JPS6352536A - Distribution system for shared cryptography key - Google Patents

Abstract

PURPOSE:To reduce the processing time required for the distribution of a cryptographic key by generating and erasing the cryptographic key and a decoding key of a discrete power function cryptographic device at each one distribution of a shared cryptographic key. CONSTITUTION:The shared cryptographic key, the key for encrypting the discrete power function cryptographic device 1, the decoding key, the key for a unidirectional function arithmetic unit cryptographic device 11, and a verification data or the like are generated by a random number generator in a processing unit 51. A couple of nodes use a value of modules (represented as N) used for the discrete power function cryptographic device 1 in common before the start of the delivery procedure of the shared cryptographic key and each node stores the value N into a storage device 52. Each node calculates a function G(N) defined by the explanation of the discrete power function cryptographic device together with the value N and stores the value G(N) in a storage discrete form. Thus, the processing time required for the key distribution in a communication equipment is decreased remarkably by the distribution system for the shared cryptographic key using the encryption method of the discrete power function.

Description

Detailed Description of the Invention (Technical Field to Which the Invention Pertains) The present invention relates to a plurality of communication devices (
A communication device is a device having a communication function, and means, for example, a terminal device, a communication processing device, a communication control device, a switch, or a computer.Hereafter, for the sake of simplicity,
Communication data (data communicated between communication devices) is transmitted between communication devices (sometimes referred to as nodes) using conventional encryption (an encryption method in which the encryption key and decryption key are the same). Shared cipher a in encrypted communication for encrypted communication
The present invention relates to a delivery and authentication method for (cipher a) shared by a plurality of communication devices and used for encryption and decryption of communication data.

(Prior Art) In encrypted communication, a shared encryption key is one of the important issues. An encryption key is sometimes simply called a "key." The distribution of shared encryption keys is sometimes simply referred to as "key distribution."

Conventionally, as methods for distributing shared encryption keys, methods using conventional encryption and methods using public cryptography have been proposed.

The disadvantage of the conventional encryption method is that the secret key for encrypting and decoding the shared encryption key must be delivered manually when the shared encryption key is delivered, which poses problems in operability and security. It is a certain thing.

The disadvantage of public-key cryptography is that methods that use public-key cryptography only for key distribution (for example, the MIX method (Personal Communication (Supervised): Research on Data Protection and Encryption, Nihon Keizai Shimbun, Inc.).

(1983), pages 153 to 163), the processing time is long.

R8A encryption (Rivest, R
,E.

etal, “A, Method for Obtai
ning Digital Signatures an
dPublic-Key Cryptosystem
s”.

Communications of the ACM
, Vol., 21+ No., 2+ PP.

120-126. (1978)), the code can be decrypted by decomposing the modulus value of a discrete power function, which is one parameter of the public information, into prime factors. So about 10
Large integers (0-digit prime numbers) need to be multiplied by
For example, it is an integer of about 200 digits in decimal notation), so the processing time for encryption and decryption becomes long.

Mr. Diffie's shared key generation method (rDiffie, f
il, and) 1ellam, H,: “New D
irections in Cryptography
”.

IEEE Transactions, IT-22,N
o, 11. pp. 644-654 (1976), p. 649), an adversary of the target system (a person attempting to gain unauthorized access to the target system) can solve the encryption by solving the discrete logarithm. Since it can be decrypted, the value of the modulus of the discrete power function, which is one parameter of the public information, needs to be, for example, a large prime number, which increases the processing time for encryption and decryption.

(The solution for discrete logarithms is 1. For example, rPohlig, S,
C.

and Helleman, M.E., “An Im
Proved Algorithm for Compute
ting Logarithms over GF(p
) and ItsCryptographic 5
1gn1ficance", IEEE Transa
tions Vol, IT-24, No. 1. pp,
106-110. (1978)” is shown.
) Mr. Shamir (rKohnheim, A, G.

“CRYPTOGRAPHY:A Primer”
S1lley-Interscience.

New York (1981), 345-346
Page) is used to exchange secret information (such as a shared encryption key) between two parties using a discrete power function encryption whose modulus is a prime number.
However, this method does not indicate a method for authenticating the other party's communication device during key distribution.

5halIIir's method is that when the adversary of the target system knows the old plaintext (i.e., secret information) and its ciphertext pair, the adversary can learn the secret information by solving the discrete logarithm. Therefore, the modulus value of the discrete power function, which is one parameter of the public information, needs to be a large prime number, which increases the processing time for encryption and decryption.

The present invention was devised with reference to Mr. Shamir's method, and is based on the conventional key distribution method using a discrete power function, the MIX method using R3A encryption, and the Diffis method.
It is possible to realize a faster key distribution function than Mr. Shamir's shared key generation method and Mr. Shamir's method, and it is also possible to authenticate the other party's communication device.

(Objective of the Invention) The object of the present invention is to use discrete power function cryptography to distribute a shared cryptographic key that needs to be shared among multiple nodes in order to encrypt and communicate communication data using a conventional cryptography. In addition, the public information of each node is reduced, and the encryption key and decryption key of the discrete power function cryptographic device are generated and deleted each time the shared encryption key is distributed (i.e., , disposable), the value of the modulus used in the discrete power function can be reduced without compromising security, and the processing time can be reduced compared to other methods that use the discrete power function for key distribution. Authentication of the validity of the other party's node when delivering the encryption key is performed using authentication data and a one-way function calculation device, or by using a password.
By making it possible to perform this together with the delivery of the shared encryption key, there is no compromise in operability and security, less processing time is required for the delivery of the encryption key, and it is possible to recognize the legitimacy of the other party's node. The objective is to provide a shared encryption key distribution method.

(Example) The total number of nodes in the communication system (that is, the nodes and the communication network that interconnects the nodes) targeted in the example of the present invention is n+1 (n≧1), and the identification name of the node is , node 0, node 1, . . . node n.

The shared cryptographic key distribution method of the present invention is based on the logical configuration of a communication network, such as point-to-point communication (i.e.,
communication between two nodes) and point-to-multipoint communication (e.g. broadcast communication between three or more nodes)
Applicable to

Note that the physical configuration of the communication network (eg, leased line, switched circuit, private network, etc.), interface, and communication protocol are arbitrary.

An example of the configuration of a discrete power function cryptographic device (a cryptographic device using a discrete power function) will be described.

