JP5932709B2 - Transmission side device and reception side device - Google Patents

Description

  The present invention relates to encryption and digital signature technology.

  In order to guarantee the confidentiality of a communication path, that is, as a method for protecting information flowing on the communication path from the threat of eavesdropping, application of encryption technology is well known. As a method for guaranteeing the authenticity of a communication path, that is, for protecting information flowing on the communication path from threats of falsification and impersonation, application of an electronic signature technique is known. Further, as a technique for guaranteeing confidentiality and authenticity at the same time, there is a signed encryption technique using an encryption technique and an electronic signature technique.

    Two typical examples of signed encryption techniques are well known: the Sign-then-Encrypt scheme and the Encrypt-then-Sign scheme. The Sign-then-Encrypt scheme is a scheme for encrypting a set of a message and a signature value after adding an electronic signature to the message. On the other hand, the Encrypt-the-Sign method is a method of adding an electronic signature to the ciphertext after encrypting the message with public key cryptography.

  The security of signed encryption is evaluated from two aspects: confidentiality and authenticity. Concerning confidentiality, the dynamic multi-user model has an indistinguishability against adaptive selection ciphertext attacks from insiders (dM-IND-iCCA: INDistinguisability agins inside Chosen Ciphertext Attack in the Multi-user Multi-user model) Is desired). In addition, as for authenticity, it has a strong forgery against selected document attacks from insiders in a dynamic multi-user model (dM-sUF-iCMA: called Strong UnForgeability aginstinder Chosen Message Attack-in-the-Mind Safety standards) are desired. It is considered desirable for a secure signed encryption scheme to satisfy these two security requirements simultaneously.

  The above-mentioned Sign-then-Encrypt scheme has an indistinguishability against an adaptive selection ciphertext attack, but it has been found that a strong forgery against a selected document attack is not guaranteed. In addition, it is known that the Encrypt-then-Sign method has strong forgery against a selected document attack, but cannot guarantee unidentification against an adaptive selected ciphertext attack.

  There is a method described in Non-Patent Document 1 as an encryption method with a signature that has both of the above two security features. This method realizes a signed encryption method by combining a tag-based key encapsulation mechanism (commonly known as TBKEM), an electronic signature method, and a common key encryption. It is shown that when the component components TBKEM, electronic signature, and common key encryption satisfy certain security standards, a signed cryptographic method combining them satisfies the above two security standards.

Daiki Chiba, Takahiro Matsuda, Jacob C.N.Schuldt, Kanta Matsuura, '' Efficient Generic Constructions in Sci.

  There are many fields where confidentiality and authenticity are required simultaneously. For example, when sending stock trading orders from a securities company system to a stock exchange system, it is important to ensure confidentiality in order to prevent other parties other than the exchange from knowing the contents of the order. Authenticity must be ensured to prevent tampering and interception of the contents of the order. In fields such as sensor networks and mobile computing, confidentiality is required to prevent communication interception, and authenticity is required to authenticate the message source.

  In the above fields, there are unique restrictions on processing performance as well as ensuring safety. In the case of securities trading, it is required to process a large number of orders in real time without delay during busy periods when requests are concentrated on the exchange. Further, in the latter field, since the calculation capability of each device is not so high and the power saving performance of the device is desired, the calculation processing required for the device is required to be simple.

  While the method described in Non-Patent Document 1 guarantees high security as described above, it uses a digital signature method internally, and therefore includes problems related to real-time communication and computational complexity. .

  The present invention has been made in view of such a background, and the present invention makes it possible to apply a signed encryption method to highly real-time communication by suppressing a decrease in communication speed at the time of message transmission and reception, It is an object of the present invention to realize a signed encryption method even by a processor with insufficient capability by reducing the calculation required for message transmission / reception.

  A typical example of the present invention is as follows. A transmission-side apparatus that generates a signed ciphertext from a message and transmits it to the reception-side apparatus includes a storage device that stores the signature private key and verification public key of the sender, and a control device. The control device generates a key pair for a one-time signature and generates a first time signature for the one-time signature by using a one-time signature key generation unit that stores the key pair for the one-time signature and the sender's signature private key. Generating a first signature value for the key of the key and temporarily storing it in the storage device, and for the common key encryption from the input public key of the receiver of the message and the verification public key of the sender A key capsule generation unit that generates a key and encrypted data of the key and stores the key in the storage device, the second key for the one-time signature, the public key of the recipient of the message, and the key for the common key encryption A one-time signature generation unit for generating a second signature value from the encrypted data and the input transmission target message, the key for the common key encryption, the first key for the one-time signature, the first Signature value of the second signature value, And a common key encryption unit that generates a ciphertext with a signature from the message to be transmitted, and a transmission unit that transmits encrypted data of the key for the common key encryption and the ciphertext with the signature to the reception-side apparatus. It is characterized by that.

  In addition, the receiving device that decrypts the message from the signed ciphertext received from the transmitting device includes a storage device that stores the decryption private key and the encryption public key of the receiver, and a control device. The control device includes: a receiving unit that receives the encrypted data of the common key encryption key and the signed ciphertext from the transmission side device; the receiver's encryption private key; and the input sender's verification release A key capsule decrypting unit for decrypting a common key encryption key from the encrypted data of the key and the common key encryption key, and the ciphertext with the signature using the common key encryption key. A verification key, a first signature value, a second signature value, a common key decryption unit that decrypts the message, the verification key for the one-time signature as a verification target message, and the first signature value as a verification target signature And a first signature verification unit that performs signature verification using the sender's verification public key, encryption of the receiver's encryption public key, and the common key encryption key received by the receiver Data and the common key decryption unit A second signature verification unit configured to use the decrypted message as a verification target message, the second signature value as a verification target signature value, and verify the signature using the verification key of the one-time signature; and the key capsule When the common key encryption key is decrypted by the decryption unit, and the verification results of the first signature verification unit and the second signature verification unit indicate successful verification, the decrypted by the common key decryption unit And an output unit for outputting a message.

  According to the present invention, not only high security is provided, but also pre-computation is possible for most of the signed encryption processing. As a result, a highly secure signed encryption method can be applied even to a system that requires real-time performance and a processor with insufficient capability.

3 is a diagram for describing a configuration example of a transmission side device and a transmission side key generation device according to Embodiment 1. FIG. FIG. 3 is a diagram for describing a configuration example of a reception side device and a reception side key generation device according to the first embodiment. FIG. 3 is a hardware configuration diagram of each device (client device, gateway device, and data management device) according to the first and second embodiments. FIG. 10 is a sequence diagram illustrating an overall flow of a signed ciphertext transmission / reception process performed by a transmission-side apparatus and a reception-side apparatus according to the first and second embodiments. 6 is a flowchart illustrating a flow of a decoding process with verification in the reception-side apparatus according to the first embodiment. FIG. 10 is a diagram for describing a configuration example of a transmission side device and a transmission side key generation device according to a second embodiment. FIG. 10 is a diagram for describing a configuration example of a reception side device and a reception side key generation device according to a second embodiment. 10 is a flowchart illustrating a flow of a decoding process with verification in the reception-side apparatus according to the second embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Note that the present invention is not limited thereby.

