JPS58143652A - Secret protecting system of multi-address communication - Google Patents

Abstract

PURPOSE:To assure security and the function of confirmation for a multi-address communication, by providing a means to a cipher key growing device to grow and distribute an individual cipher key of each transmitting/receiving station and a cipher master key to a normal gathering of receiving stations. CONSTITUTION:A switchboard 100 contains a multi-address function like a relaying satellite, etc. A transmitting station U0 obtains a master key corresponding to the address gathering from an open file. The station U0 gives multiple ciphering to a sentence to be transmitted and perfoms a multi-address communication. While each receiving station Ui individualizes the telegrams and then have decoding by means of a secret decoding key to obtain a normal sentence.

Description

DETAILED DESCRIPTION OF THE INVENTION (1) Description of the field to which the invention pertains The present invention relates to a broadcast communication system in which a message with the same content is transmitted from a transmitting station to a plurality of receiving stations. The present invention relates to a security protection system for broadcast communications using encrypted communications that can be decoded.

(11) Description of the prior art and its problems In satellite broadcast communications, information can be easily intercepted even by receiving stations that are not included in the destination set, and secrecy is not good. As a countermeasure against this, a code that can be decrypted only by the receiving station of the destination set is generally used. However, if a conventional public-key encryption system based on individual keys (in which the encryption key and decryption key are different) is applied to broadcast communication, each receiving station in the destination set copies the straw encryption key. We had no choice but to adopt a copy key management method that maintains the

On the other hand, the R8A method (Rivest, Shamir and
Adleman'A Method for Obta
ining Digital Signature
andPublic-Key Cryptosyst
ems' CACM vol, 21.

N12, Feo, 1978), the inventor Ha1
It Clarifies the existence conditions and derivation method of a master key in the narrow sense that can commonly substitute a part of another key (power index key) Koyama "Master key of R8A method public key cryptography" IEICE Technical Report A
L81-51.19811, and proposed a device for it (Japanese Patent Application No. 105217/1982). The present invention is based on this.

Therefore, first, the basic principle of the R8A method will be explained, then an example of a copy key management system based on individual keys will be shown, and finally, the principle of deriving a master key in a narrow sense will be explained.

First, the cryptographic principle based on individual keys of the R8A method will be explained. Encryption individual key is 1Kei, decryption individual key is IKd
Let it be I. IKei is a set of (Kei, ni), and the corresponding IKdi is a set of (Kdi, old). Kei
.

In the old version, it was registered in a public file, and Kdi was a private key known only to user Ui. If the plaintext is P and the ciphertext is C, the encryption and decryption algorithms are C= E (P) == PKei (mod ni)
1liP = D (C) 3CKdi(m
od ni ) i21. P and C are integers between 0 and old-1. Encryption and decryption in the R8A method are one-to-one mapping upwards. That is, if we represent P and C by M, then E (D (M) ) = D (E (M) ) = M
+3+ is established. Specifically, the following holds true. Regarding the individual key generation method, the encryption individual key and the decryption individual key are set so that the following conditional expression is satisfied.

”! = pi ' qi
151Kei - Kdi = l (mod Li)
161Li = LCM((pi-1),
(q * - 1) ) m However, pl and Qi are two different large prime numbers, and LCM represents the least common multiple. Next, based on the individual keys of the R8A method described above, copy key management for circular communication is performed. A case in which this method is used will be explained.

In Figure 1, there is one transmitting station, three receiving stations, and four destination sets.
This is an example of a case where different types exist. The transmitting station is Uo5, the receiving station is Ul, U2. Let U3 be the destination set A=(Ul.

U2 e U3), B = (Ul, U2), C (Ul
t U3) and D=(U2.U3). Uo holds the encryption individual keys KeA+KeB+KeCs KeD, and U1, U2 . U3 sends the decryption individual key KdA to Ul
+ U2 is the decryption individual key KdB, Ul, U3 are the decryption individual key KdC, U2 + U3 is the decryption individual key KdD
are held respectively. Therefore, U, is the key KdA +
KdB −Kac, U2 is the key KdA, KdB
.

KdD, U3 is the key I (aA I Kdc e Kdn
will be retained respectively.

In this way, when the copy key management method is applied to general circular secret communication where there are multiple destination sets, keys are distributed many times within the system, and each receiver included in multiple different destination sets is Even at the central office, it takes time and effort to manage multiple keys and use them properly, so key management is complicated.

