JPS63107667A - Code key joint-ownership system and apparatus - Google Patents

Abstract

(57) [Abstract] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

[Detailed Description of the Invention] (1) Description of the field to which the invention pertains The present invention relates to message confidentiality, authentication,
In communication using ciphertext, which is essential for authentication of communication partners, etc., communication between communicating entities (persons, devices, software, and sets of these) is performed prior to message communication. This relates to a method for sharing encryption keys for communication.

The security achieved through ciphertext communication is that only the entities involved in the communication have the same cryptographic key.
A secure and efficient cryptographic key sharing method is desired because it strongly depends on no entity other than the parties having the cryptographic key. (Please refer to document [11 below).

)■ Description of the Prior Art Conventionally, the following two types of encryption key sharing methods have been devised. (References [2], [3], [
4], [5]. ) (i) A method in which each entity individually shares an encryption key with all possible communication partners by cryptographic means or physical means.

(ii) Each entity creates public information based on its own confidential information, registers it in a public file that can be freely read but strictly controlled from including 1% or erasing it, and when communicating, A method that calculates and obtains a shared encryption key from the secret information of the other party and the public information of the other party.

The method (i) has the disadvantage that it requires a lot of effort when the number of expected communication partners is large, and is unsuitable for encrypted communication with an unspecified number of people.

In addition, in method (ii), encryption keys can be shared with any entity by referring to the public file as necessary during communication, so it can be applied to encrypted communication with an unspecified number of parties. is a public file or its equivalent,
A public information management mechanism is necessary.

Furthermore, the effort required for each entity to refer to the other party's public information cannot be ignored.

(3) Purpose of the Invention The purpose of the present invention is to solve the shortcomings of the above-mentioned methods, and to enable the sharing of encryption keys by simply using the identifier (name, address, etc.) of the communication partner, without referring to public files, etc. The purpose is to provide a method that is simple, efficient and safe.

(・1) Overview of the invention In order to achieve the above object, the present invention provides
A simple encryption key sharing method is realized by distributing to each entity a secret algorithm that converts the identifier of the communicating entity using a center algorithm known only to the center. .

Note that there are various entities such as humans, devices, machines, programs, and systems that are made up of these elements, and the CPU chip and RO using this method
Communication between M chips, communication between IC cards, communication between IC cards, terminals, bank centers and humans, communication between mobile communication devices, communication between personal radios, communication between telephones, and humans. communication, communication between the host computer, terminal, and database, parallel meter w, communication between internal processes, C
Communications between ATV broadcast stations and subscribers, satellite broadcasting, etc. are all within the scope of the present invention.

In addition, the term "algorithm" refers to a method of calculation written in a specified language, and in the usual sense, the term "algorithm" refers to a calculation method written in a specified language. Programs, data, logic circuits, graphs, chaining (TuriBH! machines, Petri nets, LSI patterns, etc.) are all types of algorithms in the present invention.

The present invention will be explained in more detail below.

1. Introduction In a network, there is a ball 1'Lll- entity (
Encrypted communication with entities (users, subscribers), especially in large-scale networks, has traditionally been troublesome and time-consuming for both common-key and public-key methods due to the problem of key distribution (sharing). It was necessary. Furthermore, it is difficult to easily realize multiple communications using codes to an unspecified number of parties, such as letters sent by regular mail.

Recently, the present inventors have developed a key sharing method that can easily realize these encrypted communications:
tion system and filed an application for its details (Japanese Patent Application No. 178,652/1981).

The present application is a continuation of these, and is based on the previously proposed linear algebra.
This is an expanded version of SysLem with improved safety.

2.Key Pro redistribution
System InventionKey Preclist
The circulation system consists of (reliable) centers (S is a positive integer, center 1, center 2, etc.)
・Represented as center S) and a number of entities that communicate with each other (n is a positive integer, entity 1, entity 2
．． ..., entity n), a group consisting of a plurality of arbitrary entities in the network shares the same key as follows.

Step (1) Creating the center algorithm (1) is an operation that is necessary only when starting up or updating the system, and each center (center p) uses a special algorithm that only center p can keep secret. This refers to generating the center algorithm Gp to be retained. however,
The method of generating Gp shall be agreed upon among all entities or their representatives.

(2) is an operation performed by the center and the entity when each entity joins the network. An identifier (name, name,
Each center (referred to as center p) applies cp to 1clentity)yi such as an address to create an algorithm Xpi=Gp(yi) dedicated to each entity. Algorithm X for entity i +:+X 2! +...
, Xsi individually or combined by an appropriate method and distributed only to entity i (for example, in an IC card or the like). Entity i secretly stores the received set of algorithms or their combination. This is called the secret algorithm of entity i
Represented by i.