  FIG. 1 is a functional block diagram illustrating a configuration example of the transmission side device 100 and the transmission side key generation device 150 according to the present embodiment.

  As illustrated in FIG. 1, the transmission-side apparatus 100 includes a one-time signature key generation unit 101, a temporary storage unit 102, a storage unit 103, a signature generation unit 104, a temporary storage unit 105, a transmission destination designation unit 106, and a key capsule generation unit. 107, a temporary storage unit 108, an input unit 109, a one-time signature generation unit 110, a common key encryption unit 111, and a transmission unit 112. The transmission side key generation device 150 includes a signature key generation unit 151.

  The signature generation unit 104, the signature key generation unit 151, and a signature verification unit 206 described later are functional units based on the same electronic signature algorithm. That is, the digital signature generation algorithm implemented by the signature generation unit 104, the signature key generation algorithm implemented by the signature key generation unit 151, and the signature verification algorithm implemented by the signature verification unit 206 are algorithms belonging to the same electronic signature scheme. is there. Therefore, of the signature key pair (skS, pkS) output from the signature key generation unit 151, skS can be used as a signature private key required when the signature generation unit 104 generates a signature, and pkS is a signature key. It can be used as a signature verification key required when the verification unit 206 verifies the signature.

  Similarly, the one-time signature generation unit 110, the one-time signature key generation unit 101, and the one-time signature verification unit 207 described later are functional units based on the same one-time signature scheme. That is, the one-time signature generation algorithm implemented by the one-time signature generation unit 110, the one-time signature key generation algorithm implemented by the one-time signature key generation unit 101, and the one-time signature verification algorithm implemented by the one-time signature verification unit 207 Are algorithms that belong to the same one-time signature scheme. Therefore, out of the one-time signature key pair (osk, ovk) output from the one-time signature key generation unit 101, the osk can be used as a signature private key required when the one-time signature generation unit 110 generates a signature. Ovk can be used as a verification key required when the one-time signature verification unit 207 verifies the signature.

  Further, the key capsule generation unit 107, an encryption key generation unit 251 described later, and a key capsule decryption unit 204 described later are functional units based on the same tagged key encapsulation (TBKEM) method. That is, the tagged key capsule generation algorithm implemented by the key capsule generation unit 107, the encryption key generation algorithm implemented by the encryption key generation unit 251 and the key capsule decryption algorithm implemented by the key capsule decryption unit 204 are the same TBKEM method. It belongs to the algorithm. Therefore, of the encryption key pair (skR, pkR) output from the encryption key generation unit 251, pkR is used as the encryption public key required when the key capsule generation unit 107 generates the key K and its encapsulation C1. The skR can be used as a decryption secret key required when the key capsule decryption unit 204 obtains K from C1.

  The key K generated by the key capsule generation unit 107 can be used as an encryption key when the common key encryption unit 111 performs an encryption process.

  The one-time signature key generation unit 101 is a functional unit that implements a one-time signature key generation algorithm, and outputs a one-time signature key pair (osk, ovk). The key pair (osk, ovk) is used as an input to the temporary storage unit 102.

  The temporary storage unit 102 receives the one-time signature key pair (osk, ovk) as input and temporarily stores them until consumed by another processing unit. The secret key osk is used later as an input to the one-time signature generation unit 110. The public key ovk is used later as an input to the signature generation unit 104 and the common key encryption unit 111. The osk needs to be stored in a secure storage area so that it is not known to anyone other than the sender. For example, a product such as HSM (Hardware Security Module) may be used. The temporary storage unit 102 can store a plurality of key pairs. The stored osk and ovk are managed in association with a character string that can uniquely identify the key pair in the temporary storage unit 102, for example, an identifier such as a sequence number. Hereinafter, the character string is referred to as a label for the sake of simplicity.

  The storage unit 103 stores the sender's signature private key skS and the verification public key pkS generated by the transmission side key generation device 150. The sender's signature private key skS needs to be stored in a secure storage area so that it is not known to anyone other than the sender. For example, a product such as HSM (Hardware Security Module) may be used. On the other hand, the sender's verification public key pkS needs to be widely disclosed to the receiver and other persons who verify the signature using a public repository or any communication means.

  The signature generation unit 104 is a functional unit that implements an electronic signature generation algorithm. The sender's signature private key skS is input as the signature key, the one-time signature verification key ovk is input as the signature target message, and the signature value s1 is output as the processing result. The signature value s1 is used as an input to the temporary storage unit 105.

  The temporary storage unit 105 receives the signature value s1 as input and temporarily stores it until it is consumed by another processing unit. The stored signature value s1 is used later as an input to the common key encryption unit 111. The temporary storage unit 105 can store a plurality of signature values. The stored signature value s 1 is given a label that can uniquely identify the signature value in the temporary storage unit 105.

  The destination designation unit 106 is a functional unit that receives and temporarily stores the encryption public key pkR of the recipient after the sender has determined the message destination, that is, the recipient. The encryption public key pkR is used as an input to the key capsule generation unit 107 and the one-time signature generation unit 110.

  The key capsule generation unit 107 is a functional unit that implements a tagged key encapsulation algorithm. The receiver's encryption public key pkR is input as a key for encapsulation, and the sender's verification public key pkS is input as a tag (auxiliary input). As a result of the processing, a common key encryption key K and A key capsule C1 encapsulating (encrypting) the key is output. The key K and the key capsule C1 are used as inputs to the temporary storage unit 108.

  The temporary storage unit 108 receives a key K for common key encryption and a key capsule C1 encapsulating (encrypting) the key, and stores them temporarily until consumed by another processing unit. The key capsule C1 is used later as an input to the one-time signature generation unit 110 and the transmission unit 112. The key K is used later as an input to the common key encryption unit 111. The key K needs to be stored in a secure storage area so that it is not known to anyone other than the sender. For example, a product such as HSM (Hardware Security Module) may be used. The temporary storage unit 108 can store a plurality of keys and key capsules. The stored key and key capsule pair (K, C1) is given a label that can uniquely identify the pair in the temporary storage unit 108.

  The input unit 109 is a functional unit that inputs the message m after the sender has determined the message to be transmitted. The message m is used as an input to the one-time signature generation unit 110 and the common key encryption unit 111.

