receiving terminal, but if the user performs an unauthorized operation, the user information will be disclosed, so that an unauthorized operation exploiting anonymity is also prevented, and the anonymous communication termination that relays the transmitting / receiving terminal on it By storing the ciphertext of the user information instead of the receiving terminal with the aggregation device, the receiving terminal is configured with an anonymous communication method for performing anonymous communication without implementing a storage mechanism for anonymous communication, and receiving The terminal does not need to store information for tracking users separately in all communications that may be used illegally, and the amount of information is less than that of communication records used in general communications. Big use Anonymous communication method burden recipient himself has been reduced stores information tracking can provide.

The figure which shows the anonymous communication system of 1st Embodiment. The figure which shows the anonymous communication method (pre-processing) of 1st Embodiment. The figure which shows the anonymous communication method (Web site access of a transmission terminal) of 1st Embodiment. The figure which shows the anonymous communication method (user information disclosure) of 1st Embodiment. The figure which shows the anonymous communication system of 2nd Embodiment. The figure which shows the anonymous communication method (pre-processing) of 2nd Embodiment. The figure which shows the anonymous communication method (Web site access of a transmission terminal) of 2nd Embodiment. The figure which shows the anonymous communication method (user information disclosure) of 2nd Embodiment. The figure which shows the anonymous communication method (pre-processing) of 3rd Embodiment. The figure which shows the anonymous communication method (Web site access of a transmission terminal) of 3rd Embodiment. The figure which shows the anonymous communication method (user information disclosure) of 3rd Embodiment. The figure explaining 4th Embodiment. The figure explaining the structure of an anonymous communication termination | terminus aggregation apparatus. The figure explaining the structure of a content server apparatus. The figure explaining a contract. The figure explaining the process of an anonymous communication termination | terminus aggregation apparatus. The figure which shows the processing sequence of anonymous communication.

Claims (15)

Transmitting terminal, the receiving terminal, the authentication server, the anonymous communication termination aggregation device, using a system with a third party terminal, the transmitting terminal anonymously without giving the user information, the anonymous communication with the receiving terminal In the communication method,
The transmission terminal transmits user information of the transmission terminal to the authentication server, the authentication server generates a ciphertext for the user information of the transmission terminal, and a ciphertext for the user information is Send it to the sending terminal ,
The transmitting terminal transmits the ciphertext and text for the user information to the anonymous communication termination aggregation device ,
The anonymous communication termination aggregation device stores a ciphertext for the user information, transmits a text to the receiving terminal,
It said anonymous communication termination centralizing device, from the receiving terminal, when there is disclosure requirements of the ciphertext for the user information, the third party terminal having the decryption right ciphertext for the user information, the user Disclose ciphertext for information ,
The third party terminal, when the ciphertext for the user information is disclosed from the anonymous communication terminal aggregation device and an instruction to decrypt the ciphertext for the user information is input, the user information The anonymous communication method characterized by decrypting the ciphertext with respect to, and disclosing the user information generated by the decryption to the receiving terminal . In the anonymous communication method according to claim 1 ,
Transmitting terminal accesses the authentication server before communicating with the receiving terminal, the ciphertext for the a Subscriber information to obtain the signature of the authentication server from the authentication server, the cryptographic sentences the authentication server for the user information a child transmits a signature to the said anonymous communication termination aggregation device to the body co
Anonymous communication method according to claim. In the anonymous communication method according to claim 1 ,
The transmitting terminal accesses the authentication server before communicating with the receiving terminal, instead of obtaining the ciphertext for the user information of the transmission terminal to obtain the signature of the authentication server from the authentication server, of the transmission terminal child transmits the user information and the sets of signature of the authentication server to the anonymous communication termination aggregation device encrypts the body co and
Anonymous communication method according to claim. In the anonymous communication method according to claim 2 ,
