JPH11215118A - Method and device for proving plain text identity for plural cryptograms, and medium for recording program for performing plain text identity proof of plural cryptograms - Google Patents

Abstract

PROBLEM TO BE SOLVED: To safely and efficiently enable the plane text identity of plural cryptograms to be proved without disclosing secret information between a certifier and an identifier by having the certifier prepare an information sequence for proving the identity of the plane text with regard to the plural cryptograms and having the identifier confirm only the identity without knowing the plain text. SOLUTION: A certifier prepares special plain texts and prepares a cryptogram from public information for enciphering with regard to the plain texts respectively. Moreover, an information system for indicating the identity of the plain text is prepared without letting the identifier know the plain text and discloses the information to the identifier. The identifier uses the public information corresponding to the information sequence and the cryptogram, and confirms the identity of the text. That is, when the cryptogram a user A (204a) prepares is transmitted to a user B (204b) in this system, an enciphering key for the cryptogram is enciphered by public keys of the user B (204b) of a receiver and of a center A (203a) of the identifier respectively, and the identity of the plain text (the enciphering key) for the two cryptograms is proved.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a key recovery system and an encryption system for encrypted electronic mail.

[0002]

2. Description of the Related Art Encryption technology is a computer technology for preventing eavesdropping, falsification, and impersonation of users. One of the effects of encrypting data is that access to (decryption of) information can be limited to a user having a decryption key. It can be said that data encryption is one of means for easily realizing access control of confidential information independent of the operation (on / offline) of the computer system and the platform (OS).

[0003] Regarding the storage of confidential information, for example, the following situation is assumed.

(1) Due to laws and organizational regulations, there is an obligation to store for a long time (on a yearly basis).

[0005] (2) Once stored, it is hardly accessed.

(3) It is necessary to securely submit (decrypt) at the time of external or internal audit.

[0007] In such a situation, if it is attempted to decrypt the data and the decryption cannot be performed, it is expected that the organization or the department in charge will be disadvantageous. The reason why the decryption cannot be performed may be not only that the confidential information that should have been stored is not found, but also that the key for decryption is lost or the location of the key is unknown due to a change of the person in charge.

In the current system, key management is often left to voluntary management by a person in charge of storing confidential information (person in charge of encryption). As encryption of confidential information becomes general, key management is performed. It is expected that troubles over will occur. If the decryption key can be managed by the user in advance by the system and can be taken out in an emergency, this can be a measure against the above-mentioned trouble.

[0009] The encryption technique for realizing this countermeasure is called a key recovery technique. One of the key recovery technologies is DRF (Data Recovery
There is a method called “Field) that attaches a tag to ciphertext.

The relationship between DRF and ciphertext will be described.

DRF ciphertext body [KS] KRCpub | [KS] Userpub | [m] KS KRCpub: public key of (key recovery) center Userpub: user's public key KS: session key m: data (plaintext) The user holds a private key Userpri corresponding to the public key Userpub.

2. The user causes the private key Userpri to act on the field [KS] Userpub.

3. The data m is decoded using the obtained KS.

As a solution to the problem that m cannot be decrypted at the time of trouble such as loss of the private key Userpri, the DRF is used as follows.

1. The system holds a secret key KRCpri corresponding to the public key KRCpub.

2. The system applies the secret key KRCpri to the DRF (field [KS] KRCpub).

3. The data m can be decoded using the obtained KS.

A well-known example of such a key recovery system is the Commercial Key Escrow of Balenson et al., The contents of which are disclosed in US Pat. No. 5,557,765.

[0019]

When the above-described key recovery system using the DRF is operated, there are the following security problems.

When a user creates a ciphertext, it is assumed that the user creates a DRF at the same time. for that reason,
A malicious user may interfere with the key recovery operation using the DRF. For example, there are the following attack methods.

(1) r | r '| [m] KS r, r': random number (2) [KS '] KRCpub | [KS] Userpub | [m] KS (3) [KS'] KRCpub | '] Userpub | [m] KS (1) is an attack that takes advantage of the fact that encrypted data and random numbers cannot be distinguished. In (2), the user is KS
, But cannot be decoded because the system is KS '. In (3), the content of the DRF matches the content of the user,
A key KS 'different from the actual decryption key KS is used.

The present invention proposes an effective verification protocol for the cases (1) and (2).