For the sake of simplification, the power function W', that is, W raised to the t power, is expressed as exp(W, t) = W'.

Integer means a non-negative integer in embodiments of the invention. When A, B, and L are arbitrary integers, the fact that the remainder modulo L with respect to B is A is expressed as A = B (mad L).

At this time, 0≦A<L.

Also, when A, B, and L are arbitrary integers, A and B
are congruent modulo L, AmiB (nod
It is expressed as L).

When X, Y, and N are arbitrary integers, the discrete power function is
The remainder where N is the modulus of X to the power Y, that is, exp(X t
Y ) (mad N).

The plaintext in a discrete power function cryptographic device is M.

2. Enter the key for C9 encryption of the ciphertext. The decryption key is ZI, M, C, Z, ZI, and N are integers, Z and G (
N) are relatively prime, Q≦N<N O≦C<N, and the integer ZI is the inverse destination of the integer 2. There is the following relationship between 2 and ZI.

Z −ZIE 1 (mod G (N)) where 0<Z<G(N) 0<ZI<G(N). Then, the encryption and decryption, which are the cryptographic processing of the discrete power function cryptographic device, are CilEiexp(M, Z) (IIIod
N) M=exp(C,ZI) (mod N) (i.e., encryption and decryption are symmetric operations), G(N
) is, for example, Euler's function T(・
), then G(N)=T(N). (Euler's function for any natural number S (for example, pages 41-49 of Mitsuguharu Takagi's 'Lectures on Elementary Integer Rings, 2nd Edition', Kyoritsu Shuppan (1981)) is T(S)
, T(S) represents how many numbers coprime to S exist in the natural numbers 1.2..., S. S as “
S=(,H)” −(J2) R1−…−(
Jk) llk (where k≧1 and J
i, (1=LL...,k) are prime numbers, Ri, (C1
, 2,..., k) is an integer greater than or equal to 1), T(S)=S・(1-1/Jl)(1-1/J2)...
・(1-1/Jk), and especially when S is a prime number, T(S)=S −1.

Another way to configure G(N) is, for example, N=pl・R2...
・When pk, (k≧2) and Pl, R2,..., pk are all different prime numbers, G (N)-L CM (pi-1, R2-1,...
・, Pk-1).

Here, LCM(·,·······) represents the least common multiple of all numbers in parentheses. For example, the calculation method for the reverse calculation is described in ``Masao Iri et al. (W collection) ``Improving the efficiency of calculation and its limits''
, Mathematics Seminar Special Edition, Nihon Hyoronsha, Tokyo, (1980), pages 50-51, (or Rivest, R.
L., et al. “A Method forO
btaining Digital Signature
es and Public-KeyCrytosys
tems”, Communications of
the ACM, Vol.

21, No, 2. pp, 120-126. (1978
124), and can be determined, for example, by Euclid's algorithm of mutual division.

It can be seen that any two integers A and B are relatively prime because the result of calculating the greatest common divisor using Euclid's algorithm is 1.

A method for calculating a discrete power function is, for example, the above-mentioned Rive
It can be determined by the method described on page 123 of the literature by Mr. (or Masao Iri et al. (editors)
It can be determined by using together the exponentiation calculation method described on pages 128 to 129 of the literature and the nod calculation method (i.e., remainder calculation) described on pages 48 to 54. Or rKnuth D.

D.: ”The Art of Computer
Programming”, Vol, 1゜2, S
eIIlinumerical Algorithms
, Addison-Wesley4 (1969).”
It is also possible to use the calculation method on pages 233-245 of . ) In the discrete power function cryptography, the public information is the modulus of the discrete power function, and the secret information is the encryption IIZ and the decryption key ZI.

A discrete power function cryptographic device can be realized by hardware or a combination of hardware and software.

FIG. 1 shows an example of the configuration of a discrete power function cryptographic device.

The signal path 2 is a signal path for inputting input data to the discrete power function cryptographic device 1, and inputs arbitrary integer data.

The signal path 3 is a signal path for inputting a key, and inputs an encryption key or a decryption key.

The signal path 4 is a signal path for inputting the modulus value of the discrete power function, and inputs the modulus value.

The signal path 5 is a signal path for outputting Roka data,
The processing results of the discrete power function cryptographic device 1 are output.

Next, the communication data encryption device will be described.

Conventional encryption refers to an encryption method in which the encryption key and decryption key are the same.

This section describes the general notation for the operation of encrypted signals using conventional cryptography.

Let E(K;
), any information Y t! J! With the encryption method of , the key K
The value decoded using is D(K; E(K; X))=X.

Examples of cryptographic algorithms for conventional cryptography include:

DES encryption (”Data Encryption 5t
andard'''.

Federal Information Process
ssing 5andardsPublication
46. U.S.A. (1977)) and F.E.
AL cryptography (Shimizu, Tokohi, Ota: High-speed data encryption algorithm FEAL''', Institute of Electronics and Communication Engineers Technical Report, (Information Theory), Vol. 80, No. 113, IT86-33, p.
There are cryptographic algorithms such as P.p.1-6 (1986)).

The shared encryption key is a key used in the communication data encryption device.

Since the present invention can be constructed independently of the cryptographic algorithm for conventional signals, the cryptographic device for communication data (that is, the cryptographic device for conventional cryptography for encrypting and decoding user communication data) according to the present invention includes the following: A cryptographic device for communication data that can use any conventional cryptographic algorithm that is moderately secure (the degree depends on the target communication system) can be realized using hardware or a combination of hardware and software.

FIG. 2 is a configuration example of a communication data encryption device.

The shared encryption key is input from the signal path 8 to the communication data encryption device 6 . The input data input from the signal path 7 is plain text or cipher text, and is processed by the communication data encryption device 6.
The encrypted or decrypted output data is output from the signal path 9 as ciphertext or plaintext.

A control signal is inputted from the signal path 10 for distinguishing whether the communication data encryption device 6 operates in an encryption process or a decryption process.