Ciphertext transmitting end weekend for the user information, not get signature authentication server to the the of the authentication server, the authentication server, sending the ciphertext for the user information, the signature of the authentication server to another device and Shin, said another apparatus, sends the signature of dark Gobun及beauty the authentication server for that user information to anonymous communication termination aggregation device, the transmitting terminal, the Full-anonymous communication termination aggregator An anonymous communication method characterized by transmitting . In the anonymous communication method according to claim 3 ,
Transmitting end weekend, the without acquiring authentication server to the signature of the authentication server, authentication server, the user information of the transmission terminal, sends the signature of the authentication server to another device, said another device It is a set consisting of the user information and signature of the authentication server encrypts and sends the anonymous communication termination aggregation device, the transmitting terminal transmits the text to the anonymous communication termination aggregator An anonymous communication method characterized by that. In the anonymous communication method according to any one of claims 1 to 5 ,
One or more proxy servers are relayed in the communication path from the transmission terminal to the reception terminal, and the public information of the proxy server adjacent to the transmission side in the communication path is sent to the proxy server and the IP address of the reception terminal. by encrypting using the anonymous communication it characterized in that proxy servers nonadjacent, the specific address information of the transmission terminal, and a receiving terminal becomes difficult at each proxy server and the receiving terminal communication path Method. In the anonymous communication method according to claim 4 ,
To relay a communication path single or more proxy servers within, from the transmitting end end to the receiving terminal, the proxy server address information such as the IP address of the proxy server and the receiving terminal, you adjacent to the sender in a communication channel using the public key of by encrypting, each proxy server and the receiving terminal is characterized by specific becomes difficult adjacent have a have a proxy server, the sending terminal, and address information of the receiving terminal within a communication channel ,
The another apparatus is a proxy server adjacent to the authentication server on the receiving side,
Authentication server, and the ciphertext for the user information, its own address information, the proxy server address information adjacent to the receiving side, and with the signature of the authentication server by performing signature to four sets of current time information , transmits a cryptographic signature sentences the authentication server for the a Subscriber information to the proxy server which is adjacent to the receiving side,
When the proxy server adjacent to the authentication server on the transmission side receives the ciphertext for the user information and the signature of the authentication server, the proxy server verifies the signature of the authentication server. The ciphertext, the signature of the authentication server is accepted, the ciphertext for the user information and the set of the authentication server signature are encrypted, the ciphertext of the set, its own address information, the proxy server adjacent to the receiving side The proxy information is signed for the four sets of address information and current time information, and the ciphertext of the set and the signature of the proxy server are transmitted to the proxy server adjacent to the receiving side,
When the proxy server adjacent to the proxy server on both the transmission side and the reception side receives the pair of ciphertexts and the signature of the proxy server, the proxy server verifies the signature of the proxy server and see the set of ciphertext, the accepts the signature of the proxy server, the set of ciphertext and the set of proxy server signature encrypts the set of ciphertext, its address information, contact adjacent to the reception side address information of the proxy server, and performs signature of the proxy server for four sets of current time information, and sends the signature of the set of cryptographic sentences the proxy server next contact proxy server to the receiving side,
When the proxy server adjacent to the anonymous communication termination aggregation device on the receiving side receives the set of ciphertext and the signature of the proxy server, the proxy server verifies the signature of the proxy server. A sentence, the proxy server signature is received, the pair of ciphertext and the proxy server signature is encrypted, and the pair of ciphertext, own address information, address information of the receiving terminal, and current time information The proxy server signature is applied to the four groups, and the ciphertext of the pair and the proxy server signature are transmitted to the anonymous communication termination aggregation device adjacent to the receiving side.