Finally, the principle of deriving a master key in the narrow sense of the R8A method, which is a basic part of the present invention and has been clarified in the past, will be explained. That is, the broad key IKe i = (Ke i .

ni ) and IKdi = (Kdi, ni), the narrow key Kei and the master key KeM of Kdi,
We will summarize how to obtain KdM. nl remains an individual key.

If an individual key that satisfies the existence condition of a master key in the narrow sense is given, then the master keys in the narrow sense of the encryption key and the decryption key can be found completely independently and in the same way. In the following, for simplicity, Ke
i and Kdl, subscript e of KeM and KdM.

d is omitted and expressed as Ki and KM, respectively. The condition for the existence of a master key in a narrow sense for m individual keys is that the following equation holds true.

MKM=MKi (mod ni) (1<i<m)
+s+ 0(M(n4 1 i.e. Ki=Kj(mod gij) gij
=GCD(Li=Lj1 The following equation is obtained from equation (8).

KM=1 (nod U4) (1<i<m)
The derivation of +9+KM corresponds to solving the simultaneous congruence equation of equation (9), and a systematic solution algorithm will be shown.

For convenience, the partial master key in a narrow sense for the individual keys from 1st to 6th is expressed as KM, i. Of course KM,
r==Kl and KM, m=KM.

Below, we will generally explain the main principles of the algorithm for determining KM, l from KM, (i - 1).

generally holds true. Tazoshi, It I-L CM (L 1 * L 2 + ・・
・, Li 1. From the formula Q (1, Q◇, KM,
By eliminating i, we get. Parable, ti-1+ tI
is an integer. Here, Li-1+ Li r Ki
+ KM, (i-1) is known, so equation (2) is Zl
It becomes a two-dimensional linear indeterminate equation regarding -1t ti.

This equation is extended to KM using Euclidean algorithm,
If you go from 2 to KM to m, you will finally reach K.
Find M.

As described above, the method for deriving master keys KeM and KdM in a narrow sense has been known in the past.

The master key in a broad sense, including the master key of

011) Purpose of the Invention The purpose of the present invention is to develop the conventional master key system in a narrow sense, to guarantee security protection and authentication functions in broadcast communication, and to simplify key management.

Qψ Detailed Description of the Invention First, a method for deriving the master key nM regarding the law key n4 will be described, and multiple encryption using a master key in the broad sense that combines the conventional master keys KeM, KaM) and nM in the narrow sense will be explained.

The master key in a broad sense and the master key in a narrow sense KeM and KdM have the following properties.

MKeM"'dM=M (modn+)(1(i(
m) αBuBy the way, nl is the product of prime number p and ql, so 2〇] is MKeM”'dM = M (nod p・)(1(
It can be decomposed as i (, m) α MKeM−KdM = M (mod (J). Since the formula σ holds true for all 1,
Prime number p1 + Ql r p2 + q2 +...t
Obtain 2m simultaneous congruences modulo pm' qm. Next, among these simultaneous congruences, only congruences modulo different prime numbers are collected to find one equivalent simultaneous congruence.

Let nM be the product of these different prime numbers. That is,'
M = LCM ('1 + 12 + "' + n
l'n) '□, then from the Chinese Remainder Theorem, MKeM ``dM= M (mod nM)
Get %. 2α・From the power exponent master key K
When using eM +KdM, each individual key ni(1<
As an alternative to i (m), IIM can be used to encrypt and
Even after decryption, the original plaintext is obtained. This ny m II
The modulus of I 'it'2s... is called the master key for nm. And rKeM= (KeM+ nM), I
KaM=(KdM, nM) are respectively called a broad-sense encryption master key and a broad-sense decryption master key of the R8A method.

Encryption using multiple encryption IKeM multiple encryption M E , lK
If decoding using dM is referred to as multiple decoding MD, each is expressed as follows.

M E (M) −MKeM (mod nM)
Q7) MD (, M ) = MKdM
(mod ny, ) % Furthermore, the operation of dividing an arbitrary integer Z by the modulus individual key ni and obtaining the remainder is called individuation (■), and is expressed as follows.