The shared encryption key is denoted by KC, and KCij is the result of key distribution between node i and node j, (i≠j)
represents the KC shared by

In the embodiment of the present invention, KCij, which is a KC when communication data from node j to node j is encrypted or decrypted by a communication data encryption device, and communication data from node j to node 1 are used as communication data encryption device. Regarding KCji, which is KC when encrypted or decrypted by cryptographic device t, it is assumed that KCxj=KCJi. (However, for example, if each node generates a KC separately and executes the shared encryption key distribution method of the present invention, the encrypted communication from node i to node j and the encrypted communication from node j to node i , another shared encryption key can be used.As an example of another method, KCij distributed by the shared encryption key distribution method of the present invention can be used according to two fixed rules (for example, each By generating two values converted using the inversion operation of a specific bit of KCij whose bit positions differ from each other according to the rules and using them as a new shared encryption key, it is possible to generate a different value of the shared encryption key in each direction. ) Next, an example of the encrypted communication method will be described.

Encrypted communication refers to encrypting and communicating communication data that requires confidentiality. Encrypted communication using the shared encryption key distribution method of the present invention is performed, for example.

This can be done using either of the following methods (encrypted communication method 1 or encrypted communication method 2).

Encrypted communication method 1 is as follows. That is, the key for encryption and decryption by the communication data encryption device for user communication between nodes is called a data encryption key, and is expressed as KF.

A user of encrypted communication is, for example, a person, a device, or a computer program that uses a communication device. According to the shared encryption key distribution method of the present invention, the KF is distributed as a shared encryption key, and the KF is shared between nodes to be communicated with.

Next, the user on the sending side encrypts and transmits the communication data using the communication data encryption device using the KF as a key, and the user on the receiving side encrypts the communication data using the communication data encryption device using the KF as the key. Decrypt communication data and perform encrypted communication.

Encrypted communication method 2 is as follows. In other words, when a data encryption key is encrypted using a commonly used cipher and delivered, it is necessary to deliver the data encryption key and the encryption key (denoted as KN), which are the keys of the commonly used cipher at that time. In case,
The method of the present invention can be applied if KN is regarded as a shared encryption key. That is, KN is distributed as a shared encryption key using the shared encryption key distribution method of the present invention, and KN is shared between communication target nodes.

Next, the user on the sending side encrypts KF using KN as the key of the communication data encryption device and sends it, and the user on the receiving side encrypts the KF using KN as the key of the communication data encryption device and sends the encrypted KF. As a result, the KF can be shared between nodes.

Next, the user on the sending side encrypts and transmits the communication data using the KF as a key to the communication data encryption device, and the user on the receiving side encrypts the communication data using the KF as the key to the communication data encryption device. Decrypt communication data and perform encrypted communication.

The present invention provides a shared cryptographic key distribution method, and the cryptographic communication method that is the usage form of the shared cryptographic key is arbitrary.

Next, the authentication method of the other node when delivering the shared encryption key will be described.

When delivering a shared encryption key, each node needs to authenticate the validity of the other node. In the present invention, the authentication method for the other node when delivering a shared encryption key includes one of the following three methods. Either of these can be used. The authentication data used in these methods must be generated and set before starting the shared encryption key distribution procedure, but once the shared encryption key is set, the shared encryption key can be distributed an arbitrary number of times. Can be used commonly for procedures.

a) Authentication method 1 Authentication method 1 uses a unidirectional function calculation device (i.e., a calculation device that realizes a unidirectional function) as a device that inputs authentication data and converts the data (i.e., a data conversion device). In this method, authentication data, which is a secret parameter of one node, is converted by a one-way function and the value is used as public information for each node. Set it in the public groove that you own on the storage device. A secret parameter may be provided for the authenticating element (eg, the node or the user of the node).

In authentication method 1, it is not necessary to secretly deliver authentication data before key delivery, and only transfer public information and set it in a storage device. The one-way function is expressed as f(·).

A one-way function is a function in which it is easy to calculate f(θ) from θ, but it is extremely difficult to calculate O from f(θ) due to the large amount of calculation. That's true. The unidirectional function calculation device can be realized by hardware or a combination of hardware and software.

An example of the configuration of a device that can realize f(・) is shown below. For an appropriately selected cryptographic method (for example, DES encryption, FEAL encryption, etc.), if the key is K, the one-way function f(
θ) can be as follows.

f(θ)=E(K: Ofθ 22, e represents exclusive OR. for example.

XeY represents the exclusive OR of X and Y. The secret information in this case is θ, and the public information is the encryption function E(K:
The cryptographic algorithm of θ), the key K, and f(θ).

The encryption algorithm is arbitrary and may be the same as or different from the encryption algorithm of the communication data encryption device. The unidirectional function calculation device can be realized by hardware or a combination of hardware and software.

FIG. 3 is an elliptical example of a unidirectional function calculation device.

The one-way function operation device 11 includes a flow dividing device 12, a one-way function operation device encryption device 13, and an exclusive OR operation device 1.
4, and signal paths 15, 16, 17, 18, 19, 20.

From the signal path 2o, a cryptographic device 1 for a one-way function arithmetic device is connected.
Enter the key to 3. The cryptographic device 13 for one-way function calculation device always performs encryption processing. Input data is input from signal path 15.

The same data is outputted to the signal path 16 and the signal path 17 by the flow dividing device 12 for the data input from the signal path 15,
Data obtained by encrypting the input data is output to the signal path 18 . The data on the signal path 17 and the signal path 18 are subjected to an exclusive OR operation by the exclusive OR operation device 14, and are outputted to the signal path 19 as output data.

An example of the configuration of a public groove when providing authentication data to each node is shown below.

Let Qij be authentication data owned by node i and used by node j to authenticate the validity of node i when information is transferred from node i to node j.

The public information of the public groove that is stored individually in the storage device at each node before the start of the distribution procedure of the shared signal section is 1. For example, at node i, (i = 0.1... + n), f (
Qx, :+), (where j=o, 1-, n, and i≠
j). However, each node only needs to set the public channel for nodes that are potential communication partners.

A public groove can be referenced by all nodes and can only be updated by the node that owns it.

When information in a public channel is accessed between nodes, only public information is transferred between nodes, so there is no problem with security even if a suitable person eavesdrops on the communication line.

Before starting the shared cryptographic key distribution procedure, each node obtains information about its own node from the public channels of other nodes,
Save it to your own node's storage device. That is, the node is
By accessing the public channel of node j, which is a potential communication partner, or by notification from node j, f (Qji), (where j=LL'''+n and i≠j) is transferred to node i. Save it in the storage device. (Qji is authentication data different from Qij.) When delivering the shared encryption key from node i to node j,
An example of a method for node j to authenticate to node i will be described.

Node i encrypts Qij and KCij as authentication data using a discrete power function cryptographic device and transmits the encrypted data.

