US20070189517A1 - Pseudo public key encryption - Google Patents

Pseudo public key encryption

Info

Publication number
US20070189517A1
Authority
US
United States
Prior art keywords
key
section
user
inputted
message
Prior art date
Legal status
Abandoned
Application number
US11/338,063
Inventor
Akira Koseki
Takeshi Imamura
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date
Filing date
Publication date
Application filed by International Business Machines Corp
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignors: IMAMURA, TAKESHI; KOSEKI, AKIRA
Publication of US20070189517A1
Priority to US12/558,868 (US8139766B2)
Legal status: Abandoned

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
    • H04L9/3242: Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80: Wireless

Definitions

  • the present invention relates to a method and system for a public key encryption, and in particular to a method and system for realizing a pseudo public key cryptosystem at a low cost.
  • Public key encryption methods, which are especially important among today's encryption techniques, are widely used for encryption, signature and authentication.
  • An algorithm for realizing a public key cryptosystem generally requires a very high cost of calculation.
  • One of practical methods to realize a public key cryptosystem is an RSA cryptography.
  • RSA requires raising a plaintext or ciphertext to the power of an exponent (the encryption exponent or the decryption exponent, derived from the value of Euler's totient function of n, where n is the product of two large prime numbers) and then reducing the result modulo n, and the cost of this modular exponentiation is very high.
  • the bit number of n is required to be large.
  • In this method, a receiver encrypts his own secret key with the secret key of a third-party body and publishes the result. A sender decrypts it with the third-party body's secret key, encrypts a message with the receiver's secret key thus obtained, and sends it.
  • The receiver decrypts it with his own secret key. Because the encryption with the third-party body's secret key, the decryption with that key and the encryption with the receiver's secret key are all performed inside tamper-proof hardware, security is ensured. In this method, however, the sender and the receiver have to use different hardware, and both of their secret keys are required to be used on the same hardware. In that an ID is published, this method resembles an ID-based cryptosystem, in which a public key is distributed without going through a certification body.
  • a key generation body generates a user's private key from a unique ID of the user, and anyone can generate the user's public key from the user's ID.
  • This method is convenient with regard to distribution of a public key.
  • the nature of the trap-door one-way function in the RSA cryptography and the like is utilized for encryption-decryption of a message, and the cost required for the processing is as high as that of common public key cryptosystems.
  • Patent Document 1: Published Unexamined Patent Application No. 2004-70712
  • the present invention provides methods and systems for realizing a pseudo public key cryptosystem at a low cost.
  • the present invention provides methods and systems capable of more inexpensively realizing encrypted information communication and code-signed communication with the use of a public key.
  • the present invention provides methods and systems enabling information processing and communication to be performed with high security maintained, on a terminal such as a mobile terminal on which signature is frequently performed and for which instantaneous processing is required.
  • the present invention provides methods and systems for realizing a function which requires an expensive operation using pseudo operations.
  • a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost.
  • a trap-door one-way function which is considered essential for constitution of a public key cryptosystem generally, requires an “expensive” operation.
  • Such a function is substantially realized with the use of tamper-proof hardware.
  • Each user performs communication using equipment provided with hardware having the same capabilities described below.
  • Such hardware retains association between an ID and a key.
  • the hardware issues and stores an ID, and it can perform decryption and generation of a message authentication code (hereinafter referred to as a MAC) with a key associated with the ID.
  • although this hardware can perform encryption and verification of a MAC with any given ID, it cannot perform decryption or generation of a MAC except with the ID it has itself issued.
  • a user publishes his ID.
  • a message sender encrypts a message using the published ID of a message receiver and using hardware having the same capabilities as the receiver's hardware.
  • a third party can perform decryption with the ID only by analyzing the mechanism inside the hardware.
  • the hardware has a capability of destroying itself when such an act is attempted.
  • the present invention it is possible to realize encrypted information communication and code-signed communication with the use of a public key at a low cost.
  • FIG. 1 is a block diagram of hardware of the present invention
  • FIG. 2 is a diagram showing the details of an encryption-authentication section
  • FIG. 3 a diagram illustrating sending-receiving protocols of the present invention
  • FIG. 4 is a diagram illustrating other sending-receiving protocols of the present invention.
  • FIG. 5 shows an example of applying the present invention to an ID-based cryptosystem
  • FIG. 6 shows an example of applying the present invention to a mobile phone.
  • In this way a public key cryptosystem can be constituted as follows.
  • An inexpensively computable function F keyed by a secret key K is prepared, and F together with K is hidden in tamper-proof hardware.
  • Writing G(ID) for the key that the hardware derives from an ID, the ID is published as a pseudo public key: any such hardware computes G(ID) when performing encryption or verification of a MAC.
  • When decryption or generation of a MAC is performed, however, only the hardware of the valid owner of the ID computes G(ID).
  • Thus a trap-door one-way function F is realized by hardware, and a pseudo public key cryptosystem is obtained.
  • an apparatus including tamper-proof hardware which comprises an encryption-authentication section for performing issuance of an ID, encryption and authentication in response to a request by a user, and a tampering detection section for detecting a voltage change or pressure change and electrically destroying the encryption-authentication section.
  • the encryption-authentication section of the apparatus comprises: an ID issuance-registration section for issuing an ID in response to a request by a user and storing the ID in an ID storage section; a key generation section for generating a key corresponding to an inputted ID using a one-to-one function and outputting the key; a first key acquisition section for, in response to a request by a user for decryption or generation of a message authentication code, comparing an inputted ID with the ID stored in the ID storage section and, if they match, handing over the ID to the key generation section and outputting the key it generates; a second key acquisition section for, in response to a request by a user for encryption or for verification of a message with a message authentication code attached, handing over an inputted ID to the key generation section and outputting the key it generates; a message authentication code generation section for handing over an inputted ID to the first key
  • An example of a method for performing pseudo public key encryption with the use of this apparatus includes the steps described below.
  • the method includes, in sending a message between a sending user and a receiving user having the apparatus A and the apparatus B, respectively, the steps of: the apparatus A selecting and storing a sending user ID, and then returning the sending user ID to the sending user, for publication of the sending user ID; the apparatus B selecting and storing a receiving user ID, and then returning the receiving user ID to the receiving user, for publication of the receiving user ID; the apparatus A acquiring a key corresponding to the sending user ID, generating a message authentication code and returning the message authentication code to the sending user; in response to a request by the sending user for encryption, the apparatus A acquiring a key corresponding to the receiving user ID, encrypting the message and the message authentication code and returning the encrypted message and message authentication code to the sending user; in response to a request by the receiving user for decryption of the encryption, the apparatus B acquiring a key corresponding to the receiving user ID, decrypting the received
  • Advantages of the invention include making it possible to realize encrypted information communication and code-signed communication with the use of a public key at a low cost.
  • FIG. 1 shows a block diagram of hardware of the present invention.
  • a system 100 is the entire system with an encryption-authentication section 101 and a tampering detection section 102 included therein.
  • the encryption-authentication section 101 performs services such as issuance of an ID, encryption and authentication in response to a request from a user.
  • the tampering detection section 102 detects voltage change or pressure change caused when a user attempts analysis of an internal circuit of the system 100 , and electrically destroys the encryption-authentication section 101 .
  • FIG. 2 is a diagram showing the details of the encryption-authentication section 101 in FIG. 1 .
  • An ID issuance-registration section 201 issues a unique ID in response to a request from a user, and stores it in an ID storage section 206 .
  • a key generation section 210 generates and outputs a key based on an inputted ID and a seed stored in a seed storage section 209 .
  • a first key acquisition section 207 compares an inputted ID with the ID stored in the ID storage section 206 . If the IDs are the same, the first key acquisition section 207 hands over the ID to the key generation section 210 , and outputs a key returned from the key generation section 210 .
  • a second key acquisition section 208 hands over an inputted ID to the key generation section 210 , and outputs a key returned from the key generation section 210 .
  • a MAC generation section 202 hands over the ID to the first key acquisition section 207 and acquires a key. If an error is not returned from the key acquisition section, the MAC generation section 202 calculates and outputs a MAC of the message. If an error is returned from the key acquisition section, the MAC generation section 202 returns an error to the user.
  • a MAC verification section 204 hands over the ID to the second key acquisition section 208 and acquires a key.
  • the MAC verification section 204 calculates the MAC of the message under that key and compares the result with the inputted MAC. If the MACs are the same, information indicating that the verification has succeeded is returned to the user. Otherwise, information indicating that the verification has failed is returned to the user.
  • an encryption section 205 hands over the ID to the second key acquisition section 208 and acquires a key. The encryption section 205 encrypts the plaintext based on the key, and returns the result to the user.
  • a decryption section 203 hands over the ID to the first key acquisition section 207 and acquires a key. If an error is not returned from the key acquisition section, the decryption section 203 decrypts and outputs the ciphertext based on the key. If an error is returned from the key acquisition section, the decryption section 203 returns an error to the user.
  • the hardware of the present invention has a capability of performing encryption-decryption and generation-verification of a MAC with a particular key, and tamper-proofness against hacking operation.
  • the hardware is provided with the following interfaces:
  • An encrypted message is exchanged as described below.
  • a message receiver requests an apparatus in which the system 100 of FIG. 1 is incorporated to issue an ID.
  • the system 100 hands over an ID associated with a particular key to the user and registers the ID.
  • the receiver publishes the received ID.
  • a message sender uses the published ID to encrypt a message to be sent, through an apparatus in which a system 100 having the same capabilities is incorporated. Substantially, only the receiver can decrypt the message.
  • a message with a MAC attached thereto is exchanged as described below.
  • a message sender requests an apparatus in which the system 100 is incorporated to issue an ID.
  • the system 100 hands over an ID associated with a particular key to the user and registers the ID.
  • the sender generates a MAC for a message to be sent with the use of the received ID, through the same system 100 .
  • the sender sends the message, the MAC and the ID.
  • a receiver of the message verifies the received MAC for the received message with the use of the ID through an apparatus in which a system 100 having the same capabilities is incorporated.
  • a method for further enhancing the security of the present invention is as follows. In order that only a receiver can decrypt a message and only a sender can generate a MAC, it is desirable that the same ID should not be maliciously used, which is a common problem in public key cryptosystem. In order to achieve this, the following methods will be employed.
  • When an ID is issued, it is encoded with higher entropy by including redundant information in it. This significantly reduces the possibility of the same ID being handed to two users. Furthermore, the coding algorithm is varied among apparatuses to make inverse encoding difficult, which makes it very hard for a malicious person to tell whether a published ID is the same as the ID registered with his own system 100. Furthermore, by treating a deliberately failed decryption as a malicious act and stopping the functionality when such an act is detected, a malicious person is substantially prevented from using decryption attempts to test whether two IDs are the same. This mechanism can be realized, for example, by padding with a random value, as follows.
  • The space of an original ID is defined as X bits, and a further Y-bit space is added in order to dilute the key. When an original ID is issued, a random Y-bit number is placed in this additional space.
  • The (X+Y)-bit value obtained in this way is shuffled to obtain the ID to be published. The shuffle may be a simple one, such as a combination of shifts and exchanges, but the algorithm is hidden inside the tamper-proof system 100. The probability of the same key being issued twice is thereby reduced to 1/2^Y of the probability when the X-bit value is used directly.
  • Recovering the original ID from the published (X+Y)-bit ID is also simple: the inverse of the shuffle is implemented in the tamper-proof hardware and the redundantly added space is removed.
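The padding-and-shuffle encoding just described, as an added example in Python that is not code from the patent. An X-bit original ID is extended with Y random bits, the (X+Y)-bit value is passed through a bit permutation that stays inside the tamper-proof hardware, and the inverse permutation strips the padding again. The widths X and Y, the permutation, the class and function names and the sample IDs are all constructed for this example; the page fixes none of them.

```python
import secrets

# Added example, not the patent's own code. Assumptions: X_BITS, Y_BITS and the
# per-apparatus permutation are constructed; the "shuffle" is modelled as an
# arbitrary bit permutation, which covers the shift-and-exchange shuffles the
# page mentions.

X_BITS = 24   # constructed width of the original ID space
Y_BITS = 40   # constructed width of the redundant (random padding) space


class IdEncoder:
    """Per-apparatus ID coding: pad with Y random bits, then apply a secret bit shuffle."""

    def __init__(self, x_bits: int, y_bits: int, rng=None) -> None:
        self.x, self.y, self.n = x_bits, y_bits, x_bits + y_bits
        rng = rng or secrets.SystemRandom()
        self._perm = list(range(self.n))          # hidden inside system 100
        rng.shuffle(self._perm)
        self._inv = [0] * self.n                  # inverse shuffle, also hidden
        for src, dst in enumerate(self._perm):
            self._inv[dst] = src

    def _move_bits(self, value: int, table: list) -> int:
        """Send bit i of value to position table[i]."""
        out = 0
        for src in range(self.n):
            if value >> src & 1:
                out |= 1 << table[src]
        return out

    def publish(self, original_id: int) -> int:
        """Issue a published ID: (original || random Y bits), shuffled."""
        if not 0 <= original_id < 1 << self.x:
            raise ValueError("original ID outside the X-bit space")
        padded = (original_id << self.y) | secrets.randbits(self.y)
        return self._move_bits(padded, self._perm)

    def recover(self, published_id: int) -> int:
        """Inverse operation: unshuffle and drop the redundant Y bits."""
        if not 0 <= published_id < 1 << self.n:
            raise ValueError("published ID outside the (X+Y)-bit space")
        return self._move_bits(published_id, self._inv) >> self.y


def same_id_issued_twice(encoder: IdEncoder, original_id: int) -> bool:
    """Two issuances of one original ID publish different values but recover the same ID."""
    first, second = encoder.publish(original_id), encoder.publish(original_id)
    return first != second and encoder.recover(first) == encoder.recover(second) == original_id


def other_apparatus_misreads(original_id: int) -> bool:
    """Coding varies per apparatus: another device's inverse does not recover the ID."""
    enc_a, enc_b = IdEncoder(X_BITS, Y_BITS), IdEncoder(X_BITS, Y_BITS)
    return enc_b.recover(enc_a.publish(original_id)) != original_id
```

The published value is 64 bits wide here, so two issuances of the same 24-bit original collide with probability about 2^-40 rather than 1; the padding does not add any secrecy to the key, it only spreads the ID space, which is exactly the point the page makes.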
  • An issued ID is validated by a certification body.
  • the certification body guaranteeing the uniqueness of the ID, invalid use of the ID is prevented.
  • the number of issuances is limited, or charge for issuance is imposed.
  • An ID of the present invention functions not as “an ID of an individual” but as “an ID of a key”. Therefore, generally, the present invention needs a certification body to publish an ID similarly to other (non-ID-based) public key cryptosystems. Meanwhile, since the object of an ID-based cryptosystem corresponds to the object of the present invention, it is also possible to use both systems in combination with each other.
  • a key generation body generates a user's private key so that the “ID of an individual” is adapted to be the “ID of a key”. This can be achieved, for example, by enabling only the key generation body to issue and register any given ID.
  • a public key can be known not via the certification body, and therefore, it is possible to construct a system enabling more inexpensive encryption.
  • the user A requests an ID from the hardware A ( 310 ).
  • the hardware A selects an ID (hereinafter referred to as ID-A) at random from an ID space ( 320 ), and returns the ID to the user A.
  • the ID is also stored in an ID storage section.
  • the user A publishes the ID-A.
  • the user B has also performed the same processing as the user A. That is, the user B requests an ID from the hardware B ( 310 ).
  • the hardware B selects an ID (hereinafter referred to as ID-B) at random from an ID space, and returns the ID to the user B.
  • the ID is also stored in an ID storage section ( 330 ).
  • the user B publishes the ID-B. Suppose that the user A sends a message to the user B.
  • the message is given a MAC with the key of the user A, and then it is encrypted with the key of the user B.
  • Any MAC algorithm and any encryption algorithm can be selected without changing the configuration described in this specification. For example, HMAC-SHA1 or AES may be used.
  • the user A creates a message to be sent in the following procedure.
  • the user A hands over the message and the ID-A to the hardware A, and requests generation of a MAC.
  • the hardware A checks whether the ID-A is stored in the ID storage section ( 340 ). If the ID-A is stored, then the hardware A acquires a key corresponding to the ID-A from the key storage section ( 350 ), generates a MAC ( 360 ), and returns it to the user A. If the ID-A is not stored, then the hardware A returns an error to the user A.
  • the user A hands over the (message || MAC) and the ID-B to the hardware A, and requests encryption.
  • the hardware A acquires a key corresponding to the ID-B from the key storage section, encrypts the (message || MAC), and returns it to the user A.
  • the user B processes the received message in the following procedure.
  • the user B hands over the received message and the ID-B to the hardware B and requests decryption.
  • the hardware B checks whether the ID-B is stored in the ID storage section ( 340 ). If the ID-B is stored, then the hardware B acquires a key corresponding to the ID-B from the key storage section ( 350 ), decrypts the received message ( 380 ), and returns it to the user B. If the ID-B is not stored, then the hardware B returns an error to the user B.
  • the user B hands over the message, the MAC and the ID-A to the hardware B, and requests verification of the MAC.
  • the hardware B acquires a key corresponding to the ID-A from the key storage section, verifies the MAC ( 390 ), and returns the result to the user B.
  • the procedure from the step where the users A and B request an ID and the hardware selects and stores an ID to the step where each user publishes his own ID is the same as that of the embodiment described above.
  • the user A sends a message to the user B.
  • the user A hands over the message and the ID-A to the hardware A and requests generation of a MAC.
  • the hardware A checks whether the ID-A is stored in the ID storage section ( 440 ). If the ID-A is stored, then the hardware A generates a key from the seed and the ID-A ( 450 ), generates a MAC ( 460 ), and returns it to the user A. If the ID-A is not stored, then the hardware A returns an error to the user A.
  • the user A hands over the (message || MAC) and the ID-B to the hardware A, and requests encryption.
  • the hardware A generates a key from the seed and the ID-B, encrypts the (message || MAC), and returns it to the user A.
  • the procedure in which the user B processes a received message is as follows.
  • the user B hands over the received message and the ID-B to the hardware B and requests decryption.
  • the hardware B checks whether the ID-B is stored in the ID storage section ( 440 ). If the ID-B is stored, then the hardware B generates a key from the seed and the ID-B ( 450 ), decrypts the received message ( 480 ), and returns it to the user B. If the ID-B is not stored, then the hardware B returns an error to the user B.
  • the user B hands over the message, the MAC and the ID-A to the hardware B and requests verification of the MAC.
  • the hardware B generates a key from the seed and the ID-A, verifies the MAC ( 490 ), and returns the result to the user B.
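The section breakdown of FIG. 2 (sections 201 to 210) and the seed-based exchange of FIG. 4, as an added Python model that is not the patent's own code. It assumes that every module is manufactured with the same secret seed (the page has both sides derive the key "from the seed and the ID", which only works if the seed is common), uses HMAC-SHA256 as both the MAC and the ID-to-key function where the page names HMAC-SHA1 or AES, and stands in an HMAC counter-mode keystream for AES so that the model runs on the standard library alone. The seed, the IDs, the messages and all names are constructed. The last function shows the caveat a practitioner should keep in mind: the shared seed is the whole secret, so extracting it from one module (the event the tampering detection section exists to prevent) lets plain software compute every G(ID) and no module is needed at all.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the patent. Assumptions: one SEED shared by every
# module (constructed); HMAC-SHA256 as MAC and key derivation; an HMAC-based
# keystream as a stand-in for the AES the page names.
SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
TAG_LEN, NONCE_LEN = 32, 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class TamperProofModule:
    """System 100: one registered ID, a hidden seed, and an asymmetric interface."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed   # seed storage section 209; never leaves the module
        self._id = None     # ID storage section 206

    def issue_id(self) -> bytes:
        """ID issuance-registration section 201: pick a random ID and store it."""
        if self._id is not None:
            raise PermissionError("this module has already issued its ID")
        self._id = secrets.token_bytes(16)
        return self._id

    def _derive_key(self, id_: bytes) -> bytes:
        """Key generation section 210: G(ID) from the seed and the ID."""
        return hmac.new(self._seed, b"key|" + id_, hashlib.sha256).digest()

    def _key_for_owner(self, id_: bytes) -> bytes:
        """First key acquisition section 207: only the stored ID yields a key."""
        if self._id is None or not hmac.compare_digest(self._id, id_):
            raise PermissionError("ID is not registered with this module")
        return self._derive_key(id_)

    def _key_for_anyone(self, id_: bytes) -> bytes:
        """Second key acquisition section 208: any ID yields a key."""
        return self._derive_key(id_)

    def mac(self, id_: bytes, message: bytes) -> bytes:            # section 202, owner only
        return hmac.new(self._key_for_owner(id_), message, hashlib.sha256).digest()

    def verify(self, id_: bytes, message: bytes, tag: bytes) -> bool:  # section 204, anyone
        expected = hmac.new(self._key_for_anyone(id_), message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def encrypt(self, id_: bytes, plaintext: bytes) -> bytes:       # section 205, anyone
        nonce = secrets.token_bytes(NONCE_LEN)
        return nonce + keystream_xor(self._key_for_anyone(id_), nonce, plaintext)

    def decrypt(self, id_: bytes, ciphertext: bytes) -> bytes:      # section 203, owner only
        key = self._key_for_owner(id_)
        return keystream_xor(key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


def exchange(message: bytes):
    """FIG. 4: A MACs under ID-A and encrypts under ID-B; B decrypts under ID-B, verifies under ID-A."""
    hw_a, hw_b = TamperProofModule(SEED), TamperProofModule(SEED)
    id_a, id_b = hw_a.issue_id(), hw_b.issue_id()   # each user publishes the returned ID
    tag = hw_a.mac(id_a, message)                   # steps 440-460 on A's own ID
    wire = hw_a.encrypt(id_b, message + tag)        # (message || MAC) under B's public ID
    plain = hw_b.decrypt(id_b, wire)                # step 480 on B's own ID
    body, received_tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    ok = hw_b.verify(id_a, body, received_tag)      # step 490 under A's public ID
    return body, ok, (hw_b, id_a, id_b, wire, received_tag)


def outsider_is_refused(message: bytes) -> bool:
    """A third module (same seed, its own ID) can neither decrypt for B nor sign for A."""
    _, _, (_, id_a, id_b, wire, _) = exchange(message)
    hw_c = TamperProofModule(SEED)
    hw_c.issue_id()
    refused = 0
    for call in (lambda: hw_c.decrypt(id_b, wire), lambda: hw_c.mac(id_a, message)):
        try:
            call()
        except PermissionError:
            refused += 1
    return refused == 2


def forged_message_fails(message: bytes) -> bool:
    """B's verification rejects a body altered after A signed it."""
    body, _, (hw_b, id_a, _, _, tag) = exchange(message)
    return not hw_b.verify(id_a, body + b"!", tag)


def seed_holder_needs_no_module(message: bytes) -> bool:
    """Caveat: with the seed extracted from any one module, G(ID) is computable in software."""
    _, _, (_, _, id_b, wire, _) = exchange(message)
    key_b = hmac.new(SEED, b"key|" + id_b, hashlib.sha256).digest()
    plain = keystream_xor(key_b, wire[:NONCE_LEN], wire[NONCE_LEN:])
    return plain[:-TAG_LEN] == message
```

The asymmetry of the interface is entirely a policy decision inside the module: the same derivation serves both key acquisition sections, and only the comparison against the stored ID separates "anyone" from "owner". That is why the page leans on the tampering detection section; the seed, not any per-user key, is the system-wide secret.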
  • the processing to be performed by the user A in advance is as follows.
  • the user A hands over the hardware A and the ID-A to an ID storage body 520 , and requests storage of the ID in the hardware ( 510 ).
  • the ID storage body hands over the ID-A to the hardware A, and requests storage of the ID.
  • the hardware A stores the ID-A in the ID storage section.
  • the processing to be performed by the user B in advance is the same. That is, the user B hands over the hardware B and the ID-B to the ID storage body 520 , and requests storage of the ID in the hardware ( 510 ).
  • the ID storage body hands over the ID-B to the hardware B, and requests storage of the ID.
  • the hardware B stores the ID-B in the ID storage section.
  • the procedure for the user A to create a message to be sent and the procedure for the user B to process a received message are the same as those in the embodiment 1 or the embodiment 2.
  • FIG. 6 shows a procedure that makes acquisition of an ID and handing over of the equipment more efficient, taking application to a mobile phone as an example.
  • The ID storage mechanism is realized as follows: the equipment manufacturer consigns sale of the equipment to a retailer while guaranteeing that an ID can be stored in the equipment only once, and the retailer obtains an appropriate unique ID in cooperation with the infrastructure, stores it in the equipment and hands the equipment over to the user.
  • a phone number is set as an ID.
  • the equipment manufacturer determines one one-to-one function f for acquiring a key from the ID (phone number).
  • f(ID) is included in a tamper-proof apparatus.
  • the equipment manufacturer prepares a write-once storage in the apparatus in advance.
  • the retailer writes the ID there to register it with the equipment, and this stored ID becomes the input of f.
  • decryption of a message and generation of a MAC with f(ID) are possible only on the equipment with which that ID is registered.
  • encryption of a message with f(ID), and verification of a MAC with f(ID), are possible on any equipment.
  • a message is exchanged as follows.
  • the users A and B purchase mobile phones and obtain unique phone numbers NA and NB, respectively.
  • the user A encrypts a message M with f (NB) as a key.
  • the user A sends the encrypted message E(M) to the user B.
  • the user B decrypts the E(M) with the use of f(NB). It is only the user B that can perform decryption with f(NB).
  • For a signature, the user A generates a MAC of the message M with f(NA) as the key, and sends M and the MAC to the user B. Only the user A can generate the MAC of M with f(NA).
  • the user B can verify the sent message M and MAC and check the signature by the user A.
  • a similar mechanism can be applied to apparatuses other than a mobile phone. For example, when an information appliance is connected to the Internet, an IP address or a host name can be used as an ID.
  • the present invention can be realized in hardware, software, or a combination of hardware and software. It may be implemented as a method having steps to implement one or more functions of the invention, and/or it may be implemented as an apparatus having components and/or means to implement one or more steps of a method of the invention described above and/or known to those skilled in the art.
  • a visualization tool according to the present invention can be realized in a centralized fashion in one computer system or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods and/or functions described herein—is suitable.
  • a typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
  • the present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.
  • Methods of this invention may be implemented by an apparatus which provides the functions carrying out the steps of the methods.
  • Apparatus and/or systems of this invention may be implemented by a method that includes steps to produce the functions of the apparatus and/or systems.
  • Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or after reproduction in a different material form.
  • the invention includes an article of manufacture which comprises a computer usable medium having computer readable program code means embodied therein for causing one or more functions described above.
  • the computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention.
  • the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above.
  • the computer readable program code means in the computer program product comprising computer readable program code means for causing a computer to affect one or more functions of this invention.
  • the present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.

Abstract

According to the present invention, a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost. A trap-door one-way function is substantially realized with the use of tamper-proof hardware. Each user performs communication using equipment provided with hardware having the same capabilities described below. Such hardware retains association between an ID and a key. In response to a request from a user, the hardware issues and stores an ID, and it can perform decryption and generation of a MAC (message authentication code) with a key associated with the ID. A user publishes his ID. When performing encryption, a message sender encrypts a message using the published ID. A third person can perform decryption with the ID only by analyzing the mechanism in the hardware. However, the hardware has a capability of destroying itself when such an act is attempted.

Description

    FIELD OF THE INVENTION
  • The present invention relates to a method and system for a public key encryption, and in particular to a method and system for realizing a pseudo public key cryptosystem at a low cost.
  • BACKGROUND ART
  • Public key encryption methods, which are especially important among today's encryption techniques, are widely used for encryption, signature and authentication. An algorithm for realizing a public key cryptosystem generally requires a very high cost of calculation. One practical method of realizing a public key cryptosystem is RSA cryptography. RSA requires raising a plaintext or a ciphertext to the power of an exponent (the encryption exponent, or the decryption exponent derived from it modulo Euler's totient function of n, where n is the product of two large prime numbers) and reducing the result modulo n, and the cost of this modular exponentiation is very high. To keep the key secure, the bit length of n must be large, but the cost of RSA calculation with a large bit length is correspondingly high. Though measures such as performing the operation with dedicated hardware may be taken to achieve high speed, this imposes a development and manufacturing cost burden or reduces product flexibility. Because of this situation, the cost of a cryptosystem using a public key is high, and it is difficult to incorporate one in an apparatus that is inexpensively mass-produced.
  • Also known is elliptic-curve cryptography, which achieves strength equivalent to RSA with a smaller bit length. Although the operations required for encryption (such as scalar multiplication of a point on an elliptic curve defined over a finite field) are cheaper than modular exponentiation, they are still expensive, so it remains difficult to incorporate it in an apparatus that is inexpensively mass-produced. A method has also been proposed for realizing a public key cryptosystem with the use of a secret key cryptosystem and tamper-proof hardware. In this method, a receiver encrypts his own secret key with the secret key of a third-party body and publishes the result. A sender decrypts it with the secret key of the third-party body, encrypts a message with the receiver's secret key thus obtained, and sends it. The receiver decrypts the message with his own secret key. Because the encryption and decryption with the third-party body's secret key and the encryption with the receiver's secret key are all performed inside tamper-proof hardware, security is ensured. In this method, however, the sender and the receiver have to use different hardware, even though both of their secret keys must be handled inside the same hardware. This method is also similar, in that an ID is published, to an ID-based cryptosystem, in which a public key is distributed without going through a certification body: a key generation body generates a user's private key from the user's unique ID, and anyone can derive the user's public key from that ID. This is convenient with regard to distribution of a public key. However, because the trap-door one-way function of RSA cryptography and the like is used for encryption and decryption of a message, the processing cost is as high as that of common public key cryptosystems.
  • Patent Document 1 Published Unexamined Patent Application No. 2004-70712
  • SUMMARY OF THE INVENTION
  • In a first aspect, the present invention provides methods and systems for realizing a pseudo public key cryptosystem at a low cost.
  • In another aspect, the present invention provides methods and systems capable of more inexpensively realizing encrypted information communication and code-signed communication with the use of a public key.
  • In another aspect, the present invention provides methods and systems enabling information processing and communication to be performed with high security maintained, on a terminal such as a mobile terminal on which signature is frequently performed and for which instantaneous processing is required.
  • In another aspect, the present invention provides methods and systems for realizing a function which requires an expensive operation using pseudo operations.
  • According to the present invention, a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost. A trap-door one-way function, which is generally considered essential for constructing a public key cryptosystem, requires an “expensive” operation. Such a function is substantially realized with the use of tamper-proof hardware. Each user performs communication using equipment provided with hardware having the same capabilities described below. Such hardware retains an association between an ID and a key. In response to a request from a user, the hardware issues and stores an ID, and it can perform decryption and generation of a message authentication code (hereinafter referred to as a MAC) with the key associated with that ID. Though this hardware can perform encryption and verification of a MAC with any given ID, it cannot perform decryption or generation of a MAC with an ID that is not registered in it. A user publishes his ID. When performing encryption, a message sender encrypts a message using the published ID of the message receiver, on hardware having the same capabilities as the receiver's hardware. A person could perform decryption with the ID only by analyzing the mechanism inside the hardware; however, the hardware has the capability of destroying itself when such an act is attempted.
  • Thus, according to the present invention, it is possible to realize encrypted information communication and code-signed communication with the use of a public key at a low cost. By realizing the present invention on a mobile terminal which has recently been used for more and more various purposes, especially on an inexpensive and mass-produced terminal on which signing is frequently performed and from which processing immediacy is required, it is possible to enable information processing and communication requiring high-level security management even on such a terminal.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • These, and further, aspects, advantages, and features of the invention will be more apparent from the following detailed description of a preferred embodiment and the appended drawings, wherein:
  • FIG. 1 is a block diagram of hardware of the present invention;
  • FIG. 2 is a diagram showing the details of an encryption-authentication section;
  • FIG. 3 is a diagram illustrating sending-receiving protocols of the present invention;
  • FIG. 4 is a diagram illustrating other sending-receiving protocols of the present invention;
  • FIG. 5 shows an example of applying the present invention to an ID-based cryptosystem; and
  • FIG. 6 shows an example of applying the present invention to a mobile phone.
  • DESCRIPTION OF SYMBOLS
      • 100 . . . System
      • 101 . . . Encryption-authentication section
      • 102 . . . Tampering detection section
      • 201 . . . ID issuance-registration section
      • 206 . . . ID storage section
      • 210 . . . Key generation section
      • 209 . . . Seed storage section
      • 207 . . . First key acquisition section
      • 208 . . . Second key acquisition section
      • 202 . . . Generation section
      • 204 . . . Verification section
      • 205 . . . Encryption section
      • 203 . . . Decryption section
      • 520 . . . ID storage body
    DETAILED DESCRIPTION OF THE INVENTION
  • The present invention provides methods, apparatus and systems for realizing a pseudo public key cryptosystem at a low cost. The invention also provides methods, apparatus and systems capable of more inexpensively realizing encrypted information communication and code-signed communication with the use of a public key.
  • The present invention provides methods, apparatus and systems for enabling information processing and communication to be performed with high security maintained, on a terminal such as a mobile terminal on which signature is frequently performed and for which instantaneous processing is required. The present invention further provides methods, apparatus and systems for realizing a function which requires an expensive operation using pseudo operations.
  • In an example embodiment of the present invention, a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost. A trap-door one-way function, which is generally considered essential for constructing a public key cryptosystem, requires an “expensive” operation. Such a function is substantially realized with the use of tamper-proof hardware. Each user performs communication using equipment provided with hardware having the same capabilities described below. Such hardware retains an association between an ID and a key. In response to a request from a user, the hardware issues and stores an ID, and it can perform decryption and generation of a message authentication code (hereinafter referred to as a MAC) with the key associated with that ID. Though this hardware can perform encryption and verification of a MAC with any given ID, it cannot perform decryption or generation of a MAC with an ID that is not registered in it. A user publishes his ID. When performing encryption, a message sender encrypts a message using the published ID of the message receiver, on hardware having the same capabilities as the receiver's hardware. A person could perform decryption with the ID only by analyzing the mechanism inside the hardware; however, the hardware has the capability of destroying itself when such an act is attempted.
  • Let P denote a plaintext, C a ciphertext, K1 a public key and K2 a private key, and consider a keyed function H used in both directions:
    C = F(P) = H(P, K1)
    P = F^-1(C) = H(C, K2)
  • For a function F of this form, a public key cryptosystem can be constructed if it is practically infeasible for anyone who does not know K2 to compute F^-1; in particular, it must be hard to derive K2 from K1. In the present invention, a function F keyed by a secret key K and computable inexpensively is prepared, and the capability of F is hidden in tamper-proof hardware. In addition, a one-to-one function K = G(ID), also hidden in the hardware, is prepared, where ID is an identifier of the secret key, so that the following hold:
    C = F(P) = H(P, G(ID))
    P = F^-1(C) = H(C, G(ID))
  • The ID is published as a pseudo public key, so that anyone can have the hardware compute G(ID) when performing encryption or verification of a MAC. On the other hand, when decryption or generation of a MAC is performed, only the valid owner of the ID can have the hardware compute G(ID). A trap-door one-way function F realized by hardware is thereby constructed, and a pseudo public key cryptosystem is obtained.
  • As an advantageous apparatus of the present invention, there is used an apparatus including tamper-proof hardware which comprises an encryption-authentication section for performing issuance of an ID, encryption and authentication in response to a request by a user, and a tampering detection section for detecting a voltage change or pressure change and electrically destroying the encryption-authentication section in response.
  • Pseudo public key encryption is performed by means of this apparatus. The encryption-authentication section of the apparatus comprises:
      • an ID issuance-registration section for issuing an ID in response to a request by a user and storing the ID in an ID storage section;
      • a key generation section for generating, with a one-to-one function, the key corresponding to an inputted ID and outputting that key;
      • a first key acquisition section for, in response to a request by a user for decryption or generation of a message authentication code, comparing an inputted ID with the ID stored in the ID storage section and, only if they correspond, handing over the ID to the key generation section and outputting the key generated by it;
      • a second key acquisition section for, in response to a request by a user for encryption or for verification of a message with a message authentication code attached, handing over an inputted ID to the key generation section and outputting the key generated by it;
      • a message authentication code generation section for handing over an inputted ID to the first key acquisition section and, with the key outputted from the first key acquisition section, calculating and outputting a message authentication code of an inputted message;
      • a message authentication code verification section for handing over an inputted ID to the second key acquisition section, calculating a message authentication code of an inputted message with the key outputted from the second key acquisition section, comparing the obtained message authentication code with an inputted message authentication code and, if they correspond, returning to the user information indicating that the verification has succeeded;
      • an encryption section for handing over an inputted ID to the second key acquisition section, encrypting inputted plaintext with the key outputted from the second key acquisition section and returning the result to the user; and
      • a decryption section for handing over an inputted ID to the first key acquisition section and, with the key outputted from the first key acquisition section, decrypting and outputting inputted ciphertext.
  • An example of a method for performing pseudo public key encryption with this apparatus includes the steps described below. In sending a message from a sending user, who has an apparatus A, to a receiving user, who has an apparatus B: the apparatus A selects and stores a sending user ID and returns it to the sending user, who publishes it; the apparatus B selects and stores a receiving user ID and returns it to the receiving user, who publishes it; in response to a request by the sending user for a message authentication code, the apparatus A acquires the key corresponding to the sending user ID, generates a message authentication code and returns it to the sending user; in response to a request by the sending user for encryption, the apparatus A acquires the key corresponding to the receiving user ID, encrypts the message together with the message authentication code and returns the result to the sending user; in response to a request by the receiving user for decryption, the apparatus B acquires the key corresponding to the receiving user ID, decrypts the received message and returns the decrypted message to the receiving user; and in response to a request by the receiving user for verification of the message authentication code, the apparatus B acquires the key corresponding to the sending user ID, verifies the message authentication code and returns the result to the receiving user. The above summary does not enumerate all the necessary characteristics of the present invention, and a sub-combination of these characteristics may also constitute the invention.
  • Advantages of the invention include making it possible to realize encrypted information communication and code-signed communication with the use of a public key at a low cost. By realizing the present invention on a mobile terminal which has recently been used for more and more various purposes, especially on an inexpensive and mass-produced terminal on which signing is frequently performed and from which processing immediacy is required, it is possible to enable information processing and communication requiring high-level security management even on such a terminal.
  • FIG. 1 shows a block diagram of hardware of the present invention. A system 100 is the entire system with an encryption-authentication section 101 and a tampering detection section 102 included therein. The encryption-authentication section 101 performs services such as issuance of an ID, encryption and authentication in response to a request from a user. The tampering detection section 102 detects voltage change or pressure change caused when a user attempts analysis of an internal circuit of the system 100, and electrically destroys the encryption-authentication section 101.
  • FIG. 2 is a diagram showing the details of the encryption-authentication section 101 in FIG. 1. An ID issuance-registration section 201 issues a unique ID in response to a request from a user and stores it in an ID storage section 206. A key generation section 210 generates and outputs a key from an inputted ID and a seed stored in a seed storage section 209. When a user attempts decryption or generation of a MAC, a first key acquisition section 207 compares the inputted ID with the ID stored in the ID storage section 206. If the IDs are the same, the first key acquisition section 207 hands over the ID to the key generation section 210 and outputs the key returned by it; if not, an error is returned. When a user attempts encryption or verification of a MAC-attached message, a second key acquisition section 208 hands over the inputted ID to the key generation section 210 and outputs the key returned by it, without any registration check. With a message and an ID as input, a MAC generation section 202 hands over the ID to the first key acquisition section 207 and acquires a key. If no error is returned from the key acquisition section, the MAC generation section 202 calculates and outputs a MAC of the message; if an error is returned, it returns the error to the user. With a message, a MAC and an ID as input, a MAC verification section 204 hands over the ID to the second key acquisition section 208 and acquires a key. The MAC verification section 204 calculates a MAC of the message with that key and compares it with the inputted MAC. If the MACs are the same, information indicating that the verification has succeeded is returned to the user; otherwise, information indicating that the verification has failed is returned. With plaintext and an ID as input, an encryption section 205 hands over the ID to the second key acquisition section 208 and acquires a key, encrypts the plaintext with that key and returns the result to the user. With ciphertext and an ID as input, a decryption section 203 hands over the ID to the first key acquisition section 207 and acquires a key. If no error is returned from the key acquisition section, the decryption section 203 decrypts the ciphertext with that key and outputs the result; if an error is returned, it returns the error to the user.
  • As understood from the above description, the hardware of the present invention has the capability of performing encryption-decryption and generation-verification of a MAC with a particular key, together with tamper resistance against attempts to probe or modify it. The hardware provides the following interfaces:
      • an interface for issuing and registering an ID associated with a key in response to a request from a user;
      • an interface for decrypting a message with a given ID only when that ID is registered;
      • an interface for generating a MAC for a message with a given ID only when that ID is registered;
      • an interface for encrypting a message with any given ID; and
      • an interface for verifying the MAC of a message with any given ID.
  • Next, a method for exchanging information in the present invention will be described. An encrypted message is exchanged as follows. First, a message receiver requests an apparatus in which the system 100 of FIG. 1 is incorporated to issue an ID. The system 100 hands over an ID associated with a particular key to the user and registers the ID. The receiver publishes the received ID. A message sender uses the published ID to encrypt a message to be sent, through an apparatus incorporating a system 100 having the same capabilities. In effect, only the receiver can decrypt the message, because only the receiver's hardware has that ID registered.
  • A message with a MAC attached is exchanged as follows. First, a message sender requests an apparatus in which the system 100 is incorporated to issue an ID. The system 100 hands over an ID associated with a particular key to the user and registers the ID. The sender generates a MAC for a message to be sent with the use of the received ID, through the same system 100. In effect, only the sender can generate that MAC. The sender sends the message, the MAC and the ID. The receiver verifies the received MAC against the received message with the use of the ID, through an apparatus incorporating a system 100 having the same capabilities.
  • A method for further enhancing the security of the present invention is as follows. In order that only the receiver can decrypt a message and only the sender can generate a MAC, the same ID must not be obtainable and misused by another party, a problem common to public key cryptosystems. To this end, the following methods are employed.
  • Key Dilution by Secondary Coding
  • When an ID is issued, it is encoded with redundant information so that it carries higher entropy. This greatly reduces the chance of the same ID being handed over to two users. In addition, the coding algorithm is varied among apparatuses to make inverting the coding difficult, so that a malicious person finds it very hard to determine whether a published ID and an ID registered with his own system 100 are the same. Furthermore, by treating a failed decryption attempt (a request with an ID that is not registered) as a malicious act and disabling the functionality when such an act is detected, a malicious person is substantially prevented from using trial decryption to test whether two IDs are the same. This mechanism can be realized, for example, by padding with a random value. The space of the original ID is X bits, and a further Y-bit space is added in order to dilute the key. When an original ID is issued, a random Y-bit number is placed in this additional space. The resulting (X+Y)-bit value is then shuffled to obtain the ID to be published. The shuffle may be as simple as a combination of shifts and swaps, but the algorithm is hidden in the tamper-proof system 100. The probability of the same key being issued twice is thereby reduced to 1/2^Y of the probability when the X-bit ID is used directly. Recovering the original X-bit ID from the published (X+Y)-bit ID is equally simple: the inverse of the shuffle is implemented in the tamper-proof hardware and the redundant Y bits are removed.
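The padding-and-shuffle coding described above, as an added Python example (not the patent's own code): the X-bit original ID receives a random Y-bit pad, the (X+Y)-bit value is passed through a fixed bit permutation standing in for the hidden shuffle, and the inverse operation strips the pad again. Deriving a device-specific permutation from a per-device secret with SHA-256 is an assumption of this example, as are the function names; collision_probability gives the birthday bound, so the 1/2^Y reduction stated in the text can be checked directly.

```python
"""Added example of key dilution by secondary coding: an X-bit ID is padded
with Y random bits and the (X+Y)-bit result is shuffled by a bit permutation
that stands in for the shuffle hidden in the tamper-proof system 100.
Deriving the permutation from a per-device secret with SHA-256 is an
assumption of this example, not the patent's method."""
import hashlib
import math
import random
import secrets


def _permutation(device_secret: bytes, total_bits: int) -> list:
    """Fixed, device-specific bit permutation (assumption: derived from a secret)."""
    seed = int.from_bytes(hashlib.sha256(device_secret).digest(), "big")
    perm = list(range(total_bits))
    random.Random(seed).shuffle(perm)  # deterministic for a given secret
    return perm


def _shuffle_bits(value: int, perm: list) -> int:
    """Move bit i of value to position perm[i]."""
    out = 0
    for i, p in enumerate(perm):
        if (value >> i) & 1:
            out |= 1 << p
    return out


def _unshuffle_bits(value: int, perm: list) -> int:
    """Inverse of _shuffle_bits: bit perm[i] of value goes back to position i."""
    out = 0
    for i, p in enumerate(perm):
        if (value >> p) & 1:
            out |= 1 << i
    return out


def encode_id(orig_id: int, pad: int, x_bits: int, y_bits: int, device_secret: bytes) -> int:
    """Secondary coding with an explicit Y-bit pad (issue_id draws it at random)."""
    if not 0 <= orig_id < (1 << x_bits):
        raise ValueError("original ID does not fit in X bits")
    if not 0 <= pad < (1 << y_bits):
        raise ValueError("pad does not fit in Y bits")
    combined = (pad << x_bits) | orig_id
    return _shuffle_bits(combined, _permutation(device_secret, x_bits + y_bits))


def issue_id(orig_id: int, x_bits: int, y_bits: int, device_secret: bytes) -> int:
    """What the hardware publishes: the diluted (X+Y)-bit ID."""
    return encode_id(orig_id, secrets.randbits(y_bits), x_bits, y_bits, device_secret)


def recover_id(published: int, x_bits: int, y_bits: int, device_secret: bytes):
    """Inverse operation inside the hardware: returns (original X-bit ID, pad)."""
    combined = _unshuffle_bits(published, _permutation(device_secret, x_bits + y_bits))
    return combined & ((1 << x_bits) - 1), combined >> x_bits


def collision_probability(n_ids: int, total_bits: int) -> float:
    """Birthday bound: probability that among n_ids uniformly random values of
    total_bits bits at least two coincide, i.e. 1 - exp(-n(n-1)/2^(bits+1))."""
    return -math.expm1(-n_ids * (n_ids - 1) / (2.0 ** (total_bits + 1)))
```

Two devices with different secrets publish different codings of the same original ID, which is the property the text relies on to keep an attacker from recognising his own registered ID in someone else's published one; the ratio collision_probability(2, X+Y) / collision_probability(2, X) is the 1/2^Y factor.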
  • Registration of ID
  • An issued ID is validated by a certification body. By the certification body guaranteeing the uniqueness of the ID, invalid use of the ID is prevented.
  • Restriction of Issuance of ID
  • To prevent repeated issuance of IDs in search of one equal to a published ID, the number of issuances is limited, or a charge is imposed for each issuance.
  • In order to prevent equipment for which an ID has been issued once from being used by other users, user authentication is required to use the equipment.
  • A method for realizing the present invention in combination with an ID-based cryptosystem will be described. An ID of the present invention functions not as "an ID of an individual" but as "an ID of a key". Therefore, in general, the present invention needs a certification body to publish an ID, just like other (non-ID-based) public key cryptosystems. Meanwhile, since the aim of an ID-based cryptosystem corresponds to that of the present invention, the two can also be used in combination. In that case, a key generation body generates a user's private key so that the "ID of an individual" also serves as the "ID of a key". This can be achieved, for example, by allowing only the key generation body to issue and register any given ID. A public key can then be obtained without going through the certification body, so a system enabling even less expensive encryption can be constructed.
  • Embodiment 1
  • An embodiment for the case where a sufficient number of keys can be stored in the system 100 (including each interface and the sending-receiving protocols) is described with reference to FIG. 3. It is assumed that a user A and a user B communicate with each other, each using the system 100 of FIG. 1 (hardware A and hardware B). It is also assumed that a sufficient number of keys are stored in the system 100, each with its own specific ID. If the pieces of hardware are the same, the mapping from ID to key is also the same.
  • The user A requests an ID from the hardware A (310). The hardware A selects an ID (hereinafter referred to as ID-A) at random from the ID space (320), returns it to the user A and also stores it in the ID storage section. The user A publishes ID-A. Meanwhile, the user B performs the same processing: the user B requests an ID from the hardware B (310), the hardware B selects an ID (hereinafter referred to as ID-B) at random from the ID space, returns it to the user B and stores it in the ID storage section (330), and the user B publishes ID-B. Suppose that the user A sends a message to the user B. First, a MAC is attached to the message with the key of the user A, and then the message and MAC are encrypted with the key of the user B. Any MAC and any encryption algorithm can be selected without changing the configuration of this specification; for example, HMAC-SHA1 or AES may be used (today, HMAC with SHA-256 and an authenticated mode of AES would be the usual choices).
  • The user A creates a message to be sent in the following procedure. The user A hands over the message and ID-A to the hardware A and requests generation of a MAC. The hardware A checks whether ID-A is stored in the ID storage section (340). If it is, the hardware A acquires the key corresponding to ID-A from the key storage section (350), generates a MAC (360) and returns it to the user A; if it is not, the hardware A returns an error to the user A. The user A then hands over (message|MAC) and ID-B to the hardware A and requests encryption. The hardware A acquires the key corresponding to ID-B from the key storage section, encrypts (message|MAC) (370) and returns the result to the user A.
  • Meanwhile, the user B processes the received message in the following procedure. The user B hands over the received message and the ID-B to the hardware B and requests decryption. The hardware B checks whether the ID-B is stored in the ID storage section (340). If the ID-B is stored, then the hardware B acquires a key corresponding to the ID-B from the key storage section (350), decrypts the received message (380), and returns it to the user B. If the ID-B is not stored, then the hardware B returns an error to the user B. The user B hands over the message, the MAC and the ID-A to the hardware B, and requests verification of the MAC. The hardware B acquires a key corresponding to the ID-A from the key storage section, verifies the MAC (390), and returns the result to the user B.
  • Embodiment 2
  • In practice, it is often impossible to provide enough storage capacity for a sufficient number of keys. An embodiment for the case where a sufficient number of keys cannot be stored in the system 100 is described with reference to FIG. 4. Only one value (hereinafter referred to as a seed) is stored in the system 100, and a key is generated from the seed and an ID whenever needed. Any hash algorithm (for example, SHA-1) may be used, the hash value of (ID|seed) serving as the key. In this case, the procedure for the user A to create a message to be sent is as follows.
  • The procedure from the step where the users A and B request IDs and the hardware selects and stores them to the step where each user publishes his own ID is the same as in the embodiment described above. Suppose that the user A sends a message to the user B. The user A hands over the message and ID-A to the hardware A and requests generation of a MAC. The hardware A checks whether ID-A is stored in the ID storage section (440). If it is, the hardware A generates the key from the seed and ID-A (450), generates a MAC (460) and returns it to the user A; if it is not, the hardware A returns an error to the user A. The user A then hands over (message|MAC) and ID-B to the hardware A and requests encryption. The hardware A generates the key from the seed and ID-B, encrypts (message|MAC) (470) and returns the result to the user A.
  • On the other hand, the procedure in which the user B processes a received message is as follows. The user B hands over the received message and the ID-B to the hardware B and requests decryption. The hardware B checks whether the ID-B is stored in the ID storage section (440). If the ID-B is stored, then the hardware B generates a key from the seed and the ID-B (450), decrypts the received message (480), and returns it to the user B. If the ID-B is not stored, then the hardware B returns an error to the user B. The user B hands over the message, the MAC and the ID-A to the hardware B and requests verification of the MAC. The hardware B generates a key from the seed and the ID-A, verifies the MAC (490), and returns the result to the user B.
  • Embodiment 3
  • In the two embodiments described above, the ID is selected at random. Next, an example of applying the present invention to an ID-based cryptosystem is described with reference to FIG. 5. In this case, the processing performed by the user A in advance is as follows. The user A hands over the hardware A and ID-A to an ID storage body 520 and requests storage of the ID in the hardware (510). The ID storage body hands over ID-A to the hardware A and requests storage of the ID. The hardware A stores ID-A in the ID storage section. The processing performed by the user B in advance is the same: the user B hands over the hardware B and ID-B to the ID storage body 520 and requests storage of the ID in the hardware (510), the ID storage body hands over ID-B to the hardware B and requests storage of the ID, and the hardware B stores ID-B in the ID storage section. The procedure for the user A to create a message to be sent and the procedure for the user B to process a received message are the same as those in the embodiment 1 or the embodiment 2.
  • Embodiment 4
  • In the embodiment 3, a common procedure in an ID-based cryptosystem has been shown. A procedure enabling acquisition of an ID and handing over of equipment to be performed more efficiently is shown in FIG. 6, taking a case of applying this to a mobile phone as an example. Here, the ID storage mechanism is realized by an equipment manufacturer consigning sale of equipment to a retailer while assuring that an ID is stored in the equipment only once, and the retailer acquiring an appropriate and unique ID by cooperation of the infrastructure, storing it in the equipment and handing over the equipment to a user. Specifically, a phone number is set as an ID. At step 610, the equipment manufacturer determines one one-to-one function f for acquiring a key from the ID (phone number). Next, at step 620, f(ID) is included in a tamper-proof apparatus. The equipment manufacturer prepares a write-once storage in the apparatus in advance. Finally, at step 630, the retailer writes the ID there to register it with the equipment so that it is to be input of f(ID). Here, the same as shown in the embodiment 1 or the embodiment 2, decryption of a message and generation of a MAC with f(ID) is possible only on equipment with which the ID is registered. On the other hand, on equipment with which the ID is not registered, decryption of a message with f(ID) is possible. Verification of a MAC is also possible.
  • A message is exchanged as follows. The users A and B purchase mobile phones and obtain unique phone numbers NA and NB, respectively. For encryption, the user A encrypts a message M with f(NB) as the key and sends the encrypted message E(M) to the user B. The user B decrypts E(M) with f(NB); only the user B can perform decryption with f(NB). For signature, the user A generates a MAC of the message M with f(NA) as the key and sends M and the MAC to the user B. Only the user A can generate the MAC of M with f(NA). The user B verifies the received message M and MAC and thereby checks the signature by the user A. A similar mechanism can be applied to apparatuses other than a mobile phone; for example, when an information appliance is connected to the Internet, an IP address or a host name can be used as the ID.
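The mechanism of embodiment 4, and the section structure recited in claims 1 and 6, as an added simulation written for this page (it is not the patent's own code). The seed, the phone numbers, the choice of HMAC-SHA256 for the one-to-one function f and for the stream cipher are all assumptions of the example; the one property it reproduces faithfully is that the "first key acquisition" path (decryption, MAC generation) compares the inputted ID with the write-once registered ID, while the "second key acquisition" path (encryption, MAC verification) accepts any ID, and f(ID) never leaves the device object:

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the patent).
SEED = b"manufacturer-secret-seed-demo"   # secret that f is keyed on, held inside every device
NA, NB, NC = "+81-90-0000-0001", "+81-90-0000-0002", "+81-90-0000-0003"
MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


class TamperProofDevice:
    """Model of the claimed encryption-authentication section (example only)."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed
        self._registered_id = None   # write-once ID storage area (claims 4, 9, 14)

    def register_id(self, new_id: str) -> None:
        """ID issuance-registration: the retailer writes the ID exactly once."""
        if self._registered_id is not None:
            raise PermissionError("ID storage area is write-once")
        self._registered_id = new_id

    # Key generation section: one-to-one function f(ID), keyed by the seed (assumed HMAC).
    def _f(self, id_: str) -> bytes:
        return hmac.new(self._seed, id_.encode(), hashlib.sha256).digest()

    # First key acquisition section: only the registered ID is accepted.
    def _first_key(self, id_: str) -> bytes:
        if self._registered_id is None or not hmac.compare_digest(
                id_.encode(), self._registered_id.encode()):
            raise PermissionError("ID is not the one registered on this device")
        return self._f(id_)

    # Second key acquisition section: any inputted ID is accepted.
    def _second_key(self, id_: str) -> bytes:
        return self._f(id_)

    def _keystream(self, key: bytes, nonce: bytes, length: int) -> bytes:
        """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (example choice)."""
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    # MAC generation section (first key) and MAC verification section (second key).
    def generate_mac(self, id_: str, message: bytes) -> bytes:
        return hmac.new(self._first_key(id_), b"mac" + message, hashlib.sha256).digest()

    def verify_mac(self, id_: str, message: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._second_key(id_), b"mac" + message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    # Encryption section (second key) and decryption section (first key).
    def encrypt(self, id_: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = self._keystream(self._second_key(id_), nonce, len(plaintext))
        return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt(self, id_: str, ciphertext: bytes) -> bytes:
        nonce, body = ciphertext[:16], ciphertext[16:]
        ks = self._keystream(self._first_key(id_), nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def make_phone(phone_number: str) -> TamperProofDevice:
    """Steps 620/630: the manufacturer builds f in; the retailer writes the number once."""
    phone = TamperProofDevice(SEED)
    phone.register_id(phone_number)
    return phone


def send_and_receive(message: bytes):
    """The exchange of embodiment 4 and claim 6: A generates the MAC with f(NA) and
    encrypts message||MAC with f(NB); B decrypts with f(NB) and verifies with f(NA)."""
    phone_a, phone_b = make_phone(NA), make_phone(NB)
    tag = phone_a.generate_mac(NA, message)        # only the phone registered with NA can do this
    sealed = phone_a.encrypt(NB, message + tag)    # any phone can encrypt to NB
    opened = phone_b.decrypt(NB, sealed)           # only the phone registered with NB can do this
    received, received_tag = opened[:-MAC_LEN], opened[-MAC_LEN:]
    return received, phone_b.verify_mac(NA, received, received_tag)


def third_party_cannot_open(message: bytes) -> bool:
    """A phone registered with NC can encrypt to NB, but can neither decrypt as NB
    nor generate a MAC as NA: both requests are refused by the first key acquisition path."""
    phone_c = make_phone(NC)
    sealed = phone_c.encrypt(NB, message)
    for attempt in (lambda: phone_c.decrypt(NB, sealed),
                    lambda: phone_c.generate_mac(NA, message)):
        try:
            attempt()
            return False
        except PermissionError:
            pass
    return True


if __name__ == "__main__":
    print(send_and_receive(b"meet at 10"))      # (b'meet at 10', True)
    print(third_party_cannot_open(b"meet at 10"))  # True
```

What the simulation makes explicit from a defender's standpoint: every device of the manufacturer holds the same seed, so the confidentiality of messages to NB and the unforgeability of MACs from NA rest entirely on the tamper-proof section keeping the seed and f(ID) inside the hardware and on the ID storage being genuinely write-once; the tampering detection section of claim 1, which destroys the encryption-authentication section on a voltage or pressure change, is what that assumption depends on. The message||MAC ordering follows claim 6 as written.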
  • The present invention can be realized in hardware, software, or a combination of hardware and software. It may be implemented as a method having steps to implement one or more functions of the invention, and/or it may be implemented as an apparatus having components and/or means to implement one or more steps of a method of the invention described above and/or known to those skilled in the art. A visualization tool according to the present invention can be realized in a centralized fashion in one computer system or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods and/or functions described herein—is suitable. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods. Methods of this invention may be implemented by an apparatus which provides the functions carrying out the steps of the methods. Apparatus and/or systems of this invention may be implemented by a method that includes steps to produce the functions of the apparatus and/or systems.
  • Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or after reproduction in a different material form.
  • Thus the invention includes an article of manufacture which comprises a computer usable medium having computer readable program code means embodied therein for causing one or more functions described above. The computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention. Similarly, the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above. The computer readable program code means in the computer program product comprises computer readable program code means for causing a computer to effect one or more functions of this invention. Furthermore, the present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.
  • It is noted that the foregoing has outlined some of the more pertinent objects and embodiments of the present invention. This invention may be used for many applications. Thus, although the description is made for particular arrangements and methods, the intent and concept of the invention is suitable and applicable to other arrangements and applications. It will be clear to those skilled in the art that modifications to the disclosed embodiments can be effected without departing from the spirit and scope of the invention. The described embodiments ought to be construed to be merely illustrative of some of the more prominent features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or modifying the invention in ways known to those familiar with the art.

Claims (20)

1) An apparatus comprising tamper-proof hardware, the hardware comprising an encryption-authentication section for performing issuance of an ID, encryption, and authentication, in response to a request by a user, and a tampering detection section for detecting one of voltage change and pressure change, to electrically destroy the encryption-authentication section, the encryption-authentication section comprising:
an ID issuance-registration section for issuing an ID in response to a request by a user, and storing the ID in a storage section;
a key generation section for generating a key corresponding to the ID using a one-to-one function, and outputting the key;
a first key acquisition section for, in response to a request by a user for decryption or generation of a message authentication code, comparing an inputted ID and the ID stored in the ID storage section, and, if the IDs are corresponding to each other, handing over the ID to the key generation section to output a key generated by the key generation section;
a second key acquisition section for, in response to a request by a user for encryption or verification of a message with a message authentication code attached thereto, handing over an inputted ID to the key generation section to output a key generated by the key generation section;
a message authentication code generation section for handing over an inputted ID to the first key acquisition section, and, with the use of a key outputted from the first key acquisition section, calculating and outputting a message authentication code of an inputted message;
a message authentication code verification section for handing over an inputted ID to the second key acquisition section, calculating a message authentication code of an inputted message with the use of a key outputted from the second key acquisition section, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes are corresponding to each other, returning information indicating that the verification has succeeded to the user;
an encryption section for handing over an inputted ID to the second key acquisition section, encrypting inputted plaintext with the use of a key outputted from the second key acquisition section, and returning the result to a user; and
a decryption section for handing over an inputted ID to the first key acquisition section and, with the use of a key outputted from the first key acquisition section, decrypting and outputting inputted encrypted text.
2) The apparatus according to claim 1, wherein the encryption-authentication section has a seed storage section, and the key generation section generates a key, based on a seed stored in the seed storage section and the ID stored in the ID storage section, and outputs the key.
3) The apparatus according to claim 1, wherein the ID issuance-registration section includes redundant information in an ID when issuing the ID.
4) The apparatus according to claim 1, wherein the encryption-authentication section further has a write-once storage area so that registration of the ID is enabled by writing the ID in the write-once storage area.
5) The apparatus according to claim 1, wherein issuance-registration of the ID is performed only by a key generation body.
6) A method for performing pseudo public key encryption and digital signature with the use of an apparatus including tamper-proof hardware which comprises an encryption-authentication section for performing issuance of an ID, encryption, and authentication, in response to a request by a user, and a tampering detection section for detecting voltage change or pressure change to electrically destroy the encryption-authentication section, the encryption-authentication section of the apparatus comprising:
an ID issuance-registration section for issuing an ID in response to a request by a user, and storing the ID in a storage section;
a key generation section for generating a key corresponding to the ID using a one-to-one function, and outputting the key;
a first key acquisition section for, in response to a request by a user for decryption, or generation of a message authentication code, comparing an inputted ID and the ID stored in the ID storage section, and, if the IDs are corresponding to each other, handing over the ID to the key generation section to output a key generated by the key generation section;
a second key acquisition section for, in response to a request by a user for encryption, or verification of a message with a message authentication code attached thereto, handing over an inputted ID to the key generation section to output a key generated by the key generation section;
a message authentication code generation section for handing over an inputted ID to the first key acquisition section, and, with the use of a key outputted from the first key acquisition section, calculating and outputting a message authentication code of an inputted message;
a message authentication code verification section for handing over an inputted ID to the second key acquisition section, calculating a message authentication code of an inputted message with the use of a key outputted from the second key acquisition section, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes are corresponding to each other, returning information indicating that the verification has succeeded to the user;
an encryption section for handing over an inputted ID to the second key acquisition section, encrypting inputted plaintext with the use of a key outputted from the second key acquisition section, and returning the result to a user; and
a decryption section for handing over an inputted ID to the first key acquisition section, and, with the use of a key outputted from the first key acquisition section, decrypting and outputting inputted encrypted text; and
the method comprising, in sending a message between a sending user and a receiving user, having the apparatus A and the apparatus B, respectively, the steps of:
the apparatus A selecting and storing a sending user ID, and then returning the sending user ID to the sending user, for publication of the sending user ID;
the apparatus B selecting and storing a receiving user ID, and then returning the receiving user ID to the receiving user, for publication of the receiving user ID;
the apparatus A acquiring a key corresponding to the sending user ID, generating a message authentication code, and returning the message authentication code to the sending user;
in response to a request by the sending user for encryption, the apparatus A acquiring a key corresponding to the receiving user ID, encrypting the message and the message authentication code, and returning the encrypted message and message authentication code to the sending user;
in response to a request by the receiving user for decryption of the encryption, the apparatus B acquiring a key corresponding to the receiving user ID, decrypting the received message, and returning the decrypted message to the receiving user; and
in response to a request by the receiving user for verification of the message authentication code, the apparatus B acquiring a key corresponding to the sending ID, verifying the message authentication code, and returning the result to the receiving user.
7) The method according to claim 6, wherein the encryption-authentication section has a seed storage section, and the key generation section generates a key based on a seed stored in the seed storage section and the ID stored in the ID storage section, and outputs the key.
8) The method according to claim 6, wherein the ID issuance-registration section includes redundant information in an ID when issuing the ID.
9) The method according to claim 6, wherein the encryption-authentication section further has a write-once storage area so that registration of the ID is enabled by writing the ID in the write-once storage area.
10) The method according to claim 6, wherein issuance-registration of the ID is performed only by a key generation body.
11) A method comprising:
providing tamper-proof hardware having capabilities to perform issuance of an ID, encryption, and authentication, in response to a request by a user;
detecting one of voltage change and pressure change, and electrically destroying at least one of said capabilities;
issuing and storing a first ID in response to a request by a user;
generating a first key corresponding to the first ID using a one-to-one function, and outputting the first key;
in response to a request by the user for one of decryption of a message authentication code and generation of a message authentication code, comparing an inputted ID and the first ID, and if the inputted ID and the first ID correspond to each other, handing over the first ID and outputting the first key;
in response to a request by the user for encryption or verification of a message with a message authentication code attached thereto, handing over the inputted ID and outputting a second key;
handing over the inputted ID to the first key acquisition section, and with the use of the first key calculating and outputting a message authentication code of an inputted message;
a message authentication code verification section for handing over the inputted ID to the second key acquisition section, calculating a message authentication code of the inputted message with the use of the second key, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes correspond to each other, returning information to the user indicating that the verification has succeeded;
handing over the inputted ID, encrypting inputted plaintext with the use of the second key, and returning the result to a user; and
handing over the inputted ID, and with the use of the first key, decrypting and outputting inputted encrypted text.
12) The method according to claim 11, wherein at least one key is based on a stored seed.
13) The method according to claim 11, further comprising including redundant information in each issued ID.
14) The method according to claim 11, further comprising enabling a write-once storage such that registration of the ID occurs by writing the ID in a write-once storage area.
15) The method according to claim 11, wherein issuance-registration of the ID is performed only by a key generation body.
16) An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing encryption functions, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 11.
17) A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for encryption functions, said method steps comprising the steps of claim 11.
18) An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing encryption functions, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 6.
19) A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for encryption functions, said method steps comprising the steps of claim 6.
20) A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing encryption functions, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 1.
US11/338,063 2004-12-20 2006-01-23 Pseudo public key encryption Abandoned US20070189517A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/558,868 US8139766B2 (en) 2004-12-20 2009-09-14 Pseudo public key encryption

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004367676A JP4130653B2 (en) 2004-12-20 2004-12-20 Pseudo public key encryption method and system
JP2004-367676 2004-12-20

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/558,868 Continuation US8139766B2 (en) 2004-12-20 2009-09-14 Pseudo public key encryption

Publications (1)

Publication Number Publication Date
US20070189517A1 true US20070189517A1 (en) 2007-08-16

Family

ID=36674583

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/338,063 Abandoned US20070189517A1 (en) 2004-12-20 2006-01-23 Pseudo public key encryption
US12/558,868 Expired - Fee Related US8139766B2 (en) 2004-12-20 2009-09-14 Pseudo public key encryption

Family Applications After (1)

Application Number Title Priority Date Filing Date
US12/558,868 Expired - Fee Related US8139766B2 (en) 2004-12-20 2009-09-14 Pseudo public key encryption

Country Status (3)

Country Link
US (2) US20070189517A1 (en)
JP (1) JP4130653B2 (en)
CN (1) CN100559751C (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060259579A1 (en) * 2005-05-11 2006-11-16 Bigfoot Networks, Inc. Distributed processing system and method
US20070060373A1 (en) * 2005-09-12 2007-03-15 Bigfoot Networks, Inc. Data communication system and methods
US20070078929A1 (en) * 2005-09-30 2007-04-05 Bigfoot Networks, Inc. Distributed processing system and method
US20080016236A1 (en) * 2006-07-17 2008-01-17 Bigfoot Networks, Inc. Data buffering and notification system and methods thereof
US20080016166A1 (en) * 2006-07-17 2008-01-17 Bigfoot Networks, Inc. Host posing network device and method thereof
US20080031446A1 (en) * 2006-08-04 2008-02-07 Canon Kabushiki Kaisha Information processing apparatus, data processing apparatus, and methods thereof
US20080183861A1 (en) * 2007-01-26 2008-07-31 Bigfoot Networks, Inc. Communication Socket State Monitoring System and Methods Thereof
US20080235713A1 (en) * 2007-03-23 2008-09-25 Bigfoot Networks, Inc. Distributed Processing System and Method
US20090024872A1 (en) * 2007-07-20 2009-01-22 Bigfoot Networks, Inc. Remote access diagnostic device and methods thereof
US20090025073A1 (en) * 2007-07-20 2009-01-22 Bigfoot Networks, Inc. Client authentication device and methods thereof
US20090141713A1 (en) * 2007-11-29 2009-06-04 Bigfoot Networks, Inc. Remote Message Routing Device and Methods Thereof
US20090183001A1 (en) * 2008-01-16 2009-07-16 Feitian Technologies Co., Ltd. Method for offline drm authentication and a system thereof
US20090182890A1 (en) * 2008-01-15 2009-07-16 Adobe Systems Incorporated Information Communication
US8082320B1 (en) * 2008-04-09 2011-12-20 Adobe Systems Incorporated Communicating supplemental information over a block erasure channel
US8370648B1 (en) * 2010-03-15 2013-02-05 Emc International Company Writing and reading encrypted data using time-based encryption keys
US8687487B2 (en) 2007-03-26 2014-04-01 Qualcomm Incorporated Method and system for communication between nodes
CN105787298A (en) * 2007-11-23 2016-07-20 法国电信公司 Authentication method and system, portable object, verifier device, and reader
CN105897731A (en) * 2016-05-12 2016-08-24 深圳市文鼎创数据科技有限公司 Authentication method and authentication apparatus
WO2020048289A1 (en) * 2018-09-05 2020-03-12 深圳市红砖坊技术有限公司 System and method for processing user information

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101067146B1 (en) * 2010-01-14 2011-09-22 주식회사 팬택 Method for processing encrypted message in portable terminal and portable terminal
JP2014175758A (en) * 2013-03-07 2014-09-22 Toppan Printing Co Ltd Ic card and processing method thereof
US9246978B2 (en) * 2013-11-11 2016-01-26 Mitsubishi Electric Research Laboratories, Inc. Method for determining hidden states of systems using privacy-preserving distributed data analytics
US8886964B1 (en) * 2014-04-24 2014-11-11 Flexera Software Llc Protecting remote asset against data exploits utilizing an embedded key generator
US9471810B2 (en) * 2015-03-09 2016-10-18 Mitsubishi Electric Research Laboratories, Inc. Method and system for determining hidden states of a machine using privacy-preserving distributed data analytics and a semi-trusted server and a third-party
US10638313B2 (en) * 2017-10-26 2020-04-28 Robert Bosch Gmbh Systems and methods for confirming a cryptographic key
IT201800005466A1 (en) * 2018-05-17 2019-11-17 METHOD AND DEVICE FOR WRITING SOFTWARE OBJECTS IN AN ELECTRONIC CONTROL UNIT OF AN INTERNAL COMBUSTION ENGINE

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2929738B2 (en) 1991-02-01 1999-08-03 ケイディディ株式会社 Encryption device
JP2004070712A (en) 2002-08-07 2004-03-04 Nippon Telegr & Teleph Corp <Ntt> Data delivery method, data delivery system, split delivery data receiving method, split delivery data receiving device and split delivery data receiving program

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060259579A1 (en) * 2005-05-11 2006-11-16 Bigfoot Networks, Inc. Distributed processing system and method
US9426207B2 (en) 2005-05-11 2016-08-23 Qualcomm Incorporated Distributed processing system and method
US8167722B2 (en) 2005-05-11 2012-05-01 Qualcomm Atheros, Inc Distributed processing system and method
US20070060373A1 (en) * 2005-09-12 2007-03-15 Bigfoot Networks, Inc. Data communication system and methods
US20070078929A1 (en) * 2005-09-30 2007-04-05 Bigfoot Networks, Inc. Distributed processing system and method
US9455844B2 (en) 2005-09-30 2016-09-27 Qualcomm Incorporated Distributed processing system and method
US20080016166A1 (en) * 2006-07-17 2008-01-17 Bigfoot Networks, Inc. Host posing network device and method thereof
US20080016236A1 (en) * 2006-07-17 2008-01-17 Bigfoot Networks, Inc. Data buffering and notification system and methods thereof
US8874780B2 (en) 2006-07-17 2014-10-28 Qualcomm Incorporated Data buffering and notification system and methods thereof
US8683045B2 (en) 2006-07-17 2014-03-25 Qualcomm Incorporated Intermediate network device for host-client communication
US20080031446A1 (en) * 2006-08-04 2008-02-07 Canon Kabushiki Kaisha Information processing apparatus, data processing apparatus, and methods thereof
US8005213B2 (en) * 2006-08-04 2011-08-23 Canon Kabushiki Kaisha Method, apparatus, and computer program for generating session keys for encryption of image data
US20080183861A1 (en) * 2007-01-26 2008-07-31 Bigfoot Networks, Inc. Communication Socket State Monitoring System and Methods Thereof
US7908364B2 (en) 2007-01-26 2011-03-15 Bigfoot Networks, Inc. Method storing socket state information in application space for improving communication efficiency of an application program
US20080235713A1 (en) * 2007-03-23 2008-09-25 Bigfoot Networks, Inc. Distributed Processing System and Method
US8255919B2 (en) 2007-03-23 2012-08-28 Qualcomm Atheros, Inc. Distributed processing system and method
US8687487B2 (en) 2007-03-26 2014-04-01 Qualcomm Incorporated Method and system for communication between nodes
US20090024872A1 (en) * 2007-07-20 2009-01-22 Bigfoot Networks, Inc. Remote access diagnostic device and methods thereof
US20090025073A1 (en) * 2007-07-20 2009-01-22 Bigfoot Networks, Inc. Client authentication device and methods thereof
US8499169B2 (en) 2007-07-20 2013-07-30 Qualcomm Incorporated Client authentication device and methods thereof
US8543866B2 (en) 2007-07-20 2013-09-24 Qualcomm Incorporated Remote access diagnostic mechanism for communication devices
US8909978B2 (en) 2007-07-20 2014-12-09 Qualcomm Incorporated Remote access diagnostic mechanism for communication devices
CN105787298A (en) * 2007-11-23 2016-07-20 法国电信公司 Authentication method and system, portable object, verifier device, and reader
US9270570B2 (en) 2007-11-29 2016-02-23 Qualcomm Incorporated Remote message routing device and methods thereof
US20090141713A1 (en) * 2007-11-29 2009-06-04 Bigfoot Networks, Inc. Remote Message Routing Device and Methods Thereof
US20090182890A1 (en) * 2008-01-15 2009-07-16 Adobe Systems Incorporated Information Communication
US8161166B2 (en) 2008-01-15 2012-04-17 Adobe Systems Incorporated Information communication using numerical residuals
US9906509B2 (en) * 2008-01-16 2018-02-27 Feitian Technologies Co., Ltd. Method for offline DRM authentication and a system thereof
US20090183001A1 (en) * 2008-01-16 2009-07-16 Feitian Technologies Co., Ltd. Method for offline drm authentication and a system thereof
US8082320B1 (en) * 2008-04-09 2011-12-20 Adobe Systems Incorporated Communicating supplemental information over a block erasure channel
US9152814B1 (en) * 2010-03-15 2015-10-06 Emc International Company Writing and reading encrypted data using time-based encryption keys
US8370648B1 (en) * 2010-03-15 2013-02-05 Emc International Company Writing and reading encrypted data using time-based encryption keys
CN105897731A (en) * 2016-05-12 2016-08-24 深圳市文鼎创数据科技有限公司 Authentication method and authentication apparatus
WO2020048289A1 (en) * 2018-09-05 2020-03-12 深圳市红砖坊技术有限公司 System and method for processing user information

Also Published As

Publication number Publication date
JP4130653B2 (en) 2008-08-06
CN1794630A (en) 2006-06-28
JP2006174356A (en) 2006-06-29
US20090323935A1 (en) 2009-12-31
CN100559751C (en) 2009-11-11
US8139766B2 (en) 2012-03-20

Similar Documents

Publication Publication Date Title
US8139766B2 (en) Pseudo public key encryption
CA2652084C (en) A method and apparatus to provide authentication and privacy with low complexity devices
US7516321B2 (en) Method, system and device for enabling delegation of authority and access control methods based on delegated authority
US7574596B2 (en) Cryptographic method and apparatus
US11223486B2 (en) Digital signature method, device, and system
US20050005100A1 (en) Cryptographic method and system
US7894608B2 (en) Secure approach to send data from one system to another
WO2016136142A1 (en) Ciphertext collation system, method and recording medium
CN109951276B (en) Embedded equipment remote identity authentication method based on TPM
US20050021973A1 (en) Cryptographic method and apparatus
CN116346336B (en) Key distribution method based on multi-layer key generation center and related system
KR20040009766A (en) Apparatus and method for transmitting and receiving in encryption system
JP5171787B2 (en) Sign-encryption system and sign-encryption generation method
Barker Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
Andreevich et al. On Using Mersenne Primes in Designing Cryptoschemes
KR20170087120A (en) Certificateless public key encryption system and receiving terminal
JPH07118709B2 (en) Confidential information communication method
EP4195590A1 (en) Secure data transmission
JP4000899B2 (en) Cryptographic method with authentication, decryption method and device with authentication, program, and computer-readable recording medium
US20040264702A1 (en) Method and apparatus for producing cryptographic keys
KR20060031845A (en) Method for encoding/decoding a message and associated device
JPH11202766A (en) Digital signature system, and information communication system and communication equipment using the same
KR20050028720A (en) Authentication using human memorable password and public key cryptsystem
GB2401007A (en) Cryptographic method and apparatus
JP2001177515A (en) Key depositing device

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KOSEKI, AKIRA;IMAMURA, TAKESHI;REEL/FRAME:017627/0369;SIGNING DATES FROM 20060502 TO 20060510

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE