JPH04129441A - Key delivery method with verification function - Google Patents

Abstract

PURPOSE:To reduce number of times for key delivery and to save quantity of calculation for obtaining a common key by generating the common key according to a power based on a certificate sent from an opposite party and fixed secret information between both terminal equipments and according to a root residual of a random number generated from both the terminal equipments. CONSTITUTION:Terminal equipments 1, 2 generate random numbers r1, r2 respectively and send them to the terminal equipments 2,1 together with their own certificates Cert1, Cert2. Then the two terminal equipments 1,2 use an open inverse variable (h) to obtain root residuals y1, y2 of the opposite terminal equipments from the certificates Cert1, Cert2 sent from the opposite terminal equipments, calculate root residual operators S12, S21 of the root residuals y1, y2 of the opposite terminal equipments by using own secret information x1, x2 as a power, apply a prescribed calculation by using random numbers r1, r2 of both the terminal equipments 1,2 to generate common keys K12, K21 through the use of the root residuals S12, S21 as the power. Thus, the key delivery with a verification function is implemented with less number of times of communication and less calculation quantity to obtain the common key.

Description

[Detailed Description of the Invention] Industrial Application Field The present invention uses a certificate that has been signed in advance by a center at the center of communication for public information generated by each terminal, so that the public information generated by each terminal can be verified by a party that the terminal recognizes. This invention relates to a key distribution method with an authentication function that allows the same key to be shared only with users.

2. Description of the Related Art In a communication network to which a plurality of terminals are connected, there is a desire to perform communication between specific terminals in a secret manner from other terminals.

Such a request applies not only to two-way communication but also to one-way communication such as e-mail.

As a method to meet the above request, two terminals wishing to communicate secretly have a common key, the sender uses this key to lock and transmit information, and the receiver uses the common key to unlock the received information. There is a way to lock it.

In this case, the key shared between the two terminals must be secret from other terminals. One method that allows such private keys to be shared between two terminals is the public key distribution method.
There is a method called n5yste++:PKDS).

In this method, users of a communication network share a private key using a public key. When applying private key cryptography, the private key itself cannot be delivered via an insecure communication channel, and it is necessary to share the private key with the other party in advance by some secure means (for example, by secret mail or registered mail). There is. However, using the public key distribution method is not secure (
A shared secret key can be generated via a communication channel (even if it is eavesdropped). In the public key distribution method, communication partners exchange public keys and calculate a random secret key value known only to both parties, which is then used as a shared secret key.

Note that, at the same time as key distribution, it is also required to properly authenticate the party with whom the key is shared. This is because unless this authentication is performed, it cannot be confirmed whether the party sharing the key is the same party with whom the secret communication is truly desired.

Therefore, a public key distribution method incorporating an authentication function will be described here.

As a public key distribution method, Diffie and B
There is a DH key distribution method proposed by et 1man. This is based on the fact that the discrete logarithm problem on the finite field CF (p) is difficult. In order to incorporate an authentication function into this, a method using a certificate issued by a trusted center has been proposed.

(For convenience of explanation, this method is also referred to as the DH key distribution method.) Below, the procedure of the DH key distribution method will be explained by dividing it into the phase of certificate issuance by the center and the phase of key distribution between terminal 1 and terminal 2. .

[Certificate issuance phase]

(1) When constructing the system, determine the modulus p and the primitive element g of GF (p) and publish it to each terminal.

(2) Terminal 1 generates secret information x1, and y1=g”m
Calculate odp. ...(1) Here, "X raodp" indicates the remainder when the value X is divided by p.

(3) Terminal 1 transmits yl, name, address, and other information that can identify itself (referred to as identification information or ID information) IDI to a transfer center and requests a certificate.

(4) The center checks the validity of the terminal operator, generates a certificate Certl using a secret conversion f known only to the center, stores it in a magnetic card, for example, and distributes it to the terminal 1.

