JPH11252065A - Cryptographic key generation device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a generation device which can easily generate a cryptographic key against an opposite party belonging to the same group. SOLUTION: A center 11 successively calculates initial value data GA, GB, GC, GZ of users 12 to 15 by means of secret random numbers which are stored in a memory 22 against ID information IDA, IDB, IDC, IDZ that are proper to the users 12 to 15 respectively. Then the center 11 stores these calculated initial value data in the memories 24, 26, 28 and 30 respectively. The initial value GT is previously generated and sent to the users 12 to 14 for calculating the cryptographic key that is used for a group T19. That is, the initial data GT is calculated against the ID information IDT which is proper to the group T19 by means of the same secret random number that is stored in the memory 22.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for inputting data such as text, voice, image, and program list as a message and encrypting the message to obtain a ciphertext. The present invention relates to generation of an encryption key used as an encryption key and / or a decryption key in outputting the above-mentioned message.

[0002]

2. Description of the Related Art Conventionally, an ID-based encryption method for sharing secret information (for example, a session key used in secret key encryption) by designating a mail address or a name of a partner has been studied. IDNIKS as the method
(Identity-Based Non-Interactive Key Sharing)
Hatsuichi Tanaka, “Identity-Based Non-Interactive Key Sha
ring Using the Difficulty of Solving The Homogeneo
us Simultaneous Equations over GF (P) ”,“ Proceedings of the 20th Symposium on Information Theory and Its Applications ”(SITA9
7), Information Theory and its Application Society, (1997-12)
2), pp. 61-64. In particular,
A final description will be given using mathematical expressions. For example, when starting encrypted communication, secret information is shared based on its own ID information and the ID information of the communication partner. Each individual has a different matrix of n rows and m columns, selects elements of the matrix for each communication partner, and can share secret information between two communication parties by sum and product.

FIG. 9 is an explanatory diagram of a conventional encryption key generation system. In the figure, 101 is a first encryption key generation unit, 102 is a second encryption key generation unit, and 103 is a user unique data creation algorithm. The first encryption key generation unit 101 determines that the user A
The second encryption key generation unit 102 is provided on the user B side, and shows a case where encrypted communication or the like is performed between the user A and the user B. The first encryption key generation unit 101 receives the first data and the ID information ID _B of the user B, generates an encryption key K _AB ^(A) of the user A by an encryption key creation algorithm, and generates a second encryption key. The generation unit 102 receives the second data and the ID information ID _A of the user A, and generates an encryption key K _AB ^(B) of the user B by an encryption key creation algorithm.

[0004] The first data is ID information ID of user A.
The second data is generated by the same user-specific data creation algorithm 103 based on the ID information ID _B of the user _B and the same random number, and is generated by the first user-specific data creation algorithm 103 based on _A and the random number, respectively. These are input to the encryption key generation unit 101 and the second encryption key generation unit 102. User A's encryption key K _AB
^(A) is the same as the encryption key K _AB ^{(B) of the} user B.

[0005] User-specific data creation algorithm 103
Publishing has no effect on security, and keeps the value of the random number secret. Encryption key K _AB ^(A) , K shared between users
_The encryption key generation algorithm for calculating _AB ^(B) is common to the first and second encryption key generation units 101 and 102. The user-specific data creation algorithm 103 is an operation algorithm including operation data excluding secret random numbers and ID information of each of the users A and B. Similarly, the encryption key creation algorithm, ID information ID _A of the person you wish to communicate with the first or second data, refers to the arithmetic algorithm comprising operational data except ID _B. Each of the users A and B has the first
Alternatively, only the second data (parameter value) is kept secret. User A has a first data and a partner to communicate with,
For example, by entering the ID information ID _B of the user B to the encryption key generation algorithm, to obtain sharing of an encryption key for the encryption communication as the user A of the encryption key K _AB ^(A). Similarly, user B
Inputs the second data and the other party to communicate with, for example, the ID information ID _A of the user A to the encryption key creation algorithm, and obtains the shared encryption key as the encryption key K _AB ^(B) of the user B.

First and second encryption key generation units 101 and 102
Can cause a computer to execute an encryption key creation algorithm for generating first and second encryption keys based on first and second data and second and first ID information. The program for this is recorded on a computer-readable recording medium, for example, a memory such as an optical disk, a hard disk, and a ROM. In particular, if the above-described program and the first data are stored in the memory of an IC card having a CPU and a memory, the CPU of the IC card can perform calculations only by inputting the second ID information into the IC card. By doing so, only the encryption key can be output from the IC card, and the confidentiality of the first and second data and the encryption key creation algorithm can be easily maintained.

[0007] In a user-specific data creation algorithm described later using mathematical formulas, a secret random number R having an m-dimensional element and three secret random numbers X, Y and Z having an n-dimensional element are calculated for each user A and B. ID information ID _A , ID _B
And outputs an initial value of a matrix having n × m elements. m and n are determined by the maximum number of users.

FIG. 10 is an explanatory diagram when each user joins a network system in the prior art.
In the figure, 11 is a center, 12 is a user A, 13 is a user B, and 14 is a user C. Center 11 and each user 1
2 to 14 and a network for performing communication between the users 12 to 14 are configured. Each user 12-14 unique ID information, for example address, date of birth, ID information ID _A, such as e-mail address, ID _B, centers ID _C 1
At the same time as registering to 1, it is made available to other users so that other users can use it during communication.

FIG. 11 is an explanatory diagram when a center delivers an initial value to a user in the prior art. In the figure,
The same parts as those in FIG. 10 are denoted by the same reference numerals, and description thereof will be omitted. The center 11 has a center algorithm 21 corresponding to the user-specific data creation algorithm 103 shown in FIG. 9, and creates and distributes an initial value for the users 12 to 14 to calculate an encryption key in advance. Each user 12-1
4 unique ID information ID _A, ID _B, with respect to ID _C, using a secret random number stored in the memory 22, respectively,
The initial value data G _A , G _B , G _C ,
.. Are sequentially calculated and distributed to the users 12 to 14 via a sufficiently secure communication channel.
4, 26, 28. Alternatively, the initial value data may be input to a physically protected and storable and readable device such as an IC card, or a device having more computing power, and the device may be distributed to the users 12 to 14. 23, 25 and 27 are user algorithms owned by the user.

In the case where an algorithm described later using mathematical formulas is used, the center 11 stores m + 3n words (the word is the bit length of the numerical values of R, X, Y and Z) for storing random numbers R, X, Y and Z. A memory 22 having a capacity equal to or larger than the capacity is provided. Of course, ID information ID _A , I unique to each user 12 to 14
D _B, may be stored the ID _C in the memory 22. In addition, the capacity of the above-mentioned IC card only needs to have a capacity of n × m words.

FIG. 12 is an explanatory diagram when performing communication in the prior art. In the figure, the same parts as those in FIGS. 10 and 11 are denoted by the same reference numerals, and the description is omitted. User A shares the shared key with user B, and performs cryptographic communication between the two.

[0012] The user A12 is a common user algorithm 23 to each user, the person you want to communicate, is stored in the memory 24 obtained by the public file such as the ID information ID _B in this case is the user B, the initial value data G _A is input to user algorithm 23 together with _A , and shared encryption key K _AB ^(A)
Create Further, the user B13 also transmits the ID information I of the communication partner user A to the user algorithm 25 common to each user.
Obtained from public file D _B is stored in the memory 26, the user algorithm 25 together with the initial value data G _B
To create a shared encryption key K _AB ^(B) . Then, the encryption unit 31 converts the plaintext into an encrypted text using the encryption key K _AB ^(A) and transmits it to the user B13. The decryption unit 32 converts the encrypted text into the plaintext using the encryption key K _AB ^(B). .

In the above description, an example has been shown in which plaintext is converted into ciphertext and communication is performed, but the encryption key K _AB ^(A) and the encryption key K _AB
^(B) may be used as the master key, and the work key may be encrypted and sent to the other party instead of the plaintext to share a common work key. In the illustrated example, the ciphertext is transmitted from the user A12 to the user B13. Conversely, the encryption unit 31 is provided on the user B13 side and the decryption unit 32 is provided on the user A12 side, or the encryption unit 31 is provided on both sides. And a decoding unit 32 may be provided.

In the above description, only communication between two parties has been described. Next, a case in which three or more parties perform group communication will be described. FIG. 13 is a first explanatory diagram of group communication in the related art. In the figure, the same parts as those in FIG. 10 are denoted by the same reference numerals, and description thereof will be omitted. When performing encrypted communication in a group, the ID information of the group is, for example, I
Decided D _B, user B is a representative of the group, performs group communication this representative as a relay. In the illustrated example, the user A12 has his own initial value data G _A and user B1.
Generates an encryption key K _AB based on the third ID information ID _B, user B13 is, ID of his initial data G _B and the user A
An encryption key K _AB is generated based on the information ID _A. Then, the plaintext from the user A is encrypted with the encryption key K _AB and transmitted to the user B, and the user B13 temporarily returns the plaintext with the encryption key K _AB . The user B13 also has his own initial value data G
And _B, generates an encryption key K _BC based on ID information ID _C of the user C, User C14 generates an encryption key K _BC based on ID information ID _B of their initial value data G _C and user B. Then, the plaintext received from the user A is converted into the encryption key K _BC
Is transmitted to the user C14, and the user C14
_Return to plaintext with encryption key KBC.

