JP5863605B2 - Key exchange system, request device, response device, key exchange method, and program - Google Patents

Description

  The present invention relates to an application technology of information security technology, and more particularly to a key exchange technology for sharing a common session key between devices.

  A conventional key exchange technique includes a key exchange method based on a key encapsulation mechanism. An example of the key exchange method based on the key encapsulation mechanism is the FSXY method (see Non-Patent Document 1). Hereinafter, the FSXY system described in Non-Patent Document 1 will be described in detail.

[Description of FSXY method]
In the following description, it is assumed that a common session key SK is shared between the requesting device and the response device. The requesting device is identified by the identifier U _A and the responding device is identified by the identifier U _B.
<Preparation>
Let к be a security parameter.

Let F = {F _к : Dom _к × FS _к → Rng _к } _{к be} a family of functions having a domain {Dom _к } _к , a key space {FS _к } _к , and a range {Rng _к } _к . At this time, if F _к and true random function RF _к : Dom _к → Rng _к cannot be distinguished for a polynomial time discriminator D, F = {F _к } _к is called a pseudo-random function.

Let Ext: S × X → Y be a function having a finite seed space S, a finite domain X, and a finite range Y. For any distribution D _X on this time, if the _{H ∞ (DX) ≧ k X} , Δ ((U S, Ext (U S, D X)), (U S, U Y)) ≦ negl If is true, Ext is called a strong random extractor. Where Δ is a statistical distance, U _S , U _X , and U _Y are uniform distributions on S, X, and Y, and | X | = n ≧ k, | Y | = k, and | S | = d.

Let (KeyGen, EnCap, DeCap) and (wKeyGen, wEnCap, wDeCap) be the key encapsulation mechanisms (KEM, Key Encapsulation Mechanism), respectively. The key generation algorithms KeyGen and wKeyGen receive the security parameter к and the random number r _g ∈RS _G, and output the public key ek and the secret key dk. However, RS _G is a random number space for key generation. The key encapsulation algorithms EnCap and wEnCap receive the public key ek and the random number r _e ∈RS _E, and output the KEM key K∈KS and the ciphertext CT∈CS. However, RS _E random number space of key encapsulation, KS is KEM key space, CS is a ciphertext space. The decryption algorithms DeCap and wDeCap receive the secret key dk and the ciphertext CTεCS, and output the KEM key KεKS.
<Parameter>
F: {0,1} ^* × FS → RS _E , F ': {0,1} ^* × FS → RS _E , G: {0,1} ^* × FS → {0,1} ^к is a pseudo-random function And However, FS is the key space of the pseudo-random function (| FS | = к), RS E random number space key encapsulation algorithms, RS _G is a random number space key generation algorithm. Let Ext: SS × KS → FS be a random random extractor using a seed s∈SS chosen at random. However, SS is the seed space and KS is the KEM key space.
<Long-term public key and long-term secret key>
The requesting device randomly selects σ _A ∈FS and r _A ∈RS _G, and obtains (ek _{A, 1} , dk _{A, 1} ) ← KeyGen (1 ^к , r _A ) by the key generation algorithm KeyGen. The responding device randomly selects σ _B ∈FS and r _B ∈RS _G, and obtains (ek _{B, 1} , dk _{B, 1} ) ← KeyGen (1 ^к , r _B ) by the key generation algorithm KeyGen. The long-term private key of the requesting device is (dk _{A, 1} , σ _A ), the long-term public key is (ek _{A, 1} ), the long-term private key of the responding device is (dk _{B, 1} , σ _B ), and the long-term public key is ( ek _{B, 1} ).
<Key exchange>
Requesting device randomly short private key _{r A, 1 ∈FS, r '} A, 1 ∈FS, select r _{A, 2} ∈RS _G, calculates the equation (1) (2).

The requesting device generates first transmission information (U _A , U _B , CT _{A, 1} , ek _{A, 2} ) and transmits it to the response device. However, U _A is an identifier indicating a requesting device, and U _B is an identifier indicating a response device.

When the response device receives the first transmission information (U _A , U _B , CT _{A, 1} , ek _{A, 2} ) from the requesting device, the short-term secret key r _{B, 1} ∈FS, r ′ _{B, 1} Choose ∈FS, r _{B, 2} ∈RS _E , and calculate Equations (3) and (4).

Then, the response device generates second transmission information (U _A , U _B , CT _{B, 1} , CT _{B, 2} ) and transmits it to the requesting device.