Certl=f (y 111 IDI) where 1
1 indicates connection. It is assumed that the inverse transformation of the secret transformation f is made public in the system. Therefore, Cert
Any terminal that has obtained l can obtain public information y1 of IDI guaranteed by the center by calculating h(Cert l ).

[Key distribution phase]

(1) Terminal 1 sends its own certificate Cert 1 to terminal 2,
The terminals 2 each deliver their own certificate Cert2.

(2) Terminal 1 is h (Cert2) ='/211
Calculate ID D2 and use your own secret information xl, K12=y2" modp = g"xx2mo
Find dp.

(3) On the other hand, terminal 2 has h (Certl) ='/1
11 I Calculate Dl and use your own secret information x2, K12y2” modp = g Sum IX
X”Hodp is found. Note that K12=21 is the shared key between terminals 1 and 2.

By the way, it is desirable to change the key used in communication from time to time for security reasons. In the DH key distribution method described above, in order to change the shared key, it is necessary to request the center again to issue a certificate, which is very time-consuming.

Therefore, several methods have been proposed for changing the shared key without changing the certificate.

Two conventionally proposed methods will be described below.

[Method 1 (First Conventional Example)] Method 1 is based on ``Yamamoto and Akita's A Data Encryption Device Incoherent Fast B-Keep Yes''
device 1ncorporation fas
tPKDS”, GIobalCom, , 32.2
．． 1-32.2.6 (Dec, 1983) j.

The certificate issuance phase is the same as the DH key distribution method.

FIG. 3 shows the procedure of the key distribution phase.

1 is a terminal that holds secret information x1. 2 is a terminal that holds secret information x2
This is the terminal 2 that holds the . The operation is shown below.

(1) Terminal 1 sends its own certificate Certl to terminal 2.

(2) The terminal 2 calculates h (Cert 1 ) and obtains the terminal worker's regular public information y1.

Further, the user generates the delivery information 221 as follows, and sends this and his/her own certificate Cert2 to the terminal 1.

(a) Generate random number r2.

(b) Z 2 1 = 3' 1 xz"
” modp - (2) (3) Terminal 1 is
h (Cert2) to obtain the regular public information y2 of the terminal 2.

Furthermore, the delivery information 212 is generated in the following manner and sent to the terminal 2.

(a) Generate a random number rl.

(b) Z 1 2 = )' 2 ""'
modp - (3) Then, using the delivery information Z21 from the terminal 2, 12 is generated as a shared key.

Kl 2=221'' modp (4) Terminal 2 generates 21 in shared 11 using delivery information Z12 from terminal 1.

K21=212"5 odp Note that the shared key Kt2 in the terminal 1 and the shared key 21 in the terminal 2 are the same from equations (1) to (3).

K 12 = Z 21 ” a+odp = y 1
“””” modp= gxlxx2xrlxr!
,0dpK21=Z12”modp=y2x+xrIXr2+10
dp=gXIXX2xrlX'll, OdpBy the way, since this method requires the other party's certificate in order to generate delivery information, three-bus (one-way) communication is required.

[Method 2 (Second Conventional Example)] Method 2 is the method proposed in "Kaihon Nakamura, "A Study of Public Key Distribution Methods," 1981 National Conference of the Institute of Electronics and Communication Engineers, 15."

The certificate issuance phase is the same as the DH key distribution method.

FIG. 4 shows the procedure of the key distribution phase.

The operation between terminals 1 and 2 is shown below.

(1) Terminal 1 generates delivery information 212 as follows, and sends this and its own certificate Certl to terminal 2.

(a) Generate random number r1.

(b) Z 12 = 'j 1 '' modp
・=(4)(2) Terminal 2 receives delivery information Z2 as follows.
1 and send it and its own certificate Cert2 to terminal 1.

(a) Generate random number r2.

(b) Z 21 = y 2 rza+odp
(51) Also, using the information sent from terminal 1, 21 is generated as a shared key as follows.

(a) From Certl, h, (Certl)
=3' 1 l l Obtain ID1.