FIG. 14 is a second explanatory diagram of group communication in the prior art. In the figure, the same parts as those in FIG. 10 are denoted by the same reference numerals, and description thereof will be omitted. This example is a method of sharing a work key common to a group. In this case, as shown in FIG.
The, first, the encryption communication and share a shared key K _AB of AB, then the same work key KW and cryptographic communication shared key K _BC of BC, easily group common work key KW be transferred one after another Can be made. As shown in FIG. 14B, in the encrypted communication mode, group communication can be performed using the above-described work key KW.

[0016] The conventional encryption key generation method and apparatus are configured as described above. Therefore, LAN
(Local Area Network), wireless systems, etc., to apply to broadcast group communication, define a group representative and perform group communication with this representative as a relay,
Alternatively, the work key KW common to the group is encrypted and shared with the shared key K between the two parties, and then the same work key KW is encrypted and communicated with the shared key K between the other parties, and one after another. Had to be transferred. In the latter case, a communication procedure is required for all members belonging to the group to have a work key common to the group, and more time is required for executing the communication procedure. In addition, when a third party who does not belong to the group broadcasts all members belonging to the group at the same time, the third party generates a shared key between all members belonging to the group and the two, and belongs to the group. You had to create and send a ciphertext for every individual member you did.

[0017]

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above-mentioned problems, and a user is provided with an encryption key between a user belonging to the same group and a user belonging to the group. It is an object of the present invention to provide an encryption key generation device capable of easily generating an encryption key between a user and a user who does not belong to a group. As a result, if applied to group communication, simultaneous group communication and simultaneous broadcasting from a third party to all members of the group can be easily performed.

[0018]

According to the first aspect of the present invention, at least two users among a plurality of users belong to a group having at least first group ID information. , Any two of the plurality of users may use user-specific data generated based on their own user ID information and an encryption key generation algorithm common to the plurality of users, or Using the user encryption key generation algorithm generated based on the ID information, the encryption key generation method of the user belonging to the group in the encryption key generation method for generating the same encryption key between the two based on the other party's user ID information A generation device, comprising: a storage unit and an encryption key generation unit, wherein the storage unit stores user-specific data and the user ID information of the own device. Instead of the group-specific data generated based on the first group ID information, or the user encryption key generation algorithm generated based on the user ID information of the user and the first user ID information instead of the user ID information of the user itself A group encryption key generation algorithm generated based on group ID information is stored, and the encryption key generation unit stores the user unique data stored in the storage unit and an encryption key generation algorithm common to the plurality of users. Using, or using the user encryption key generation algorithm, generating the same encryption key between the two based on the user ID information of the other party, and storing the group unique data and the plurality of Use a common encryption key generation algorithm for the user, or use the group encryption key generation algorithm User ID of the other party
The same encryption key is generated between the two based on the first group ID information or the second group ID information of the group instead of the information, and the group unique data stored in the storage unit is Either use a common encryption key generation algorithm for the plurality of users, or use the group
Generating the same encryption key between the two based on the D information;
Using the user-specific data stored in the storage unit and an encryption key generation algorithm common to the plurality of users, or using the user encryption key generation algorithm and replacing the user ID information of the other party with the second The same encryption key is generated between the two based on one group ID information. Therefore, the user can generate an encryption key from the standpoint of an individual and treating the other party as an individual, as in the related art. Further, it is possible to easily generate an encryption key from the standpoint of a group member and when the other party is also treated as a group member. Furthermore, it is possible to easily generate an encryption key when the other party is treated as an individual as a member of the group and when the other party is treated as a member of the group. As a result, a group encryption key with a partner user belonging to the same group or a group encryption key with a third party not belonging to the same group can be easily generated. Regarding the other users belonging to the same group, only one group encryption key need be generated regardless of the number of users in the same group.

According to the invention described in claim 2, at least two users among the plurality of users belong to a group having at least the first group ID information, and any two users among the plurality of users are Own user I
Using the user-specific data generated based on the D information and an encryption key generation algorithm common to the plurality of users, or using the user encryption key generation algorithm generated based on the own user ID information, An apparatus for generating an encryption key of a user belonging to the group in an encryption key generation method for generating the same encryption key between both based on user ID information, comprising: a storage unit and an encryption key generation unit; The storage unit stores group-specific data generated based on the first group ID information instead of the user ID information of the user, or the user ID of the user.
A group encryption key generation algorithm generated based on the first group ID information is stored in place of the information, and the encryption key generation unit stores the group unique data and the plurality of users stored in the storage unit. Using a common encryption key generation algorithm, or using the group encryption key generation algorithm, and replacing the user ID information of the other party with the first group ID information or the second group ID information of the group. The same encryption key is generated between the two on the basis of the above. Therefore, the user can easily generate an encryption key from the standpoint of a group member and when the other party is treated as a group member. As a result, it is possible to easily generate a group encryption key with a partner user belonging to the same group. Regarding the other users belonging to the same group, only one group encryption key need be generated regardless of the number of users.

[0020] In the invention according to claim 3, at least two of the plurality of users belong to a group having at least the first group ID information, and any two of the plurality of users have Own user I
Using the user-specific data generated based on the D information and an encryption key generation algorithm common to the plurality of users, or using the user encryption key generation algorithm generated based on the own user ID information, An apparatus for generating an encryption key of a user belonging to the group in an encryption key generation method for generating the same encryption key between both based on user ID information, comprising: a storage unit and an encryption key generation unit; The storage unit stores group-specific data generated based on the first group ID information instead of the user ID information of the user, or the user ID of the user.
A group encryption key generation algorithm generated based on the first group ID information is stored in place of the information, and the encryption key generation unit stores the group unique data and the plurality of users stored in the storage unit. Or the same encryption key is generated between the two based on the other party's user ID information using the common encryption key generation algorithm or the group encryption key generation algorithm. Therefore, the user can easily generate an encryption key when the user is a member of the group and treats the other party as an individual. As a result, a group encryption key with a third party who does not belong to the group can be easily generated.

In the invention described in claim 4, at least two users among the plurality of users belong to a group having at least the first group ID information, and any two users among the plurality of users are Own user I
Using the user-specific data generated based on the D information and an encryption key generation algorithm common to the plurality of users, or using the user encryption key generation algorithm generated based on the own user ID information, An apparatus for generating an encryption key of a user who does not belong to the group in an encryption key generation method for generating the same encryption key between both based on user ID information, comprising: a storage unit and an encryption key generation unit; A storage unit stores the user-specific data or the user encryption key generation algorithm, and the encryption key generation unit stores the user-specific data and an encryption key generation algorithm common to the plurality of users, stored in the storage unit. Or the same encryption between the two parties based on the user ID information of the other party using the user encryption key generation algorithm. Generates, stored in said storage unit, the user-specific data and whether to use a common encryption key generation algorithm to the plurality of users, or, using the user encryption key generation algorithm, a user I of the counterpart
The same encryption key is generated between the two based on the first group ID information instead of the D information. Therefore, the user can generate the encryption key from the standpoint of an individual and treating the other party as an individual, similarly to the related art. Further, it is possible to easily generate an encryption key from the standpoint of an individual and when the other party is treated as a member of a group to which this user does not belong. As a result, it is possible to easily generate a group encryption key with a partner user of a group to which this user does not belong. No matter how many users are in this group, it is only necessary to generate one group encryption key.

In the invention described in claim 5, at least two of the plurality of users belong to a group having at least the first group ID information, and any two of the plurality of users are Own user I
Using the user-specific data generated based on the D information and an encryption key generation algorithm common to the plurality of users, or using the user encryption key generation algorithm generated based on the own user ID information, An apparatus for generating an encryption key of a user who does not belong to the group in an encryption key generation method for generating the same encryption key between both based on user ID information, comprising: a storage unit and an encryption key generation unit; The storage unit stores user-specific data generated based on the own user ID information, or a user encryption key generation algorithm generated based on the own user ID information, and the encryption key generation unit includes: The user-specific data stored in the storage unit and a common encryption key generation algorithm for the plurality of users are used, or Using the encryption key generation algorithm, and generates the same encryption key between the two based on the first group ID information instead of the user ID information of the other party. Therefore, the user can easily generate an encryption key when handling the other party as a member of a group to which the user does not belong from an individual standpoint. As a result, it is possible to easily generate a group encryption key with a partner user of a group to which this user does not belong. No matter how many users are in this group,
It is only necessary to generate one group encryption key.

In the invention described in claim 6, a plurality of users belong to a group having at least the first group ID information, and any two users among the plurality of users have the same encryption key between them. An encryption key generation device for the user in an encryption key generation method for generating a key, comprising a storage unit and an encryption key generation unit, wherein the storage unit
And a group encryption key generation algorithm generated based on the first group ID information or the group unique data generated based on the group ID information. Using the common key generation algorithm common to the group-specific data and the plurality of users, or using the group encryption key generation algorithm
D information or a second group ID of the group
The same encryption key is generated between the two based on information. Therefore, the user can easily generate an encryption key between members of the group. Regardless of the number of users, it is only necessary to generate one group encryption key.