Subsequently, the responding device calculates the following formulas (5) to (8) and sets the session identifier ST = (U _A , U _B , ek _{A, 1} , ek _{B, 1} , CT _{A, 1} , ek _{A, 2} , CT _{B, 1} , CT _{B, 2} ).

The responding device uses the session identifier ST = (U _A , U _B , ek _{A, 1} , ek _{B, 1} , CT _{A, 1} , ek _{A, 2} , CT _{B, 1} , CT _{B, 2} ) (9) is calculated, and a session key SK is generated.

  Finally, the responding device ends the session and deletes all session information.

On the other hand, when receiving the second transmission information (U _A , U _B , CT _{B, 1} , CT _{B, 2} ) from the response device, the requesting device calculates the following equations (10) to (14), and The identifier ST = (U _A , U _B , ek _{A, 1} , ek _{B, 1} , CT _{A, 1} , ek _{A, 2} , CT _{B, 1} , CT _{B, 2} ) is generated.

And the requesting device uses the session identifier ST = (U _A , U _B , ek _{A, 1} , ek _{B, 1} , CT _{A, 1} , ek _{A, 2} , CT _{B, 1} , CT _{B, 2} ) (15) is calculated, and a session key SK is generated.

  Finally, the requesting device ends the session and deletes all session information.

Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K., “Strongly Secure Authenticated Key Exchange from Factoring, Codes, and Lattices.”, Public Key Cryptography 2012, pp.467-484.

In the above-described FSXY method, the response device cannot execute the key encapsulation algorithm wEnCap unless it receives the short-term public key ek _{A, 2} from the requesting device, so the order of processing must be strictly observed between the two parties. I must. For this reason, there is a problem that the time required for the entire key exchange procedure becomes longer if a delay occurs in the transmission of information from the transmitting device to the requesting device.

Moreover, the above-mentioned FSXY system does not satisfy strong forward safety. Strong forward security means that an attacker intervenes on a communication path for a session and modifies the message, and even after obtaining the long-term secret key of the requesting device and the responding device after generating the session key, This is the security that prevents obtaining session key information. In the FSXY system, for example, the attacker generates the second ciphertext CT _{B, 1} and the third ciphertext CT _{B, 2} using the short-term public key ek _{A, 2} of the requesting device, and impersonates the responding device as the requesting device. Can be sent to. At this time, the attacker knows the second key K _{B, 1} and the third key K _{B, 2} because he has executed the key encapsulation mechanism wEnCap. If the long-term secret key dk _{B, 1} of the responding device can be obtained after the session is completed, the first ciphertext CT _{A, 1} can be decrypted to obtain the first key K _{A, 1} . Thus, since the attacker can obtain the session key SK, the FSXY method does not satisfy the strong forward security.

  The present invention has been made in view of such points, and provides a key exchange technique that can change the order of key exchange procedures, reduce the influence of delay, and satisfy strong forward safety. With the goal.

In order to solve the above problem, the key exchange system of the present invention shares a session key SK between a requesting device and a response device. The requesting device includes a request side storage unit, a short-term key pair generation unit, a first encryption unit, a request side output unit, a second key decryption unit, a third key decryption unit, and a request side session key generation unit. The response device includes a response side storage unit, a third encryption unit, a second encryption unit, a response side output unit, a first key decryption unit, a third key generation unit, and a response side session key generation unit. The request-side storage unit has a request-side sender private key sk _AS generated by a sender key generation algorithm SKeyGen of an arbitrary signature application and a request-side reception generated by a receiver key generation algorithm RKeyGen of a signature application. Person secret key sk _AR is stored. The response side storage unit stores the response side sender private key sk _BS generated by the sender key generation algorithm SKeyGen and the response side receiver secret key sk _BR generated by the receiver key generation algorithm RKeyGen. Yes.

The short-term key pair generation unit included in the requesting device obtains the short-term public key ek _A and the short-term secret key dk _A using a key generation algorithm wKeyGen of a key encapsulation mechanism in which key generation and ciphertext generation are independent. The first encryption unit included in the requesting device receives the request-side sender private key sk _AS , the response-side recipient public key pk _BR generated by the receiver key generation algorithm RKeyGen, and the short-term public key ek _A as inputs. The first ciphertext CT _A and the first key K _A are generated using the sign-encryption algorithm SC of sign-signation. The request side output unit included in the request device transmits the first ciphertext CT _A and the short-term public key ek _A to the response device.