(b) A shared key is calculated from the delivery information Z12 from the terminal 1 as follows.

K21= (Zl 2xy lrri ” modp(3
) Terminal 1 uses the delivery information from terminal 1 to set the shared key to 1.
Generate 2.

K12= (Z21Xy2”)”a+odpThe shared key for terminal 1 is 12, and the shared key for terminal 2 is 21.
is +4) (From formula 51, it becomes the same.

Kl 2= (Z21xy2”)” modp= (y
2 r! +rl) x1, 06p== g X I X
X R (r I 4 F ri modp-ni21) This method does not require the other party's certificate to generate delivery information, so key distribution can be performed with two communications. Since the secret information of the authorized terminal is required for generation, the key distribution method with indirect authentication is used in which only authorized terminal pairs can share the same key.However, in this method, each terminal cannot generate the distribution information. A total of three exponentiation remainder operations are required: once for each step and twice for generating the shared key.

Furthermore, in applications to one-way communication such as e-mail, it is necessary to perform key distribution with authentication in one-way communication. In this case, the network center manages the certificate issued by the center as a public list.
It is assumed that the sender will refer to this.

Next, a method for changing the shared key each time in one-way communication will be explained based on the DH key distribution method.

FIG. 5 shows the procedure of the key distribution phase.

The operation of terminal 1.2 will be described below.

(1) Terminal 1 generates a random number r1 and sends it and its own certificate Certl to terminal 2.

(2) Terminal 1 retrieves terminal 2's certificate Cer from the public list.
+2, h (Cert2) = Y 2111
Get D2.

Terminal 1 performs the following calculation to obtain a shared key with terminal 2.

S12 = y2”modp K12=F(r1, 512) Here, FO is a predetermined operation.

Therefore, for example, if F (x, y) = x + y modp, then K
l2=r1+S12modp.

(3) Terminal 2 is the terminal engineer's certificate C sent from terminal 1.
Get yl from ert 1.

Terminal 2 uses the random number r1 sent from terminal 1 to perform the following calculation and obtain a shared key with terminal 1.

S 21 = )' 1 "modp K21=F(r1, 521) = r 1 +S 21modp Note that since 312=321=g""" here, K
21 becomes 12=.

Problems to be Solved by the Invention As described above, in the first conventional example of the two-way communication version, the other party's certificate is used to generate delivery information, so at least 3
Pass (one-way) communication is required.

Furthermore, in the second conventional example, the amount of calculation required to obtain the shared key is large.

Furthermore, the conventional one-way communication version has the following problems. For example, in the case of F (x, y) = x + ymodp, once a third party asks for the shared key 12 in a certain session and the data r1 on the communication path at that time, the third party uses 512 = 12 - rlmodp. The person obtains a fixed shared key 312 between terminals 1 and 2. Then, by observing the data on the communication path in any session and using the obtained S12, it is possible to obtain any shared key between terminals 1 and 2. In other words, an important fixed shared secret key is required from a shared key that is valid only for that session and does not place much emphasis on confidentiality.

In view of the above-mentioned problems, the present invention aims to provide a key distribution method with an authentication function that reduces the number of communications between terminals during key distribution and reduces the amount of calculation required for key sharing in two-way communication. The first purpose.

A second object of the present invention is to provide a key distribution method with an authentication function in which it is difficult for a third party to obtain a fixed key from a session key in one-way communication, and in which the receiver authenticates the sender. It is to be.