In the invention according to claim 7, at least one of a plurality of users belonging to a group having at least the first group ID information and another user who does not belong to the group. An apparatus for generating an encryption key of the group user in an encryption key generation method for generating the same encryption key in between, comprising a storage unit and an encryption key generation unit, wherein the storage unit is configured to store the first group ID. Storing group-specific data generated based on the information or a group encryption key generation algorithm generated based on the first group ID information;
The encryption key generation unit uses an encryption key generation algorithm stored in the storage unit and common to the group-specific data and a plurality of users, or uses the group encryption key generation algorithm, User ID
The same encryption key is generated between the two based on information. Therefore, the user can easily generate an encryption key with a partner who does not belong to the group.
As a result, it is possible to easily generate a group encryption key with a partner who does not belong to the group.

According to the invention described in claim 8, at least one group user among a plurality of users belonging to a group having at least the first group ID information and another user who does not belong to the group. An encryption key generation device for the other user in an encryption key generation method for generating the same encryption key in between, comprising a storage unit and an encryption key generation unit, wherein the storage unit is provided for the other user. User-specific data generated based on user ID information or a user encryption key generation algorithm generated based on the other user's user ID information is stored, and the encryption key generation unit is stored in the storage unit. Done,
Using the user-specific data and an encryption key generation algorithm common to a plurality of users, or using the user encryption key generation algorithm to generate the same encryption key between the two based on the first group ID information Is what you do. Therefore, the user can easily generate an encryption key for a member of a group to which the user does not belong. As a result, it is possible to easily generate a group encryption key for a group to which this user does not belong. No matter how many users are in this group,
It is only necessary to generate one group encryption key.

[0026]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a first embodiment of the present invention will be described. FIG. 1 is an explanatory diagram when each user subscribes to a network system in the first embodiment of the present invention. In the figure, the same parts as those in FIG. 10 are denoted by the same reference numerals, and description thereof will be omitted. Reference numeral 15 denotes a user Z, and reference numeral 19 denotes a group T in which the users 12 to 14 form a group. A network for communication between the center 11 and each of the users 12 to 15 and between each of the users 12 to 15 is configured. Each of the users 12 to 15 has unique ID information, for example, ID information I such as an address, a date of birth, and an e-mail address.
The D _A , ID _B , ID _C , and ID _Z are registered in the center 11 and simultaneously made available to other users so that other users can use them during communication.

[0027] In addition, the unique ID information of the group T19, for example the group name, and the ID information ID _T, such as e-mail address of the group, unique virtual I of the group T19
D information, for example the group name, and at the same time to register the ID information ID _V, such as e-mail address of the group to the center 11, ID _T is also open to all other users, ID _V to the user 12 to 14 belonging to the group T19 Publish and make available to each user during communication.

FIG. 2 is an explanatory diagram when the center delivers an initial value to a user in the first embodiment of the present invention. In the figure, the same parts as those in FIG. 10 and FIG. In FIG. 2, reference numeral 21 denotes a center algorithm for previously creating initial values for calculating encryption keys of users 12 to 15 and group T;
5, 27 and 29 are user algorithms possessed by the respective users 12 to 15, 22 is a memory in which the center 11 records secret random numbers, and 24, 26, 28 and 30 are each user 1
2 to 15 are memories held.

The center 11 prepares and distributes initial values for users 12 to 15 to calculate encryption keys in advance.
Each user 12-15 unique ID information ID _A, ID _B,
Using the secret random numbers stored in the memory 22 with respect to ID _C and ID _Z , initial value data G _A , G _B , G _C , G _Z ,. Distributed to each user 12-15 via a secure communication channel,
Memory 24, 26, 28, 30 for each user 12-15
To memorize. Further, the center 11 has a group T1
User 12 to 14 belonging to 9 is also pre-made and to deliver initial value G _T for calculating the key of encryption for the group T19.

[0030] That is, the group T19 to unique ID information ID _T, using the same secret random number stored in the memory 22, calculates the initial value data G _T groups T19, through adequate secure channel Distributed to the users 12 to 14 belonging to the group T19, and stored in the memories 24, 26, 28 of the users 12 to 14. Initial value data is I
This device may be input to a physically protected and storable and readable device, such as a C-card, or a device having more computing power, and the device may be distributed to the users 12 to 15.

In the case where an algorithm described later is used by using mathematical formulas, the center 11 stores m + 3n words (the word is the bit length of the numerical values of R, X, Y and Z) storing random numbers R, X, Y and Z. A memory 22 having a capacity equal to or larger than the capacity is provided. Of course, ID information ID _A , I unique to each user 12 to 15
_{D B, ID C, ID Z} , ID T, the ID _V Memory 22
May be stored. Further, the capacity of the above-mentioned IC card is n × m word capacity for the user 15,
The users 12 to 14 only need to have a capacity of n × m × 2 words.

FIG. 3 is an explanatory diagram when a user A, a user B, and a user C share a shared key with each other and perform encrypted communication in a group among the three users in the first embodiment of the present invention. It is. In the figure, the same parts as those in FIG. 10, FIG. 1 and FIG. In FIG.
Reference numeral 31 denotes an encryption unit that converts a plaintext into a ciphertext, and 32 denotes a decryption unit that converts a ciphertext into a plaintext.

The virtual ID information ID _V of the group T is also stored in the memory 24 in advance. The user A12 is a common user algorithm 23 to each user, the person you want to communicate, in this case extracts the virtual ID information ID _V group T from the memory 24, and input to the user algorithm 23 together with the initial value data G _T, the shared Create an encryption key K _TV ^(T) . The user B13 also, the ID information of the communication partner to each user common user algorithm 25, in this case taken from memory 24 which has stored the virtual ID information ID _V group T, user algorithm 25 together with the initial value data G _T Enter the shared encryption key K _TV ^(T)
Create Similarly, the user C14 also shares the encryption key K _TV
Create ^(T) . Then, the encryption unit 31 of the user A12
In step ⁽¹⁾ , the plaintext is converted into an encrypted text by using the encryption key K _TV ^(T), and is transmitted to the users B13 and C14 belonging to the group T at the same time.

In the user B 13, the cipher text is converted into a plain text by the decryption unit 32 using the encryption key K _TV ^(T) . The user C14 also converts this ciphertext into the decryption unit 3
In 2, it is converted into plain text by the encryption key K _TV ^(T) . At the head of the ciphertext, information for identifying that the transmission source and the destination as the communication partner are the group T is attached as plaintext, and the users 12 to 14 that have received the ciphertext are:
Recognizing the ID information of the communication partner based on the information of the transmission source,
ID _V can be selected instead of D _A or the like. Further, the information of the destination, rather than the personal mail, recognizes that it is addressed to a group T, the initial value data G instead _B, and selects the initial value data G _T. As described above, if one group encryption key is generated within a group, group communication can be performed by using a representative as a relay or all members belonging to the group can be shared by the group in order to perform simultaneous group communication. A communication procedure for owning the work key is unnecessary.

In the above description, an example is shown in which plaintext is converted to ciphertext and communication is performed. However, an encryption key K _TV ^(T) is used as a master key, and a work key is encrypted and sent to the other party instead of plaintext. A common work key can be shared. In the illustrated example, the ciphertext is transmitted from the user A12 to the user B13 and the user C14. In addition, the decryption unit 32 is provided on the user A12 side, and the encryption unit 31 is provided on the user B13 and the user C14. Simultaneous transmission of ciphertext from user B13 to user A12 and user C14,
The ciphertext may be simultaneously transmitted from 14 to the user A12 and the user B13.

Means for obtaining the shared encryption key K _TV ^(T) by using a mathematical expression can be achieved by a method described later, as briefly mentioned in the conventional example. This method reduces the security to the difficulty of solving a multivariable simultaneous system of equations on a finite field in a method in which a key used for cryptographic communication or storage is created based on ID information, which is personal unique information. This is the encryption key distribution method. Even if multiple users collude, an unknown number remains, and the expression that gives the shared key cannot be solved. The user algorithm is common to all users and has a simple configuration. Initial value data is calculated by the center algorithm.
Since the data is generated in advance using random numbers for user ID information and group ID information, it is easy for each user to generate an encryption key. Furthermore, if at least only the initial value data is kept secret, the encryption key can be generated in a secret state, so that the memory area to be kept secret can be greatly reduced, and the secret key management of the encryption key is easy. Becomes

In the above description, each user stores the virtual ID information ID _V of the group T19 in the memories 24, 26, 2
Removed from the 8, and input to the user algorithm 23, 25, 27 with the initial value data G _T, shared encryption key K _TV
^(T) had been created. Instead, the memories 24, 2
Taking out the ID information ID _T of the group T19 from 6, 28, the user algorithm 23 together with the initial value data G _T
, And the same effect is obtained even if the shared encryption key K _TT ^(T) is created. Virtual ID information ID _V Group T19 may be several sets, the same I each user from among them
What is necessary is just to select and use D information.

Each of the users 12 to 14 also stores the initial value data in the memories 24, 26 and 28 in the same manner as in the prior art. For example, in the user A12, the initial value data G _A is also stored in the memory 24. Therefore, each user belongs to the group T19, but can use his own initial value data as an individual. Further, even if the other user belongs to the same group T19, the other user ID information can be used. That is, the generation of the encryption key can be performed in exactly the same manner as in the related art. The virtual ID information ID _V of the group T19 or the group T19
As a general rule, the ID information ID _{T of the} 19
Although it is different from the D information, it can be set to the same as one of the individual user ID information.

