JPH10282881A - Secret key decentralization managing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To restore a secret key by gathering a certain number of pieces of decentralized registration information for a prime factor factorization system open key cipher. SOLUTION: A key generator K100 sends an open key N and information providing that N is the product of two prime numbers to an administrator Ti (i=1...n) 200, and T sends a prime number (p) and elements (g) and (h) whose order is N to K; and K generates random numbers (x) and r1 , r2 , and r3 , calculates a=BCE (x, r1 ), b=BC (x, r2 ), and c=BCb (x<2> mod N, r3 ) with a bit commitment function BC and sends them to Ti , and K prove that (a) and (b) made a bit commitment to the same (x) and (b) and (c) made a bit commitment to the same x<2> mod N by exchanging with T+i, sends (y) satisfying y<2> =(mod N) (y/N)=-1 to Ti , disperses 8x) to s1 ...sn and sends si to corresponding Ti , thereby sending pieces of information E1 ...Ek-1 providing that si is a correct value.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION The present invention relates to a technique for distributing and registering a private key of a public key cryptosystem, and when a lost or lost private key needs to be restored for some other reason, a certain number or more of the The present invention relates to a secret key distribution management method for restoring a secret key by collecting distribution registration information.

[0002]

2. Description of the Related Art Conventionally, a method for simply distributing and managing information and restoring information is based on Sharmir's polynomial interpolation method (“Howto Share a Secret”).
”, Comm. Assoc. Comput. Mach., Vol. 22, no. 11, pp.
612-613 (Nov. 1979)), but since there is no means to prove that the shared information is correct information, it cannot be used as it is as a means for distributing and registering a secret key. As a method to prove that distributed information is correct, Peders
There is a method called VSS by en (“Non-Interact
ive and Information-Theoretic Secure Verifiable Se
cret Sharing ”, Proc. of Crypto'91, LNCS 576, Sprin
ger-Verlag, pp. 129-140 (1992)). However, this method can be applied to the public key cryptosystem of the discrete logarithm problem such as the ElGamal method, but cannot be applied to the public key cryptosystem of the prime factorization system such as the RSA method.

On the other hand, Micali (“Fair Public-Key
Cryptosystems ", Proc. Of Crypto'92, LNCS, Springe
r-Verlag, pp.113-138 (1993)) A secret key distribution management / restoration method applicable to the RSA method or the like has been proposed. However, the secret key cannot be restored unless all administrators cooperate. But if you don't cooperate, you can't recover your private key.)

[0004]

SUMMARY OF THE INVENTION It is an object of the present invention to disperse and register a secret key with respect to a public key cryptosystem of a prime factorization system, and to collect secret registration information of a certain number or more to obtain a secret key. It is to implement a method for restoring a key.

[0005]

According to the present invention, a secret key or secret information equivalent to a secret key is encrypted by, for example, a method called bit commitment, and it is proved that the encrypted secret information is correct information. Developed an efficient way to Once the bit commitment obtained by encrypting the correct secret information is obtained, it is possible to prove that the shared information is the correct information by using the above-mentioned Pedersen's method.

In the first aspect, y is made public and x ⁴ ≡y ^{2 is used} as secret information for factorizing the public key N.
Use x such that (mod N). In claim 2, R
The secret key d of the SA encryption is subjected to bit commitment.

[0007]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below. FIG. 1 shows the overall configuration of the present invention. The apparatus of key generator (key generation device) 100, the administrator T _i device (management device) 200i (i = 1,2, ... ,
n) are connected to each other via a communication path 300i. FIG. 2 shows an example of a communication sequence according to the present invention.
Hereinafter, FIG. 3 shows an example of the functional configuration of the key generation device 100, and FIG. 4 shows an example of the functional configuration of the management device 200i.

A procedure for registering shared information and recovering a secret key will be described below. 1. The key generator generates a secret key (P, Q) and a public key N = PQ using the key generator 101 in the key generation device 100,
Management device 200i of administrators T _i the N (i = 1, ..., n)
Send to Here, it is assumed that the value of the Jacobi symbol is (−1 / N) = 1. This is a condition under which N can be decomposed into prime factors P and Q.

[0009] 2. Remainder arithmetic unit 102 of key generation device 100
Is used to generate information proving that N is the product of two prime numbers, and sends it to the management device 200i. The method of creating such information is based on Micali's method (“Fair Public-Key
Cryptosystems ”, Proc.ofCyrpto'92, LNCS, Springer
-Verlag, pp.113-138 (1993)). 3. The management device 200i uses the parameter generator 201 alone or jointly to determine the prime numbers p and the elements g and h whose order is N, and sends them to the key generation device 100. Here, the bit commitment function BC is defined as follows.

[0010] BC_g(X, r) = g^xh^rmod p4. key
The generator 100 uses the random number generator 103 to generate a random number x
A suitable value r ₁, r_Two, r_ThreeAnd the remainder arithmetic unit 104
To calculate the following a, b, and c, and send them to the management device 200i.
You. a = BC_g(X, r₁) B = BC_a(X, r_Two) = BC_g(X^Two mod N, r₁ x
+ R_Twomod N) c = BC_b(X^Two mod N, r_Three) = BC_g(X^Four mod N, r₁x_Three
+ R_Twox^Two+ R_Three mod N) 5. Next, the key generation device 100 determines that a = BC_g(X, r₁)
And b = BC_a(X, r _Two) Bit-commits the same x
The following procedure will be used to prove that this is the case.