The third encryption unit included in the response device receives the random number r _{B, 2} and generates the third ciphertext CT _{B, 2} using the ciphertext generation algorithm wEnCapC of the key encapsulation mechanism. The second encryption unit included in the response device includes a response-side sender secret key sk _BS , a request-side receiver public key pk _AR generated by the receiver key generation algorithm RKeyGen, and a third ciphertext CT _{B, 2} . As an input, a second ciphertext CT _{B, 1} and a second key K _{B, 1} are generated using the signature encryption algorithm SC. The response side output unit included in the response device transmits the second ciphertext CT _{B, 1} and the third ciphertext CT _{B, 2} to the requesting device.

The second key decryption unit included in the requesting device includes the requesting-side receiver private key sk _AR , the responding-side sender public key pk _BS generated by the sender key generation algorithm SKeyGen, and the second ciphertext received from the responding device. Using CT _{B, 1} and third ciphertext CT _{B, 2} as input, a second key K _{B, 1} is generated using a decryption algorithm USC for signing. The third key decryption unit included in the requesting device receives the short-term secret key dk _A and the third ciphertext CT _{B, 2} as input, and uses the decryption algorithm wDeCap of the key encapsulation mechanism to obtain the third key K _{B, 2} . Generate. Requesting the session key generation unit provided in the request apparatus, have use first key K _A and the second key K _{B, 1} and a third key K _{B, 2,} and short-term public key ek _A and the first ciphertext CT _A Session key SK is generated from session identifier ST including _second ciphertext CT _{B, 1} and third ciphertext CT _{B, 2} .

The first key decryption unit included in the response device includes the response-side receiver private key sk _BR , the request-side sender public key pk _AS generated by the transmitter key generation algorithm SKeyGen, and the first ciphertext received from the request device. Using CT _A and short-term public key ek _A as input, first key K _A is generated using decryption algorithm USC. The third key generation unit included in the response device receives the short-term public key ek _A and the random number r _{B, 2} as input, and uses the encapsulation key generation algorithm wEnCapK of the key encapsulation mechanism to obtain the third key K _{B, 2} . Generate. Responder session key generation unit provided in the response apparatus, have use first key K _A and the second key K _{B, 1} and a third key K _{B, 2,} and short-term public key ek _A and the first ciphertext CT _A Session key SK is generated from session identifier ST including _second ciphertext CT _{B, 1} and third ciphertext CT _{B, 2} .

  According to the key exchange technique of the present invention, the procedure of the responding device can be executed in parallel without receiving information from the requesting device, so that the influence of delay can be reduced. In addition, since the attacker cannot generate information to be transmitted to the requesting device without knowing the secret key of the responding device, the attacker can satisfy strong forward security.

It is a figure which illustrates the function structure of a key exchange system. It is a figure which illustrates the function structure of a request | requirement apparatus. It is a figure which illustrates the function structure of a response apparatus. It is a figure which illustrates the processing flow of the key exchange method. It is a figure which illustrates the processing flow of the key exchange method.

  Prior to the description of the embodiments, the basic concept of the present invention will be described.

[Points of Invention]
In this invention, by using a key encapsulation mechanism and a signature that are independent of key generation and ciphertext generation, it is possible to change the order of the key exchange procedures, and the influence of delay can be reduced. The key exchange technology that satisfies the requirements is realized.

<Description of key encapsulation mechanism where key generation and ciphertext generation are independent>
The key encapsulation mechanism in which key generation and ciphertext generation are independent is a key encapsulation mechanism that can generate a ciphertext without public key information. For example, “Taher El Gamal,“ A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. ”, CRYPTO 1984, pp.10- 18, 1984. (Reference 1) ”. The key encapsulation mechanism described in Reference 1 includes a key generation algorithm wKeyGen, a ciphertext generation algorithm wEnCapC, an encapsulation key generation algorithm wEnCapK, and a decryption algorithm wDeCap. The key generation algorithm wKeyGen and the decryption algorithm wDeCap are the same as the normal key encapsulation mechanism. Ciphertext generation algorithm wEnCapC as an input system public parameter and the random number r _e ∈RS _E, and outputs the ciphertext CT∈CS. However, RS _E random number space of the ciphertext generation, CS is a ciphertext space. Encapsulation key generation algorithm wEnCapK as an input the public key ek and random number r _e, to output the KEM key K∈KS. However, KS is a KEM key space.