  The one-time signature generation unit 110 receives the signature private key osk for the one-time signature as a signature key, and inputs the recipient's encryption public key pkR, key capsule C1, and message m as a signature target message. The signature value s2 is output as a result of the processing. The signature value s2 is used as an input to the common key encryption unit 111.

  The common key encryption unit 111 receives a key K as an encryption key, and receives a one-time signature verification key ovk, a signature value s1, a signature value s2, and a message m as an encryption target message. As a result, the ciphertext C2 is output. The ciphertext C2 is used as an input of the transmission unit 112.

  The transmission unit 112 transmits the key capsule C <b> 1 and the ciphertext C <b> 2 to the reception-side apparatus 200 after being input. A general-purpose protocol such as TCP / IP or HTTP can be used for communication.

  FIG. 2 is a functional block diagram illustrating a configuration example of the reception-side device 200 and the reception-side key generation device 250 according to the present embodiment.

  As illustrated in FIG. 2, the transmission-side apparatus 200 includes a transmission source designation unit 201, a reception unit 202, a storage unit 203, a key capsule decryption unit 204, a common key decryption unit 205, a signature verification unit 206, and a one-time signature verification unit 207. A determination unit 208 and an output unit 209. The receiving side key generation device 250 includes an encryption key generation unit 251.

  As described above, the signature verification unit 206, the signature generation unit 104, and the signature key generation unit 151 described above are functional units based on the same electronic signature algorithm. The one-time signature verification unit 207, the one-time signature generation unit 110, and the one-time signature key generation unit 101 described above are functional units based on the same one-time signature scheme. The encryption key generation unit 251 and the key capsule decryption unit 204, and the key capsule generation unit 107 described above are functional units based on the same tagged key encapsulation (TBKEM) method.

  The transmission source designating unit 201 is a functional unit that receives and temporarily stores the verification public key pkS of the sender after the receiver knows the transmission source of the message, that is, the sender (candidate). The verification public key pkS is used as an input to the key capsule decryption unit 204 and the signature verification unit 206.

  The reception unit 202 receives the key capsule C1 and the ciphertext C2 from the transmission-side apparatus 100, and then transfers them to each functional unit as necessary. A general-purpose protocol such as TCP / IP or HTTP can be used for reception.

  The storage unit 203 stores the recipient's decryption secret key skR and encryption public key pkR generated by the reception side key generation device 250. The receiver's decryption secret key skR needs to be stored in a secure storage area so that it is not known to anyone other than the receiver. For example, a product such as HSM (Hardware Security Module) may be used. On the other hand, the encryption public key pkR of the receiver needs to be widely disclosed to the sender and other persons who send messages to the receiver using a public repository or any communication means.

  The key capsule decryption unit 204 is a functional unit that implements a tagged key capsule decryption algorithm. The recipient's encryption private key skR is input as a key for capsule decryption, the sender's verification public key pkS is input as a tag (auxiliary input), and the decryption target key capsule C1 is input, and processing As a result, the common key encryption key K or the error code ERR is output. The key K or the error code ERR is used as an input to the common key decryption unit 205 and the determination unit 208.

  The common key decryption unit 205 receives the key K and the ciphertext C2, and outputs the verification key ovk, the signature value s1, the signature value s2, and the message m as a result of the processing. The verification key ovk is used as an input to the signature verification unit 206 and the one-time signature verification unit 207. The signature value s1 is used as an input to the signature verification unit 206. The message m and the signature value s2 are used as input to the one-time signature verification unit 207.

  The signature verification unit 206 is a functional unit that implements an electronic signature verification algorithm. The sender's verification public key pkS is input as the verification key, the verification key ovk of the one-time signature is input as the verification target message, s1 is input as the signature value, and the verification result v1 (verification success or verification) (Binary failure) is output. The verification result v1 is used as an input to the determination unit 208.

  The one-time signature verification unit 207 receives the verification key ovk of the one-time signature as a verification key, and receives the recipient's encryption public key pkR, the key capsule C1, and the message m as verification target messages. The verification result v2 (binary verification success or verification failure) is output as the processing result. The verification result v2 is used as an input of the determination unit 208.

  The determination unit 208 verifies whether the processing result of the key capsule decryption unit 204 is an error code ERR, the processing result v1 of the signature verification unit 206 is a verification failure, or the processing result v2 of the one-time signature verification unit 207 is verified. In the case of failure, in either case, the error code ERR is presented to the receiver via the output unit 210 to indicate that there is a problem with the received ciphertext (C1, C2). Otherwise, the message m decrypted by the common key decryption unit 205 is presented to the recipient via the output unit 209. In this case, it is guaranteed that the message m received by the recipient is certainly sent from the sender designated by the sender designation unit 201.

  The output unit 210 presents the message m or the error code ERR to the user (recipient) of the reception-side apparatus 200 based on the determination result of the determination unit 208.

  FIG. 3 is a hardware configuration diagram of each device (transmission side device 100, transmission side key generation device 150, reception side device 200, reception side key generation device 250) according to the present embodiment.

  As shown in FIG. 3, each device according to the present embodiment is realized by a general computer 300.

  The computer 300 includes a CPU 301, a memory 302, an external storage device 303 such as a hard disk, a transmission / reception device 304 such as a NIC (Network Interface Card) for connection to a communication network, an output device 305 such as a monitor, a keyboard and a mouse. And an input device 306 such as a CD-ROM and a DVD-ROM, and a reading device 307 that reads information from a portable storage medium 308 such as a CD-ROM.

  The storage area in the storage unit of each device can be realized by the CPU 301 using the memory 302 or the external storage device 303. Each control unit can be realized by the CPU 301 by loading a predetermined program stored in the external storage device 303 into the memory 302. The predetermined program may be acquired from the storage medium 308 via the reading device 307, or downloaded from the network to the external storage device 303 via the transmission / reception device 304, loaded into the memory 302, and executed by the CPU 301. You may do it. Alternatively, the program may be directly loaded into the memory 302 from the storage medium 308 via the reading device 307 or from the network via the transmission / reception device 304 and executed by the CPU 301.

  Next, referring to FIG. 4, a signed ciphertext transmission / reception process performed by each apparatus (transmission-side apparatus 100, transmission-side key generation apparatus 150, reception-side apparatus 200, reception-side key generation apparatus 250) according to this embodiment. Will be described.

  First, the transmission-side apparatus 100 generates a one-time signature key for use in subsequent signed encryption processing (step 401). Specifically, the one-time signature key generation unit 101 of the transmission-side apparatus 100 generates a one-time signature key pair (osk, ovk) based on the one-time signature key generation algorithm and stores it in the temporary storage unit 102. To do. At this time, a label that allows the key pair to be uniquely specified in the temporary storage unit 102 is assigned to osk and ovk. Since the one-time signature key generation process does not require the sender's key pair (skS, pkS), the recipient's public key pkR, or the message m, it can be calculated independently of other processes. It is. Utilizing this point, the one-time signature key generation process is calculated a plurality of times during the startup of the transmitting apparatus 100 or during the idle time, and the result (one-time signature key pair) is stored in the temporary storage unit 102. By doing so, it is possible to reduce the processing time required from step 402 onward.