Node j obtains KCij and Qjj by decoding,
Qji is obtained, Qij is encrypted, and then transmitted.

Node j obtains KCij and Qij by decoding.

f (Qij) calculated from Qij is already on the other side (
That is.

The validity of node i is authenticated by confirming that the information obtained from the public channel of node i) is equal to the information held by node j (ie, f (Qij)).

After the node j confirms the delivered Qij and completes it,
Erase immediately. Furthermore, in this case node i is node j
An example of a method for authenticating is that node j encrypts Qji using a communication data encryption device using KCij sent from node i as a key and sends it to node i, and node i transmits the encrypted Qji to KCji. Decrypt it using a communication data encryption device as a key to obtain Qji, and then
By checking that f (Qji) calculated from j is equal to the information (i.e., f (Qji)) already obtained from the public channel of the other party (i.e., node j) and held at node i, Authenticate node j. Node i immediately deletes the delivered Qji after completing the authentication process.

If authentication method 1 is performed in one direction (for example, transmission from node i to node j), it will be one-way authentication, and if it is performed in both directions, it will be two-way authentication.

In addition, regarding the public groove, a public groove in which all node public information is set is set in the storage device of a specific node, and other nodes obtain the public information necessary for authentication processing from the public groove of that specific node. This is also possible as another embodiment.

b) Authentication method 2 Authentication method 2, which is an alternative method to authentication method 1, uses a password as authentication data to authenticate the other party's node during key distribution.

In authentication method 2, a data conversion device for authentication data is not used, and a password as authentication data is secretly shared in each direction between a pair of nodes. A password can be provided for an authenticating element (eg, a node or a user of a node).

The password must be generated and held by one of the nodes before the shared encryption key distribution procedure begins, and must be kept secret by both nodes performing encrypted communication.

A method for node j to authenticate node i when a shared encryption key is distributed from node i to node j will be described.

Node j uses Pi to authenticate node i.
Let it be j. Node i uses Pjj as authentication data for K
It is encrypted together with Cij using a discrete power function cryptographic device and transmitted.

Node j obtains cij and Pjj by decoding,
The information that the receiving Pjj has already secretly obtained from the other party (i.e., node j) and is secretly held at node J (i.e.,
Pij) by checking that node i
certify the validity of

Node j must immediately delete the received Pjj after completing the authentication process. (In addition, PiJ kept secret is kept as is.) An example of a method for node i to authenticate node J in this case is that node j uses the KCij delivered by node i as a key to encrypt the communication data. The device encrypts PJi, which is a password for node i to authenticate node j, and sends it to node i,
Node i decrypts the encrypted Pji and returns Pj
The legitimacy of node j is authenticated by obtaining i and confirming that the received Pji is equal to the information held secretly by node i (ie, Pji).

Node i immediately deletes the received Pji after completing the authentication process. (In addition, the Pjj kept secret is
Save it as is. ) Here, Pji is a different password from Pjj.

If authentication method 2 is performed in one direction, it will be one-way authentication, and if it is performed in both directions, it will be two-way authentication.

C) Omission of authentication of the legitimacy of the other party node when delivering the shared encryption key In the shared encryption key delivery method of the present invention, the authentication processing described in authentication method 1 and authentication method 2 is performed when the shared encryption key is delivered. Even if ``is omitted'', the shared encryption key can still be distributed.

This can be applied, for example, to a communication system where it is sufficient to confirm the validity of the other party's node when connecting a line.

Note that in the embodiment of the present invention, a case is described in which nodes mutually authenticate the validity of the other party's node, but in order to mutually authenticate the validity of the other party's user between the users of each node, In the shared encryption key distribution method of the present invention, by providing authentication data to a user who requires authentication,
It is possible to authenticate the validity of the user of the other node.

A random number generator generates a shared cryptographic key, an encryption key and a decryption key for a discrete power function cryptographic device, a key for a cryptographic device for a one-way function arithmetic device, authentication data, and the like.

For example, how to generate random numbers in a random number generator.

rKnuth, D.E., Masaaki Shibuya (translator) “Th
e Art of Computer Progra
mming 3rd volume quasi-numerical calculation method 3rd counting method can be used.

However, the random number generator used in the present invention only needs to allow each node to generate data unknown to other nodes as pseudo-random numbers. The data generated from
It can also be used as a random number. The random number generator can be implemented using hardware or a combination of hardware and software.

FIG. 4 is an example of a logical configuration of the communication device 50.

In order to realize the method of the present invention, the communication device 50 includes a processing device 51, a storage device 52, a line control device 53, a communication line 61, a discrete power function cryptographic device 1, a communication data cryptographic device 6, a one-way Functional operation device 11, and.

It has signal paths 41 and 42. The processing unit performs various calculations and controls. However, the signal path 41 is the signal path 2, 3, 4, 5, 7, 8, in FIG. 1, FIG. 2, and FIG.
9, 10, 15, 19, and 20 are collectively shown. The random number generator includes a processing unit. Authentication method 2 (i.e., a method that uses a password as authentication data)
When using or omitting authentication, the one-way function calculation device 11 is not necessary. The internal physical configuration of the communication device is arbitrary, and it is also possible to integrate two or more individual devices inside the communication device.

Next, four examples of the shared encryption key distribution procedure are shown in Step 1, Step 2, Step 3, and Step 4 below.

First, common points regarding two or more procedures will be described.

The shared encryption key distribution procedure starts with one node first,
The other nodes start the delivery procedure by receiving a telegram (ie, a unit of information communicated over the communication line) from the node that started the delivery procedure first.

In one procedure, the logical configuration of each node is the same, and one step (Stsρ) describes an operation closed to one node, so the device numbers at each node are not distinguished in the following procedure. .

Perform each step in numerical order.

When an abnormality occurs during the execution of each procedure (for example, when a message that should be received cannot be received, or when the authentication data of the other node is incorrect as a result of authentication, etc.), the shared encryption is used. The processing of the key distribution procedure ends abnormally in all nodes related to the processing.

Before starting the shared encryption key distribution procedure, the pair of nodes share the value of the modulus (denoted as N) used in the discrete power function cryptographic device, and each node stores the value of N in its storage device. . Each node calculates G(N) along with N, which is defined in the description of the discrete power function cryptographic device, and stores the value of G(N) in the memory discrete form.