In the key encapsulation mechanism described in Reference 1, since the ciphertext generation algorithm wEnCapC can be executed before receiving the short-term public key ek _{A, 2} , before the response device receives the information from the requesting device. It is also possible to transmit information from the responding device to the requesting device. That is, since each device can generate and transmit information independently of information received from the other party, the order of key exchange procedures can be changed. Thereby, even if a delay occurs in the communication path from the requesting device to the response device, the response device does not need to wait for reception of information from the requesting device, and the influence of the delay can be reduced.

<Explanation of sign encryption>
Sign encryption is an encryption method that performs encryption and signature simultaneously. When the ciphertext is generated, the receiver's public key and the sender's private key are required, and the validity of the ciphertext can be verified by using the sender's public key and the receiver's private key. For example, “Daiki Chiba, Takahiro Matsuda, Jacob CN Schuldt, Kanta Matsuura,“ Efficient Generic Constructions of Signcryption with Insider Security in the Multi-user Setting. ”, ACNS 2011, pp. 220. -237. (Reference document 2) ". The signature description described in Reference 2 includes a sender key generation algorithm SKeyGen, a receiver key generation algorithm RKeyGen, a signature encryption algorithm SC, and a decryption algorithm USC. The sender key generation algorithm SKeyGen receives the security parameter к and the random number r _S ∈RS _SG, and outputs the sender public key pk _S and the sender secret key sk _S. RS _SG is a random number space for generating a sender key. The recipient key generation algorithm RKeyGen receives the security parameter к and the random number r _R ∈RS _RG and outputs the recipient public key pk _R and the recipient secret key sk _R. RS _RG is a random number space for generating a recipient key. The signature encryption algorithm SC receives the sender private key sk _S , the recipient public key pk _R, and the message m, and outputs a KEM key K∈KS and a ciphertext CT∈CS. As described above, KS is a KEM key space, and CS is a ciphertext space. The decryption algorithm USC receives the receiver private key sk _R , the sender public key pk _S , the message m, and the ciphertext CT, and outputs the KEM key K if the ciphertext CT is correct. If the ciphertext CT is incorrect, error ⊥ is returned.

By using signature (SKeyGen, RKeyGen, SC, USC) instead of the conventional key encapsulation mechanism (KeyGen, EnCap, DeCap), the above-mentioned strong forward security can be satisfied. In other words, even if an attacker attempts to modify a message on the communication path, the correct ciphertext CT cannot be generated unless the sender secret key sk _S is known, and it is not possible to impersonate a legitimate response device. This is because it becomes possible.

[Embodiment]
Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the component which has the same function in drawing, and duplication description is abbreviate | omitted.
<Configuration>
A configuration example of a key exchange system 1 according to the present invention will be described with reference to FIG. The key exchange system 1 includes a request device 10 and a response device 20. The requesting device 10 and the response device 20 are connected to the network 90. The network 90 only needs to be configured so that connected devices can communicate with each other. For example, the network 90 can be configured with the Internet, a LAN (Local Area Network), a WAN (Wide Area Network), or the like.

  A configuration example of the requesting device 10 included in the key exchange system 1 will be described with reference to FIG. The requesting device 10 includes a control unit 101, a storage unit 102, a random number selection unit 110, a long-term key pair generation unit 115, a short-term random number selection unit 120, a short-term key pair generation unit 125, a first encryption unit 130, an output unit 135, an input Unit 140, second key decryption unit 145, third key decryption unit 150, and session key generation unit 155. The requesting device 10 is a special device configured by reading a special program into a known or dedicated computer having a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The requesting device 10 executes each process under the control of the control unit 101. The storage unit 102 includes, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device including a semiconductor memory element such as a hard disk, an optical disk, or a flash memory, middleware such as a relational database or a key value store, and the like. Can be configured.

A configuration example of the response device 20 included in the key exchange system 1 will be described with reference to FIG. The response device 20 includes a control unit 201, a storage unit 202, a random number selection unit 210, a long-term key pair generation unit 215, a short-term random number selection unit 220, a third encryption unit 225, a second encryption unit 230, an output unit 235, an input Unit 240, first key decryption unit 245, third key generation unit 250, and session key generation unit 255. The response device 20 is a special device configured by reading a special program into a known or dedicated computer having a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The response device 20 executes each process under the control of the control unit 201. The storage unit 202 includes, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory, middleware such as a relational database or a key value store, and the like. Can be configured.
<Parameter>
Let к be a security parameter.