[0023]

Means for Solving the Problems One of the concrete realizing methods for solving the above problems is as follows. As the encryption process, the prover publishes public information e = 3, N <N _i ∈Z (i = 1, 2), and
In M = N ₁ N ₂ , a ciphertext for plaintext K∈Z

[0024]

[Equation 65]

Calculating the ciphertext y _i (i =
To prove the identity of K from 1,2),

[0026]

[Equation 66]

And a step of disclosing y ₁ , y ₂ , and x to a confirmer, provided that gcd
(N _i , N _j ) = 1 (i ≠ j), and gcd (a, b)
Represents the greatest common divisor of the integers a and b, and Z represents an integer ring. ) 2. As a confirmation process, the confirmer sets the following protocol as i =
, T, and j = 1, 2,..., K. (1) The prover has r _{1, i} ∈Z and 0 <r _{2, j} <N
/ 2 and N / 2 randomly selected _{<r 2, j + K <} N becomes r _{2, j,}

[0028]

[Equation 67]

Calculating (2) and publishing u _{1, i} , u _{2, j} to the verifier, (2) The verifier verifies that v _{1, i} ∈Z (0
<V _{1, i} <e) and randomly selecting v _{2, j} {0,1} and exposing v _{1, i} , v _{2, j} to the prover, and (3) the prover ,

[0030]

[Equation 68]

Calculating the following, and exposing w _{1, i} , w _{2, j} to the confirmer, (4) the confirmer

[0032]

[Equation 69]

And when v _{2, j} = 0,

[0034]

[Equation 70]

It is confirmed that when v _{2, j} = 1,

[0036]

[Equation 71]

(Where φ is
By Chinese remainder theorem

[0038]

[Equation 72]

Represents a ring isomorphism Perform each step in this order.

These will be specifically described with reference to an embodiment.

[0041]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS First, symbols used in the embodiments of the present invention will be described. Z represents an integer ring, gcd
(A, b) represents the greatest common divisor of the integers a and b, and E (K:
P) and D (K: P) represent the results of encrypting and decrypting the plaintext P with the key K (by the secret key cryptosystem), respectively.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a schematic diagram showing the outline of the present invention.

FIG. 2 is a configuration diagram of a system according to an embodiment of the present invention.

Reference numeral 200 denotes a communication network such as the Internet or Intranet; 201, a router; and 202, a firewall. 203a and 203b are machines such as a key recovery center in the key recovery system described in the related art and a management center in an in-house LAN, and 204a, 204b,..., 204z are user machines such as PCs. Reference numeral 205 denotes a file server used by the centers (203a, 203b) and users (204a, 204b,..., 204z). 206 is a public key server that manages public keys. Center machine (203a, 203b), user machine (204
a, 204b,..., 204z), the file server (205), and the public key server (206) are connected to the communication network (200) and communicate with each other.

FIG. 3 is a diagram showing an apparatus configuration on the prover side and an apparatus configuration on the confirmer side.

FIG. 3 is a diagram showing a device of a prover (ciphertext creator) and a confirmer. The user machine (204a, 204b,..., 204z) and the router (201) shown in FIG. ) Is a device used when a prover or a confirmer is used.

Reference numeral 301 denotes a random number generator, which generates a random number used in the creation of a cipher text, confirmation processing, and the like. Reference numeral 302 denotes an input device for inputting public information and key data necessary for calculation.
An arithmetic unit 303 performs operations such as encryption / decryption of data, creation of proof data, and verification of proof data. 304
Denotes a storage device, which stores input data from the input device (302), a calculation result of the calculation device (303), and the like. A communication device 305 is connected to the communication network (200),
Send and receive data.

In the following first to fourth embodiments, the center A (203) is used by using the system example shown in FIG.
The ciphertext created by the user A (204a) is stored in a database in the file server (205), or the plaintext of a plurality of ciphertexts when performing cipher communication with another user, taking the key recovery according to a) as an example. The identity certifying method will be described.

That is, there is a case where the center (203a) wants to legally decrypt the encrypted data flowing in the communication network (200) for the purpose of auditing, criminal investigation and the like. At this time, the ciphertext created by the user (204a, 204b,..., 204z) needs to be encrypted so that the center (203a) can also be decrypted, and is an illegal ciphertext that cannot be decrypted by the center (203a). Is to be detected.

[Embodiment 1] In the first embodiment, a method will be described in which RSA encryption is used as a public key encryption method and proof of identity of a plurality of ciphertexts is performed on up to two ciphertexts. Specifically, when transmitting the ciphertext created by the user A (204a) to the user B (204b), the encryption key of the ciphertext is transmitted to the user B (204b) as the receiver and the center A as the confirmer. Each is encrypted with the public key of (203a), and it is proved that the plaintext (encryption key) of the two ciphertexts is the same. At this time, anyone can perform the confirmation processing. In the first embodiment, the router (201) in the middle of the communication path performs the confirmation processing instead of the center A by the prover (user A (204
a)) will be described interactively.

FIG. 4 is a flowchart showing the processing of the prover and the confirmer according to the first embodiment of the present invention.

1. As a preparation process, the prover (user A
(204a)) and the confirmer (router (201)) previously determine the public key (N _i , e _i ) (i = 1,
2), N <N ₁ , N ₂ , M = N ₁ N _2, and the number of repetitions t, k of the confirmation process performed between the prover and the verifier are stored in the storage device (304) using the input device (302). ).
(Alternatively, the public information may be managed by the public key server (206) and may be obtained by communication from the public key server (206) as necessary.) Here, (N ₁ , e ₁ ), a public key, private key of the user B (204b) to d _1, public key (N _2, e _2), the d ₂ center a (203a), and a secret key.