The group T of each user 12-14
As a group dedicated to group communication,
It is also possible to make it possible only to generate an encryption key as a group. Specifically, each user 12, 13, 14
Is the initial value data G _T and the virtual ID of the group T
The information ID _V or the ID information ID _T of the group T is stored in the memories 24, 26, and 28 so that the initial value data and the ID information of the individual cannot be input or stored. Although the above example is an extreme example, only the initial value data is stored in an individual, or only the other party's user ID information is stored in the memories 24, 26, and 28 with arbitrary user ID information. Can be used,
Partially, the same encryption key generation as that of the related art may be performed.

FIG. 4 shows a second embodiment of the present invention, in which a user who does not belong to a group shares a shared key with a user who belongs to the group, and performs encrypted communication between the outside of the group and the group. It is explanatory drawing at the time of performing. In the figure, FIG.
0, and the same parts as those in FIG. 1 and FIG. 31 is an encryption unit for converting plaintext into ciphertext,
Reference numeral 32 denotes a decryption unit that converts a cipher text into a plain text. The user Z15 does not belong to the group T19, but is in the group T19.
A12, user B13, user C1 belonging to
4 and a shared key, and performs encrypted communication with the group T19 from outside the group T19. Each user joins the network system in the same manner as in the first embodiment shown in FIG. When the center delivers the initial value to the user, it is the same as in the first embodiment shown in FIG.

The user Z15 is a common user algorithm 29 to each user, the person you want to communicate, is stored in the memory 30 and obtained by the public file such as the ID information ID _T in this case is a group T, the initial value data G Input to the user algorithm 29 together with _Z and the shared encryption key K _ZT
Create ^(Z) . Further, the user A12 also stores the user ID information I of the communication partner in the user algorithm 23 common to each user.
The D _Z are obtained from the public file may be stored in the memory 24, initial data G _T with user algorithm 23
To create a shared encryption key K _ZT ^(T) . Similarly to the user A12, the users B13 and C14 also generate a shared encryption key K _ZT ^(T) .

Then, in the encryption unit 31 of the user Z15, the plaintext is converted into an encrypted text by using the encryption key K _ZT ^(Z) .
The transmission is simultaneously performed to the users A12, B13, and C14 belonging to the group T. In the user A12,
The cipher text is converted into plain text by the decryption unit 32 using the encryption key K _ZT ^(T) , and the user B 13 and user C 14 also convert the cipher text into plain text by the decryption unit 32 using the encryption key K _ZT ^(T). . At the beginning of the ciphertext, information for identifying that the transmission source, which is the communication partner, is Group T and information for identifying that the destination is Group T are attached as plaintext. User 12
14 to 14 indicate the ID information of the communication partner according to the information of the transmission source,
Recognizing that it is addressed to group T based on the destination information,
Using the initial value data G _T and the user ID information ID _Z. As described above, if a group encryption key is generated,
A third party who does not belong to the group does not generate a shared key between all the members belonging to the group and the two parties,
One shared key common to the third party and all members belonging to the group is mutually generated, and simultaneous broadcasting can be easily performed using the generated shared key.

In the above description, an example in which plaintext is converted to ciphertext for communication has been described. However, the encryption keys K _ZT ^(Z) and K _ZT ^(T) are used as master keys, and work keys are encrypted instead of plaintext. And send it to the other party to share a common work key.
Means for obtaining the shared encryption keys K _ZT ^(Z) and K _ZT ^(T) by using mathematical formulas can be obtained by the method described later in the conventional example, as in the first embodiment.

As in the first embodiment described above, each of the users 12 to 14 and 15 stores the same initial value data in the memories 24, 26, 28 and 30 as in the prior art. Accordingly, each of the users 12 to 14 belongs to the group T19, but can use its own initial value data as an individual. Further, the user Z15 can treat the other party to the users 12 to 14 belonging to the group T19 as an individual and use the other party's user ID information. That is, the generation of the encryption key can be performed in exactly the same manner as in the related art. The ID information ID of the group T19
_T is, in principle, different from the individual user ID information, but can be set to the same as one of the individual user ID information.

The group T1 of each user 12-14
9 may be a group dedicated to group communication with the user Z15, and each of the users 12 to 14 may be able to generate only an encryption key as a group. Specifically, each user 12 to 14, the initial value data G _T, and the memory ID information ID _Z user Z15 24,2
6, 28, so that it is impossible to input or store initial value data as an individual and ID information of a partner user. Only the initial value data is stored in the personal data, and the user ID information of the other party is stored in the memories 24, 26, and 28 so that the user ID information can be used. The encryption key may be generated.

FIG. 5 is an explanatory diagram of a center according to the third embodiment of the present invention. In the figure, reference numeral 11 is conceptually similar to the center in FIG. 10, but specific processing performed internally is different. Center 11 is the center algorithm G
And keep it secret. In this embodiment, a method for creating secret information (encryption key) described in Japanese Patent Application Laid-Open No. 63-36634 is used. Description of a specific center algorithm G and a method of generating a secret algorithm will be omitted.

FIG. 6 is a configuration diagram when each user subscribes to the network system in the third embodiment of the present invention. In the figure, parts that are conceptually similar to those in FIGS. 10 and 1 are given the same reference numerals, and descriptions thereof are omitted. Center 11
And each user 12-15, and each user 12-15
A network for performing communication between them is configured. Each user 1
2 to 15 are unique ID information, for example, address, date of birth,
ID information ID _A , ID _B , ID such as e-mail address
_C and ID _Z are registered in the center 11. At the same time, it is made available to other users so that other users can use it during communication. Further, unique ID information of the group T19, such as the group name and the group e-mail address
And D information ID _T, group-specific virtual ID information of T19, for example the group name, to register the ID information ID _V, such as e-mail address of the group to the center 11. ID _T
Is disclosed to all other users, and the ID _V is disclosed to users 12 to 14 belonging to the group T19 so that each user can use it during communication.

The center 11 has secret algorithms X _A , X _B , X for users 11 to 15 and for group T.
_C, X _Z, the _{X T, X A = G (} ID A), X B = G (ID B), X C = G (I
D _C ), X _Z = G (ID _Z ), X _T = G (ID _T ), etc., using the center algorithm and ID information, X _A being only for user _A 12, X _B being for user B 13
Only, X _C is only the user C14, X _Z user Z1
Only to 5, the user X _T belongs to a group T19 1
An algorithm specific to each user or a secret algorithm specific to a group is distributed to each user, for example, only to 2 to 14. Each user keeps the secret algorithm received from the center 11 secret.

FIG. 7 is an explanatory diagram showing a state in which secret information is shared by calculation among users belonging to group T in the third embodiment of the present invention. In the figure, FIG.
0, parts that are conceptually similar to those in FIG. In the figure, when the user 12 to 14 belonging to the group T19 wants to share secret information K _TV, each user, respectively, K _TV = as in X _T (ID _V), unique virtual ID information ID _V Group T19
And, to calculate the secret information K _TV by using a secret algorithm X _T of the group T, which he is held. In the above description, each user is assigned the virtual ID information ID of the group T.
It had created the secret information K _TV by using a secret algorithm X _{T to V} and he is held. Alternatively, the same effect can be obtained by creating secret information K _TT using ID information ID _{T of} group T and secret algorithm X _T.

FIG. 8 shows a fourth embodiment of the present invention, in which a user who does not belong to a group shares a shared key with a user who belongs to the group, and performs encrypted communication between the outside of the group and the group. It is explanatory drawing at the time of performing. In the figure, FIG.
0, parts that are conceptually similar to those in FIG. Users belonging to the group share confidential information by calculation.

The center 11 of this embodiment is the same as the center shown in FIG. 5, and the center 11 generates a center algorithm G and keeps G secret. The secret information is shared by calculation between the users 12 to 14 belonging to the group T19. Each user joins the network system in the same manner as in the third embodiment shown in FIG. Therefore, each user 12-15
Registers the unique ID information ID _A , ID _B , ID _C , ID _Z to the center 11 and simultaneously discloses it to other users so that other users can use the information at the time of communication. Furthermore, at the same time that the unique ID information ID _T of the group T19 is registered in the center 11, the ID _T is also made available to all other users so that the users can use them during communication.

[0052] Center 11, a secret algorithm of the user 11 to 15 and for the group _{T X A, X B, X} C, X Z,
Let X _T be X _A = G (ID _A ), X _B = G (ID _B ), X _C = G (I
D _C ), X _Z = G (ID _Z ), X _T = G (ID _T ), etc., using the center algorithm and ID information, X _A being only for user _A 12, X _B being for user B 13
Only, X _C is only the user C14, X _Z user Z1
Only to 5, the user X _T belongs to a group T19 1
Distribute each user a secret algorithm specific to each user or a group-specific secret algorithm, for example, only 2-14. Each user keeps the secret algorithm received from the center 11 secret.

Returning to FIG. If the user Z15 not belonging to the user 12-14 and groups T19 belonging to the group T19 wants to share secret information K _ZT, respectively, as in the _{K ZT = X T (ID Z} ) K ZT = X Z (ID T), For the users 12 to 14, the ID of the user Z15
The secret information K _ZT is calculated using the information ID _Z and the secret algorithm X _T of the group T owned by the user Z.
In 15, it calculates secret information K _ZT by using a secret algorithm X _Z a unique ID information ID _T and his group T19 owns.