I(Z)=Z (modnll
Ql By the way, regarding encryption or decryption, the result of once performing an operation with the law's master key nM is the result of individualizing it with the law's personal key n, and the result of performing the operation with the law's personal key ni from the beginning. The results match. That is, M.K.
If an arbitrary integer such as eM or MKdM is represented by a, the following equation holds true.

(a (mod ny) ) (mod nI)=a
(mod nl) Therefore, we obtain the following equation.

I (ME (M)) = E (M)
@1) I(MD(M))=D(M)
(a) In particular, E and D using the key Ki are expressed as Ei and Di.

Furthermore, from formula (3), which is the basic property of the R8A method, and the above 2〇〇, D
(E) E (I (MD(M) ) ) =M
(c) I (ME(D(M))) -M
(c) I (MD (E (M)) )
=M (a) is obtained.

Next, by using the properties of multiple encryption (multiple decryption) and individualization using the broad master key shown above, we will protect confidentiality in networks with broadcast communication functions (broadcast secret communication).
and authentication (circular digital signature).

Circular secret communicationReturn secret communication can be achieved by applying members. That is, the transmitting station calculates the multiple encrypted ME (M) and broadcasts the result Z. The receiving station of the destination set receives the information Z and performs individualization (2) and decoding D1. (
KeM is public, and 1Kdi (1 < 1(, m) is kept secret only by user Ui, so any user can become a transmitting station, and the destination set is a regular receiver set. Broadcast confidential communication is possible.

FIG. 2 shows an overview of circular secret communication using a master key in a broad sense. In the figure, 100 is an exchange equipped with a broadcast function, and if it is tilted up, it may include a relay satellite or a distributor on a common line, but \ and \ assume a relay satellite. The procedure for broadcast secret communication is described below.

(b) The transmitting station Uo uses the master key Ke corresponding to the destination set.
M+”M is obtained from the public file.

(0) The transmitting station UO sends Ke
Multi-encrypt using M and nM, obtain Z and broadcast, Z + - PIKeM (mod nM) (c) Each receiving station Ui (1 < i (m) is individualized for the message Z .

C44-Z (mod nH)) Each receiving station Ut (t<i<m) uses a secret decryption key Kdi
(1<i (m) to decrypt and obtain plaintext P.

, Kdi P 4-C, (mod ni) Broadcast digital signature Broadcast digital signature can be achieved by applying the formula @ and , and broadcasts the result Z.

The receiving station of the destination set receives the information Z, performs individualization I, decryption, and encryption Eo. IKeM and 1Keo are public, and 1Kdi (0<i<m) is user Ui
Any user can become a transmitting station, and a broadcast digital signature authenticating the transmitting station can be sent to a set of destinations, which is a set of legitimate recipients.

FIG. 3 shows an overview of broadcast digital signature using a master key in a broad sense. The procedure for this broadcast digital signature will be described below.

(b) Any user Uo not necessarily covered by the master key becomes the transmitting station, and the date? A meaningful message P containing a user ID is decrypted using a secret decryption key Kdo known only to the UO.

c, pKdo (mod no) (0') The transmitting station Uo further performs multiple encryption using [KeM, obtains Z, and broadcasts it.

Z 4- CKeM (mod nM) (c) Each receiving station U* (1<, i<m) is the telegram Z
Individualize against.

C14-Z (mod nH)) Each receiving station Ui (1<i<m) has a secret decryption key Kdi
(1(i(m)) to obtain C.

C←CKd' (mod nl) ■) Each receiving station O1 (1 (i (m) is the public encryption key [
Ke.

to obtain P.

p + - CKeo (mod nQ) (to) Each receiving station Ui (1<i(m) identifies that P is a meaningful message and authenticates that it was indeed transmitted from Uo.

Next, a key management system in circular secret communication based on the master key of the above R8A method will be explained.

Figure 4 shows an example where there is one transmitting station, three receiving stations, and four types of destination sets, which are the same conditions as described in the conventional copy management system. . Now let's assume that the transmitting station is Uo, the receiving station is Ul + 02 + U3, and the destination set is A"" (
Ul * C2 + U3), S = (Uo, C2), C
-(Ul, U3), D=MoU2. U3). Also, U
Kd1+Kdz for each individual decryption key of l, C2, and U3
+ Kd3, and the encryption master key for each destination set is Ke MA+KeMB I KeMC+ KeMD. In this case, Uo is KeMA.