2. As an encryption process, a prover (user A)
(204a)) uses a random number generator (301) to randomly generate a data encryption key K301Z, and uses an arithmetic unit (303) to convert the cipher text C of the transmission message P into C = E ( K: P).

Further, the prover uses the arithmetic unit (303) and the storage unit (304) to write the cipher text for the encryption key K using

[0056]

[Equation 73]

Is calculated by

Further, for the purpose of proving the identity of K from the ciphertexts y ₁ and y ₂ , using the arithmetic unit (303) and the storage unit (304),

[0059]

[Equation 74]

Then, the cipher text (C, y ₁ , y ₂ ) and the certification data 1 (Y, x) are transmitted to the user B (204b), which is the receiver, using the communication device (305). .

(However, gcd (N _i , N _j ) = 1 (i ≠
j). ) 3. As confirmation processing, the confirmer (router (201)) receives the cipher text (C, y ₁ , y ₂ ) and the certification data 1 (Y, x) using the communication device (305), and 304).

Further, the following protocol is used for i = 1, 2,.
.., t and j = 1, 2,..., K,
(1) The prover (user A (204a)) uses the random number generator (30
Using 1), r _{1, i} ∈Z and 0 <r _{2, j} <N / 2 a
_{nd N / 2 <r 2,} j + K < randomly generated N becomes r _{2, j,} computing device (303), using the storage device (304), as proof data 2,

[0063]

[Equation 75]

Is calculated, and the proof data 2 (u _{1, i} , u _{2, j} ) is verified by the verifier (router (20)
1)) to send.

(2) The confirmer (the router (201)) uses the communication device (305) to make the proof data 2 (u _{1, i} ,
u _{2, j} ) is received and stored in the storage device (304).

Further, the verifier uses the random number generator (301) to make v _{1, i} ∈Z (0 <v _{1, i} <e) and v _{2, j} ∈
{0, 1} is randomly generated, and v _{1, i} , v _{2, j} is transmitted to the prover (user A (204a)) using the communication device (305).

(3) The prover (user A (204a)) receives v _{1, i} , v _{2, j} using the communication device (305), stores it in the storage device (304), and (303), using the storage device (304) as proof data 3

[0068]

[Equation 76]

Is calculated, and the proof data 3 (w _{1, i} , w _{2, j} ) is verified by the verifier (router (20)
1)) to send.

(4) The confirmer (router (201)) uses the communication device (305) to output the certification data 3 (w _{1, i} ,
w _{2, j} ) is received and stored in the storage device (304), and using the arithmetic device (303) and the storage device (304),

[0071]

[Equation 77]

When v _{2, j} = 0,

[0073]

[Equation 78]

It is confirmed that when v _{2, j} = 1,

[0075]

[Expression 79]

Is confirmed.

(However, φ is the Chinese remainder theorem
by

[0078]

[Equation 80]

Is a ring isomorphism If the confirmation processing is not established, the certifier (user A (204a)) is notified that the transmission cannot be performed due to the illegal encryption data, and the transmission of the encryption data is stopped.

If both the t and k times are satisfied, the cipher text (C, y ₁ , y ₂ ) is distributed to the user B (204b).

User B, having received the ciphertext (C, y ₁ , y ₂ ), extracts the data encryption key K from y ₁ using his / her own secret key, and obtains the message P by P = D (K: C). Similarly, the center A (203a) can also decrypt the ciphertext in an emergency such as criminal investigation or audit.

[Embodiment 2] In a second embodiment, as a modification of the first embodiment, proof of identity of a plurality of cipher texts is
A method of non-interactively performing between the prover and the verifier using the published one-way functions f ₁ and f ₂ will be described.

FIG. 5 is a flowchart showing the processing of the prover and the confirmer according to the second embodiment of the present invention.

1. 1. As the preparation processing, the same preparation processing as in the first embodiment is performed. Prover (user A (204a)) as the encryption process
Is a data encryption key K 乱 数 using a random number generator (301).
Z is randomly generated, and the ciphertext C of the transmission message P, C = E (K: P) and the ciphertext of the encryption key K are generated using the arithmetic unit (303).

[0085]

[Equation 81]

Is calculated.

Further, the prover obtains K from the ciphertexts y ₁ and y _2.
For the purpose of proving the identity of
3), using the storage device (304)

[0088]

(Equation 82)

Then, the prover finds that i = 1,
2, ..., t and j = 1,2, ..., k, r
_1, i∈Z and 0 <r _{2, j} <N / 2 and N / 2 <r
_{2, j} + K <N-composed r _{2, j} using a random number generator (the 301), randomly generated, the arithmetic unit (303), storage device (3
04)

[0090]

[Equation 83]

Then, the cipher text (C, y ₁ , y ₂ ) and the proof data (Y, x, u _{1, i} , u _{2, j} , w _{1, i} , w _{2, j} ) are calculated.
Is transmitted to the user B (204b).