The value of the modulus is public information for each node, and if it is set to -degree, it can be commonly used for any number of shared encryption key distribution procedures.

The symbol ■ represents concatenation (combining two values as they are), and for arbitrary integers X and Y, X■Y (
nod N) is (X (mod N))■(Y (I
lodN)).

The key for converting into a discrete power function cryptographic device at node i is represented by zi, and the key for decryption is represented by zI (the same applies to other nodes).

Since procedures 1 and 2 use authentication method 1, the information related to the authentication data described in the explanation of authentication method 1 must be set before procedure 1 or procedure 2 is started.

That is, the function of the one-way function calculation device is expressed as the one-way function f(
), for node i, the secret information is Qi
j, the public information in the public rA register is f (Qij), and the information obtained from the public information in the public groove of other nodes (ie, node j) and held for authentication is f (Qji).

For node j, the secret information Qjj, the public information in the public groove is f (Qji), and the information obtained from the public groove of other nodes (i.e., node i) and held for authentication is f (Qij
). The logical specifications of the one-way functional arithmetic device (i.e., all elements for determining the relationship between input data and output data (password algorithm, internal structure, key value, etc.)) are defined by node i and node j. Common.

When a node secretly stores data in a storage device, the means for ensuring ``secrecy'' (for example, encryption) is arbitrary, as long as it prevents information from leaking outside the notebook.

In the shared cryptographic key distribution means of the present invention, for example, if both nodes start the key distribution means almost simultaneously, the key distribution procedures will conflict; in such a case,
For example, conflicts can be avoided by comparing the identification names of nodes numerically and giving priority to the procedure of the larger node.

In the shared encryption key delivery procedure, if the shared encryption key (or the shared encryption key concatenated with authentication data) exceeds the encryption block length determined by the modulus of the discrete power function cryptographic device, the shared encryption key is Split the encryption key into multiple parts,
Each part can be set to multiple blocks, and each block can be subjected to the processing shown in the shared encryption key distribution procedure.

In this case, when using authentication method 1 or authentication method 2, authentication data of the same value is added to blocks in which individual parts of the divided shared encryption key are set.

By linking additional information to the shared encryption key in the shared encryption key delivery procedure, any additional information (for example, time, date, notification information, etc.) can be transferred when the shared encryption key is delivered, if necessary. Authentication data is also a type of additional information.

In this case, if the data to be encrypted for additional information exceeds the cipher block length of the discrete power function cryptographic device, create the necessary number of blocks containing only additional information according to the additional information, and This problem can be dealt with by performing processing such as encryption and decryption on the block using a discrete power function cryptographic device as shown in the shared encryption key distribution procedure.

In this case, when using authentication method 1 or authentication method 2, authentication data having the same value is added to each divided block. Additional information can have a length of zero (ie, be omitted) when it is not needed.

(Procedure 1) Procedure 1 is an example of a shared encryption key distribution procedure using authentication method 1 in point-to-point communication between node i and node j.

FIG. 5 shows the relationship of messages in step 1.

Step (stop) 1: Node i uses a random number generator to select node i and node j.
A shared encryption key KC1j for communication between the parties is generated and secretly stored in a storage device.

Next, using a random number generator, generate 1lZi for encryption of the discrete power function cryptographic device of node i such that Zi and G(N) are mutually prime, and secretly store it in the storage device. .

Furthermore, by using a discrete power function cryptographic device, A I =
exp (KCij■Qxj+Zi) (mod N)
is calculated, and a message 101 containing AI is sent to node j.

Furthermore, let ZIi be the inverse destination of Zi modulo G(N).

ZIi−Zi=1 (IIIod G (N)), and node i calculates ZIi and secretly stores it in the storage device.

5tep2: Upon receiving the message 101, node j uses a random number generator to generate I! for encryption by the discrete power function cryptographic device of node j. Zj is generated such that Zj and G (N) are disjoint and secretly stored in a storage device.

Furthermore, A2=exp(
AI, Zj) (mad N), that is, A2 = exp (KCij■O1j, Zi-Zj
)(+od N), and the message 102 including A2 is
Send to node i.

Furthermore, if ZIj is the inverse destination of the modulus Zj, then Z
Ii ・Zj=1 (nod G (N)),
Node j calculates ZIj and secretly stores it in storage.

5tep3: When the node i receives the message 102, the discrete power function cryptographic device calculates A3=exp(A2.ZIi) (mad N), that is, A3=exp(KCij■Qij+Zi)(I
IIod N) and sends the message 103 containing A3 to the node.

5tep4: When node j receives the message 103,
A4=exp(A3.ZIj)(nod N) is calculated using a discrete power function cryptographic device to obtain A4=KCij[share]Qij, and further, using a unidirectional arithmetic device, A5=f
(Qij), A5 is obtained from the public groove of node i and node j
The validity of node i is authenticated by confirming that it is equal to f (Qij) owned by node i.

When the authenticity can be verified, KCij is stored secretly in the storage device.@Qij is deleted after verification. Furthermore, Z
Delete j and ZIj.

5tep5: Node j calculates A6=E (Kcij : Qji) using the communication data encryption device, and
6 is sent to node i.

5tep6: When node i receives the message 104,
A communication data encryption device calculates A7 = D (xcij: A6) = Qji, and a one-way function calculation device calculates A8
= f (Qji), A8 obtains from the public groove of node j and
The legitimacy of node i is authenticated by confirming that it is equal to f (Qji) owned by node i.

Qji is deleted after authentication.

5step7: Node i deletes Zi and ZIi.

(End of step 1) (Step 2) As a form of point-to-multipoint communication, for example, add the function of delivering a shared encryption key in broadcast encrypted communication (encrypted communication in broadcast communication) to step 1. The procedure is referred to as step 2.

Broadcast cryptographic communication requires the functions of broadcast secret communication and individual secret communication.

Broadcast secret communication is realized by encrypting and decrypting communication data using a shared cryptographic key (denoted as Cg) common to the nodes that make up the broadcast communication group, while individual secret communication is
This is achieved by encrypting and decrypting communication data using an individual shared encryption key KC.

FIG. 6 is an example of the interrelationship of five nodes.

Since each node is interconnected by a communication line 61, for example, broadcast encrypted communication from node O to node 1, node 2, node 3, and node 4 is possible.

Node i and node j among n+1 nodes.

Between (1+j=0+L...'t n, and i≠j),
A procedure (procedure 2) including the procedure for delivering KCg in procedure 1 is shown below.