Means for Solving the Problems In order to achieve the first objective, the present invention provides a system for issuing a certificate by signing a plurality of terminals having unique identification information that is not duplicated and public information created by each terminal. In a system consisting of a center where each terminal uses the public number p and the primitive light g of the remainder ring modulo p, each terminal can obtain secret information XI+X! ... and the exponentiation remainder calculation value of g modulo the above p) +1. y2... and sending it to the center; the center performs a secret transformation f on the calculated value to generate certificates Cert 1, Cart 2...;
A step in which one of the two terminals desiring to have a common key sends the random number r1 and the certificate Certl that it generates to the other terminal, and the other terminal Generate random number r2 and certificate Cer
t2 to the one terminal, and the two terminals calculate the exponentiation remainder calculation value y1. Step of obtaining y2, exponentiation of own private information xi and x2, and exponentiation remainder calculation value S12 of said y2゜yl of the other terminal, where the number p of disclosure is modulo
, S21, and the random number rI of both terminals.
+r! A predetermined operation is performed using the common result r12. r
21; and the step of exponentiating the exponentiation remainder calculation value s12°S21 and modulo the public number p;
12. Execute the exponentiation remainder operation of r21 and use the common key on both terminals. 21.

In order to achieve the second objective, the present invention provides a system comprising a plurality of terminals having unique identification information that is not duplicated, and a center that issues certificates by signing public information created by each terminal. Each terminal uses the public number p and the primitive light g of the remainder ring modulo this p to exponentiate the secret information XI, ．． y2... and sends it to the center; the center applies conversion f to the calculated values to generate certificates Cert 1, Cert 2... and registers them in the public list; A step of exponentiating the generated random number r and calculating the exponentiation remainder calculation value Z1 of the g modulo the public number p; A step of performing inverse public transformation to obtain a modular exponentiation value y2 of the receiving terminal, and exponentiating the self-generated random number rl at the transmitting terminal, and a modular exponentiation value of y2 modulo the public number p. The step of calculating u1 and the self-generated secret information x1 at the sending terminal
a step of calculating a power remainder value SL2 of said y2 modulo the public number p, a step of generating a shared key with the receiving terminal using said u1 and 812, and making said shared key public. a one-way function to obtain an output v1, and a step of sending the certificate Cert 1 of the originating terminal, the Z1, and vl to the receiving terminal;
The receiving terminal performs public inverse transformation on the certificate Certl of the transmitting terminal to obtain the exponentiation remainder calculation value y1, and the receiving terminal exponentiates the private information x2 generated by itself and calculates the public number p. a step of calculating a power remainder value u2 of said Z1 modulo , and a step of calculating said secret information x1
a step of calculating a power remainder value S21 of said y1 modulo the public number p, a step of generating a shared key with the calling terminal using said u2 and 321, and making said shared key public. A step of inputting it into a one-way function to obtain an output v2;
This method is characterized by comprising the step of comparing the shared key with 1 and determining that the shared key generated at the receiving terminal is valid only when they match.

In the first aspect of the invention, the fixed secret information S12 is exponentiated between the other party's certificate and both terminals, and the remainder value of the random numbers generated by both terminals is used as the shared key. Therefore,
It is difficult to obtain the fixed secret information S12 of the exponent from the key. The distribution information is only the random numbers generated by itself, and each terminal only needs to perform one modular exponentiation operation to calculate the shared key, so the number of communications for key distribution and the calculation for key sharing are reduced. Both quantity will be reduced.

In the second invention, in order to prevent fraud in which a third party impersonates the sender and requests a fixed shared key from the session key,
1=Sender is authenticated by V2. Further, even if S12 is obtained, the session key cannot be obtained except by impersonating the sender by using data ul-u2 for each session that can be shared only by the sender and receiver of the shared key.

Embodiment FIG. 1 shows an embodiment of the key distribution method with authentication function of the present invention that performs bidirectional communication. 1 is a first terminal that holds secret information xi, and 2 is a second terminal that holds secret information x2. Note that in reality, the system consists of not only terminals 1 and 2 but also multiple terminals and centers connected to a communication line, but for the sake of simplicity, we will introduce two terminals that wish to have a common key. Only 1.2 is shown. Further, since the certificate issuance phase is the same as in the conventional example, the explanation will be omitted, and the key distribution phase will be explained step by step using diagrams.

Step (1): Terminal 1 generates a random number r1 and sends it to terminal 2 together with its own certificate Cert1.