  Next, the transmission-side key generation device 150 generates a sender's signature key pair (skS, pkS) using the signature key generation unit 151 (step 402). The generated key pair (skS, pkS) is stored in the storage unit 103.

  Next, the transmitting-side apparatus 100 gives the signature value s1 to the one-time signature verification key ovk (step 403). Specifically, the signature generation unit 104 of the transmission-side apparatus 100 receives the sender's private key skS stored in the storage unit 103 as a signature key and also stores the one-time signature stored in the temporary storage unit 102. When the verification key ovk is input as a signature target message, the signature value s1 is output based on the signature generation algorithm. The output signature value s1 is stored in the temporary storage unit 105 with the same identifier as the label of the input verification key ovk. Since the signature generation process does not require either the recipient's public key pkR or the message m, it can be pre-calculated independently of the process from step 404 onward. Taking advantage of this point, the one-time signature key stored in the temporary storage unit 101 during the idle time during device activation after the signature key pair (skS, pkS) is generated by the transmission side key generation device 150 By applying a signature to the pair group and storing the result (signature value assigned to the one-time signature key pair) in the temporary storage unit 105, it is possible to reduce the processing time from step 404 onward. is there.

  Next, the transmission-side apparatus 100 determines a message transmission destination according to the input from the sender (step 404). Specifically, the sender obtains the receiver's public key pkR using a public repository or any communication means, and inputs it to the transmission destination designating unit 106 of the transmission-side apparatus 100.

  Next, the transmission-side apparatus 100 generates a key capsule (step 405). Specifically, the key capsule generation unit 107 of the transmission-side apparatus 100 receives the public key pkR of the transmission destination (recipient) acquired by the transmission destination designation unit 106 as an encryption key and stores it in the storage unit 103. By inputting the sender's public key pkS as a tag, a key K for common key encryption and a key capsule C1 encapsulating the key are output based on a tagged key capsule generation algorithm. The output (K, C1) is stored in the temporary storage unit 108. At this time, K and C1 are stored with a label uniquely identifying the pair.

  Next, the transmission-side apparatus 100 determines a message to be transmitted according to the input from the sender (step 406). Specifically, the sender inputs a message m to be transmitted to the input unit 109 of the transmission side device 100.

  Next, the transmission side apparatus 100 generates a one-time signature (step 407). Specifically, the one-time signature generation unit 110 of the transmission-side apparatus 100 receives the one-time signature private key osk stored in the temporary storage unit 102 as a signature key and is acquired by the transmission destination designation unit 106. The recipient's public key pkR, the key capsule C1 stored in the temporary storage unit 108, and the message m acquired by the input unit 107 are input as a transmission target document, thereby generating a one-time signature. The algorithm is executed and the signature value s2 is output.

  Next, the transmission-side apparatus 100 generates a ciphertext (Step 408). Specifically, the common key encryption unit 111 of the transmission-side apparatus 100 selects a key K having the same label as the key capsule C1 used in step 407 from the keys stored in the temporary storage unit 108, and the encryption key Use as Also, among the verification keys stored in the temporary storage unit 102, the verification key ovk having the same label as the private key osk used in step 407, the signature value s1 stored in the temporary storage unit 105, and one-time signature generation The signature value s2 generated by the unit 110 and the message m acquired by the input unit 109 are input as encryption target messages to execute the common key encryption algorithm and output the ciphertext C2.

  Finally, the transmission unit 112 of the transmission-side apparatus 100 generates a signed ciphertext (C1, C2) composed of the key capsule C1 used in step 407 and the ciphertext C2 output by the common key encryption unit 111. Then, the data is transmitted to the receiving apparatus 200 via the network (step 409). After sending the message, the key pair (osk, ovk), signature value s1, and key and key capsule (K, C1) used between step 401 and step 409 are deleted from the temporary storage units 102, 105, and 108, respectively. Is done.

  The above is a specific flow of the signed encryption process executed by the transmission-side apparatus 100.

  Next, a specific flow of the decryption process with verification executed by the reception-side apparatus 200 will be described. When receiving the signed ciphertext (C1, C2) transmitted by the transmitting device 100, the receiving device 200 first identifies the sender of the signed ciphertext (the user of the transmitting device 100), The sender's public key pkS is input to the transmission source designation unit 201 of the reception side device 200 (step 410). The public key pkS can be transmitted from the sender together with the signed ciphertext, or can be acquired from a public repository.

  Next, the receiving-side apparatus 200 executes a decryption process with verification of the received signed ciphertext (C1, C2) based on the identified sender public key pkS (step 411).

  Here, a specific flow of the decryption process with verification will be described with reference to FIG.

  First, the key capsule decryption unit 204 of the receiving-side apparatus 200 receives the recipient's private key skR stored in the storage unit 203 as a decryption key and the pkS acquired by the transmission source designation unit 201 as a tag. C1 received by the receiving unit 202 is input as a decryption target key capsule. The key capsule decryption unit 204 executes the key capsule decryption algorithm. If the decryption is successful, the key capsule decryption unit 204 outputs the key K. If the decryption fails, the key capsule decryption unit 204 outputs a code ERR indicating a decryption error (step 501).

  Next, the common key decryption unit 205 of the reception-side apparatus 200 receives the key K output from the key capsule decryption unit 204 as a decryption key, and the ciphertext C2 received by the reception unit 202 is decrypted. Entered as a sentence. The common key decryption unit 205 executes a common key decryption algorithm, and outputs a decryption result (ovk, s1, s2, m) if the decryption is successful, and outputs a code ERR indicating an error if the decryption fails ( Step 502).

  Next, the signature verification unit 206 of the reception-side apparatus 200 receives the sender's public key pkS stored in the transmission source designation unit 201 as a verification key and verifies the ovk output by the common key decryption unit 205. The signature value s1 input as a target message and output by the common key decryption unit 205 is input as a verification target signature value. The signature verification unit 206 executes the signature verification algorithm, and outputs 1 if the verification is successful and 0 if it fails (step 503).

  Next, the one-time signature verification unit 207 of the reception-side apparatus 200 receives the ovk received by the reception unit 202 as a verification key, and also includes the recipient's public key pkR stored in the storage unit 203 and the reception unit 202. And the message m output from the common key decryption unit 205 is input as a document to be verified, and the signature value s2 output from the common key decryption unit 205 is input as a signature value to be verified. Is done. The one-time signature verification unit 207 executes a one-time signature verification algorithm, and outputs 1 if the verification is successful and 0 if it fails (step 504).