Although the modulus value N of the discrete power function cryptographic device is public information common to all nodes in step 2, it is also possible to use a different value of N for each node pair.

FIG. 7 shows the relationship of messages in step 2.

5tepl: Node i uses a random number generator to create a shared cipher for one individual communication @KCij, F=O+1+”' n,
i #j) and a shared cipher @KCg for broadcast communication are generated and secretly stored in a storage device.

Next, a random number generator is used to generate an encryption key Zi for the discrete power function cryptographic device of node i such that zi and G(N) are mutually prime, and it is secretly stored in a storage device. do.

Furthermore, each node j,
For (j = 0.1...n and i≠j), B
11j=sxp(KCij■Qij)■exp(KC
g■QIjIZj) (nodN), and B11j
The message 201 including
・n, and i#j). Furthermore, if ZIi is the backlighting of Zi modulo G (N), then ZIi−
Zi=1 (nod G (N)), and node i calculates ZIi and secretly stores it in the storage device.

Sta, p2: Node j, F=Otlt''' n, and i≠j) receives the message 201 and uses a random number generator to generate the encryption key Zi of the discrete power function cryptographic device of node j. is generated such that Zj and G(N) are disjoint and secretly stored in a storage device.

Furthermore, by using a discrete power function cryptographic device, B21j=e
xp(Kcij■Qij, Zi-Zj)■exp (
KCg■Qij, Zi-Zj) (IIIod N) is calculated, and the message 202 including B21j is sent to node i. Furthermore, if ZIj is the backlighting of Zj modulo G (N), then ZIj - Zj = 1 (+od G (N)), and node j calculates ZIj and secretly stores it in the storage device. .

5tep3: Node i connects each node j, (j=0,1
．． ...n, and i # j ), the discrete power function cryptographic device executes the following:
Zj−ZIi)■exp (KCg■Qij, Zi−
Zj−ZIi) (Ilod N), that is, B51j =exp (to Cij■QijtZj)■e
xp(KCg■Qij + Zj) (n.

dN) and transmits a message 203 including B51j to each node j, (j=0, 1...n, and i≠j).

5tep4: Upon receiving the message 203, the node j, F=O+1+"・n, and i#j) uses the discrete power function cryptographic device to execute B4ij = axp (KCij■Qij, Zj
-ZIj)■exp (KCg■Qij, Zj-ZI
j) (n+od N), that is, B4ij = (KCij■Qij)■(KCg■Qi
j), and further, by a one-way function calculation device, B
51j = f (Qij), B51j obtains from the public groove of node i and
By confirming that f (Qij) owned by node j is equal to f (Qij), the validity of node j and KCg are secretly stored in the storage device.

Furthermore, Zj and ZIj are deleted.

5tep5: Node j, F ``Otl+''' n, and i≠j) uses the communication data encryption device to write B6ij = E(KCij; Qji)■E(KC
g ; Qji) and create message 20 containing B6ij.
4 to node i.

5tep6: Node i, each node j, F ”O+1+
”・n, and i#j), the communication data encryption device executes B7ij=D(KCij : E(KCij ; Qj
i)) That is, B7ij = Qij and B8j i =D(KCg; E(KCg; Qji
)) That is, calculate B8ij = Qij, and calculate B9ij = f (Qji) for Qji of B7ij and B8ij, respectively, using the one-way function arithmetic device, and B9ij obtains from the public groove of node j and By checking that f (Qji) owned by each node j, (J=O+1+...n
, and i#j). Qji is deleted after authentication is completed. Node i has all counterpart nodes (i.e., nodes j, (j = 0.1...n, and i
#j)) When the validity verification in 5step 6 is completed, the process moves to 5step 7.

5step7: Node i deletes Zi and ZIi.

(End of Step 2) (Step 3) Step 3 is an example of a shared encryption key distribution procedure using authentication method 2 in point-to-point communication of node j. Let Plj be the password used by node j to authenticate node i. node i is node j
Let Pjl be the password for authenticating. node i
and node j keep both Pij and Pjj secret before the start of step 3.

FIG. 8 shows the relationship of messages in step 3.

5tepl: Using a random number generator, node i generates a shared encryption key KCij for communication between node i and node j, and stores it in the storage device.

Next, using a random number generator, generate an encryption key Zi for the discrete power function cryptographic device of node i such that Zi and G(N) are mutually prime, and store it in the storage device. .

Furthermore, using a discrete power function cryptographic device, CI = e
xp(KCij■Pij,Zi) (mod N) is calculated, and the message 301 including C1 is transmitted to node i. Furthermore, if ZIi is a cousin of Zi with mod G(N), then ZIi-Zimi1 (mod G(N)),
Node i calculates ZIi and stores it secretly in storage.

5tep2: Upon receiving the message 301, node j uses a random number generator to generate the encryption key Zj of the discrete power function cryptographic device of node j so that Zj and G (N) are mutually prime. generated and secretly stored in a storage device. Furthermore, by an m-defective power function cryptographic device.

C2=exp(C1,Zj)(nod N), that is, C2=exp(KCij■Pij, Zi-Zj)(
mad N) and sends a message 302 including C2 to node i. Furthermore, Z with ZIj modulo G(N)
If it is a cousin of j, then ZIj−Zj=1 (mod G (N)),
Node j calculates ZIj and stores it secretly in storage.

5tep3: When the node i receives the message 302, the discrete power function cryptographic device calculates C3=exp(C2, ZIi) (mad N), that is, C3=exp(KCij("1Pij, Zj) (m
od N) and sends the message 303 including C3 to node j
Send to.

5tep4: When node j receives the message 303,
By calculating C4=exp(C3,ZIj) (nod N), that is, C4=KCij■Pij using a discrete power function cryptographic device, and confirming that Pij is equal to Pij owned by node j, node i certify the validity of When the authenticity is confirmed, the received Pij is deleted and the KCij is secretly stored in the storage device.

Furthermore, Zj and ZIj are deleted.

5tep5: Node j creates C6=E (KCij; Pji) using the communication data encryption device, and
6 is sent to node i.

5tep6: When node i receives the message 304, the communication data encryption device calculates C7=D (KCij; C6), that is, C7=Pji, and -Pji is equal to Pjj owned by node i%.
By confirming that N, the validity of node j is authenticated, and if authentication is successful, the received Pji is deleted.