(3) is an operation performed by a group that wants to share the encryption key after the preparations in (1) and (2) have been completed.

Each entity belonging to a group shares the same cryptographic key by inputting the identifiers of all other entities belonging to the group into its secret algorithm. For example, if entity A and entity B want to share the cipher flk, each write k as follows.
Calculate: = X 2' (ysL k =
L 1= X a (yc+ yALl” Xc (V
AN ye) Each calculates p as follows. Here! eIX+ represents the secret algorithm of entity i used when key sharing is performed in a group consisting of e entities.

Next, the key recognition
We will discuss the safety of the system in general.

K ey Prescription S
system, when distributing the secret algorithm,
It is necessary to pass the secret algorithm.b It is necessary to correctly authenticate (identify) the entity, but since the main premise of all cryptographic methods is that entity authentication (identification) is performed properly, the problem of entity authentication is Ke
y Prescription S yst
This is not a problem unique to em.

K ey Prescription S
The keys shared by each group using system are unique to each group and remain unchanged unless the center algorithm is updated. Therefore, K ey P rec
The iistribution system can be said to be a method for sharing a so-called master key. Even if the master key is leaked outside the group, it cannot be replaced with a new master key. Therefore, it is desirable to update the center algorithm after an appropriate period of time. but,
For example, for key sharing between a group of two entities,
If a secret algorithm Xi for key sharing for a group of three entities is used, a specific key can be shared between two entities each time by exchanging appropriate random numbers. For example, entity A and entity B can share a key as shown below using a random number r that is different from the identifier of any entity.

Now, K ey P redistribution
System: Since information regarding the center algorithm is distributed to each entity in the form of a secret algorithm Xi, if a single entity or multiple entities working together spend an appropriate amount of ft, the center algorithm can be solved. Alternatively, the secret algorithm Xt for an entity other than the cooperating entity or a part thereof can always be obtained.

If a secret algorithm is embedded in some device that is physically protected and has computing power (e.g., an IC card) and devised so that each entity can execute it without knowing its own secret algorithm, the center algorithm or No other entity's secret algorithm Xt or any part thereof will be revealed. Therefore, in an environment where physical security is completely maintained, any KEY P redisjribuLi.

It can be said that the n system is also safe. but,
In reality, it is difficult to expect complete physical security (the physical security of current IC cards, etc. cannot be said to be perfect), so unless many entities collude (cooperate), the center algorithm or Xt or its The key is to take measures that either cannot obtain enough information to determine a part, or even if sufficient information is obtained, the amount of calculation required to determine the center algorithm or Xt or a part thereof is large. Prescription S
system is considered to be required. The former is the so-called unconditional 5equurity, and the latter is the computational 5ecurit.
It can be said that it corresponds to y.

Proving unconditional 5ecurity is generally not difficult, but computational
5ecurity cannot currently be successfully demonstrated without assuming the difficulty of solving appropriate problems such as elementary factorization.

In 3, it is unconventional in the sense that it is safe as long as a certain number of entities do not collude.
ally 5ecure key reclis
Tribution S ystea as vector 1
Construct using next-independence.

K ey P redistribution system
An example of the application of stem is shown in Figure 1. As shown in the same figure, K e
yP redistribution System
By using m, mail communication like regular mail, that is, one-way encrypted communication can be easily realized. Even when there are two or more destinations, mail communication can be performed while performing so-called "broadcast authentication." It goes without saying that the present invention can also be applied to interactive communications such as telephone calls.

Here, using linear algebra, K ey P red'
5tribution system. Note that this method has already been disclosed in a prior application when there is only one center.

Definition of 3゜1 method The method defined below is named a linear scheme.

Let q be a prime power, l+s, and h be a positive integer. Q=
Let G F (q) be expressed, and the vector space formed by all m-dimensional horizontal vectors on Q is expressed as Ql.6 Identifier of each entity (assumed to be entity i) 31
1 is an element of the set ■, and if i≠j, then yi≠yj.

Also, let R be an algorithm expressing the injection from ■ to 01.

Each center (center I]+l]=1,2+...I S
) are six m-dimensional symmetric matrices on Q G pll G +)2
+ ”・+ G ph is randomly and uniformly selected independently of other entities to generate the center algorithm Gp. G is the algorithm X pi for each yield.
(ξ)=xpiR(ξ)T. However, xpi
is an hXm matrix on Q defined by , and T means transpose.