F: {0,1} ^* × FS → RS _E , F ': {0,1} ^* × FS → RS _E , G: {0,1} ^* × FS → {0,1} ^к is a pseudo-random function And Here, FS is a pseudo-random function key space (| FS | = к), RS _E is a signature random number space, and RS _G is a sender key generation and receiver key generation random space. Let Ext: SS × KS → FS be a random random extractor using a seed s∈SS chosen at random. However, SS is the seed space and KS is the KEM key space.
<Long-term public key and long-term secret key>
With reference to FIG. 4, an operation example in which the key exchange system 1 generates a long-term public key and a long-term secret key will be described in the order of procedures.

The random number selection unit 110 included in the requesting device 10 randomly selects σ _A ∈FS, r _AS ∈RS _G , and r _AR ∈RS _G (S110). The random numbers r _AS and r _AR are input to the long-term key pair generation unit 115. The long-term key pair generation unit 115 obtains a sender key (pk _AS , sk _AS ) ← SKeyGen (1 ^к , r _AS ) using a signature key generation algorithm SKeyGen (S116). Subsequently, the long-term key pair generation unit 115 obtains a recipient key (pk _AR , sk _AR ) ← RKeyGen (1 ^к , r _AR ) using a signatory recipient key generation algorithm RKeyGen (S117). Then, the long-term key pair generation unit 115 sets the long-term secret key of the requesting device 10 as (sk _AS , sk _AR , σ _A ) and the long-term public key as (pk _AS , pk _AR ) (S118). The generated long-term secret key (sk _AS , sk _AR , σ _A ) is stored in the storage unit 102. The generated long-term public key (pk _AS , pk _AR ) is made public. Any public method may be used as long as the long-term public key (pk _AS , pk _AR ) can be referred from the response device 20. For example, a long-term public key (pk _AS , pk _AR ) may be transmitted from the requesting device 10 to the response device 20 in advance, or a long-term public key using a separately prepared public key infrastructure (PKI). (pk _AS , pk _AR ) may be disclosed.

The random number selection unit 210 included in the response device 20 randomly selects σ _B ∈FS, r _BS ∈RS _G , and r _BR ∈RS _G (S210). The random numbers r _BS and r _BR are input to the long-term key pair generation unit 215. The long-term key pair generation unit 215 obtains the sender key (pk _BS , sk _BS ) ← SKeyGen (1 ^к , r _BS ) using the signer's sender key generation algorithm SKeyGen (S216). Subsequently, the long-term key pair generation unit 215 obtains a recipient key (pk _BR , sk _BR ) <-RKeyGen (1 ^к , r _BR ) using a signator's recipient key generation algorithm RKeyGen (S217). Then, the long-term key pair generation unit 215 sets the long-term secret key of the response device 20 as (sk _BS , sk _BR , σ _B ) and the long-term public key as (pk _BS , pk _BR ) (S218). The generated long-term secret key (sk _BS , sk _BR , σ _B ) is stored in the storage unit 202. The generated long-term public key (pk _BS , pk _BR ) is made public. The public method may be any method as long as the long-term public key (pk _BS , pk _BR ) can be referred to from the requesting device 10. For example, the long-term public key (pk _BS , pk _BR ) may be transmitted from the response device 20 to the requesting device 10 in advance, or a long-term public key using a public key infrastructure (PKI, Public Key Infrastructure) prepared separately. (pk _BS , pk _BR ) may be disclosed.
<Key exchange>
4 and 5, an operation example in which the requesting device 10 and the response device 20 of the key exchange system 1 share the session key SK will be described in the order of procedures. 4 and 5 show a series of procedures. “A1” in FIG. 4 continues processing to “A1” in FIG. 5, and “A2” in FIG. 4 continues processing to “A2” in FIG. Represents what to do.

Short-term random number selector 120 included in the request device 10, random random number _{r A, 1 ∈FS, r '} A, 1 ∈FS, selects _{r A, 2 ∈RS G (S120} ). The random number r _{A, 2} is input to the short-term key pair generation unit 125. The short-term key pair generation unit 125 calculates a key generation algorithm wKeyGen of a key encapsulation mechanism in which key generation and ciphertext generation are independent as shown in the following equation (16), and the short-term public key ek _A and the short-term secret key dk _A Is generated (S125).

The random numbers r _{A, 1} , r ′ _{A, 1} and the short-term public key ek _A are input to the first encryption unit 130. The first encryption unit 130 considers the short-term public key eK _A as a message using the request-side sender private key sk _AS and the response-side recipient public key pk _BR, and uses the sign-encryption algorithm SC for sign-signation. The first ciphertext CT _A and the first key K _A are generated by calculating as in the following equation (17) (S130).