5step7: Node i deletes Zi and ZIi.

(End of step 3) (Step 4) In step 4, in point-to-point communication between node i and node j, when delivering the shared encryption key,
Shared encryption key distribution that eliminates authentication of the other party's node, and splits the shared encryption key into two blocks, which are then encrypted and decrypted using a discrete power function cryptographic device. This is an example of the procedure.

5tepl: Node i uses an argument generator to generate a shared encryption key KCij for communication between node i and node j, and divides KCij into two parts, KCl1j and KC
Divide into 2ij. That is, KCij = KCl1j■KC2ij.

Next, using a random number generator, generate aZi for encryption of the discrete power function cryptographic device of node i such that Zi and G (N) are mutually prime, and secretly store it in the storage device. do.

Furthermore, using a discrete power function cryptographic device, F1=exp
(KClij, Zi) ■ exp (KC2ij, Zi) (
nod N) and transmits a message 401 containing Fl to node j. Furthermore, if ZIi is converted to the Zik inverse modulo G (N), then ZIi − ZiE 1 (IIIod G (N)), and node i calculates ZIi and secretly stores it in the storage device. save.

5tep2: Upon receiving the message 401, node j uses a random number generator to encrypt ! of the discrete power function cryptographic device of node j. IZj is generated such that Zj and G(N) are disjoint and secretly stored in a storage device. Furthermore, using a discrete power function cryptographic device, F2=exp(K
Clij, Zi4j)■5xp(KC2ij, Zi-Z
j) (IIIodN), and the message 40 containing F2
2 to node i.

If ZIj is the inverse destination of Zj modulo G(N), then Z
Ij−Zj=1(mad G (N)), and node j calculates ZTj and secretly stores it in the storage device.

Step3: When the node i receives the message 402, the discrete power function cryptographic device uses the following formula: F3=exp(KClij, Zi-Zj-Zlj)0
”exp(KC2ij, Zi-Zj-ZIi))(m
od N), that is, F3=exp(KClij, Zj)■exp(KC2i
j, Zj) (mod N), and the message 4 containing F3
03 to node j.

5tep4: When node j receives message 403,
Using a discrete power function cryptographic device, F4=axp(KClij, Zj-ZIj)■axp
(KC2ij, ZJj-ZIj) (mad N), that is, calculate F4 = KCl1j KC2ij = KCij, and secretly store KCij in the storage device. Furthermore, Zi and ZIj are deleted.

Step 5: Node j transmits a message 404 indicating that KCij has been successfully received to the node.

5tep6: Node i receives the message 404 and sends the KC
It is learned that ij has been successfully received by node J.

5step7: Node i deletes Zi and ZIi.

(End of Step 4) In Steps 1, 2, and 3, the condition of the system to which the present invention is applied is that the authentication only requires node j to authenticate node j (for example, if node i
(e.g., when the authentication for node j has been completed by other means), in step 5, node j only needs to respond to node i with a notification of completion of the shared encryption key distribution process, and in step 5 The process of step 6 is only to confirm the completion of the process of the other party node upon reception of the message.

In addition, if node i only needs to authenticate node j, node i from 5tep 1 to 5tep 4
The authentication process related to the authentication data from node j (that is, Qij in steps 1 and 2, and PiJ in step 3) can be omitted.

(Effects of the Invention) In the shared cryptographic key distribution method of the present invention, the main influence on the processing time is the processing time of the discrete power function cryptographic device, but the public information in the discrete power function cryptographic device is The secret parameters (i.e., the encryption key and the decryption key Im) in the discrete power function cryptographic device are only the modulus of the form power function, and the secret parameters (i.e., the encryption key and the decryption Im) are Because it is disposable (i.e., generated and erased for each key distribution), even if an adversary learns of the plaintext and ciphertext using the old secret parameters of the discrete power function cryptographic device, it will not be possible to decrypt the discrete logarithm. , or decryption (knowing the latest secret parameters) by prime factorization is not possible, so the value of the modulus of the discrete power function is R
It can be made smaller than the key distribution method using 8A encryption, Mr. Diffie's shared key generation method, and Mr. Shamir's method.

For example, in the R3A encryption, the modulus value requires an integer of 200 decimal digits (approximately 600 bits), whereas in the shared encryption key distribution method of the present invention, the modulus value is several 10 decimal digits. (For example, when there are 30 digits in decimal, the number of bits is approximately 100 bits, and when there are 20 digits in decimal, the number of bits is approximately 66 bits.)
However, when determining the value of the law, it is necessary to take into account the conditions of application to the applicable communication system.)

Further, in the shared encryption key distribution method of the present invention, by using a plurality of blocks, it is possible to transfer secret information of any length.

The calculations of the discrete power function cryptographic device are the exponentiation of the discrete power function by the encryption key and the decryption key, and the remainder calculation by the modulus value, since the key length also depends on the modulus value. , the amount of calculation increases as the value of the modulus increases.

Although the amount of calculation by the discrete power function depends on the calculation method, for example, rRivest, R, L, et al.

“A Method for Obtaining D
Digital Signature and Public
ic-Key Cryptosystems” +Co
mmunications of the ACM, V
ol, 21. No, 2°pp, 120-126. (
1978), page 123, when M, t, and N are integers, M '' (m
od N ), that is, the calculation of the remainder where N is the modulus of M to the t power requires approximately 2.logz(t) multiplications and approximately 2.logz(t) times of multiplication and approximately 2.log
2(t) divisions are required.

For actual measurements of calculation time based on the value of the law of discrete power functions, see, for example, "Matsumoto, Miyoshi, Imai: Comparison of characteristics of asymmetric cryptosystems realized by microcomputers",
Institute of Electronics and Communication Engineers technical research report.

(Information Theory), Vol. 83. No, 34. I Ta
2-48, Pp, 49-58, (1981)” 52
The page shows the relationship between the message length (that is, the value of the modulus of a discrete power function) and the computation time, and as the message length increases, the computation time increases significantly.

Therefore, in the present invention, Diff
The processing time required for key distribution in a communication device can be significantly reduced compared to Mr. Ie's key distribution method using a discrete exponential function, the MIX method using R3A encryption, and Mr. Shamir's method.

Furthermore, the shared encryption key distribution method of the present invention can also authenticate the authenticity of the communication device on the other side.