As described above, in the third and fourth embodiments, each of the users 12 to 14 generated by the center 11
And the method of generating an encryption key for each user are significantly different. However, if attention is paid to the fact that the relationship between the own ID information and the other party's ID information is similar, a common method can be applied as a method for obtaining a group encryption key using the group ID information.

As in the first and second embodiments described above, each of the users 12 to 14 and 15 also has the same secret algorithm as the conventional one. Therefore, each user 12-
14 belongs to the group T19, but can use its own initial value data as an individual. The user Z15 includes the users 12 to 12 belonging to the group T.
14, the other party is treated as an individual, and the other party's I
As the D information, individual user ID information can be used. That is, the generation of the encryption key can be performed in exactly the same manner as in the related art. Note that the ID information ID _T of the group T19
Is different from the individual user ID information in principle, but it is also possible to set the same as one of the individual user ID information.

The group T1 of each of the users 12 to 14
9 may be a group dedicated to group communication with the user Z15, and each of the users 12 to 14 may be able to generate only an encryption key as a group. Specifically, each user 12 to 14, the initial value data G _T, and a memory 24 the ID information ID _Z user Z,
28, so that the initial value data as an individual and the ID information of the partner user cannot be input or stored. Only the initial value data is stored as personal data, and as for the other party's user ID, the user ID information of any user is stored in the memories 24, 26, and 28, and the data can be used. The same encryption key generation as described above may be performed.

Finally, regarding the method of generating an encryption key mentioned in the description of the prior art, means for obtaining shared encryption keys K _AB ^(A) and K _AB ^(B) using mathematical expressions will be described in detail. In the following example, in a method in which a key used for cryptographic communication or storage is created based on ID information that is personal unique information, the security is reduced to the difficulty of solving multivariable simultaneous equations on a finite field. This is the method of delivering the encrypted key. Even if multiple users collude, an unknown number remains, and the expression that gives the shared key cannot be solved.

First, the center 11 shown in FIG. 10 receives the initial value data G _l (l = A, B,
(C,...) Will be described. Let P be a large prime number. Let _{IDl be} information unique to each user. However, the suffix l (lowercase letter L) indicates a user with l = A, B, C,. Here, f (ID _l ) and h (ID _l ) represent two (binary) m-dimensional and n-dimensional vectors v _l ^(f) and v _l ^(h) generated from ID _l , respectively. Let it be a hash function. ^Let Hamming weights W _H of v _l ^(f) and v _l ^(h) be d and e, respectively.

That is,

(Equation 1) here,

(Equation 2) It is. Similarly,

(Equation 3) here,

(Equation 4) Here, gcd {e, P-1} = 1, that is, e and P−
1 is relatively prime. gcd represents the greatest common divisor.

A vector having a constant Hamming weight e is described in the literature.
Masao Kasahara, Hatsuichi Tanaka, "Digital Communication Engineering", Shokodo p. It can be easily created by applying the Shalkwijk algorithm described in detail in 53-56. FIG. 15 is an explanatory diagram showing a simple example of the Shalkwijk algorithm. A pattern 00101 is shown when the code length N = 5 and the Hamming weight is 2. Here, the hash function and the hash value (H) are a function for compressing a long ID such as a name or a telephone number and digitally expressing the ID and a function value thereof, and a compression process for converting the ID to a constant value and the value. . From that number,
In order to convert them into patterns of v _l ^(f) and v _l ^(h) , m-bit and n-bit, respectively, for example, the algorithm of Shalkwijk is used.

First, the hash value (H) itself is different for each user. Since there is a case where the same value is taken with very little probability, the center checks the numerical value and monitors it so that it does not collide, and if it becomes the same, corrects the ID and takes another hash. This hash value (H)
Is set as a value called a pass count value or a pointer value of the algorithm of Shalkwijk. Then e
Is determined so that gcd {e, P-1} = 1. The value of e is made public. Also decide d appropriately and make it public. Where d,
Since e is related to the number of IDs, it is necessary to take a sufficiently large value. The relationship between m, n, and the number of IDs will be described later.

2 having an appropriate hash value (H), that is, a pointer value, and having hamming weights d and e, respectively.
A method of determining the original vector patterns v _l ^(f) and v _l ^(h) will be described with reference to FIG. 15 with respect to v _l ^(h) , where e = 2 and hash value (H) = 8. From FIG. 15, it can be seen that there are ten patterns with length N = 5 and weight w = 2. With this number 10 as a starting point, the numbers (pascal triangular numbers) in the table are considered as addresses. Follow the arrows to determine the pattern. When the hash value (H), that is, the pointer value is selected to be 8, the value 6 at the upper right is inversely subtracted from the pointer value 8 from the address 10 having the weight w = 2.
If the remainder is positive, move left; if negative, move right. When moving up to the left, the pointer value decreases by the value at the top right.

In this case, since it is 8-6 = 2, it goes up to the left, the address becomes 4, and the pointer value becomes 8-6 = 2. Subtracting the upper right 3 from this pointer value 2 gives 2-
Since 3 = −1, which is negative, the address goes up to the upper right and becomes address 3. At this time, the pointer value does not change. Subtract the right upper 2 from the pointer value 2. Since it is not positive when 2-2 = 0, it rises to the right and rises to the top. Then, a binary vector pattern = 0, 0, 1, 0, 1 is obtained. This is the required v _l ^(h) . For details, see the above-mentioned document. v _l ^(f) is similarly obtained. The above is the basic system for determining the binary vector patterns v _l ^(f) and v _l ^(h) .

The value of e has a restriction of gcd {e, P-1} = 1, but d has no such restriction. Therefore, as a modified system, regarding v _l ^(f) , the hash value (H) may not be converted by the Shalkwijk algorithm, but may be directly developed into a binary number, and this may be used as a binary vector pattern as it is. If it is expanded to a binary number and its weight becomes dl, then for the binary vector pattern of v _l ^(f) , _m C
_{From d} ways, it becomes 2 ^{m in} the case of the deformation system.
Therefore, a large number of user IDs can be obtained.
Number UN of users with different user ID, when the base system, from _{UN = n C d × n C} e, the UN = 2 ^m × _n C _e in the case of deformation system. Note that d _l does not need to be made public.

FIG. 16 is a diagram showing a specific example of m and n, the memory capacity M, and the number of users UN. As is apparent from this figure, when d is improved to d _l , the memory capacity M =
Even if n × m is the same, the number UN of users that can be taken increases. 2
From the original constant weight vectors v _l ^(f) and v _l ^(h) , two index sets J _l ^(f) and J _l ^(h) are defined as follows.

(Equation 5)

(Equation 6)

Here, one m-dimensional random number R such as
And three n-dimensional random numbers X, Y and Z are introduced.

(Equation 7)

(Equation 8)

(Equation 9)

(Equation 10)

Then, at the center, the following equations (3),
(4), (5), and (6) are calculated.

[Equation 11]

(Equation 12)

(Equation 13)

[Equation 14]

Here, for R _l , Y _l , and Z _l , m
od P, but for X _l , mod (P
-1) is calculated. Since X _l is a power number, X _l
Since it is necessary to remove = 0, it is reduced by one.
From the above equations (3), (4), (5), and (6), n × m initial values g _l (j, k) are obtained as in the following equations.

(Equation 15) Here, e ^-1 indicates the reciprocal of e in mod P. That is, e · e ⁻¹ = 1 (mod P). When represented by an n × m matrix, the following expression is obtained.

(Equation 16) Ultimately, the trusted center will provide public information,
｛P, f, h, e, d, IDl (l = A, B, C,
…) Publish｝ in a public file. Also, each user l =
A, B, C .... through a secure communication path or IC
_Gl is distributed by a recording medium such as a card.

Next, calculation on the side of the users 12 and 13 will be described. Consider a case where the user A12 shares the shared key K _AB with the user B13. First, the user A calculates f (ID _B ) and h (ID _B ) shown in the following equations using the ID _{B of} the user B obtained from the public file and the two one-way functions f and h.

[Equation 17]

(Equation 18) Here, b _k ^(f) and b _j ^(h) ＧＦ GF (2). Then, those index sets shown in the following equation are obtained.

[Equation 19]

(Equation 20)

Then, the user A12 can share the shared key K _AB ^(A) with the user B by the following operation.

(Equation 21) From the third expression of the aforementioned (9) to the fourth equation, the Z _A (e-1) th power multiplication X _j of Y _A, the y _j X
_A power of each (e-number) the result of multiplying each other for, respectively Z _A, multiply X _B of Y _A, guided by the multiplication X _A of Y _B.

Similarly, the user B sets the ID _A to the one-way ha
The following equation is calculated by inputting to the sh functions f and h.

(Equation 22)

(Equation 23) By f (ID _A ) and h (ID _A ) described above,
J _A ^(f) and J _A ^(h) are obtained. Therefore, the user B13
Can be calculated in exactly the same way by calculating the following equation.

(Equation 24) Therefore, K _AB ^(B) = K _AB ^(A) , and a shared key K _AB between A and B is generated.