Each entity entity i) obtains an algorithm Xpi from each center (center p), and creates a secret algorithm Xi exclusive to entity i as follows: Xi (ξ) = xiR (ξ) T.

xi=wall xpi pHI It is important that center p passes algorithm Xpi only to entity 1.

Note that it is also possible to automatically obtain the secret algorithm Xi using an IC card or the like.

For example, first, entity i obtains an IC card, anyone can write to it, but entity i can read it.
The IC card is initialized in a way that can only be done by , and handed over to the center side, and each center inputs xpi, and the sum is calculated one after another inside the IC card.Finally, when xi is created, the IC card is returned to entity i. One possible method is to receive it.

In any case, entity i ultimately has a secret algorithm X+.

When entity i and entity j want to share an encryption key, entity i calculates Xl(yj) and entity j calculates Xj(yi) as a key. X
1(yj) and Xj(yi) are both h-dimensional vertical vectors on Q, and it can be easily derived from the definitions of Xi and Xj that they match.

The above is a case where the group consists of two entities, but in general, in the case of a group of e entities (e>2), the same result can be obtained by using e multilinear mapping instead of G pi, that is, the bilinear mapping described above. The method is realized.

ShishiLtL- Next, consider the security of the linear scheme. As attacks against this method, it is necessary to consider both attacks by the center and attacks by the entity.

To completely break this method, Gj=ΣGpj (j=L L..., h)ρIl
l matrix GIIG21..., matrix G=f in which Gh is arranged
G,,G2. ..., Gh].

Therefore, unless all centers collude, G cannot be determined at all even if some centers collude. Therefore, it is not possible to determine the encryption key of the group that is being used.

Also, unless at least rankG entities collude, G cannot be completely determined [proof omitted 1゜ran
There is a high probability that kG will take m or a value close to m.

However, even if fewer than rankG entities collude, it is certain that as the number of colluding entities increases, more information about G, and therefore more information about each entity's secret algorithm, can be obtained.

Therefore, when we consider the extent to which colluding entities can determine the encryption keys between entities in the pond, we reach the following conclusion.

Let the set of all entities that have joined the system be E. Besides this, even if all the entities belonging to the subset E8 of E collude, any two entities belonging to E-EB can share In order to completely determine the encryption key J, it is necessary and sufficient that ``vector R(yi) for each ieE'-EB is linearly independent of the vector set (R(yj) I jCE al.'' [Proof omitted 1° Therefore, the problem of security against collusion of entities is the set of vectors U=iR(yi)I 1eEl A tangential connection arises.

In fact, the parity check matrix is a matrix formed by horizontally arranging the transposed vectors of all vectors belonging to U, and the code length n
, let C be a linear code with m number of check symbols, ``(Hamming) codeword of weight knowledge exists in C'' and keys between other entities can be determined by collusion of r(w-1) entities. ``The minimum (HalIlming) weight [minimum distance] of C is greater than or equal to b + 2'' means ``The collusion of any b entity can also cause arbitrary interference between other entities. This is a sufficient condition for "the key of the key cannot be determined at all."

Therefore, the algorithm R can be chosen based on algebraic/algebraic geometric coding theory. In this case, if yi is regarded as an appropriate vector, R(yi) becomes a list of monomials related to the components of yi. Therefore, the algorithm Xi becomes a term (tuple) or the like. Corresponding linear codes include (e)-G RM code, BCH code, R8 code,
The Goppa code or the like ([10]) will be used.

However, these evaluations (calculations) of R cannot be performed very efficiently when m is large.

However, in coding theory, G 1lbert-V a
rsharmov's theorem ([101) as K ey P
Translated into the language of redistribution systems, ``Given a prime power q, positive integers I and b, where ψ(x) = xlogq(q -1) - xlogqx
-(1-x)10gq(1-x) If the number of allowable colluding entities is greater than or equal to the number of allowable colluding entities, there exists a linear scheme in which the storage amount of the secret algorithm is hmlog2q [bit] + the total number of entities n.

Here, h is any positive integer. '', and it can also be derived from the results of coding theory that most linear schemes have parameters that satisfy (K).

Ru.

In this point, it differs from the usual algorithm for linear codes. In normal applications, codes that utilize some kind of structure are used in order to efficiently realize the decoding algorithm, but K e
y Prescription S yst
In the linear scheme for eIll, random codes can be used since there is no need to consider the efficiency of the algorithm corresponding to the decoding.

The results of the above discussion regarding the security of linear schemes are shown in Table 1.
I will summarize it in.

Table 1. Safety of Linear SchemesNext, we evaluate various storage and computational costs related to linear schemes.