A method used to check passwords (for example, Diffie, W,
and Hellman, l(,: “New Di
"reactions in Cryptography"
, IEEE Transactions, IT-22
゜No, 11. pp, 644-654 (1976) J
No. 49-650 Hesi) is known, but this method has the problem that the password must be distributed in advance.

Authentication method using the one-way function of the present invention (authentication method 1
) does not require human intervention to communicate confidential information, so it is safe and easy to operate.

Furthermore, depending on the conditions of the applied communication system, an authentication method using a password (authentication method 2) or omission of authentication can be selected.

[Brief Description of the Drawings] Figure 1 is an example of the configuration of a discrete power function cryptographic device, Figure 2 is an example of the configuration of a communication data cryptographic device, and Figure 3 is an example of the configuration of a unidirectional function calculation device. , FIG. 4 is an example of the configuration of a communication device, FIG. 5 is an explanatory diagram of the relationship between messages in step 1, FIG. 6 is an example of the relationship between communication devices, and FIG. 7 is an illustration of the relationship between messages in step 2. An explanatory diagram, FIG. 8, is an explanatory diagram of the relationship between messages in step 3. 1... Discrete power function cryptographic device, 2.3, 4.5... Signal path, 6... Communication data cryptographic device, 7.8, 9.10... Signal path, 11... - One-way function calculation device, 12... Diversion device, 13... Encryption device for one-way function conversion device, 14...
・Exclusive OR operation device, 15.16, 17, 18, 19.20... signal path, 4
1.42...Signal path, 50...Communication device, 51...Processing device, 52...Storage device, 53...Line control device, 61...Communication line, 101...A1 A message including 102...A2, 103...A3, 104...86, 201...B11j, 202...B21j, 203... A message including B51j, 204... A message including B6ij, 301... A message including C1. 302... A message including C2, 303... A message including C3, 304-... A message including C6. Here, A 1 = exp (KCji■Qij+Zi)(
nod N), A 2 = exp (KCij■Qi
j, Zi-Zj) (mod N), A3 = exp
(KCij■Qij, Zj) (modN), A6
=E (KCxj; Qji), B11j=exp(K
Cij■Qij,Zi)■exp(KCg■Qij,Z
i) (mod N), B21j=exp(KCij■Q
ij, Zi4j) (mod N), B51j=exp(
KCij■Qxj, Zx)■exp (KCg■Qij
, Zj) (nod N), B6ij=E(KCij;Q
ji)■E(KCg;Qji), C1=exp (KC
ij ■ pij, zi) (mod N), C2=exp
(KCij ■ Pxj, zl'ZU) (mod N), C
3=exp (KCi j ■ Pij, Zj) (nod
N), C6=E(KCij; Pji). Kaya 1 Plans and cleansing ('l1ltit agent, also listed on 11 1hi) Urupuku 2.3.4.5 -41η Figure 2 Daikuhoji Uba 7, 8.9. IO-4S 1st page 3rd figure 11--sa Igl affected ■ 叡邊饗p so-called 12° swei alliance 1 13-chi gradient 郺閘叛罎诽ρ 1 为片版東! 14-thread cut-off candle with seven peppers filling 1 +5.16. ＋7.18.19.20 No. 63 piece No. 4 Figure 4 41, 42... 50 Begaku No. rewards (chiρ1 51 Processing reward 1 52・° Ornamentation area 53° U edge control reward 1 61... Tonghua Circular Figure 5 Note ``1J)-do'' +or-AI S Old Mo1 < 102・A2 % Shamutun (+03-43! Shamu 41 Tomo+04・A64 Old Hiroya No. 6 Figure 2-Do 0 61 ・Tsu (8TfJ 7th figure 20+ -8111 @mukatsu ( 202-82jj @ 4ji: t Roasted 203°
83L1 MotoCtuntengo A-B6Lj Hair person 0 section Figure 8

Claims (4)

[Claims] (1) In communication among multiple communication devices, in order to distribute a shared encryption key, each communication device has a discrete power function cryptographic device, and before starting the shared encryption key distribution procedure,
The modulus value of the discrete power function used in the discrete power function cryptographic device has the same value for each pair of communication devices that communicate, and for each pair of communication devices, In the shared encryption key delivery procedure to the communication devices, the first communication device that starts the shared encryption key delivery procedure first generates and holds the shared encryption key, and each communication device uses a discrete power function cryptographic device. An encryption key and a decryption key for cryptographic processing are generated and held for each communication device when each communication device starts the shared encryption key distribution procedure, and the processing of each communication device is as follows: 1st
The communication device transmits encrypted data including the shared encryption key to the second communication device, the second communication device encrypts the received data and transmits it to the first communication device, and the second communication device encrypts the received data and transmits it to the first communication device. The communication device decrypts the received data and sends it to the second communication device, and the second communication device decrypts the received data and obtains the shared encryption key as a shared encryption key delivery procedure. At the end of the shared encryption key distribution procedure in each communication device, each communication device erases the encryption key and decryption key for cryptographic processing of the discrete power function cryptographic device, The encryption key and decryption key for cryptographic processing of the discrete power function cryptographic device in each communication device are generated and deleted in each communication device for each shared encryption key delivery procedure. This is a shared encryption key distribution method that is characterized by the fact that, in order to authenticate the validity of communication devices, each communication device must verify that the communication device on the receiving side of the message has received the message before starting the shared encryption key distribution procedure. It is possible to choose to retain authentication data to authenticate the validity of the transmitting communication device, and each communication device can convert the authentication data into data before starting the shared encryption key distribution procedure. The value can also be held in the other party's communication device, and in the procedure for delivering the shared encryption key, the sending communication device secretly transmits the authentication data as additional information to the shared encryption key, The receiving side converts the secretly received authentication data and compares it with the converted authentication data already held on the receiving side to verify the authenticity of the sending communication device. 1. A method for delivering a shared encryption key, characterized in that it is possible to authenticate the authenticity of a communication device at the time of delivery of the shared encryption key. (2) Claim No. 1 (1) characterized in that a one-way function calculation is used as the data conversion of the authentication data.
) Shared encryption key distribution method described in section 2. (3) Data conversion of authentication data is a non-conversion function that does not perform data conversion, and the shared encryption key described in claim (1) is characterized in that the password is used as the authentication data. Delivery method. (4) The shared encryption key delivery method according to claim (1), wherein authentication of the validity of the communication notification is omitted when the shared encryption key is delivered.