KeMB * KeMCe holds KeMD, Ul holds only Kdl, U2 only holds Kd2, and U3 holds only Kd3.

Figure 5 shows the users Ui(Okui(m)
), an explanatory diagram of a key held secretly by a key generator MM, and a public key. In particular, even if the encrypted master key KeM and the encrypted individual key Kei are set to the same value, the performance and security are not impaired. In FIG. 5, the double frame represents the public key, and the -1 frame represents the private key. In other words, “M+ ni (0<i<, m
), KeM+ KeO is made public, Kdi is kept secret by Ui, and KdM is kept secret by MM.

(■) Description of Embodiment FIG. 6 is a block diagram of an embodiment of a master key generation device in a broad sense. This device is used only by cryptographic key generators who know the secret information of each individual key. The outline of the operation shown in FIG. 6 is as follows: When m groups of basic constants pi + qi are manually input to the data reading circuit 11 from the line 10 to the individual key, the 2 adder 12 and the multiplier are The arithmetic unit 15 consisting of the divider 13 and the divider 14 is used to derive the master key in a broad sense, and the data storage memory 7
The data write circuit 18 outputs the results while storing intermediate variables in the data write circuit 18.

Details of the program storage memory 6, data storage memory 7, and arithmetic unit 15 in FIG. 6 are shown in FIG.

When the individual key Ki is input through the line 26, it is stored in the data storage memo IJ 17 as is. From line 21 pt qi
When inputted manually, the least common multiple derivation program in the program storage memory 16 is activated, Ll of equation (7) is obtained using the arithmetic unit 15, and is stored in the data storage memory 7. When the storage of m pairs of Ll, pl, and 91 is completed, the comparator A is used to check the existence condition of the master key. Then, if it exists, start the least common multiple derivation program in the program storage memory 6, calculate Ll and nM,
The data is stored in the data storage memory 7. Next, start the program for solving two-dimensional linear indefinite equations in the program storage memory 16, and calculate KM, i sequentially from 1 to m.
Finally, KM (=KM, ml is obtained), and KM and nM are output using the data writing circuit 18.

FIG. 8 shows an embodiment of a transmitting/receiving device that implements the security system of the present invention. This device can be applied to both broadcast secret communications and broadcast digital signatures.

First, the operation as a transmitter will be explained. Parameter a of the transmission method is input via line 4o. Assume that a-00 is a broadcast secret communication and a=10 is a broadcast digital signature. In the case of a-00, the key KeM is further added from line 40.
Input tnM and plaintext P.

In the case of a-10, the key Kdo, no is further transmitted from line 40.

Input KeM, nM and plaintext P.

First, the operation in case of a-00 will be explained in detail.

Through the data reading circuit 41 and the line 50, P is stored in the multiplicand storage register 42, nM is stored in the divisor storage register 44, and 2 KeM is stored in the final value storage register 47 (2 KeM).

Next, the multiplier 43 multiplies the data P sent via the line 51 and the content P of the register 42, and sends the result to the line 52.
A divider 45 performs an operation of dividing the resulting value by the content nM of the register 44. The remainder obtained by the divider 45 is sent to the remainder storage register 46 (=.Next, the counter of the counter control circuit 48 is incremented by 1, and the result is sent to the final value storage register 4.
Compare whether it matches the contents of 7. If they match, the contents of the remainder storage register 46 are output to the line 57 via the data write circuit 49. If they do not match, the contents of the remainder storage register 46 and the contents of the multiplicand storage register 42 are multiplied by the multiplier 43, and the result is displayed on the line 52.
(= Output. By repeating the above operations until the counter matches the final value, the predetermined circular secret communication data Z
get.

Next, the case where a=10 will be explained. The broadcast digital signature consists of a first stage using the transmitting station's individual key and a second stage using the receiving station's master key. Data reading circuit 41 and line 5
0 to the multiplicand storage register 42, nowo to the divisor storage register 44, and Kdo to the final value storage register 47.
Store each. Multiplication and division are repeated in the same manner as when a=00, and the contents of the remainder storage register 46 when the counter of the counter control circuit 48 matches the final value correspond to the message C to which the signature has been applied. This content C゛ is line 5
8 to the register 42, and further updates the contents of the register 44 to nyi2 and the contents of the register 47 to KeM.