In the above-described method, the center algorithm 21 is made public even if it is made public without affecting the security.
Since the center 11 only keeps the set of random numbers R, X, Y, Z secret, it is possible to greatly reduce the area of the design and the memory 22 that needs to keep secret. . On the other hand, each of the users 12 to 14 has a user algorithm 23, 25, 2 for calculating a shared key between the users.
7 has the advantage of being common. Here, the center algorithm is an arithmetic algorithm represented by the equations (1) to (7) and including arithmetic data excluding a secret random number of the center 11 and ID information of each user. Similarly, the user algorithm is an arithmetic algorithm represented by the formulas (1), (2), (9) and the like, including initial value data distributed from the center 11 and arithmetic data excluding ID information of a partner to communicate with. Say. Each user 12-14 initial value data (parameter values) that are distributed in preparation for system holds G _l only secret. Each user inputs his / her ID information and the ID information of a partner who wants to communicate with the user algorithm to obtain a shared key for encrypted communication.

In the conventional example, no matter how many users collude, it is impossible to solve algebraically because the number of independent equations for obtaining a key does not exceed the number of unknowns. If solved numerically, all variables have GF (p) (the original number is p
There is a method to check whether the equation is satisfied by sequentially entering all possible values of (which represents Galois fields). However, to do this, (1/2) P） 3n +
A calculation amount of about m｝ times is required. The bit size of P is desirably large enough to make this calculation impossible.
In practice, about 30 bits is sufficient.

It is considered that one of the users and another user's shared key are illegally obtained from the above equation (7). R in equation (7)
_{k, x j, y j,} R from z _j, X, Y, index set Jα Mr and Mr Newsletter Z alpha beta ^(f) , Jα ^(h) , Jβ
^(f) , Jβ Consider obtaining a shared key using ^(h) . Set r _k of the formula (7) by a user of the collusion, x _j, y
It depends on whether it can be solved at _j and z _j . The next (1
1) Consider solving the equation.

(Equation 25) c _j (k, s) is a certain because it is known values described above in order to obtain a relational expression of z _j (j the considered fixed) and _{r k (0 ≦ k ≦ m} -1) (11) Equation solve. In equation (11), the number of unknowns is (m + 1). But c
_j (k, s) = c _j (k, 0) c _j (0, s) (mod
P) and c _j (0, s) = c _j (s, 0) ⁻¹ (m
od P), the number of independent equations is m-1. Therefore, these independent equations are given by the following equation (12).

(Equation 26) (12) equation, do not solve the z _j and r _k, it can not be obtained relationship between the two unknowns. J in equation (11)
If is a variable, more independent equations are available, but as the number of independent equations increases, the number of unknowns also increases.

First, the following equation (13) is obtained using the equation (11).

[Equation 27] c _s ^* (j, t) is a known number. Here, by a similar argument as discussed above, an independent equation is

[Equation 28] It is. Thus, the number of independent equations is m + n-2. However, the number of unknowns is m + n. Therefore (11)
Formula is to not be solved even for r _k also for z _j, can not be obtained relationship of any two of the unknowns.

As another method, consider solving equations (9) and (10) in association with user α. These equations are a typical system of simultaneous equations on a finite field, and nx
m unknowns gα (J, k). To reduce the unknowns to solve this, it is necessary to solve a high-order equation whose coefficients include some unknowns, such as the following equation, which is extremely difficult.

(Equation 29)

A simplified system in which the random numbers X, Y, Z, and R of the center are omitted and X and Y are removed, for example, is considered. The shared key between A and B is K _AB = Z _A * Z _B (mod P). If A and B collude and attempt to provide keys for user s and user t,

[Equation 30] Thus, a shared key for the users s and t is generated.

The equations such as (7), (9) and (10) are called simultaneous simultaneous equations. The unknowns are r _k , x _j ,
y _j and z _j . Since the equations (7), (9), and (10) have complicated shapes, examples of simple simultaneous simultaneous equations are shown. C ₁ = X ₁ X ₂ X ₃ + X ₁ X ₃ X ₄ + X ₁ X ₅ X ₆ + X ₂ X ₄ X ₆ + X ₁ X ₃ X ₆ + X ₃ X ₄ X ₆ C ₂ = X ₂ X ₃ X ₄ + X _{2 X 4 X 5 + X 2 X} 5 X 6 + X 1 X 3 X 5 + X 2 X 4 X 5 + X 3 X 5 X 6 C 3 = X 3 X 4 X 5 + X 3 X 5 X 6 + X 1 X 3 X 5 + X _{1 X 2 X 6 + X 2} X 3 X 6 + X 2 X 5 X 6 C 4 = X 4 X 5 X 6 + X 1 X 3 X 5 + X 2 X 4 X 6 + X 2 X 3 X 5 + X 3 X 5 X 6 _{+ X 2 X 4 X 5 C} 5 = X 1 X 5 X 6 + X 2 X 5 X 6 + X 3 X 5 X 6 + X 2 X 4 X 6 + X 2 X 5 X 6 + X 3 X 4 X 6 C 6 = X 4 _{X 5 X 6 + X 3 X} 4 X 6 + X 2 X 3 X 6 + X 2 X 5 X 6 + X 1 X 3 X 5 + X 2 X 4 X 5

[0079] This _{equation, C 1, C 2, ···} , C 6 is _{known, X 1, X 2, ···} , X 6 is unknown, the number of equations 6
This is called a homogeneous equation in which the order of the unknown is 3. This can be solved algebraically, but not as an algorithm.
For _{example, X 1, X 2, ···} , solve and checks established by sequentially substituting all possible values in the X _6. But,
It takes astronomical numbers. Even if the attacker assembles the equations from the information obtained by unauthorized means, if it all comes down to the problem of solving such a simultaneous system of equations, if the security of cryptography is a system of simultaneous systems using multivariate polynomials, It is based on the difficulty of solving.

Here, each user 12, 1 is sent from the center 11.
The relationship between m and n and the number of users of G _l (i, j), which is the initial value data distributed to No. 3, is obtained. If e is not fixed in the system, the system cannot be established. To make the key different for each communication partner, J _l ^(f) and J _l ^(h)
Must be different. The same key is generated for the partner whose value matches, and must be avoided.

When m, n, e, and d are fixed, how many different keys can be generated is calculated. The combination taking d from m is as follows.

(Equation 31) The combination that takes e from n is

(Equation 32) The number T of communication partners having different numbers is a multiplication value of the value of Expression (11) and the value of Expression (12), and

[Equation 33] By applying specific numerical values, m = 16, n = 16, d
= 8, e = 8, resulting in approximately 165 million users.

In the above description, an encryption key is used as an encryption key and / or a decryption key in a security maintaining mechanism using encryption. However, the above-described encryption key can also be used as a message generation key for messages and a message inspection key for messages in an authentication mechanism using encryption. In addition, the present invention is not limited to a confidentiality mechanism and an authentication mechanism in communication, but can be used in a confidentiality mechanism or an authentication mechanism for storing a message in a recording medium such as an optical disk, a hard disk, or a semiconductor memory. With the above-mentioned shared encryption keys K _AB ^(A) and K _AB ^(B) , it is easy to generate an encryption key and manage confidentiality, and it is also easy to centrally manage data that is the basis of the shared encryption key. is there. The shared encryption key (shared key) refers to a key that the user wants to share, and the key itself may be a common key or a public key. In other words, a common key system such as DES encryption means a common key, and a public key system such as RSA encryption means a secret key (a secret decryption key, and in the case of authentication, a secret message inspection key). I do. In the public key method, it can be said that the encryption key and the message generation key are already shared by the public file.

[0083]

According to the present invention, as is apparent from the above description, a group encryption key between a partner belonging to the same group and a group encryption key between a user belonging to the group and a user not belonging to the group are provided. Can be generated. The above-described group encryption key is not generated by a special method, but is generated by the same method as the encryption key in the related art, so that the generation is easy. As a result, if applied to group communication, simultaneous group communication and simultaneous broadcasting from a third party to all members of the group can be easily performed.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram when each user subscribes to a network system in a first embodiment of the present invention.

FIG. 2 is an explanatory diagram when a center delivers an initial value to a user in the first embodiment of the present invention.

FIG. 3 is an explanatory diagram of a case where a plurality of users share a shared key with each other and perform encrypted communication in a group among the users in the first embodiment of the present invention.

FIG. 4 is a diagram illustrating a second embodiment of the present invention when performing encrypted communication between a group outside and a group.

FIG. 5 is an explanatory diagram of a center in a third embodiment of the present invention.

FIG. 6 is a configuration diagram when each user joins a network system in a third embodiment of the present invention.

FIG. 7 is an explanatory diagram of a state in which secret information is shared by calculation among users belonging to a group in the third embodiment of the present invention.

FIG. 8 is a diagram illustrating a fourth embodiment of the present invention when performing encrypted communication between a group outside and a group.

FIG. 9 is an explanatory diagram of an encryption key generation method according to the related art.

FIG. 10 is an explanatory diagram when each user subscribes to a network system in the prior art.

FIG. 11 is an explanatory diagram when a center delivers an initial value to a user in the related art.

FIG. 12 is an explanatory diagram when performing communication in the related art.

FIG. 13 is a first explanatory diagram of group communication in the related art.

FIG. 14 is a second explanatory diagram of group communication in the related art.

FIG. 15 is an explanatory diagram showing a simple example of the Shalkwijk algorithm.

FIG. 16 is a diagram showing a specific example of m and n, a memory capacity M, and the number of users UN.