(A) The key generation device 100 includes a random number generator 10
3 to generate v, w, w ', and the remainder arithmetic unit 1
Then, u = BC _g (v, w) and u ′ = BC _a (v, w ′) are generated using (S05), and (u, u ′) is sent to the management device 200i. (B) The management device 200i uses the random number generator 202 to
And sends it to the key generation device 100.

(C) The key generation device 100 includes a remainder operation unit 10
6, z = v + xR mod N, t = w + r ₁ R mod N, t ′ =
Calculate w ′ + r ₂ R mod N and send (z, t, t ′) to the management device 200i. (D) The management device 200i verifies whether or not the following expression holds using the remainder arithmetic unit 203 and the comparator 204.

BC _g (z, t) = ua ^R mod p, BC
_a (z, t ') = u'b ^R mod p Similarly, the key generation device 100 is obtained by bit-committing x ² mod N where b = BC _g (x ² mod N, r ₁ x + r ₂ mod N) and c = BC _b (x ² mod N, r ₃ ). Prove that in the same way as above.

7. The key generation device 100 includes a remainder operation unit 107
Is used to calculate y that satisfies y ² ≡x ⁴ (mod N) and the value of the Jacobi symbol (y / N) = − 1, and
Send to i. Here, y has been proved to have a relationship of x and y ² = x ⁴ (mod N) by both the proofs of the fifth step and the sixth step, and (y / N) = − 1, x, y
Is a condition that can be decomposed into prime factors P and Q.

[8] The key generation device 100 converts x into n values s using the remainder arithmetic unit 108 by Sharmir's polynomial interpolation method.
_1, ..., distributed to s _n, the management apparatus of management's T _i a s _i 2
00i. Further, using the value of a = BC _g (x, r ₁ ), information E ₁ ,..., Which proves that s _i is a correctly distributed value using the remainder operator 108 according to Pedersen's method. Send E _k-1 . k-1 is the lowest order of the polynomial used in the polynomial interpolation, and k ≦ n.

9. The management device 200i is a remainder arithmetic unit 205
And their validity using comparator 206,
Receive and store them if correct. 10. When it is necessary to recover the secret key (P, Q), k of the n managers cooperate to bring in the shared information s _i of each manager and use them to generate the remainder arithmetic unit 109 by Shamir's method. To restore the value of x. In addition, GCD
Using the arithmetic unit 110 and the GCD arithmetic unit 110, x
^When the greatest common divisor of ^2- y and N is obtained, P or Q is obtained. From this, both P and Q can be obtained. That is, now m = x ² (mod N) and the value of the Jacobi symbol is (m /
N) = 1, then m ² = y ² = x ⁴ (mod N),
And (1 / N) = - 1 , (y / N) = - 1 if the condition is of, (z-y), i.e. (x ² -y) It is mathematically known divisible by prime factor of N Have been. Therefore x ²
If one finds the greatest common divisor of -y and N, one prime factor of N will be obtained.

Next, a second embodiment of the present invention will be described. FIG. 5 shows an example of a communication sequence according to the present invention. FIG. 6 shows an example of the configuration of the key generation device 100, and FIG. 7 shows an example of the configuration of the management device 200i. Hereinafter, a procedure for registering the shared information and recovering the secret key will be described. 1. The key generation device 100 uses the key generator 101 to
A secret key d and a public key (N, e) of the A cipher are generated, and (N,
e) the management device 200 of the administrator T _i (i = 1,..., n)
Send to i.

2. The management device 200i determines the prime numbers (p, q) and the elements g and h of order q using the parameter generator 201 alone or jointly, and sends them to the key generation device 100. Note that q | p-1 (q is a divisor of p-1).
Here, the bit commitment function BC is defined as follows. _{BC g (x, r) =} g x h r mod p In addition management apparatus 200i by using a random number generator 202 X
Is generated, and G = X ^e mod N is calculated using the remainder arithmetic unit 203.

The management device 200i stores X and (p, q,
g, h) to the key generator. Here, BC _g (s, r)
= And ^{g s h r mod p, BC} G (s) = G s mod N. 3. The key generation device 100 determines an appropriate value r ₁ using the random number generator 103, calculates a = BC _g (d, r ₁ ) using the remainder operation unit 102, and b = BC _G (d) = X And

4. Next, the key generation device 100 determines that a = BC _g
The following procedure will prove that (d, r ₁ ) and b = BC _G (d) = X are the same d's bit-committed. (A) The key generation device 100 generates v and w using the random number generator 103, and further generates u = BC _g (v, w) and u ′ = BC _G (v) using the remainder arithmetic unit 104 Then, (u, u ') is sent to the management device 200i. Note that G used for calculating u 'is calculated using X, e, and N.