  Next, the determination unit 208 of the reception-side apparatus 200 determines whether processing can be continued based on the output of the key capsule decryption unit 204, the output of the signature verification unit 206, and the output of the one-time signature verification unit 207. (Step 505). Specifically, the key capsule decryption unit 204 succeeds in outputting the key K, the verification result by the signature verification unit 206 is 1 (acceptance), and the verification result by the one-time signature verification unit 207 is 1 (acceptance). Only when there is a message m, the message m is output to the receiver via the output unit 210 (step 506). Otherwise, a code ERR indicating a verification error is output to the receiver via the output unit 210 (step 507). ).

  The above is a specific flow of the decryption process with verification executed by the reception-side apparatus 200.

  As described above, according to the transmission-side apparatus 100 according to the present embodiment, it is possible to pre-calculate a one-time signature key generation process at any time independently of other processes. In addition, if the sender's signature key pair (skS, pkS) is determined, the signature generation process is performed even before the message destination (recipient) and the content of the message to be transmitted are determined. Can be pre-calculated. Further, after the destination recipient's public key pkR is determined, the key capsule generation process can be pre-calculated even before the content of the message to be transmitted is determined. By pre-calculating signature generation processing and key capsule generation processing with high calculation costs, processing after the message m to be transmitted is determined can be realized only by processing with low calculation costs such as common key encryption and one-time signature. Therefore, it is possible to reduce the time required from message determination to transmission.

  FIG. 6 is a functional block diagram illustrating a configuration example of the transmission side device 600 and the transmission side key generation device 650 according to the present embodiment.

  As illustrated in FIG. 6, the transmission-side apparatus 600 includes a one-time signature key generation unit 601, a temporary storage unit 602, a storage unit 603, a signature generation unit 604, a temporary storage unit 605, a transmission destination designation unit 606, and a key capsule generation unit. 607, a temporary storage unit 608, an input unit 609, a one-time signature generation unit 610, a common key encryption unit 611, and a transmission unit 612. The transmission side key generation device 650 includes a signature key generation unit 651.

  A signature generation unit 604, a signature key generation unit 651, and a signature verification unit 705 described later are functional units based on the same electronic signature algorithm. That is, the digital signature generation algorithm implemented by the signature generation unit 604, the signature key generation algorithm implemented by the signature key generation unit 651, and the signature verification algorithm implemented by the signature verification unit 705 are algorithms belonging to the same electronic signature scheme. is there. Therefore, among the signature key pair (skS, pkS) output by the signature key generation unit 651, skS can be used as a signature private key required when the signature generation unit 604 generates a signature, and pkS is a signature key. It can be used as a signature verification key required when the verification unit 705 verifies the signature.

  Similarly, the one-time signature generation unit 610, the one-time signature key generation unit 601, and the one-time signature verification unit 708 described later are functional units based on the same one-time signature scheme. That is, the one-time signature generation algorithm implemented by the one-time signature generation unit 610, the one-time signature key generation algorithm implemented by the one-time signature key generation unit 601 and the one-time signature verification algorithm implemented by the one-time signature verification unit 708 Are algorithms that belong to the same one-time signature scheme. Therefore, out of the one-time signature key pair (osk, ovk) output from the one-time signature key generation unit 601, osk can be used as a signature private key necessary when the one-time signature generation unit 610 generates a signature. Ovk can be used as a verification key required when the one-time signature verification unit 708 verifies the signature.

  A key capsule generation unit 607, an encryption key generation unit 751 described later, and a key capsule decryption unit 704 described later are functional units based on the same tagged key encapsulation (TBKEM) method. That is, the tagged key capsule generation algorithm implemented by the key capsule generation unit 607, the encryption key generation algorithm implemented by the encryption key generation unit 751, and the key capsule decryption algorithm implemented by the key capsule decryption unit 704 are the same TBKEM method. It belongs to the algorithm. Therefore, of the encryption key pair (skR, pkR) output from the encryption key generation unit 751, pkR is used as a public key for encryption necessary when the key capsule generation unit 607 generates the key K and its encapsulation C1. The skR can be used as a secret key for decryption necessary when the key capsule decryption unit 704 obtains K from C1.

  The key K generated by the key capsule generation unit 607 can be used as an encryption key when the common key encryption unit 611 performs encryption processing.

  Hereinafter, the one-time signature key generation unit 601, the storage unit 603, the signature generation unit 604, the transmission destination designation unit 606, the temporary storage unit 608, the input unit 609, the transmission side key generation device 650, and the signature key generation unit 651 will be described. The one-time signature key generation unit 101, the storage unit 103, the signature generation unit 104, the transmission destination designation unit 106, the temporary storage unit 108, the input unit 109, the transmission side key generation device 150, the signature key generation unit 151, Therefore, detailed description thereof is omitted.

  The temporary storage unit 602 receives the one-time signature key pair (osk, ovk) as input and stores them temporarily until consumed by another processing unit. The secret key osk is used later as an input to the one-time signature generation unit 610. The verification key ovk is used later as an input to the signature generation unit 604, the key capsule generation unit 607, and the transmission unit 612. The osk needs to be stored in a secure storage area so that it is not known to anyone other than the sender. For example, a product such as HSM (Hardware Security Module) may be used. The temporary storage unit 602 can store a plurality of key pairs. The stored osk and ovk are managed in association with a character string that allows the key pair to be uniquely specified in the temporary storage unit 602, for example, an identifier such as a sequence number. Hereinafter, for simplicity, the character string is simply referred to as a label.

  The temporary storage unit 605 takes the signature value s1 as input, and temporarily stores it until it is consumed by another processing unit. The stored signature value s1 is used later as an input to the key capsule generation unit 607, the one-time signature generation unit 610, and the transmission unit 612. The temporary storage unit 605 can store a plurality of signature values. The stored signature value s 1 is given a label that can uniquely identify the signature value in the temporary storage unit 605.

  The key capsule generation unit 607 is a functional unit that implements a tagged key encapsulation algorithm. The recipient's encryption public key pkR is input as a key for encapsulation, and the verification key ovk of the one-time signature, the signature value s1, and the sender's verification public key pkS as tags (auxiliary input) , And a key capsule C1 obtained by encapsulating (encrypting) the key K and the key as a result of the processing. The key K and the key capsule C1 are used as inputs to the temporary storage unit 608.

  The one-time signature generation unit 610 receives a signature private key osk for a one-time signature as a signature key, and also, as a signature target message, a signature value s1, a recipient encryption public key pkR, a key capsule C1, The message m is input, and the signature value s2 is output as a result of the processing. The signature value s2 is used as an input to the common key encryption unit 611.