(However, gcd (N _i , N _j ) = 1 (i ≠
j). ) 2. As confirmation processing, the confirmer (router (201)) uses the new communication device (305) to generate the cipher text (C, y ₁ , y ₂ ),
Proof data (Y, x, u1 _{, i} , u2 _{, j} , w1 _{, i} , w
_{2, j} ) is received and stored in the storage device (304).
.., t and j = 1, 2,.

[0093]

[Equation 84]

Is calculated,

[0095]

[Equation 85]

When v _{2, j} = 0,

[0097]

[Equation 86]

It is confirmed that when v _{2, j} = 1,

[0099]

[Equation 87]

Check the following.

(However, φ is the Chinese remainder theorem
by

[0102]

[Equation 88]

Represents a ring isomorphism If the confirmation processing is not established, the certifier (user A (204a)) is notified that the transmission cannot be performed due to the illegal encryption data, and the transmission of the encryption data is stopped.

When all the confirmation processes are established, the cipher text (C, y ₁ , y ₂ ) is delivered to the user B (204b).

(In the first and second embodiments, when the public keys are all the same (e ₁ = e ₂ ), the prover must prove the identity of K from the ciphertexts y ₁ and y _2. For the purpose

[0106]

[Equation 89]

The process of calculating the value can be omitted. Third Embodiment) In a third embodiment, as another example of the first embodiment, a method of certifying plaintext identity of a plurality of ciphertexts for up to four ciphertexts will be described. Specifically, user A (204a)
The encrypted text created by user B (204b) and user C (204
c) when transmitting to two persons, the encryption key of the ciphertext is transmitted to the user B (204b) and the user C (204c),
Each is encrypted with the public key of the center A (203a), which is the confirmer, and it is proved that the plaintext (encryption key) of each ciphertext is the same. At this time, the confirmation process can be performed by anyone, and in the third embodiment, the router (201) on the communication path performs the confirmation process instead of the center A (203a) by the prover (user A (204a)). ) Will be described.

FIG. 6 is a flowchart showing the processing of the prover and the confirmer according to the third embodiment of the present invention.

1. As a preparation process, the prover (user A
(204a)) and the confirmer (the router (201)) previously determine the public key (N _i , e _i ) (i = 1, 2,
3), N <N ₁ , N ₂ , N ₃ , M = N ₁ N ₂ N _3, and the number of repetitions t, k of the confirmation process performed between the prover and the verifier using the input device (302). , And stored in the storage device (304). (Alternatively, the public information may be managed by the public key server (206), and may be obtained by communication from the public key server (206) as needed.) Here, (N ₁ , e ₁ ), public key of d ₁ user B (204b), a private key, public key (N _2, e _2), the d ₂ user C (204b),
The secret key, (N ₃ , e ₃ ), d ₃ is used as the public key and secret key of the center A (203a).

[0110] 2. As an encryption process, a prover (user A)
(204a)) uses a random number generator (301) to randomly generate a data encryption key K301Z, and uses an arithmetic unit (303) to convert the cipher text C of the transmission message P into C = E ( K: P).

Further, the prover uses the arithmetic unit (303) and the storage unit (304) to convert the cipher text for the encryption key K into

[0112]

[Equation 90]

Is calculated.

Further, for the purpose of proving the identity of K from the ciphertexts y ₁ , y ₂ , y ₃ , using the arithmetic unit (303) and the storage unit (304),

[0115]

[Equation 91]

Is calculated, and the ciphertext (C, y ₁ , y ₂ , y ₃ ) and proof data 1 (Y ₁ ,
Y ₂ , Y ₃ , and x) are transmitted to the recipients, user B (204b) and user C (204c).

(However, gcd (N _i , N _j ) = 1 (i ≠
j). ) 3. As confirmation process, confirmer (router (201)), using the communication device (305), the ciphertext _{(C, y 1, y 2} , y 3)
And proof data 1 (Y ₁ , Y ₂ , Y ₃ , x) are received and stored in the storage device (304).
, T and j = 1, 2,..., K. (1) The prover (user A (204a)) uses the random number generator (301) to obtain r _{1, i} ∈Z _{and, 0 <r 2, j <} N
/ 2 and N / 2 <r _{2, j} + K <N r _{2, j} is randomly generated, and as the proof data 2 using the arithmetic unit (303) and the storage unit (304),

[0118]

(Equation 92)

Is calculated, and the proof data 2 (u _{1, i} , u _{2, j} ) is verified by the verifier (router (20)
1)) to send.

(2) The confirmer (router (201)) uses the communication device (305) to make the proof data 2 (u _{1, i} ,
u _{2, j} ) is received and stored in the storage device (304).

Further, the verifier uses the random number generator (301) to make v _{1, i} ∈Z (0 <v _{1, i} <e) and v _{2, j} ∈
{0, 1} is randomly generated, and v _{1, i} , v _{2, j} is transmitted to the prover (user A (204a)) using the communication device (305).

