Patent Grant
10355856
The present invention relates to an application of an information security technology, and especially relates to a key exchange technology by which a plurality of users forming a group share a common key.
Key exchange technologies by which a plurality of users forming a group share a common key have been conventionally proposed (see Non-patent Literatures 1 and 2, for example). Non-patent Literature 1 describes an architecture of an information system for realizing such key exchange technology. Non-patent Literature 2 describes an algorithm of such key exchange technology.
In the related-art technologies described in Non-patent Literatures 1 and 2, users who share a common key need to be registered in advance, so that it is impossible for a plurality of users to share the common key while permitting dynamic member change. Further, since the whole computational complexity required for key exchange is O(log n) when the number of users is denoted as n, there is a problem in that the computational complexity for the key exchange is increased along with increase of the number of users.
In the light of such point, an object of the present invention is to provide a key exchange technology which enables a plurality of users to share a common key while permitting dynamic member change and enables reduction in computational complexity required for key exchange.
In order to solve the above-mentioned problems, in a key exchange method according to the present invention, n denotes an integer which is 2 or larger, i denotes respective integers from 1 to n inclusive, j denotes respective integers from 2 to n inclusive, S denotes a key distribution device, Ui denotes n pieces of communication devices, U1 denotes one piece of representative communication device which is selected from then pieces of communication devices Ui, Uj denotes n−1 pieces of general communication devices obtained by excluding the representative communication device U1 from the n pieces of communication devices Ui, ∥ denotes a concatenation operator, α and β denote integers defined by the following formulas:
a secret key skS and secret strings stS and st′S for public key encryption of the key distribution device S are stored in a storage of the key distribution device S, and a secret key ski and secret strings sti and st′i for public key encryption of the communication devices Ui are stored in a storage of the communication devices Ui. The key exchange method includes: a first key generation step in which the communication devices Ui generate ri, ki, and si by using the secret strings sti and st′i based on a twisted pseudo-random function, compute Ri=gri and ci=gkihsi, and transmit (Ri, ci) to the key distribution device S; a session ID generation step in which the key distribution device S generates sid by using c1, . . . , cn based on a target-collision resistant hash function and transmits (sid, Rα, Rβ) to the communication devices Ui with respect to each i; a representative second key generation step in which the representative communication device U1 generates K1l by using (sid, Rnr1) based on a pseudo-random function, computes T1 by an exclusive OR of K11 and k1∥s1, and transmits T1 to the key distribution device S; a general second key generation step in which the general communication devices Ui generate Kjl by using (sid, Rαrj) based on the pseudo-random function, generate Kjr by using (sid, Rβrj) based on the pseudo-random function, compute Tj by an exclusive OR of Kjl and Kjr, and transmit (kj, sj, Tj) to the key distribution device S; a third key generation step in which the key distribution device S generates ks by using the secret strings stS and st′S based on the twisted pseudo-random function, computes k′ by an exclusive OR of k2, . . . , kn, ks, computes T′j by an exclusive OR of T1, . . . , Tj−1 with respect to each j, transmits k′ to the representative communication device U1, and transmits (k′, T′j, T1) to the general communication devices Uj; a first session key generation step in which the general communication devices Uj compute Kjl by an exclusive OR of T′j and Kjr and compute k1∥s1 by an exclusive OR of T1 and Kjl; and a second session key generation step in which the communication devices Ui generate a common key K2 by using sid and an exclusive OR of k′ and k1 based on the pseudo-random function.
According to the present invention, a plurality of users can share a common key while permitting dynamic member change. Computational complexity required for key exchange is the predetermined number of times which is the number of users, that is, O(1), thus being reduced more than the related art.
Prior to the description of an embodiment, the notation in this specification will be described.
To select an element in at random from Set which is a certain set is expressed as m∈RSet.
To output y based on ALG, which is a certain algorithm, with respect to an input x and a random number r is expressed as y←ALG(x;r). Here, in the case where ALG is a deterministic algorithm, the random number r is nil.
|⋅| denotes the bit length of a value.
κ denotes a security parameter.