Step (2): Terminal 2 generates a random number r2 and uses its own certificate Cer t2.
It is also transmitted to terminal 2.

Step (3): Terminal 1 obtains the certificate Cert2 sent from terminal 2, h (Cert2) = y 2 l I I D
2 and confirm that the other party is terminal 2.

Step (4): Next, using the above y2 and your secret information x1, 512=
Calculate 72”5odp.

Note that this S12 is fixed shared data between the terminals 1 and 2.

Step (5): Then, using the random number r2 sent from the terminal 2, the random number r1 generated by itself, and the above S12, 12 is calculated as the shared key with the terminal 2 in this session. At this time, S12
is used as the power part of the shared key.

K12-(rl+r2)”2 modp step (6)
: Terminal 2 receives the certificate Certl sent from terminal 1 \ h (Certl) ='/ 1 l l
Calculate the IDI and confirm that the other party is terminal 2.

Step (7): Next, using the above yl and your own secret information x2, perform S 2
1 = )' 1 '' Calculate modp.

Note that this S21 is fixed shared data between the terminals 1 and 2, and has the same value as S12 above.

S12=321=g"Xx2modp Step (8): Then, using the random number r1 sent from terminal 1, the random number r2 generated by itself, and the above 321, 21 is calculated as the shared key with terminal 2 in this session. At this time, S12
is used as the power part of the shared key.

K21= (rl+r2) s2' modp
From 512=S21, 21 holds true for KI2=.

As can be seen from this example, in order to obtain 512 (=321), the secret information of the authorized terminal is required. Therefore, only authorized terminals can obtain the common key.

Therefore, this embodiment can be said to be a key distribution method with indirect authentication.

Note that in order to reliably confirm the identity of the other party, it is sufficient to show that the common key has been calculated. For this purpose, for example, a one-way function fO is defined, and the output values when the common key obtained at each terminal is input to this are exchanged. That is, terminal 1 sends f(K12, IDI) to terminal 2, and terminal 2 compares this with f(K21, IDI). Further, terminal 2 sends f(K21, ID2) to terminal 1, and terminal 1 compares this with f(K12, ID2). Through this, each party authenticates the other party.

Furthermore, the session key is a power remainder value (a different value for each session) of a random number generated by the terminal 1.2 with p modulo the shared data (fixed value) of the terminal 1.2. Therefore, in order to find the secret shared data (fixed value) that is the power part from the session key and the data on the communication path, it is necessary to solve the discrete logarithm problem on GF (p), and p
By setting the number of bits to about 1000 bits, for example, the amount of calculation becomes safe.

In order to obtain the shared key, it is necessary to perform the exponentiation remainder calculation twice, once for calculating S12 and once for calculating the shared key.

In addition, in this example, the random number r1 generated at the terminal 1.2,
Although addition is used to obtain a different value for each session from r2, any calculation RO may be used as long as it is predetermined. However, addition or multiplication is suitable for reducing the total amount of calculation.

However, for example, R (x, y) = x + y tsodp
In this case, the following attacks may be possible.

(1) The third party terminal 3 eavesdrops on the communication between the authorized terminal 1 and the terminal 2.

(2) Terminal 1 transmits random number r1 and certificate Certl.

(3) The terminal 3 calculates r3 that satisfies rl+r3=1+++odp.

(4) Terminal 3 impersonates terminal 2 and sends r3 and Cert
Send 2. Note that Cert2 is obtained in advance by eavesdropping on the communication of terminal 2.

(5) Terminal 1 has r12=R(r1, r3)=IKl
2=r l 2"" modp=1 is calculated as a common key.

(6) Terminal 3 impersonates terminal 2 and shares this l' with terminal 1.

However, in order to make this attack difficult, it is sufficient to define a function RO that makes it difficult to solve the equation R(r1, r3)=cmodp when r3 is considered as a variable.