  The common key encryption unit 611 receives the key K as the encryption key, receives the signature value s2 and the message m as the encryption target message, and outputs the ciphertext C2 as a result of the processing. The ciphertext C2 is used as an input of the transmission unit 612.

  The transmission unit 612 transmits the one-time signature verification key ovk, the signature value s 1, the key capsule C 1, and the ciphertext C 2, and then transmits them to the reception-side apparatus 700. A general-purpose protocol such as TCP / IP or HTTP can be used for communication.

  FIG. 7 is a functional block diagram illustrating a configuration example of the reception-side device 700 and the reception-side key generation device 750 according to the present embodiment.

  As illustrated in FIG. 7, the transmission-side device 700 includes a transmission source designation unit 701, a reception unit 702, a storage unit 703, a key capsule decryption unit 704, a signature verification unit 705, a first determination unit 706, a common key decryption unit 707, A one-time signature verification unit 708, a second determination unit 709, and an output unit 710 are included. The receiving side key generation device 750 includes an encryption key generation unit 751.

  As described above, the signature verification unit 705, the signature generation unit 604, and the signature key generation unit 651 are functional units based on the same electronic signature algorithm. The one-time signature verification unit 708, the one-time signature generation unit 610, and the one-time signature key generation unit 601 described above are functional units based on the same one-time signature scheme. Further, the encryption key generation unit 751 and the key capsule decryption unit 704 and the above-described key capsule generation unit 607 are functional units based on the same tagged key encapsulation (TBKEM) method.

  Hereinafter, with respect to the transmission source designation unit 701, the storage unit 703, the reception side key generation device 750, and the encryption key generation unit 751, the transmission source designation unit 201, the storage unit 203, the reception side key generation device 250 of Embodiment 1, Since the configuration is the same as that of the encryption key generation unit 251, detailed description thereof is omitted.

  The reception unit 702 receives the one-time signature verification key ovk, the signature value s1, the key capsule C1, and the ciphertext C2 from the transmission side device 600, and then transfers them to each functional unit as necessary. To do. A general-purpose protocol such as TCP / IP or HTTP can be used for reception.

  The key capsule decryption unit 704 is a functional unit that implements a tagged key capsule decryption algorithm. The recipient's encryption private key skR is input as a key for capsule decryption, and a one-time signature verification key ovk, a signature value s1, and a sender verification public key pkS as tags (auxiliary input), The key capsule C1 to be decrypted is input, and the key K for common key encryption or the error code ERR is output as a result of the processing. The key K or the error code ERR is used as an input to the first determination unit 706.

  The signature verification unit 705 is a functional unit that implements an electronic signature verification algorithm. The sender's verification public key pkS is input as the verification key, the verification key ovk of the one-time signature is input as the verification target message, s1 is input as the signature value, and the verification result v1 (verification success or verification) (Binary failure) is output. The verification result v1 is used as an input to the first determination unit 706.

  When the processing result of the key capsule decryption unit 704 is an error code ERR or the processing result v1 of the signature verification unit 705 is a verification failure, the first determination unit 706 sends an error code ERR via the output unit 710. To the recipient indicates that there is a problem with the received ciphertext (ovk, s1, C1, C2). Otherwise, the key K, which is the processing result of the key capsule decryption unit 704, is transferred to the common key decryption unit 707.

  The common key decryption unit 707 receives the key K and the ciphertext C2, and outputs a signature value s2 and a message m as a result of the processing. The signature value s2 and the message m are used as inputs to the one-time signature verification unit 207. The message m is also used as an input to the second determination unit 709.

  The one-time signature verification unit 708 receives the signature verification key ovk of the one-time signature as a verification key, and also includes a signature value s1 as a verification target message, a recipient's encryption public key pkR, a key capsule C1, and a message. m is input, and the verification result v2 (binary of verification success or verification failure) is output as the processing result. The verification result v2 is used as an input of the second determination unit 709.

  When the processing result v2 of the one-time signature verification unit 708 is verification failure, the second determination unit 709 presents the received encrypted text (ovk) by presenting the error code ERR to the receiver via the output unit 710. , S1, C1, C2). Otherwise, the message m decrypted by the common key decryption unit 707 is presented to the recipient via the output unit 710. In this case, it is guaranteed that the message m received by the recipient is certainly sent from the sender designated by the sender designation unit 701.

  The output unit 710 presents the message m or the error code ERR to the user (recipient) of the receiving-side apparatus 700 based on the determination results of the first determination unit 706 and the second determination unit 709.

  Each device according to the present embodiment (transmission-side device 600, transmission-side key generation device 650, reception-side device 700, reception-side key generation device 750) is similar to the first embodiment as shown in FIG. This is realized by the computer 300.

  Next, the signed ciphertext transmission / reception processing in this embodiment will be described with reference to FIG. 4 as in the first embodiment.

  Since Step 401 to Step 404 are the same as those in the first embodiment, detailed description thereof is omitted.

  In step 405, the transmitting device 600 generates a key capsule. Specifically, the key capsule generation unit 607 of the transmission side device 600 receives the public key pkR of the transmission destination (recipient) acquired by the transmission destination designation unit 606 as an encryption key and stores it in the temporary storage unit 602. The one-time signature verification key ovk, the signature value s1 having the same label as ovk among the signature values stored in the temporary storage unit 605, and the sender's public key pkS stored in the storage unit 603. By inputting the combination as a tag, a key K for common key encryption and a key capsule C1 encapsulating the key are output based on a tagged key capsule generation algorithm. The output (K, C1) is stored in the temporary storage unit 608. At this time, K and C1 are stored with the same label as the verification key ovk.

  Since step 406 is the same as that of the first embodiment, detailed description thereof is omitted.

  In step 407, the transmitting apparatus 600 generates a one-time signature. Specifically, the one-time signature generation unit 610 of the transmission-side apparatus 600 receives the one-time signature private key osk stored in the temporary storage unit 602 as a signature key and is stored by the temporary storage unit 605. The signature value s 1 having the same label as osk among the signature values, the recipient's public key pkR acquired by the transmission destination designation unit 606, and the same label as osk among the key capsules stored in the temporary storage unit 608 The one-time signature generation algorithm is executed by inputting the possessed key capsule C1 and the message m acquired by the input unit 607 as a document to be transmitted, and outputs a signature value s2.

  Next, the transmission side apparatus 600 generates a ciphertext (step 408). Specifically, the common key encryption unit 611 of the transmission-side apparatus 600 selects a key K having the same label as the key capsule C1 used in step 407 from the keys stored in the temporary storage unit 608, and the encryption key Use as Also, the signature value s2 generated by the one-time signature generation unit 610 and the message m acquired by the input unit 609 are input as encryption target messages, thereby executing the common key encryption algorithm and outputting the ciphertext C2.