Each center has algorithm R and h symmetric matrices G pl
r G112+..., Gpl+ is memorized, and when each entity joins, R(yi) is calculated and further R(
Since xpi is obtained by multiplying yi) by Gppt Gl+21..., Gph, the amount of storage and calculation as shown in Table 2 is required.

Furthermore, each entity stores the algorithm R and the matrix xi, listens to R(yi) at the time of key sharing, and calculates R(yj
)"l:xi to obtain the encryption key, the amount of storage and calculation shown in Table 2 is required.

Furthermore, when m and b are given, G 1lbert-V
n determined from the arsharmov bound is
When ``-1r' is small, it can be approximated as #cormorant2r.

Table 3 shows numerical examples when Q=2 and h=64.

From Table 3, for example, if m = 2'', b = 2'', the linear scheme in which each center stores about 4 [G bitl and each entity stores about 512 [K bitl] will break the entire system. requires collusion of all centers or collusion of approximately 8192 or more entities, and 25
Even if 6 or fewer entities collude, the key between two other entities cannot be determined at all, and it is approximately 240 (=lQ1
2) It can be seen that there are entities that can share a key of 64 [bitl] between any two of the entities. On the other hand, if we take the primitive method of sharing keys with all entities in advance, each entity would have to store approximately 64 [T bitl]. (1[T bitl= 1024[G
bitl) Table 3. =2. Example of values of various quantities when h=64 K ey P redistribuLion
In order to investigate the characteristics of SysLem, let's summarize other methods.

Conventionally, methods such as (1) and (II) in FIG. 2 have been used to perform encrypted communication.

On the other hand, K ey P redistributi
The on system based method is positioned as shown in (I) of FIG.

Table 4 summarizes the comparison of the above-mentioned systems in terms of storage capacity, calculation capacity, communication capacity, presence or absence of a center, possibility of mail communication, basis of security, etc. From Table 4, overall, the Key
P redistribution SysLem
It can be seen that method (I) based on is superior.

(Blank below) 5. Conclusion In the above, Key P redistribuLio
A linear scheme for n S ystell has been described in detail.

Also, Key P redistribution S
Methods for realizing ysLem may exist other than the linear scheme6. For example, it is conceivable to configure the center algorithm as an obscure algorithm using an algorithm synthesis method. ○bscure+
For details on the algorithm synthesis method, see the following document [6]
, [71, [8], [9].

(5) Effects of the Invention As detailed above, according to the present invention, you can easily and easily exchange a common encryption key with a person you have never met (or communicated with) by simply inputting that person's identifier. By performing secure calculations, it becomes possible to easily communicate in ciphertext between arbitrary parties.

Literature [11 Hideki Imai, Tsutomu Matsumoto, “Cryptography”, Television:) Journal of the Young Society, V of, 39. No, 12. PP,
1140-1147. December 1985.

[21 N.G. Konheim, “Cryptography Near Primer,” Wiley, New York, 19
81 years.

(A, G, Konheim, Cryptog
raphy: A Primer, W 1ley,
Neuh York 198], ) [3] C. H. Mayer, Nis M. Matthias, 'Cryptography', Wiley, New York, 1982.

(Please, H, Meyer+ and S, M6M
atyas+“Cryptography+”W 1l
E. E. E. Denning, “Cryptography and Data Security,” Addison-Wesley, Reading, 1982.

(D, E, D enning+Cry
Ptography and Data S e
Curity, ″ A cldison-Wesley
+Reading* f982. ) [51 D.G. Debbies, D.B., "Security) or Computer Networks", Wiley, Chichester, 1984.

(D, W, Davies, and W, L,
Pr1ce.

“Security for Coa+puter
N etu+orks+”Wileys Chiehe
ster* 1984. ) [61 Tsutomu Matsumoto, Hideki Imai, Hiroshi Harashima, Hiroshi Miyayoshi, “Asymmetric cryptosystems using nontrivial representations of encryption transformations,” Proceedings of the 1981 IEICE Information Systems Division National Conference PP, 1-469 ~1-4
70. No. S 8-5, September 1983.

[71 Tsutomu Matsumoto, Hiroshi Harashima, Shu Imai8 (, “Construction theory of multivariate polynomial tuple asymmetric cryptosystems”, 1986 Cryptography and Information Security Symposium 0E2. Cryptography and Information Security Study Group, Institute of Electronics and Communication Engineers Information Security Timed Research Special Committee, February 7, 1986.

[81 Tsutomu Matsumoto, Hideki Imai, Hiroshi Harashima, Hiroshi Miyayoshi, “Cryptographically Useful Theorem On the Connection Between Uni and Multivariants, The Transactions of the I.E.
C.E. of Japan, Volume E68. number 3,1
Pages 39 to 146, March 1985.