The first ciphertext CT _A and the short-term public key ek _A are input to the output unit 135. The output unit 135 generates first transmission information (U _A , U _B , CT _A , ek _A ) and transmits it to the response device 20 (S135). As described above, U _A is an identifier indicating the requesting device 10, and U _B is an identifier indicating the response device 20.

Short-term random number selector 220 included in the response device 20, random random number _{r B, 1 ∈FS, r '} B, 1 ∈FS, selects _{r B, 2 ∈RS E (S220} ). The random number r _{B, 2} is input to the third encryption unit 225. The third encryption unit 225 calculates the ciphertext generation algorithm wEnCapC of the key encapsulation mechanism in which key generation and ciphertext generation are independent as shown in the following equation (18) _, and generates the third ciphertext CT _{B, 2} (S225).

The random numbers r _{B, 1} , r ′ _{B, 1} and the third ciphertext CT _{B, 2} are input to the second encryption unit 230. The second encryption unit 230 considers the third ciphertext CT _{B, 2} as a message by using the response-side sender private key sk _BS and the request-side receiver public key pk _AR , and signing the signature The algorithm SC is calculated as in the following equation (19) to generate the second ciphertext CT _{B, 1} and the second key K _{B, 1} (S230).

The second ciphertext CT _{B, 1} and the third ciphertext CT _{B, 2} are input to the output unit 235. The output unit 235 generates the second transmission information (U _A , U _B , CT _{B, 1} , CT _{B, 2} ) and transmits it to the requesting device 10 (S235). As described above, U _A is an identifier indicating the requesting device 10, and U _B is an identifier indicating the response device 20.

The second transmission information (U _A , U _B , CT _{B, 1} , CT _{B, 2} ) transmitted by the output unit 235 included in the response device 20 is input to the requesting device 10 via the input unit 140 included in the requesting device 10. Is done.

The second ciphertext CT _{B, 1} and the third ciphertext CT _{B, 2} are input to the second key decryption unit 145. The second key decryption unit 145 considers the third ciphertext CT _{B, 2} as a message using the request-side receiver private key sk _AR and the response-side sender public key pk _BS, and decrypts the signature encryption algorithm USC. Is calculated as in the following equation (20) to generate the second key KB _{, 1} (S145).

The third ciphertext CT _{B, 2} is input to the third key decryption unit 150. The third key decryption unit 150 uses the short-term secret key dk _A to calculate a decryption algorithm wDeCap of a key encapsulation mechanism in which key generation and ciphertext generation are independent as shown in the following equation (21), and the third key K _{B, 2} is generated (S150).

The first key K _A , the second key K _{B, 1} and the third key K _{B, 2} are input to the session key generation unit 155. The session key generation unit 155 calculates the following equations (22) to (24) using the strong random extractor Ext, and generates values K ′ ₁ , K ′ ₂ , K ′ ₃ (S151, S152, S153). ).

Next, the session key generation unit 155 generates a session identifier ST = (U _A , U _B , pk _AS , pk _AR , pk _BS , pk _BR , ek _A , CT _A , CT _{B, 1} , CT _{B, 2} ). Generate (S154). Then, the session key SK is generated by calculating the following equation (25) using the session identifier ST (S155).

  Finally, the requesting device 10 ends the session and deletes all session information.

On the other hand, the first transmission information (U _A , U _B , CT _A , ek _A ) transmitted by the output unit 135 included in the requesting device 10 is input to the response device 20 via the input unit 240 included in the response device 20. .

The first ciphertext CT _A and the short-term public key ek _A are input to the first key decryption unit 245. The first key decryption unit 245 uses the response-side receiver private key sk _BR and the request-side sender public key pk _AS , regards the short-term public key eK _A as a message, and sets the sign-encryption decryption algorithm USC as follows: Calculation is performed as in Expression (26), and the first key K _A is generated (S245).

The random number r _{B, 2} is input to the third key generation unit 250. Using the short-term public key ek _A , the third key generation unit 250 calculates an encapsulation key generation algorithm wEnCapK of a key encapsulation mechanism in which key generation and ciphertext generation are independent as shown in the following equation (27), A third key K _{B, 2} is generated (S250).

The first key K _A , the second key K _{B, 1} and the third key K _{B, 2} are input to the session key generation unit 255. The session key generation unit 255 calculates the above formulas (22) to (24) using the strong random extractor Ext, as in the session key generation unit 155 included in the requesting device 10, and the values K ′ ₁ and K ′. ₂ and K ′ ₃ are generated (S251, S252, S253).