(3) The prover (user A (204a)) receives v _{1, i} , v _{2, j} using the communication device (305), stores it in the storage device (304), and (303), using the storage device (304) as proof data 3

[0123]

[Equation 93]

Is calculated, and the proof data 3 (w _{1, i} , w _{2, j} ) is verified by the verifier (router (20)
1)) to send.

(4) The confirmer (the router (201)) uses the communication device (305) to make the verification data 3 (w _{1, i} ,
w _{2, j} ) is received and stored in the storage device (304), and using the arithmetic device (303) and the storage device (304),

[0126]

[Equation 94]

And when v _{2, j} = 0,

[0128]

[Equation 95]

It is confirmed that when v _{2, j} = 1,

[0130]

[Equation 96]

Is confirmed.

(However, φ is the Chinese remainder theorem
by

[0133]

(97)

This is a ring isomorphism. If the confirmation processing is not established, the certifier (user A (204a)) is notified that the transmission cannot be performed due to the illegal encryption data, and the transmission of the encryption data is stopped.

If both the t and k times are satisfied, the cipher text (C, y ₁ , y ₂ , y ₃ ) is distributed to the user B (204b) and the user C (204c).

The user B (204b) and the user C (204c) having received the cipher text (C, y ₁ , y ₂ , y ₃ ) use their own private keys to encrypt the data from y ₁ and y ₂ respectively. The encryption key K is taken out, and the message P can be decrypted by P = D (K: C). Similarly, the center A (203a) can decrypt the ciphertext in an emergency such as criminal investigation or audit. Become.

[Fourth Embodiment] In the fourth embodiment, as a modification of the third embodiment, proof of identity of a plurality of ciphertexts is defined as follows.
A method of non-interactively performing between the prover and the verifier using the published one-way functions f ₁ and f ₂ will be described.

FIG. 7 is a flowchart showing the processing of the prover and the confirmer according to the fourth embodiment of the present invention.

[0139] 1. 1. As the preparation processing, the same preparation processing as in the third embodiment is performed. Prover (user A (204a)) as the encryption process
Is a data encryption key K 乱 数 using a random number generator (301).
Z is randomly generated, and the ciphertext C of the transmission message P, C = E (K: P) and the ciphertext of the encryption key K are generated using the arithmetic unit (303).

[0140]

[Equation 98]

Is calculated by

Further, the prover can use the ciphertexts y ₁ , y ₂ , y ₃
For the purpose of proving the identity of K from, using an arithmetic unit (303) and a storage unit (304),

[0143]

[Equation 99]

Then, the prover finds that i = 1,
2, ..., t and j = 1,2, ..., k, r
_1, i∈Z and 0 <r _{2, j} <N / 2 and N / 2 <r
_{2, j} + K <N-composed r _{2, j} using a random number generator (the 301), randomly generated, the arithmetic unit (303), storage device (3
04)

[0145]

[Equation 100]

Is calculated, and the ciphertext (C, y ₁ , y ₂ , y ₃ )
And proof data (Y ₁ , Y ₂ , Y ₃ , x, u _{1, i} ,
u _{2, j} , w _{1, i} , w _{2, j} ) are transmitted to the user B (204b) and the user C (204c).

(However, gcd (N _i , N _j ) = 1 (i ≠
j). ) 2. As a confirmation process, the confirmer (router (201)) uses the new communication device (305) to execute the cipher text (C, y ₁ , y ₂ , y ₃ ).
And proof data (Y ₁ , Y ₂ , Y ₃ , x, u _{1, i} ,
u _{2, j} , w _{1, i} , w _{2, j} ), and stores them in the storage device (304).
, And the verifier confirms that i = 1, 2,..., T and j =
In 1,2, ..., k

[0148]

[Equation 101]

Is calculated,

[0150]

[Equation 102]

And when v _{2, j} = 0,

[0152]

[Equation 103]

It is confirmed that when v _{2, j} = 1,

[0154]

[Equation 104]

Is confirmed.

(However, φ is the Chinese remainder theorem
by

[0157]

[Equation 105]

Represents a ring isomorphism If the confirmation processing is not established, the certifier (user A (204a)) is notified that the transmission cannot be performed due to the illegal encryption data, and the transmission of the encryption data is stopped.

When all the confirmation processes are established, the cipher text (C, y ₁ , y ₂ , y ₃ ) is transmitted to the user B (204b) and
The data is distributed to the user C (204c).

(In the third and fourth embodiments, when all public keys are the same (e ₁ = e ₂ = e ₃ ),
The prover aims to prove the identity of K from the ciphertexts y ₁ , y ₂ , y ₃

[0161]

[Equation 106]

It is possible to omit the process of calculating. )

[0163]

According to the plaintext identity proving method of the present invention, (1) who disclose the secret information of the prover (ciphertext creator) and the plaintext identity of a plurality of ciphertexts without disclosing any plaintext Can be verified. For this reason,
It is possible to verify plaintext identity not only by the encryption / decryption apparatus but also by a router or firewall on the communication path.