  Finally, the transmission unit 612 of the transmission side device 600 uses the ciphertext C2 output by the common key encryption unit 611, the key capsule C1 used in Step 407, and C1 of the verification keys stored in the primary storage unit 602. A signed ciphertext (ovk, s1, C1, C2) including a verification key ovk having the same label and a signature value s1 having the same label as C1 among signature values stored in the temporary storage unit 605 is obtained. Then, the data is transmitted to the receiving device 700 via the network (step 409). After sending the message, the key pair (osk, ovk), signature value s1, and key and key capsule (K, C1) used between step 401 and step 409 are deleted from the temporary storage units 602, 605, and 608, respectively. The

  The above is a specific flow of the encryption processing with a signature executed by the transmission-side apparatus 600.

  Next, a specific flow of the decryption process with verification executed by the reception-side apparatus 700 will be described. Upon receiving the signed ciphertext (ovk, s1, C1, C2) transmitted by the transmitting device 600, the receiving device 700 first transmits the signed ciphertext (user of the transmitting device 600). And the sender's public key pkS is input to the transmission source designating unit 701 of the receiving side device 700 (step 410). The public key pkS can be transmitted from the sender together with the signed ciphertext, or can be acquired from a public repository.

  Next, the receiving-side apparatus 700 executes a decryption process with verification of the received signed ciphertext (ovk, s1, C1, C2) based on the identified sender public key pkS (step 411).

  Here, a specific flow of the decryption process with verification will be described with reference to FIG.

  First, the key capsule decryption unit 704 of the receiving-side apparatus 700 receives the recipient's private key skR stored in the storage unit 703 as a decryption key, and receives the verification key ovk and signature value s1 received by the reception unit 702. A combination of pkS acquired by the transmission source designating unit 701 is input as a tag, and C1 received by the receiving unit 702 is input as a key capsule to be decrypted. The key capsule decryption unit 704 executes the key capsule decryption algorithm. If the decryption is successful, the key capsule decryption unit 704 outputs the key K. If the decryption fails, the key capsule decryption unit 704 outputs a code ERR indicating a decryption error (step 801).

  On the other hand, the signature verification unit 705 of the reception-side apparatus 700 receives the sender's public key pkS stored in the transmission source designation unit 701 as a verification key, and uses ovk received by the reception unit 702 as a verification target message. The signature value s1 that is input and also received by the receiving unit 702 is input as a signature value to be verified. The signature verification unit 705 executes the signature verification algorithm, and outputs 1 if the verification is successful, and 0 if it fails (step 802).

  The two processes described in steps 801 and 802 can be executed in parallel because there is no need to wait for the processing results of each other.

  Next, the first determination unit 706 of the receiving-side apparatus 700 determines whether or not processing can be continued based on the output of the key capsule decryption unit 704 and the output of the signature verification unit 705 (step 803). Specifically, the key K is transferred to the common key decryption unit 707 only when the key capsule decryption unit 704 succeeds in outputting the key K and the verification result by the signature verification unit 705 is 1 (acceptance), If not, the code ERR indicating the verification error is output to the receiver via the output unit 710, and the decryption process with verification is terminated (step 808).

  When the determination by the first determination unit 706 is successful, the common key decryption unit 707 of the reception-side device 700 receives the key K output by the first determination unit 706 as a decryption key and the reception unit 702 receives the key. The encrypted ciphertext C2 is input as a ciphertext to be decrypted. The common key decryption unit 707 executes the common key decryption algorithm. If the decryption is successful, the signature value s2 and the message m are output. If the decryption fails, the common key decryption unit 707 outputs a code ERR indicating an error (step 804).

  Next, the one-time signature verification unit 708 of the reception-side apparatus 700 receives the ovk received by the reception unit 702 as a verification key, and stores the signature value s1 received by the reception unit 702 and the storage unit 703. The recipient's public key pkR, the key capsule C1 received by the receiving unit 702, and the message m output by the common key decrypting unit 707 are input as a document to be verified, and output from the common key decrypting unit 707 The signature value s2 is input as a signature value to be verified. The one-time signature verification unit 708 executes a verification algorithm for the one-time signature, and outputs 1 if the verification is successful and 0 if it fails (step 805).

  Next, the second determination unit 709 of the reception-side apparatus 700 determines whether or not processing can be continued based on the outputs of the reception unit 702, the common key decryption unit 707, and the one-time signature verification unit 708 (step 806). Specifically, only when the verification result by the one-time signature verification unit 708 is 1 (acceptance), the message m is output to the recipient via the output unit 710 (step 807), otherwise verification is performed. A code ERR indicating an error is output to the recipient via the output unit 710 (step 808).

  The above is a specific flow of the decryption process with verification executed by the receiving-side apparatus 700.

  As described above, according to the transmission-side apparatus 600 according to the present embodiment, the one-time signature key generation process can be pre-calculated at any time independently of other processes. In addition, if the sender's signature key pair (skS, pkS) is determined, the signature generation process is performed even before the message destination (recipient) and the content of the message to be transmitted are determined. Can be pre-calculated. Further, after the destination recipient's public key pkR is determined, the key capsule generation process can be pre-calculated even before the content of the message to be transmitted is determined. By pre-calculating signature generation processing and key capsule generation processing with high calculation costs, processing after the message m to be transmitted is determined can be realized only by processing with low calculation costs such as common key encryption and one-time signature. Therefore, it is possible to reduce the time required from when the sender determines the message until the ciphertext is transmitted.

  In addition, according to the receiving-side apparatus 700 according to the present embodiment, it is possible to execute two processes of a key capsule decryption process and an electronic signature verification process in parallel. Thereby, when the receiving side apparatus 700 is configured by hardware capable of parallel calculation including a multiprocessor, the processing time can be shortened compared to the method described in Non-Patent Document 1. As a result, the time from when the ciphertext arrives at the recipient device until the recipient confirms the message content is shortened compared to the conventional method, for example, the method described in Non-Patent Document 1.