Similarly, multiplication and division are repeated, and the contents of the register 46 when the counter matches the final value become the broadcast digital signature data. This result is output to line 57 via data storage circuit 49.

Next, the operation as a receiving device will be explained. Parameter a of the reception method is input via line 40. Assume that a=01 is a case of a circular secret communication and a-11 is a case of a circular digital signature. In the case of a-01, the key Kdl is further added from line 40.
, ni and broadcast message Z. In the case of a-11, the key Kd++ni, KeO, no is further obtained from line 40.
and input the circular message Z.

First, the operation when a=01 will be explained. 1 at the receiving station
Perform surface separation and decoding. First, in order to perform individualization, ni is stored in the divisor storage register 44 via the data reading circuit 41 and line 50, and Z sent via line 59 is stored as ni.
The divider 45 performs the operation of dividing by .

As a result, the obtained remainder Ci is stored in the remainder storage register 46,
It is stored in the multiplicand storage register 42 via line 58, and the individualization is completed. Next, Kdi is stored in the final value storage register 47, leaving the contents of the divisor storage register material unchanged. Decoding is performed as follows. That is, the content C1 of the multiplicand storage register 42 and the content C of the remainder storage register 46
Multiply by 1 in multiplier 43 and send the result to line 52. The divider 45 performs an operation to divide the data sent from this line 52 by the contents of the divisor storage register 44, and the remainder is stored in the register 44.
6.

Next, the counter of the counter control circuit 48 is incremented by 1,
The result is compared to see if it matches the contents of the final value storage register 47. If there is a match, register 46
The contents of are output to line 57 via data filling circuit 49. If they do not match, multiplier 43 multiplies the contents of register 46 and register 42, and the result is applied to line 5.
Output to 2. By repeating the above operations until the counter matches the final value, the original plaintext P is obtained.

Next, the case where a=11 will be explained. The receiving station performs individualization, decryption using the receiving station's individual key, and encryption using the transmitting station's individual key. The individualization and decoding are exactly the same as in the case of a=Ol, and the result C is stored in the multiplicand storage register 42 and the remainder storage register 46.

Next, no is stored in the divisor storage register 44 and Kdi is stored in the final value storage register 47, and the final remainder P, that is, the original plaintext P, is obtained using the multiplier 43, the divider 45, and the counter controller 48.

(Explanation of Effects) As explained above, according to the present invention, security protection and authentication functions can be guaranteed in broadcast communication, and there is an advantage that any user can become a transmitting station.

Further, even if a plurality of fine-grained destination sets exist, each receiving station holds only one type of key, which has the advantage of simplifying key management. Furthermore, since satellite communication and daisy chain networks inherently have peer communication functions, the present invention can be easily implemented.

[Brief explanation of drawings]

FIG. 1 is an explanatory diagram of a conventional copy key management system, and FIG. 2 is a schematic diagram of circular secret communication using a master key in a broad sense of the present invention.
FIG. 3 is a schematic diagram of a broadcast digital signature using a master key in a broad sense of τ according to the present invention, FIG. 4 is an explanatory diagram of a key management system using a master key in a broad sense according to the present invention, and FIG. 5 is a diagram of use according to the present invention. FIG. 6 is a block diagram of an embodiment of the master key generation device in a broad sense of the present invention, FIG. 7 is a detailed diagram of FIG. 6, and FIG. FIG. 2 is a block diagram of an embodiment of a transmitting/receiving device that implements a security scheme. 11, 41... Data reading circuit, 12... Adder, 13°43... Multiplier, 14.45... Divider,
15... Arithmetic unit, 16... Program storage memory,
17... Data storage memory, 18. 49... Data writing circuit, 4... Comparator, 48... Counter controller, 42... Multiplicand storage register, 44... Divisor storage register, 47... Closing value storage register, 46... Remainder storage register. Agent Patent Attorney Suzuki -・,”,”;j-Ichigo-1-1)i

Claims (1)

[Claims] (1) In the security protection method 4 for a network equipped with a broadcast communication function, an encryption key generation device generates and distributes the encryption individual key of each transmitting and receiving station and the encryption master key for a set of authorized receiving stations (destination set). The transmitting station has a means for encrypting the message using the master key of the destination set and transmitting it, and among the plurality of receiving stations, only the receiving station of the destination set encrypts the encrypted communication message using the individual key. A security protection method for circular communications characterized by having a means that can be decoded by