(2) The plaintext identity of a plurality of ciphertexts can be verified non-interactively between the prover and the verifier, and the communication processing load due to the verification processing is small. Further, it is possible for a third party to periodically verify the identity of the plaintext of the ciphertext stored in the database or the like.

(3) In a key recovery system which is considered to be important in the future, Balenson et al.
In a conventional method known as ey Escrow, a DRF obtained by encrypting the same data encryption key is attached to a ciphertext using a public key of a key recovery center and a user's public key. In this case, the user can perform fraud such as passing a false data encryption key to the center. On the other hand, in the present system, it is possible to prevent the key recovery operation using the DRF from being disturbed.

[Brief description of the drawings]

FIG. 1 is a schematic diagram showing an outline of the present invention.

FIG. 2 is a configuration diagram of a system according to an embodiment of the present invention.

FIG. 3 is a diagram showing an apparatus configuration on the prover side and an apparatus configuration on the confirmer side.

FIG. 4 is a flowchart showing processing of a prover and a confirmer according to the first embodiment of the present invention.

FIG. 5 is a flowchart showing processing of a prover and a confirmer according to a second embodiment of the present invention.

FIG. 6 is a flowchart showing processing of a prover and a confirmer according to a third embodiment of the present invention.

FIG. 7 is a flowchart showing processing of a prover and a confirmer according to a fourth embodiment of the present invention.

Claims (15)