DESCRIPTION OF SYMBOLS 100 ... Transmission-side apparatus 101 ... One-time signature key generation part 102 ... Temporary storage part 103 ... Storage part 104 ... Signature generation part 105 ... Temporary storage part 106 ... Transmission destination designation | designated part 107 ... Key capsule generation part 108 ... Temporary storage part 109 ... Input unit 110 ... One-time signature generation unit 111 ... Common key encryption unit 112 ... Transmission unit 150 ... Transmission side key generation device 151 ... Signature key generation unit 200 ... Reception side device 201 ... Transmission source designation unit 202 ... Reception unit 203 ... Storage unit 204 ... Key capsule decryption unit 205 ... Common key decryption unit 206 ... Signature verification unit 207 ... One-time signature verification unit 208 ... Determination unit 209 ... Output unit 250 ... Receiving side key generation device 251 ... Encryption key generation unit 600 ... Transmission Side apparatus 601... One-time signature key generation unit 602... Temporary storage unit 603... Storage unit 604 .. Signature generation unit 605. ... key capsule generation unit 608 ... temporary storage unit 609 ... input unit 610 ... one-time signature generation unit 611 ... common key encryption unit 612 ... transmission unit 650 ... transmission side key generation device 651 ... signature key generation unit 700 ... reception side device 701 ... transmission source designation unit 702 ... reception unit 703 ... storage unit 704 ... key capsule decryption unit 705 ... signature verification unit 706 ... first determination unit 707 ... common key decryption unit 708 ... one-time signature verification unit 709 ... second determination unit 710 ... Output unit 750 ... Reception side key generation device 751 ... Encryption key generation unit

Claims (9)

A sending device that generates a signed ciphertext from a message and sends it to the receiving device;
A storage device for storing the sender's private key for signature and public key for verification, and a control device;
The controller is
A one-time signature key generation unit that generates a key pair for one-time signature and stores the key pair in the storage device;
A signature generation unit that generates a first signature value for the first key for the one-time signature using the sender's signature private key, and temporarily stores the signature value in the storage device;
A key capsule generation unit that generates a common key encryption key and encrypted data of the key from the public key of the input recipient of the message and the verification public key of the sender, and stores the encrypted data in the storage device;
The one-time signature for generating the second signature value from the second key for the one-time signature, the public key of the recipient of the message, the encrypted data of the key for the common key encryption, and the input message to be transmitted A generator,
The common key encryption unit that generates a signed ciphertext from the common key encryption key, the first key for the one-time signature, the first signature value, the second signature value, and the transmission target message When,
A transmission unit that transmits the encrypted data of the key for the common key encryption and the ciphertext with the signature to the reception-side apparatus,
A transmission-side device characterized by the above. The first key for the one-time signature is a one-time signature verification key necessary for verifying the one-time signature, and the second key for the one-time signature is the one-time signature generation unit. A one-time signature private key necessary for generating the second signature value;
The transmission side apparatus according to claim 1, wherein: The key capsule generator generates the common key based on a tagged key capsule generation algorithm from the public key of the input recipient of the message and the verification public key of the sender acquired from the storage unit as a tag. Generating an encryption key and encrypted data of the key, and storing them in the storage device;
The transmitting apparatus according to claim 2, wherein The key capsule generation unit, from the combined data of the verification key for the one-time signature, the first signature value, and the public key for verification of the sender, from the public key of the recipient of the input message, Generate a key for common key encryption and encrypted data of the key,
The one-time signature generation unit includes the one-time signature private key, the first signature value, the public key of the input recipient of the message, the encrypted data of the common key encryption key, and the input Generate signed ciphertext from the message,
The common key encryption unit generates a signed ciphertext from the key for the common key encryption, the second signature value, and the input message,
The transmitting unit transmits the one-time signature verification key, the first signature value, the encrypted data of the common key encryption key, and the ciphertext with the signature to the receiving side device;
The transmitting apparatus according to claim 2, wherein A receiving device that decrypts a message from a signed ciphertext received from the sending device,
A storage device for storing the decryption secret key and the encryption public key of the receiver, and a control device;
The controller is
A receiving unit that receives the encrypted data of the common key encryption key and the signed ciphertext from the transmission side device;
A key capsule decrypting unit for decrypting the common key encryption key from the decryption private key of the receiver, the input public key for verification of the sender and the encrypted data of the common key encryption key;
A common key decryption unit for decrypting the verification key for the one-time signature, the first signature value, the second signature value, and the message from the ciphertext with the signature using the common key encryption key;
A verification key for the one-time signature as a verification target message, a first signature value as a verification target signature value, and a first signature verification unit that performs signature verification using the verification public key of the sender;
The receiver's encryption public key, the encrypted data of the common key encryption key received by the reception unit, and the message decrypted by the common key decryption unit as a verification target message, and the second signature value as A second signature verification unit that performs signature verification using the verification key of the one-time signature as a signature value to be verified;
When the common key encryption key is decrypted by the key capsule decryption unit, and the verification results of the first signature verification unit and the second signature verification unit each indicate a verification success, the common key decryption unit decrypts the key An output unit for outputting the received message,
A receiving-side device. The output unit, when the key capsule decryption unit fails to decrypt the common key encryption key, or when the verification result of the first signature verification unit indicates verification failure, or the second signature verification unit If the verification result of indicates a verification failure, an error code is output.
The receiving apparatus according to claim 5, wherein The key capsule decryption unit, based on the key capsule decryption algorithm, from the decryption private key of the receiver, the verification public key of the sender input as a tag, and the encrypted data of the common key encryption key, Decrypt the common key encryption key,
The receiving apparatus according to claim 6. A receiving device that decrypts a message from a signed ciphertext received from the sending device,
A storage device for storing the decryption secret key and the encryption public key of the receiver, and a control device;
The controller is
A receiving unit that receives a verification key for a one-time signature, a first signature value, encrypted data of a common key encryption key, and a signed ciphertext from the transmission side device;
The common key encryption key using the receiver decryption private key, the one-time signature verification key, the first signature value, and the input sender verification public key A key capsule decryption unit for decrypting the common key encryption key from the encrypted data of
A verification key for the one-time signature as a verification target message, a first signature value as a verification target signature value, and a first signature verification unit that performs signature verification using the verification public key of the sender;
If the key capsule decryption unit fails to decrypt the common key encryption key, or if the processing result of the first signature verification unit indicates verification failure, output an error code to the output unit, otherwise, A first determination unit that transfers the common key encryption key decrypted by the processing of the key capsule decryption unit to the common key decryption unit;
A common key decryption unit that decrypts a second signature value and a message from the signed ciphertext to be decrypted using the common key encryption key from the first determination unit;
The first signature value, the recipient's encryption public key, the encrypted data of the common key encryption key, and the message decrypted by the common key decryption unit are set as a verification target message, and the second signature value is set as the verification target message. A second signature verification unit that performs signature verification using the verification key of the one-time signature as a signature value to be verified;
If the processing result of the second signature verification unit indicates verification failure, output an error code to the output unit; otherwise, a second determination unit that outputs the message to the output unit;
An output unit that outputs the message or the error code to the output unit based on a determination result of the first determination unit or the second determination unit,
A receiving-side device. The key capsule decryption unit, the recipient's decryption private key, the verification key for the one-time signature input as a tag, the first signature value input as a tag, and the tag input Decrypting the common key encryption key from the encrypted data of the common key encryption key using the sender's verification public key,
The receiving apparatus according to claim 8, wherein

Images