Next, FIG. 2 shows an embodiment of the key distribution method with an accommodation card function of the present invention, which performs one-way communication. In this embodiment as well, only two terminals 1.2 which wish to share a common key are shown for the sake of simplicity.

Terminal 1 is a sending terminal that holds secret information x1, and fake terminal 2 is a receiving terminal that holds secret information x2.The certificate issuance phase is the same as the conventional example, and the certificate is registered in the public list. Suppose that However, one one-way function f ('') is defined and made public in the system.One-way functions can be easily calculated for each output from the input, but the input (calculating 1 from the output value) This is a very difficult function.

The key distribution phase will be explained step by step using diagrams.

Step (1); Terminal 1 generates random number r1 and calculates delivery information Z1 using the following formula.

Z 1 = g” modp Step (2): Terminal 1 refers to the public list and obtains the certificate 1Cert of terminal 2.
2, and obtain y2 based on the following formula.

h (Cert2) ='/2 l l ID2 step (3): Perform the following calculation using y2 to obtain 12 as the shared key.

u 1-3' 2rImodp S 12='/2'' +aodp K 12- u 1 + S 12 modpStep (4): Terminal 1 inputs 12 as the shared key to the one-way function fO and receives the delivery information v1. demand.

vl=f (K12) Step (5): Terminal 1 delivers Cert1, Z1, and vl to terminal 2.

Step (6): Terminal 2 receives delivery data Cert 1 from terminal 1,
Get yl.

h (Certl) =)'1 l l IDI step (7): Perform the following calculation using yl to obtain 21 as the shared key.

u2=ZIXza+odp S 21 = )' 1 ” modpK21=u2+
S21 modp Step (8): The terminal 2 inputs the shared key 21 into the one-way number fO to obtain delivery information v2.

Step (9): Terminal 2 uses the v2 created above and the vl sent from terminal 1.
Compare and use this only if they match.

In addition, u 1 = y 2 ”5odp = g ””'
modp=Z 1” 1Iodp=u 2 S 1 2 − y 2” modp=
Since g""modp=yl"s+odp-321 holds true, K12=21.

In this one-way communication version example, the recipient needs to use his secret information to obtain the same value of u2 as the sender. Further, the sender side also needs its own secret information in order to obtain Si2. Therefore, the receiver inspects vl and authenticates the sender based on the fact that they share the same session key.

Here, even if the third terminal becomes terminal 1 and asks for the session key at that time, the third terminal and the authorized terminal 2
Since no key sharing is established between the parties 0 and 0, the session key is deleted on the recipient side and the attack fails.

Note that in this embodiment, U1=u2 differs for each session.
Although the shared key is generated using addition from the fixed secret key 512=321, any calculation may be used as long as it is predetermined. however,
Addition or multiplication may be used to reduce the total amount of calculation.

Effects of the Invention As is clear from the above explanation, the first invention reduces the number of communications by one pass compared to the first conventional example, and also reduces the amount of calculation to obtain the shared key by exponentiation modular calculation 3. The number of calculations required is one less than that of the second conventional example. Therefore, there is an effect that key distribution with an authentication function can be performed with a reduced number of communications and a reduced amount of calculation for obtaining a shared key.

According to the second invention, since a legitimate terminal cannot share a key with a third party who does not know the secret information, the legitimate terminal can detect fraud by the other party by checking the shared key. In addition, even if you are asked for the session key and the data on the communication path at that time, in order to obtain the secret shared key (fixed value), you will need to use the random number generated by the sender at that time or the data from the receiver. Need to know confidential information.

In addition, -1. Even if a secret shared key is obtained, it is not possible to obtain the shared key for the session from the data on the communication path between the authorized terminals 1 and 2.

Therefore, it can be said that the second invention is a safe method that provides multiple layers of protection against eavesdropping and spoofing attacks.