[Claims] 1. A method in which a prover proves the identity of each plaintext to a verifier for a plurality of ciphertexts, wherein the prover creates a plaintext P having a special form, Further, public information PKi for encryption is added to the plaintext P.
The ciphertext Ci (i> 1) is created from (i> 1), and an information sequence S indicating the identity of the plaintext is created without informing the confirmer of the plaintext P. The information S is made public, and the verifier confirms the public information PK corresponding to the information sequence S and the ciphertext.
A plaintext identity proving method for a plurality of ciphertexts, wherein the identity of the plaintext is confirmed using i (i> 1). 2. The method according to claim 1, wherein the confirmer randomly selects a plurality of ciphertexts from the plurality of ciphertexts, and the prover shows the identity of the plaintext to the confirmer by the method of claim 1. A plaintext identity proving method for a plurality of ciphertexts, characterized by 3. A method in which a prover certifies the identity of each plaintext to a confirmer with respect to a plurality of ciphertexts, wherein the prover uses a plurality of information Pj (j > 2), and public information PKi (i> 1) for encryption is added to the plaintext P.
From the public information PKd, the information Pj (j> 2) is encrypted for some public information PKd (in this case, Cd is not generated), and the plaintexts P and Pj ( j> 2), without informing the confirmer, an information sequence S indicating the identity of the plaintext P is created, and the information S is made public to the confirmer. Corresponding public information PK
A plaintext identity proving method for a plurality of ciphertexts, wherein the identity of the plaintext P is confirmed using i (i> 1). 4. A method of proving to a verifier only the identity of a plaintext of a plurality of ciphertexts created by a prover while keeping the plaintext of the ciphertext secret, As the encryption process, the prover decides that the public information e = 3, N <N _i ∈Z (i = 1, 2) and
In M = N ₁ N ₂ , a ciphertext for plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1,2), And the step of exposing y ₁ , y ₂ , and x to a confirmer, where gcd (N _i , N _j )
= 1 (i ≠ j), and gcd (a, b) is an integer a, b
And Z represents an integer ring. ) 2. As the confirmation process, the confirmer sets the following protocol as i = 1, 2,..., T and j = 1,
2, ..., repeated until k, (1) _prover, r _{1, i} ∈Z _{and, 0 <r 2, j <} N / 2 and N / 2 <r 2, j + K <N becomes r _{2, j} Is selected at random, and , And u _{1, i} , u _{2, j} are disclosed to the verifier. (2) The verifier verifies v _{1, i} ∈Z (0 <v _{1, i} <e) and v _{2 , j} ∈ ｛0,
1｝ is randomly selected, and v _{1, i} , v _{2, j} is disclosed to the prover. (3) The prover has the following formula: And w _{, i} , w2 _{, j} are disclosed to the checker, and (4) the checker obtains And when v _{2, j} = 0, And when v _{2, j} = 1, (Where φ is Chinese rema
by inder theorem The ring isomorphism A plaintext identity proving method for a plurality of ciphertexts, wherein each step is executed in this order. 5. An apparatus for certifying the identity of a plurality of ciphertexts in plaintext according to claim 4, wherein: As the encryption process, the prover decides that the public information e = 3, N <N _i ∈Z (i = 1, 2) and
At M = N ₁ N ₂ , a ciphertext for plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1, 2), And a means for disclosing y ₁ , y ₂ , and x to the confirmer, where gcd (N _i , N _j ) = 1
(I ≠ j), gcd (a, b) represents the greatest common divisor of the integers a and b, and Z represents an integer ring. ) 2. As the confirmation process, the confirmer sets the following protocol as i = 1, 2,..., T and j = 1,
2, ..., repeated until k, (1) _prover, r _{1, i} ∈Z _{and, 0 <r 2, j <} N / 2 and N / 2 <r 2, j + K <N becomes r _{2, j} Means for randomly generating , And means for disclosing u _{1, i} , u _{2, j} to the checker, and (2) the checker determines that v _{1, i} ∈Z (0 <v _{1, i} <e ) And v _{2, j} ∈ ｛0,
Means for randomly generating _{1 and} means for disclosing v _{1, i} , v _{2, j} to the prover, and (3) the prover has: And a means for disclosing w _{1, i} , w _{2, j} to a confirmer, and (4) the confirmer obtains And when v _{2, j} = 0, , When v _{2, j} = 1, (However, φ is Chinese remainde
(16) by r theorem The ring isomorphism A plaintext identity certifying device for a plurality of ciphertexts. 6. A recording medium storing a program for performing a process of certifying plaintext identity of a plurality of ciphertexts according to claim 4 and claim 5. 7. A series of confirmation processes performed between the prover and the confirmer according to claim 4 by using published one-way functions f ₁ and f ₂ . As the encryption process, the prover decides that the public information e = 3, N <N _i ∈Z (i = 1, 2) and
At M = N ₁ N ₂ , the ciphertext for the plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1,2), , And further, the prover finds that i = 1, 2,..., T and j = 1, 2, 2,
..., in _k, r _{1, i} ∈Z _{and, 0 <r 2, j <} N / 2 and N / 2 randomly selected _{<r 2, j + K <} N becomes r _{2, j,} [number 19] , Y ₁ , y ₂ , x, u _{1, i} , u _{2, j} , w _{1, i} ,
w _{, j} is disclosed to the reviewer,
gcd (N _i , N _j ) = 1 (i ≠ j), and gcd
(A, b) represents the greatest common divisor of the integers a and b, and Z represents an integer ring. ) 2. As the confirmation processing, the confirmer has i = 1, 2,..., T and j = 1, 2, 2,
.., K, Is calculated, and And when v _{2, j} = 0, And when v _{2, j} = 1, (Where φ is Chinese rema
[Expression 24] by inder theorem The ring isomorphism A) plaintext identity proving method for a plurality of ciphertexts, wherein each step is sequentially performed non-interactively; 8. A device for certifying the identity of a plurality of ciphertexts in plaintext according to claim 7, wherein: As the encryption processing, the prover publishes public information e = 3, N <N _i ∈Z (i = 1, 2), and
In M = N ₁ N ₂ , a ciphertext for plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1, 2), .., T, and j = 1, 2, 2,
..., in k, r _{1, i} ∈ Z _{and, 0 <r 2, j <} N / 2 and N / 2 < a means for generating a random r _2, j + K <N becomes r _{2, j,} Equation 27] And means for disclosing y ₁ , y ₂ , x, u _{1, i} , u _{2, j} , w _{1, i} , w _{2, j} to the verifier, provided that gcd (N _i ,