Next, the session key generation unit 255, like the session key generation unit 155 of the requesting device 10, has a session identifier ST = (U _A , U _B , pk _AS , pk _AR , pk _BS , pk _BR , ek _A , CT _A , CT _{B, 1} , CT _{B, 2} ) are generated (S254). Then, the session key generation unit 255 generates the session key SK by calculating the above equation (25) using the session identifier ST, similarly to the session key generation unit 155 included in the requesting device 10 (S255). .

  Finally, the response device 20 ends the session and deletes all session information.

<Effect>
As described above, according to the key exchange technique of the present invention, the response device 20 transmits the third ciphertext CT _B to the requesting device 10 using the ciphertext generation algorithm wEnCapC of the key encapsulation mechanism in which key generation and ciphertext generation are independent. _{, 2} , the second transmission information (U _A , U _B , CT _{B, 1} , CT _{B, 2} ) can be generated without receiving the short-term public key ek _A from the requesting device 10. As a result, even if a delay occurs in the communication path from the requesting device 10 to the response device 20, the influence can be reduced.

In addition, since the response device 20 generates the second ciphertext CT _{B, 1} to be transmitted to the requesting device 10 by the signature application algorithm SC of the signature application, the attacker uses the sender secret key sk _BS of the response device 20. The second transmission information (U _A , U _B , CT _{B, 1} , CT _{B, 2} ) cannot be generated without knowing it. Thereby, an attacker cannot impersonate the response device 20, and strong forward safety can be satisfied.
[Program, recording medium]
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above-described embodiments are not only executed in time series according to the order described, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

1 Key exchange system 10 Request device 20 Response device 90 Network 101 Control unit 102 Storage unit 110 Random number selection unit 115 Long-term key pair generation unit 120 Short-term random number selection unit 125 Short-term key pair generation unit 130 First encryption unit 135 Output unit 140 Input Unit 145 second key decryption unit 150 third key decryption unit 155 session key generation unit 201 control unit 202 storage unit 210 random number selection unit 215 long-term key pair generation unit 220 short-term random number selection unit 225 third encryption unit 230 second encryption Unit 235 output unit 240 input unit 245 first key decryption unit 250 third key generation unit 255 session key generation unit

Claims (5)