[Explanation of symbols]

11 centers, 12-15 users A, B, C, Z,
21 Center algorithm, 22, 24, 26, 2
8, 30 memory, 23, 25, 27, 29 user algorithm, 31 encryption unit, 32 decryption unit, 101
A first encryption key generation unit, 102 a second encryption key generation unit,
103 User-specific data creation algorithm

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] March 29, 1999

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] Claims

[Correction method] Change

[Correction contents]

[Claims]

[Procedure amendment 2]

[Document name to be amended] Statement

[Correction target item name] 0018

[Correction method] Change

[Correction contents]

[0018]

In order to solve the above-mentioned problems, according to the first aspect of the present invention, a center is provided.
, Each published user ID for multiple users
Information, a group composed of a part of the plurality of users
Public first group ID information for
And a second group that is only disclosed within said group
ID information is registered, and based on the ID information and a secret random number.
Data creation algorithm that generates secret unique data
Using rhythm, the user ID information and the first group
ID information as the ID information, respectively.
Generates existence data and group-specific data, and
Distribution of the data to the user having the user ID information.
And transmits the group-specific data to the group.
To each of the users belonging to the group,
In each case, the user ID information of the other user
Information, the first group ID information, the second group
User specific data based on any of the ID information
Alternatively, the first group-specific data and the plurality of users
Using the common encryption key generation algorithm on THE, ID-based encryption key generation method for generating an identical encryption key between them a generator of cryptographic key of the user to be used for, the storage unit and the encryption key has a generation unit, the storage unit, the user <br/> the specific data, and stores the group-specific data, the encryption key generating unit, position of the members of the group
And treat the other party as a member of the group
When generating the same encryption key between parties,
Based on the second group ID information that is disclosed only inside the
There are, stored in said storage unit, it said have use the group-specific data and the previous SL encryption key generation algorithm, generates the same encryption key between the two, the encryption key generating unit, the Group
With the user outside the group as a member of the group
When generating the same encryption key between the
Based on the user ID information of the user outside the group,
Wherein stored in the storage unit, the have use the group-specific data before and <br/> Symbol encryption key generation algorithm, and generates the same encryption key between the two. Therefore, user-specific
Because the data is stored, the user can continue to use
In addition to being able to generate an encryption key when treating individuals as individuals and as individuals , unprecedented groups
Because the unique data is stored, it is only available within the group.
Based on the opened second group ID information, it is possible to easily generate an encryption key for a member of a group and for a partner to be treated as a member of the group. Also,
Since the group-specific data is stored, it is possible to generate an encryption key from the standpoint of a member of the group and treating the other party as an individual outside the group . In this case,
Hand encrypts using the first group ID information that is disclosed
Generate a key. Before the secrets that need to be generated in the center
The number of the group-specific data may be one as in the related art. As a result, a group encryption key with a partner user belonging to the same group or a group encryption key with a third party not belonging to the same group can be easily generated.

[Procedure amendment 3]

[Document name to be amended] Statement

[Correction target item name] 0019

[Correction method] Change

[Correction contents]

[0019] In the invention described in claim 2, claim
2. The encryption key generating apparatus according to claim 1 , wherein the second group
Group ID information is registered in the center.
And the other party is also a member of the group
The same cipher between the two
This is selected and used when generating a key . Therefore, as a member of the group and the other party,
When handling as a member of a loop, multiple types of encryption keys
Can be generated.

[Procedure amendment 4]

[Document name to be amended] Statement

[Correction target item name] 0020

[Correction method] Deleted

[Procedure amendment 5]

[Document name to be amended] Statement

[Correction target item name] 0021

[Correction method] Deleted

[Procedure amendment 6]

[Document name to be amended] Statement

[Correction target item name] 0022

[Correction method] Deleted

[Procedure amendment 7]

[Document name to be amended] Statement

[Correction target item name] 0023

[Correction method] Deleted

[Procedure amendment 8]

[Document name to be amended] Statement

[Correction target item name] 0024

[Correction method] Deleted

[Procedure amendment 9]

[Document name to be amended] Statement

[Correction target item name] 0025

[Correction method] Deleted

[Procedure amendment 10]

[Document name to be amended] Statement

[Correction target item name] 0037

[Correction method] Change

[Correction contents]

In the above description, each user stores the virtual ID information ID _V of the group T19 in the memories 24, 26, 2
Removed from the 8, and input to the user algorithm 23, 25, 27 with the initial value data G _T, shared encryption key K _TV
^(T) had been created. Instead, the memories 24, 2
Taking out the ID information ID _T of the group T19 from 6, 28, the user algorithm 23 together with the initial value data G _T
To create a shared encryption key K _TT ^(T).
You. Virtual ID information ID _V Group T19 may be several sets, each user may be used to select the same ID information from among them.

[Procedure amendment 11]

[Document name to be amended] Statement

[Correction target item name] 0038

[Correction method] Change

[Correction contents]

Each of the users 12 to 14 also stores the initial value data in the memories 24, 26 and 28 in the same manner as in the prior art. For example, in the user A12, the initial value data G _A is also stored in the memory 24. Therefore, each user belongs to the group T19, but can use his own initial value data as an individual. Further, even if the other user belongs to the same group T19, the other user ID information can be used. That is, the generation of the encryption key can be performed in exactly the same manner as in the related art. The virtual ID information ID _V of the group T19 or the group T19
ID information ID _T of 19, you different from the individuals of the user ID information.

[Procedure amendment 12]

[Document name to be amended] Statement

[Correction target item name] 0046

[Correction method] Change

[Correction contents]

FIG. 5 shows a group using the group ID information .
FIG. 21 is an explanatory diagram of a center in another method of obtaining a cryptographic key . In the figure, reference numeral 11 is conceptually similar to the center in FIG. 10, but specific processing performed internally is different. Center 1
1 generates a center algorithm G and keeps it secret. In this embodiment, a method for creating secret information (encryption key) described in Japanese Patent Application Laid-Open No. 63-36634 is used. Description of a specific center algorithm G and a method of generating a secret algorithm will be omitted.

[Procedure amendment 13]

[Document name to be amended] Statement

[Correction target item name] 0047

[Correction method] Change

[Correction contents]

FIG. 6 shows a group using the group ID information .
FIG. 13 is a configuration diagram when each user joins a network system in another method for obtaining a cryptographic key . In the figure, parts that are conceptually similar to those in FIGS. 10 and 1 are given the same reference numerals, and descriptions thereof are omitted. Center 11 and each user 12-15
A network for performing communication between users and between the users 12 to 15 is configured. Each user 12-15 has a unique I
D information, for example, ID information ID _A , ID _B , ID _C , ID _Z such as an address, a date of birth, and an e-mail address are registered in the center 11. At the same time, it is made available to other users so that other users can use it during communication. In addition, unique ID information of the group T19, for example the group name, and the ID information ID _T, such as e-mail address of the group, unique virtual ID information of the group T19, for example the group name,
To register the ID information ID _V, such as e-mail address of the group to the center 11. ID _T is open to all other users, and ID _V is the users 12 to 14 belonging to the group T19.
And make it available to each user during communication.

[Procedure amendment 14]

[Document name to be amended] Statement

[Correction target item name] 0049

[Correction method] Change

[Correction contents]

FIG. 7 shows a group using the group ID information .
FIG. 21 is an explanatory diagram showing a state in which secret information is shared by calculation among users belonging to a group T in another method for obtaining a cryptographic key . In the figure, parts that are conceptually similar to those in FIGS. 10 and 1 are given the same reference numerals, and descriptions thereof are omitted. In the figure, when the user 12 to 14 belonging to the group T19 wants to share secret information K _TV, each user, respectively, K _TV = as in X _T (ID _V), unique virtual ID information ID _V Group T19
And, to calculate the secret information K _TV by using a secret algorithm X _T of the group T, which he is held. In the above description, each user is assigned the virtual ID information ID of the group T.
It had created the secret information K _TV by using a secret algorithm X _{T to V} and he is held. Alternatively, the same effect can be obtained by creating secret information K _TT using ID information ID _{T of} group T and secret algorithm X _T.

[Procedure amendment 15]

[Document name to be amended] Statement

[Correction target item name] 0050

[Correction method] Change

[Correction contents]

FIG. 8 shows a group using the group ID information .
FIG. 21 is an explanatory diagram of another method of obtaining a cryptographic key when a user who does not belong to a group shares a shared key with a user who belongs to the group and performs cryptographic communication between the outside of the group and the group. In the figure, parts that are conceptually similar to those in FIGS. 10 and 1 are given the same reference numerals, and descriptions thereof are omitted. Users belonging to the group share confidential information by calculation.

[Procedure amendment 16]

[Document name to be amended] Statement

[Correction target item name] 0051

[Correction method] Change

[Correction contents]

[0051] This Center 11 is the same as the center as shown in FIG. 5, the center 11 generates a center algorithm G, keep the G in secret. The secret information is shared by calculation between the users 12 to 14 belonging to the group T19. Each user, when to join the network system is similar to the case shown in FIG. Therefore, each of the users 12 to 15 has a unique ID information ID _A , I
D _B, ID _C, also published in the same time another user by registering the ID _Z to the center 11, other users to be available at the time of communication. Further, the unique ID of the group T19
When the information ID _T is registered in the center 11, the ID _T
Is open to all other users so that they can use it when communicating.