(Matsu II loto + 'r, l Imai
+ H, l Harashima, H,, and M
iyakau+a, H,+”Acryptogra
physically useful theorem o
nthe connection between u
ni and multivariate polyn
omials, “The transacLion
of The I ECE of Japan,
Vol.

E68. No, 3. PP, 139-146. M
arch 1985,) [9] Hideki Imai, Tsutomu Matsumoto, “Algebraic Menz 7 O Constructing Asymmetric Cryptosystems, Third International Conference on Applied Algebra,
Algepreik Algorithms and Symbolic Computing, Error Correcting Korg (July 15-19, 1985, Grenople, France), Spring -7 Airlarc.

(Ia+ai+H,, and Matsumo
jo, T, +“A Igebraic meth
ods for constructiBasymlI
rhetoric cryptosystems,”3rd
TnLernational Conference
on Applied A Igebra, A Ige
braic A Igoritt+ms and Sym
bolic Computation, Error
CorrectingCodes (July 15
-IL 1985+Grenoble, Fran
ce)+S primer Verlag,) [10] Takashio et al., Coding Theory, Corona Publishing, 1975
゜[111 Tsutomu Matsumoto, Hideki Imai, “Third key sharing method”,
1986 Cryptography and Information Security Tsukushi 3rd Lecture Proceedings, PP, 39-41. W CI S 86-i
o, i*Hama, Aug, 2L 1986゜ [121 Tsutomu Matsumoto, Hideki Imai, 'Simple Encryption Key Sharing Method'', Institute of Electronics and Communication Engineers Technical Research Report, IT86-54. Kyoto, Sep, 18.1986゜

[Brief explanation of the drawing]

FIG. 1 is a schematic diagram showing an embodiment of the present invention, and FIG. 2 is a conceptual diagram showing various cryptographic communication systems. Patent applicant Advance Co., Ltd. Figure 1 C Entity B Co.

Claims (1)

[Claims] (1) In a network consisting of a plurality of communicating entities and a plurality of centers, each center generates a special algorithm, that is, a center algorithm that is kept secret only by each center, and each After preparing to create a secret algorithm exclusive to each entity by applying the center algorithm to each entity's identifier, which is unique to the entity and used in a semi-permanent manner and published, , in a group of arbitrary entities in a network, each entity in the group can enter the identifiers of all entities in the group other than itself into its own secret algorithm. A cryptographic key sharing method characterized in that the same cryptographic key can be calculated between each entity. (2) When the center delivers a secret algorithm to an entity, it embeds the secret algorithm in a physically protected device with storage and/or computing power, distributes this device to the entities, and each entity uses this device. The encryption key sharing method according to claim 1, characterized in that the encryption key is shared by the two parties. (3) The cryptographic key sharing system according to claims (1) and (2), characterized in that the secret algorithm uses a center algorithm configured by an algorithm synthesis method. (4) In a network consisting of a plurality of communicating entities and a plurality of centers, each center has (a) a means for maintaining a center algorithm that is secretly held only by itself, and (b) In a group consisting of multiple arbitrary entities in a network, each entity in the group inputs the identifiers of all entities other than itself in the group into its own secret algorithm, which is distributed only to that entity from the center in advance. In order to be able to calculate the same encryption key between the two entities, the center algorithm is applied to the identifier of each entity, which is unique to each entity, is made public, and is semi-fixed, and the secret algorithm dedicated to each entity is generated. An apparatus for an encryption key sharing system according to claims (1) to (3), characterized in that it has means for creating an encryption key. (5) The center further comprises means for incorporating the secret algorithm distributed to each entity into a device having storage and/or computing capabilities. The described device for the cryptographic key sharing method. (6) further characterized in that said center has means for embedding said secret algorithm distributed to each entity in a device having a physically protected form and having storage and/or computing capabilities; Claims (
4) The device for cryptographic key sharing method described in items (5). (7) The encryption system according to any one of claims (4) to (6), further characterized in that the center has means for generating a center algorithm that creates the secret algorithm by an algorithm synthesis method. Device for key sharing method. (8) The cryptography according to claims (1) to (3), characterized in that the secret algorithm distributed to each entity is incorporated in a device having storage and/or calculation capabilities. Device for key sharing method. (9) The device is a device in which the secret algorithm distributed to each entity is embedded, has a physically protected form, and has storage and/or computing capabilities. The cryptographic key sharing system device described in (8). (10) Claims (8) to (9) characterized in that the secret algorithm created by a center algorithm using an algorithm synthesis method is incorporated.
) The device for the cryptographic key sharing method described in paragraph 1.