A key exchange system for sharing a session key SK between a requesting device and a response device,
The requesting device is:
Requester sender private key sk _AS generated by a sender key generation algorithm SKeyGen of an arbitrary signature, and requester receiver secret key sk _AR generated by a receiver key generation algorithm RKeyGen of the signature application A request storage unit storing
Using a key generation algorithm wKeyGen of a key encapsulation mechanism in which key generation and ciphertext generation are independent, a short-term key pair generation unit that calculates a short-term public key ek _A and a short-term secret key dk _A ,
Using the request-side sender private key sk _AS , the response-side recipient public key pk _BR generated by the receiver key generation algorithm RKeyGen, and the short-term public key ek _A as inputs, the signature application of the signature application. _A first encryption unit that generates a first ciphertext CT _A and a first key K _A using the option algorithm SC;
_A request side output unit for transmitting the first ciphertext CT _A and the short-term public key ek _A to the response device;
The request side receiver private key sk _AR , the response side sender public key pk _BS generated by the sender key generation algorithm SKeyGen, and the second ciphertext CT _{B, 1} and the third cipher received from the response device A second key decryption unit that receives the sentence CT _{B, 2} as an input and generates the second key K _{B, 1} using the decryption algorithm USC of the signature application;
_A third key decryption unit which receives the short-term secret key dk _A and the third ciphertext CT _{B, 2} as input and generates a third key K _{B, 2} using the decryption algorithm wDeCap of the key encapsulation mechanism; ,
Using the first key K _A , the second key K _{B, 1} and the third key K _{B, 2} , the short-term public key ek _A , the first ciphertext CT _A and the second ciphertext CT _{B , 1} and the third ciphertext CT _{B, 2} , a requesting session key generation unit that generates the session key SK from a session identifier ST,
With
The response device is:
A response side storage unit storing the response side sender secret key sk _BS generated by the sender key generation algorithm SKeyGen and the response side receiver secret key sk _BR generated by the receiver key generation algorithm RKeyGen; ,
A third encryption unit that generates the third ciphertext CT _{B, 2} using the random number r _{B, 2} as an input and the ciphertext generation algorithm wEnCapC of the key encapsulation mechanism;
Using the responder sender private key sk _BS , the requester receiver public key pk _AR generated by the receiver key generation algorithm RKeyGen, and the third ciphertext CT _{B, 2} as input, the signature encryption A second encryption unit that generates the second ciphertext CT _{B, 1} and the second key KB _{, 1} using an algorithm SC;
A response side output unit for transmitting the second ciphertext CT _{B, 1} and the third ciphertext CT _{B, 2} to the requesting device;
The response-side receiver private key sk _BR , the request-side sender public key pk _AS generated by the transmitter key generation algorithm SKeyGen, the first ciphertext CT _A and the short-term public key received from the requesting device as inputs and ek _a, using the decryption algorithm USC, a first key decryption unit for generating the first key K _a,
A third key generation unit that receives the short-term public key ek _A and the random number r _{B, 2} as input and generates the third key K _{B, 2} using the encapsulation key generation algorithm wEnCapK of the key encapsulation mechanism When,
Using the first key K _A , the second key K _{B, 1} and the third key K _{B, 2} , the short-term public key ek _A , the first ciphertext CT _A and the second ciphertext CT _{B , 1} and the third ciphertext CT _{B, 2} , the responding session key generating unit that generates the session key SK from the session identifier ST,
A key exchange system comprising: The request apparatus used in the key exchange system according to claim 1 . The response device used in the key exchange system according to claim 1 . A key exchange method for sharing a session key SK between a requesting device and a response device,
The requesting device uses a key generation algorithm wKeyGen of a key encapsulation mechanism in which key generation and ciphertext generation are independent to generate a short-term public key ek _A and a short-term secret key dk _A ,
The requesting device is a requesting-side sender secret key sk _AS generated by a sender key generation algorithm SKeyGen of an arbitrary signature application and a responding-side receiver generated by the receiver key generation algorithm RKeyGen of the signature application First encryption for generating a first ciphertext CT _A and a first key K _A by using the public key pk _BR and the short-term public key ek _A as input and using the signature encryption algorithm SC of the signature application Steps,
_A request side output step in which the requesting device transmits the first ciphertext CT _A and the short-term public key ek _A to the response device;
A third encryption step in which the response device generates a third ciphertext CT _{B, 2} using a random number r _{B, 2} as an input and a ciphertext generation algorithm wEnCapC of the key encapsulation mechanism;
The response device includes a response-side sender private key sk _BS generated by the sender key generation algorithm SKeyGen, a request-side receiver public key pk _AR generated by the receiver key generation algorithm RKeyGen, and the third A second encryption step for generating a second ciphertext CT _{B, 1} and a second key K _{B, 1} using the ciphertext CT _{B, 2} as an input, and using the signature algorithm SC;
A response side output step in which the response device transmits the second ciphertext CT _{B, 1} and the third ciphertext CT _{B, 2} to the requesting device;
The requesting device receives the requesting-side recipient secret key sk _AR , the responding-side sender public key pk _BS generated by the sender key generation algorithm SKeyGen, and the second ciphertext CT _B received from the responding device. _{, 1} and the third ciphertext CT _{B, 2} as input, and a second key decryption step of generating a second key K _{B, 1} using the signature encryption algorithm USC;
The requesting device receives the short-term secret key dk _A and the third ciphertext CT _{B, 2} as inputs and generates a third key K _{B, 2} using the decryption algorithm wDeCap of the key encapsulation mechanism. A three-key decryption step;
The requesting device uses the first key K _A , the second key K _{B, 1} and the third key K _{B, 2} to use the short-term public key ek _A , the first ciphertext CT _A and the first key A requesting session key generation step of generating the session key SK from a session identifier ST including two ciphertexts CT _{B, 1} and the third ciphertext CT _{B, 2} ;
The response device receives the response-side recipient private key sk _BR , the request-side sender public key pk _AS generated by the sender key generation algorithm SKeyGen, and the first ciphertext CT _A received from the request device. And a first key decryption step of generating the first key K _A using the decryption algorithm USC with the short-term public key ek _A as an input;
The response device receives the short-term public key ek _A and the random number r _{B, 2} as input and generates the third key K _{B, 2} using the encapsulation key generation algorithm wEnCapK of the key encapsulation mechanism. A third key generation step;
The response device uses the first key K _A , the second key K _{B, 1} and the third key K _{B, 2} to use the short-term public key ek _A , the first ciphertext CT _A and the first key A responding session key generation step of generating the session key SK from a session identifier ST including two ciphertexts CT _{B, 1} and the third ciphertext CT _{B, 2} ;
Including a key exchange method.   A program for causing a computer to function as the requesting device according to claim 2 or the response device according to claim 3.

Images