Anonymous communication method according to claim. In the anonymous communication method according to claim 5 ,
To relay a communication path single or more proxy servers within, from the transmitting end end to the receiving terminal, the proxy server address information such as the IP address of the proxy server and the receiving terminal, you adjacent to the sender in a communication channel using the public key of by encrypting, each proxy server and the receiving terminal is characterized by specific becomes difficult adjacent have a have a proxy server, the sending terminal, and address information of the receiving terminal within a communication channel ,
The another apparatus is a proxy server adjacent to the authentication server on the receiving side,
Authentication server, and the user information, its own address information, the proxy server address information adjacent to the receiving side, and the signature of the authentication server by performing signature to four sets of current time information, the sending the signature of a Subscriber information Ho及 beauty the authentication server to the proxy server which is adjacent to the receiving side,
When the proxy server adjacent to the authentication server on the transmission side receives the user information and the signature of the authentication server, the proxy server verifies the signature of the authentication server, and only when valid, the user information and the authentication server The user information and the signature set of the authentication server are encrypted, and the ciphertext of the set, its own address information, the address information of the proxy server adjacent to the receiving side, and the current time information. The proxy server signature is applied to one set, the ciphertext of the set and the signature of the proxy server are transmitted to the proxy server adjacent to the receiving side,
When the proxy server adjacent to the proxy server on both the transmission side and the reception side receives the pair of ciphertexts and the signature of the proxy server, the proxy server verifies the signature of the proxy server and see the set of ciphertext, the accepts the signature of the proxy server, the set of cryptographic Bun及 beauty the set of proxy server signature encrypts the set of ciphertext, its address information, contact adjacent to the reception side address information of the proxy server, and performs signature of the proxy server for four sets of current time information, and sends the signature of the encrypted sentences the proxy server next contact proxy server to the receiving side,
When the proxy server adjacent to the anonymous communication termination aggregation device on the receiving side receives the set of ciphertext and the signature of the proxy server, the proxy server verifies the signature of the proxy server. A sentence, the proxy server signature is received, the pair of ciphertext and the proxy server signature is encrypted, and the pair of ciphertext, own address information, address information of the receiving terminal, and current time information The proxy server signature is applied to the four groups, and the ciphertext of the pair and the proxy server signature are transmitted to the anonymous communication termination aggregation device adjacent to the receiving side.
Anonymous communication method according to claim. In the anonymous communication method according to claim 7 ,
Authentication server is encrypted for the user information, its own address information, the proxy server address information adjacent to the receiving side, and the signature of the authentication server by performing signature to four sets of current time information and instead of, ciphertext for the user information, themselves the address information, the address information of the proxy server in contact next to the reception side, and the four sets of ciphertext this statement was encrypted to To sign the authentication server
Anonymous communication method. In the anonymous communication method according to claim 8 ,
Authentication server, the user information, its own address information, the proxy server address information adjacent to the receiving side, and to the signature of the authentication server by performing signature to four sets of current time information rather, the user information, themselves the address information, the address information of the proxy server in contact next to the receiving side, and wherein this statement by performing signature to four pairs of ciphertext encrypted Use signature of authentication server
Anonymous communication method. The anonymous communication method according to any one of claims 1 to 10, wherein the third-party terminal is N (N is an integer of 2 or more) .
The secret key to decrypt the ciphertext for the user information, the N number of owned by a third party terminal end is dispersed, n stand (where n is an integer of 1 or more and less than N) third party institutions of by using a secret key the terminal is distributed in each anonymous communication method as is possible and recovery Gosu benzalkonium the ciphertext for the a Subscriber information. In the anonymous communication method according to any one of claims 1, 2, 4 to 11 ,
The transmitting terminal transmits user information of the transmitting terminal to the authentication server,
The authentication server converts the transmission terminal of the user information identifier marked with corresponding to a Subscriber information, that the identifier and the user information of the transmission terminal
Anonymous communication method according to claim. In the anonymous communication method according to claim 3 ,
The transmitting terminal transmits user information of the transmitting terminal to the authentication server,
The authentication server converts the user information identifier marked with corresponding to a Subscriber information of the transmission terminal, and transmits the identifier to the transmitting terminal, the transmitting terminal user information of the transmission terminal Using the identifier as
Anonymous communication method according to claim. In the anonymous communication method according to claim 7 or 8 ,
Third party terminal, the indicated said set of encryption Bungahisage the proxy server-generated adjacent the transmitting side to the anonymous communication termination aggregation device, when an instruction to decode the set of ciphertext is input, the by decoding a set of ciphertext, the proxy server, the authentication server, and said decode the address information of the transmission terminal, anonymous communication method comprising the disclosed child any address information which is the decoding. In the anonymous communication method described in any one of Claims 1 thru | or 13 ,
There are a plurality of receiving terminals, and the anonymous communication termination aggregation device transmits a text for the receiving terminal to each receiving terminal and stores a ciphertext of the user information for the text.
An anonymous communication method characterized by the above.

Images