[Procedure amendment 17]

[Document name to be amended] Statement

[Correction target item name] 0054

[Correction method] Deleted

[Procedure amendment 18]

[Document name to be amended] Statement

[Correction target item name] 0055

[Correction method] Change

[Correction contents]

As in the first and second embodiments described above.
In addition, each of the users 12 to 14, 15 has the same secret
It also has algorithm. Therefore, each user 12-
14 belongs to the group T19 but is an individual
To use its own initial value data. Also, Yu
The user Z15 belonging to the group T
14, the other party is treated as an individual, and the other party's I
It is also possible to use personal user ID information as D information.
Wear. In other words, the generation of the encryption key
You can also. The ID information ID of the group T19_T
Is an individualIt shall be different from the user ID information of a person.You.

[Procedure amendment 19]

[Document name to be amended] Statement

[Correction target item name] Fig. 5

[Correction method] Change

[Correction contents]

FIG. 5 obtains a group encryption key using group ID information .
FIG. 10 is an explanatory view of a center in another method .

[Procedure amendment 20]

[Document name to be amended] Statement

[Correction target item name] Fig. 6

[Correction method] Change

[Correction contents]

FIG. 6 obtains a group encryption key using group ID information .
FIG. 13 is a configuration diagram when each user subscribes to a network system in another method .

[Procedure amendment 21]

[Document name to be amended] Statement

[Correction target item name] Fig. 7

[Correction method] Change

[Correction contents]

FIG. 7 obtains a group encryption key using group ID information .
FIG. 13 is an explanatory diagram of a state in which secret information is shared by calculation among users belonging to a group in another method .

[Procedure amendment 22]

[Document name to be amended] Statement

[Correction target item name] Fig. 8

[Correction method] Change

[Correction contents]

FIG. 8 obtains a group encryption key using group ID information .
FIG. 21 is an explanatory diagram when performing encrypted communication between the outside of the group and the group in another method .

──────────────────────────────────────────────────続 き Continuation of the front page (51) Int.Cl. ⁶ Identification code FI H04L 9/00 641 (72) Inventor Toru Inoue 3-20-3 Shin-Yokohama, Kohoku-ku, Yokohama-shi, Kanagawa 8 Advanced Mobile Communication Security Technology Co., Ltd. Within the research institute (72) Inventor Shinji Kurihashi 3-20, Shin-Yokohama, Kohoku-ku, Yokohama-shi, Kanagawa 8-8 Within Advanced Mobile Communication Security Technology Research Institute, Inc.

Claims (8)

[Claims] At least two users among a plurality of users belong to a group having at least a first group ID information, and any two users among the plurality of users are respectively based on their own user ID information. Using the generated user-specific data and an encryption key generation algorithm common to the plurality of users, or using a user encryption key generation algorithm generated based on own user ID information, based on the other party's user ID information A device for generating an encryption key for a user belonging to the group in an encryption key generation method for generating the same encryption key between the two devices, comprising: a storage unit and an encryption key generation unit; Group unique data generated based on the first group ID information instead of the unique data and the own user ID information; Storing a user encryption key generation algorithm generated based on said own user ID information and a group encryption key generation algorithm generated based on first group ID information instead of said own user ID information; The encryption key generation unit uses an encryption key generation algorithm common to the user-specific data and the plurality of users stored in the storage unit, or uses the user encryption key generation algorithm to generate user ID information of the other party. The same encryption key is generated between the two based on the encryption key generation algorithm stored in the storage unit, using a common encryption key generation algorithm for the group-specific data and the plurality of users, or the group encryption key generation Using an algorithm, the first group ID information or the group The same encryption key is generated between the two based on the second group ID information having the same, and the group-specific data stored in the storage unit and an encryption key generation algorithm common to the plurality of users are used; Alternatively, the same encryption key is generated between the two users based on the user ID information of the other party using the group encryption key generation algorithm, and is shared by the user-specific data and the plurality of users stored in the storage unit. Or the same encryption key is generated between the two parties based on the first group ID information instead of the other party's user ID information using the encryption key generation algorithm of An apparatus for generating an encryption key, characterized in that: 2. At least two users among a plurality of users belong to a group having at least a first group ID information, and any two users among the plurality of users are respectively based on their own user ID information. Using the generated user-specific data and an encryption key generation algorithm common to the plurality of users, or using a user encryption key generation algorithm generated based on own user ID information, based on the other party's user ID information A cryptographic key generation method for a user belonging to the group in a cryptographic key generation method for generating the same cryptographic key between them, comprising: a storage unit and a cryptographic key generation unit; Group-specific data generated based on the first group ID information instead of the own user ID information, or the own user ID A group encryption key generation algorithm generated based on the first group ID information is stored instead of the information. The encryption key generation unit stores the group unique data and the plurality of users stored in the storage unit. Using a common encryption key generation algorithm, or using the group encryption key generation algorithm, and replacing the user ID information of the other party with the first group ID information or the second group ID information of the group. An encryption key generation device, wherein the same encryption key is generated between the two based on the information. 3. At least two users among the plurality of users belong to a group having at least the first group ID information, and any two users among the plurality of users are each based on their own user ID information. Using the generated user-specific data and an encryption key generation algorithm common to the plurality of users, or using a user encryption key generation algorithm generated based on own user ID information, based on the other party's user ID information A cryptographic key generation method for a user belonging to the group in a cryptographic key generation method for generating the same cryptographic key between them, comprising: a storage unit and a cryptographic key generation unit; Group-specific data generated based on the first group ID information instead of the own user ID information, or the own user ID A group encryption key generation algorithm generated based on the first group ID information is stored instead of the information. The encryption key generation unit stores the group unique data and the plurality of users stored in the storage unit. A common encryption key generation algorithm, or using the group encryption key generation algorithm, and generating the same encryption key between the two based on the other party's user ID information. Generator. 4. At least two users among the plurality of users belong to a group having at least the first group ID information, and any two users among the plurality of users are each based on their own user ID information. Using the generated user-specific data and an encryption key generation algorithm common to the plurality of users, or using a user encryption key generation algorithm generated based on own user ID information, based on the other party's user ID information A cryptographic key generation device for a user who does not belong to the group in a cryptographic key generation method for generating the same cryptographic key between both parties, comprising: a storage unit and a cryptographic key generation unit; Storing user-specific data or the user encryption key generation algorithm, wherein the encryption key generation unit stores the user stored in the storage unit; Using the unique data and an encryption key generation algorithm common to the plurality of users, or using the user encryption key generation algorithm, generating the same encryption key between the two based on the other party's user ID information, Using a common encryption key generation algorithm for the user-specific data and the plurality of users stored in a storage unit, or using the user encryption key generation algorithm and replacing the user ID information of the other party with the first A cryptographic key generation device that generates the same cryptographic key between the two based on the group ID information. 5. At least two users among a plurality of users belong to a group having at least the first group ID information, and any two users among the plurality of users are respectively based on their own user ID information. Using the generated user-specific data and an encryption key generation algorithm common to the plurality of users, or using a user encryption key generation algorithm generated based on own user ID information, based on the other party's user ID information A cryptographic key generation device for a user who does not belong to the group in a cryptographic key generation method for generating the same cryptographic key between both parties, comprising: a storage unit and a cryptographic key generation unit; User-specific data generated based on the user ID information of the user, or user secret data generated based on the user ID information of the user. Storing a key generation algorithm, wherein the encryption key generation unit uses an encryption key generation algorithm stored in the storage unit and common to the user-specific data and the plurality of users, or the user encryption key generation algorithm And generating the same encryption key between the two based on the first group ID information instead of the user ID information of the other party. 6. An encryption key generation method in which a plurality of users belong to a group having at least first group ID information, and any two of the plurality of users generate the same encryption key between them. An apparatus for generating an encryption key of the user according to the above, further comprising a storage unit and an encryption key generation unit, wherein the storage unit is configured to generate group-specific data based on the first group ID information, or And storing a group encryption key generation algorithm generated based on the group ID information of the first group, wherein the encryption key generation unit generates an encryption key common to the group-specific data and the plurality of users stored in the storage unit The first group ID information or the second group I of the group using an algorithm or the group encryption key generation algorithm. An encryption key generation device, wherein the same encryption key is generated between the two based on D information. 7. The same encryption key is generated between at least one group user among a plurality of users belonging to a group having at least first group ID information and another user not belonging to the group. An apparatus for generating an encryption key of the group user in an encryption key generation method, comprising: a storage unit and an encryption key generation unit, wherein the storage unit generates a group generated based on the first group ID information. Storing unique data or a group encryption key generation algorithm generated based on the first group ID information, wherein the encryption key generation unit stores the group unique data and a plurality of users stored in the storage unit; Using a common encryption key generation algorithm for the other user, or using the group encryption key generation algorithm, ID
An encryption key generation device, wherein the same encryption key is generated between the two based on information. 8. The same encryption key is generated between at least one group user among a plurality of users belonging to a group having at least first group ID information and another user not belonging to the group. An encryption key generation device for the other user in an encryption key generation method, comprising: a storage unit and an encryption key generation unit, wherein the storage unit is generated based on user ID information of the other user. User-specific data, or a user encryption key generation algorithm generated based on the user ID information of the other user, wherein the encryption key generation unit stores the user-specific data and the user-specific data stored in the storage unit. Using a common encryption key generation algorithm for a plurality of users, or using the user encryption key generation algorithm and selecting the first group ID An encryption key generation device, wherein the same encryption key is generated between the two based on information.