N _j ) = 1 (i ≠ j), gcd (a, b) represents the greatest common divisor of integers a, b, and Z represents an integer ring. ) 2. As the confirmation processing, the confirmer confirms that i = 1, 2,..., T and j = 1, 2, 2,
.., K, Calculating means for calculating And when v _{2, j} = 0, When v _{2, j} = 1, (However, φ is Chinese remainde
[Equation 32] by r theorem The ring isomorphism 3.) A plaintext identity proving method for a plurality of ciphertexts, wherein each step is executed in this order. 9. A recording medium storing a program for performing a process of certifying plaintext identity of a plurality of ciphertexts according to claim 7 and claim 8. 10. A method of proving to a verifier only the identity of a plaintext of a plurality of ciphertexts created by a prover, while keeping the plaintext of the ciphertext secret. As the encryption processing, the prover publishes public information e = 5, N <N _i ∈Z (i = 1, 2,..., M | m <
5), at M = N ₁ N ₂ ... N _m , the ciphertext for the plaintext K∈Z In order to prove the identity of K from the ciphertext y _i (i = 1, 2,..., M), , And a step of opening y _i , x (i = 1, 2,..., M) to the confirmer.
d (N _i , N _j ) = 1 (i ≠ j), and gcd (a,
b) represents the greatest common divisor of the integers a and b, and Z represents an integer ring. ) 2. As the confirmation process, the confirmer sets the following protocol as i = 1, 2,..., T and j = 1,
2, ..., repeated until k, (1) _prover, r _{1, i} ∈Z _{and, 0 <r 2, j <} N / 2 and N / 2 <r 2, j + K <N becomes r _{2, j} Is selected at random, and , And releasing u _{1, i} , u _{2, j} to a verifier, (2) the verifier verifies v _{1, i} ∈Z (0 <v _{1, i} <e) and v _{2 , j} ∈ ｛0,
1｝ is randomly selected and v _{1, i} , v _{2, j} is disclosed to the prover. (3) The prover has the following formula: , And w1 _{, i} , w2 _{, j} are disclosed to the confirmer, and (4) the confirmer obtains And when v _{2, j} = 0, And when v _{2, j} = 1, (Where φ is Chinese rema
by inder theorem The ring isomorphism 3.) A plaintext identity proving method for a plurality of ciphertexts, wherein each step is executed in this order. 11. A device for certifying the identity of plaintexts of a plurality of ciphertexts according to claim 10, wherein: As the encryption processing, the prover publishes public information e = 5, N <N _i ∈Z (i = 1, 2,..., M | m <
5), the _{M = N 1 N 2 ... N} m, the ciphertext [number 41] for plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1, 2,..., M), , And means for disclosing y _i , x (i = 1, 2,..., M) to the confirmer, provided that gcd
(N _i , N _j ) = 1 (i ≠ j), and gcd (a, b)
Represents the greatest common divisor of the integers a and b, and Z represents an integer ring. ) 2. As the confirmation process, the confirmer sets the following protocol as i = 1, 2,..., T and j = 1,
2, ..., repeated until k, (1) _prover, r _{1, i} ∈Z _{and, 0 <r 2, j <} N / 2 and N / 2 <r 2, j + K <N becomes r _{2, j} Means for randomly generating , And means for disclosing u _{1, i} , u _{2, j} to the checker, and (2) the checker determines that v _{1, i} ∈Z (0 <v _{1, i} <e ) And v _{2, j} ∈ ｛0,
A means for randomly generating 1｝, and a means for publishing v _{1, i} , v _{2, j} to the prover, and (3) the prover has: And a means for disclosing w _{1, i} , w _{2, j} to a confirmer, and (4) the confirmer obtains And when v _{2, j} = 0, When v _{2, j} = 1, (However, φ is Chinese remainde
by r theorem The ring isomorphism A plaintext identity certifying device for a plurality of ciphertexts. 12. A recording medium storing a program for performing a process of certifying plaintext identity of a plurality of ciphertexts according to claim 10 and claim 11. 13. A series of confirmation processing between a prover and a confirmer according to claim 11 is performed by a public one-way function f _1.
And using f ₂ , As the encryption process, the prover makes public information e = 5, N <N _i ∈Z (i = 1, 2,..., M | m <
5), in M = N ₁ N ₂ ... N _m , a ciphertext for plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1, 2,..., M), , And further, the prover finds that i = 1, 2,..., T and j = 1, 2, 2,
..., in k, r _{1, i} ∈ Z _{and, 0 <r 2, j <} N / 2 and N / 2 randomly selects _{<r 2, j + K <} N becomes r _{2, j,} Equation 51] , And y _d (d = 1, 2,..., M), x, u _{1, i} , u
_2, j, w _1, i, comprising the step of publishing the confirmer of w _{2, j,} (proviso that _{gcd (N i, N j)} = 1 (i ≠ j), gcd (a, b) Represents the greatest common divisor of integers a and b, and Z represents an integer ring.) As the confirmation processing, the confirmer confirms that i = 1, 2,..., T and j = 1, 2, 2,
.., K, Is calculated, and And when v _{2, j} = 0, And when v _{2, j} = 1, (Where φ is Chinese rema
by inder theorem The ring isomorphism A) plaintext identity proving method for a plurality of ciphertexts, wherein each step is sequentially performed non-interactively; 14. The apparatus according to claim 13, for certifying plaintext identity of a plurality of ciphertexts. As the encryption processing, the prover publishes public information e = 5, N <N _i ∈Z (i = 1, 2,..., M | m <
5), in M = N ₁ N ₂ ... N _m , a ciphertext for plaintext K∈Z And for the purpose of proving the identity of K from the ciphertext y _i (i = 1, 2,..., M), .., T, and j = 1, 2, 2,
..., in k, r _{1, i} ∈ Z _{and, 0 <r 2, j <} N / 2 and N / 2 < a means for generating a random r _2, j + K <N becomes r _{2, j,} Equation 59] And y _d (d = 1, 2,..., M), x,
There is provided means for disclosing u _{1, i} , u _{2, j} , w _{1, i} , w _{2, j} to the confirmer, provided that gcd (N _i , N _j ) = 1 (i ≠
j), gcd (a, b) represents the greatest common divisor of the integers a and b, and Z represents an integer ring. ) 2. As the confirmation processing, the confirmer confirms that i = 1, 2,..., T and j = 1, 2, 2,
.., K, Calculation means for calculating And when v _{2, j} = 0, When v _{2, j} = 1, (However, φ is Chinese remainde
(64) by r theorem The ring isomorphism A plaintext identity certifying device for a plurality of ciphertexts. 15. A recording medium storing a program for performing a process of certifying plaintext identity of a plurality of ciphertexts according to claim 13 and claim 14.