[Brief explanation of drawings]

Figure 1 is an explanatory diagram of the procedure for key distribution in an embodiment of the first invention (two-way communication version), and Figure 2 is a diagram explaining the procedure for key distribution in an embodiment of the second invention (one-way communication version). 3 is an explanatory diagram of the procedure at the time of key distribution in the first conventional example of the two-way communication version, FIG. 4 is an explanatory diagram of the procedure at the time of key distribution in the second conventional example of the two-way communication version, FIG. 5 is an explanatory diagram of the procedure at the time of key distribution in the conventional example of the one-way communication version. l...Terminal 1.2...Terminal 2゜

Claims (2)

[Claims] (1) In a system consisting of multiple terminals with unique, unique identification information and a center that issues certificates by signing the public information created by each terminal, each terminal has the number p of public information and this p Using the primitive element g of the remainder ring modulo , exponentiate the secret information x_1, x_2, etc. unique to each terminal, and calculate the exponentiation remainder calculation value y1 of g modulo the said p,
y2... and sending it to the center, and the center performs a secret transformation f on the calculated value to obtain a certificate Ce.
rt1, Cert2, etc. and distributing them to each terminal, and a step in which one of the two terminals desiring to have a common key sends the random number r_1 and certificate Cert1 generated by itself to the other terminal. , the other terminal generates its own random number r_2 and certificate C.
ert2 to the one terminal, and the two terminals use a public inverse transformation h to obtain the exponentiation remainder calculation values y1 and y2 of the other terminal from the certificates Cert1 and Cert2 sent from the other terminal. step, exponentiation of own secret information x1, x2 and exponentiation remainder calculation value S of the other terminal's said y2, y1, modulo the public number p.
12, a step of calculating S21, a step of performing a predetermined operation using the random numbers r_1, r_2 of both terminals to obtain common results r12, r21, exponentiating the exponentiation remainder calculation values S12, S21, and publishing the public A key distribution method with an authentication function for two-way communication, comprising the steps of: performing a power-residue operation on r12 and r21 modulo a number p to generate keys K12 and K21 common to both terminals. (2) In a system consisting of multiple terminals with unique identification information that does not overlap, and a center that issues certificates by signing the public information created by each terminal, each terminal has the number p of public information and this Using the primitive element g of the remainder ring modulo p, exponentiate the secret information x1, x2, etc. unique to each terminal, and calculate the exponentiation remainder calculation values y1, y2 of g modulo p.
... and sending it to the center, and the center converts the calculated value to the certificate Cert.
1. A step of generating Cert2... and registering it in the public list, and the transmitting terminal exponentiates the random number r_1 generated by itself and calculates the exponentiation value Z1 of the g modulo the public number p.
, and a step of performing a public inverse transformation h on the certificate Cert2 of a specific receiving terminal by referring to a public list at the transmitting terminal to obtain a modular exponentiation value y2 of the receiving terminal; The self-generated random number r_1 is raised to the power, and the power remainder value u1 of the above y2 is modulo the public number p.
and a step of calculating the exponentiation value S of the secret information x1 generated by the self-generated information x1 at the transmitting terminal and modulo the number of disclosures p.
12; a step of generating a shared key with the receiving terminal using the u1 and S12; and a step of inputting the shared key into a public one-way function to obtain an output v1; a step of sending the terminal's certificate Cert1, the Z1, and v1 to the receiving terminal; and a step of performing public inverse transformation h on the transmitting terminal's certificate Cert1 at the receiving terminal to obtain the exponentiation remainder calculation value y1. And, the private information x2 generated by the receiving terminal is raised to the power, and the exponentiation value u of the Z1 is modulo the number of disclosures p.
2; a step of exponentiating the secret information x1 and calculating a power remainder value S21 of the y1 modulo the public number p; a shared key with the calling terminal using the u2 and S21; inputting the shared key into a public one-way function to obtain an output v2; comparing the v2 with v1 sent from the transmitting terminal, and only when they match, the receiving terminal A key distribution method with an authentication function for one-way communication, comprising the step of determining that a shared key generated at a terminal is valid.