(B) The management device 200i includes the random number generator 20
R is determined using 2 and sent to the key generation device 100. (C) The key generation device 100 calculates z = v + dR, t = w + r ₁ R mod q using the remainder arithmetic unit 105, and sends (z, t) to the management device 200i.

(D) The management device 200i determines whether or not the following equation is satisfied: the remainder arithmetic unit 204 and the comparator 205
Verify using. BC _g (z, t) = ua ^R mod p, BC _G (z) = u′b ^R
mod N Further, the comparator 205 is used to confirm that z is equal to or less than the number of bits determined by the size (number of bits) of v, R, and d.

5. The key generation device 100 converts the d into n values s ₁ , using the remainder arithmetic unit 106 by Shamir's polynomial interpolation method.
, S _n , and s _i is _{assigned to} the management device 200 of the administrator T _i.
Send to i. Further, using the value of a = BC _g (d, r ₁ ), information E which proves that s _i is a correctly distributed value using the remainder operator 106 according to Pedersen's method.
₁ , ..., E _k-1 are sent.

6. The management device 200 i
And their validity using comparator 207,
Receive and store them if correct. 7. When it is necessary to recover the secret key d, k of the n managers cooperate to bring in the shared information of each manager, and use the remainder operation unit 107 to calculate the value of d using the Shamir's method. Restore.

In the above description, a = F _g (x) mo
While using the g ^x h ^r mod p may be g ^x mod p as dp. Similarly, in the second embodiment, g ₌ mod p may be used as a = F _g (d) mod p.

[0026]

According to the first aspect of the present invention, secret information x relating to a secret key (P, Q) is distributed and registered in the RSA method or the Rabin method, which is a public key cryptosystem of a prime factorization system. In addition, each manager can confirm that the distributed information sent to himself is correct. Therefore, the secret key (P, Q) can always be restored if a certain number (k) of managers cooperate.
Similarly, in the invention of claim 2, the secret key d
, And the secret key d can always be restored if a certain number (k) of administrators cooperate.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a system to which the present invention is applied.

FIG. 2 is a diagram showing a processing sequence performed between the key generation device and the management device according to the embodiment of the present invention.

FIG. 3 is a block diagram showing a functional configuration of a key generation device 100 in the embodiment of FIG. 2;

FIG. 4 is a block diagram showing a functional configuration of a management device 200i in the embodiment of FIG.

FIG. 5 is a diagram showing a processing sequence performed between the key generation device and the management device according to the embodiment of the second invention.

FIG. 6 is a block diagram showing a functional configuration of the key generation device 100 in the embodiment of FIG.

FIG. 7 is a block diagram showing a functional configuration of a management device 200i in the embodiment of FIG.

Claims (2)

[Claims] 1. A key generator of a key generator, and a manager T
_i (i = 1,..., n) is a secret key distribution management method in which a secret key of a public key cryptosystem based on the prime factorization problem is distributed to a plurality of devices, registered in the management device, and then restored. Then, the key generator generates a secret key (P, Q) and a public key N = PQ by the key generation device, and sets N as an administrator T _i (i = 1,..., N).
To the management device, and the management device alone or in combination
And an element g of order N is determined and sent to the key generator, the key generator sends y, a = F _g (x) mod p to the manager, and N is the product of two prime numbers; The key generation unit proves that x and y satisfy a certain relation to the administrator by exchanging information with the management unit while keeping the values of x, P, and Q secret. The key generation unit converts x into Shamir's polynomial interpolation method. Is distributed to _n values s ₁ ,..., S _n by using, and s _i is sent to the management device of the administrator T _i , and at the same time, information for proving that s _i is a correctly distributed value is sent The management device verifies their validity, receives and stores them if they are correct, and when there is a need to recover the private key (P, Q), k of the n administrators cooperate and The shared information of the administrator is supplied from the management device to the key generation device, and the key generation device obtains the value of x from the supplied shared information. And calculating the prime factors P and Q of N from the value of y and the value of y. 2. A key generation device of a key generator and an administrator T
_i (i = 1,..., n) is a secret key distribution management method in which a secret key of the RSA public key cryptosystem is distributed to a plurality of units and registered in the management unit, and restored later. Generates a secret key d and a public key (N, e) of the RSA public key cryptosystem by the key generation device, and sends (N, e) to the management device of the manager _Ti (i = 1,..., N). The administrator generates a random number X and calculates G = X ^e mod N by the management device alone or in combination, generates a prime number p and a parameter g, and sends X, p, g to the key generation device; The key generation device sends a = F _g (d) mod p to the management device, and the key generator determines that a and X = F ′ _G (d) mod N each encrypt the same d value of d. The secret is verified by exchanging information between the administrator key generation device and the management device, and the key generation device N values s ₁ with Polynomial interpolation, ..., dispersed in s _n, at the same time sends a s _i to the management device administrator T _i, prove s _i is correctly distributed values The management device verifies their validity, receives and stores them if they are correct, and when there is a need to recover the private key d, k of the n administrators cooperate and A secret key distribution management method comprising: supplying administrator's shared information from the management device to a key generation device; and the key generation device restoring the value of d from the supplied shared information.