F={Fκ: Domκ×FSκ→Rngκ}κ is a family of functions including a definition range {Domκ}κ, a key space {FSκ}κ, and a value range {Rngκ}κ. In this case, if a function Fκ and a true random function RFκ: Domκ→Rngκ cannot be distinguished with respect to a person D to be identified at arbitrary polynomial time, F={Fκ}κ is called a family of pseudo-random functions. A specific example of the pseudo-random function is described in Reference Literature 1 below, for example.
H={Hκ: Domκ→Rngκ}κ is a family of hash functions including the definition range {Domκ}κ and the value range {Rngκ}κ. In this case, if x′ (≠x) which satisfies Hκ(x)=Hκ(x′) when x∈RDomκ is provided cannot be found with respect to an attacker A at arbitrary polynomial time, H={Hκ}κ is called a family of target-collision resistant hash functions. A specific example of the target-collision resistant hash function is described in Reference Literature 2 below, for example.
Public key encryption algorithms are defined as (Gen, Enc, Dec). In a key generation algorithm Gen, a security parameter κ is an input and a public key pk and a secret key sk are outputs. In an encryption algorithm Enc, the public key pk and a plaintext in are inputs and a cipher text CT is an output. In the decryption algorithm Dec, the secret key sk and the cipher text CT are inputs and the plaintext in is an output. A specific example of the public key encryption algorithm is described in Reference Literature 2 mentioned above, for example.
Message authentication code algorithms are defined as (MGen, Tag, Ver). In a MAC key generation algorithm MGen, the security parameter κ is an input and a MAC key ink is an output. In the tag generation algorithm Tag, the MAC key ink and the plaintext m are inputs and an authentication tag a is an output. In a verification algorithm Ver, the MAC key ink, the plaintext in, and the authentication tag σ are inputs, and 1 is outputted when the authentication tag σ is correct, while 0 is outputted when the authentication tag σ is incorrect. A specific example of the message authentication code algorithm is described in Reference Literature 2 mentioned above, for example.
Functional encryption algorithms are defied as (Setup, Der, FEnc, FDec). In a setup algorithm Setup, the security parameter κ is an input and a master secret key msk and a public parameter Params are outputs. In a key derivation algorithm Der, the public parameter Params, the master secret key msk, and attribution A are inputs and a user secret key usk is an output. In an encryption algorithm FEnc, the public parameter Params, an access structure P, and the plaintext in are inputs and the cipher text CT is an output. In a decryption algorithm FDec, the user secret key usk and the cipher text CT are inputs and the plaintext in is outputted if the attribution A satisfies the access structure P. A specific example of the functional encryption algorithm is described in Reference Literature 3 below, for example.
A function tPRF: {0, 1}κ×FSκ×{0, 1}κ×FSκ→Rngκ is called a twisted pseudo-random function, and
tPRF(a,a′,b,b′):=Fκ(a,b)⊕Fκ(b′,a′)
is defined by using the pseudo-random function Fκ. Here, a, b′∈{0, 1}κ and a′, b∈FSκ hold. A specific example of the twisted pseudo-random function is described in Reference Literature 4 below, for example.
An embodiment of the present invention will be detailed below. Here, components having identical functions in the drawings will be denoted by identical reference characters and duplicate description thereof will be omitted.
As illustrated in
The key distribution device 1 includes a storage 100, a setup unit 101, a public key generation unit 102, a secret string generation unit 103, a user key transmission unit 111, a session ID generation unit 113, an authentication tag verification unit 114, a third key generation unit 115, and an authentication tag generation unit 116, as illustrated in
The key distribution device 1 and the communication devices 21, . . . , 2N are special devices which are configured such that a special program is read into well-known or dedicated computers including a central processing unit (CPU), a main storage device (random access memory: RAM), and the like. Each device executes processing under the control of the central processing unit, for example. Data inputted into each device and data obtained through each processing are stored in the main storage device, for example, and the data stored in the main storage device is read onto the central processing unit as appropriate to be used for other processing. At least part of processing units included in each device may be composed of hardware such as an integrated circuit.
The storage 100 included in the key distribution device 1 and the storage 200 included in the communication devices 21, . . . , 2N may be composed of a main storage device such as a random access memory (RAM), an auxiliary storage device composed of a hard disk, an optical disk, or a semiconductor memory element such as a flash memory, or middleware such as a relational database and a key value store, for example. Since each storage stores secret information, each storage is preferably a storage device having tamper resistance (a SIM card, for example).
A processing procedure for system setup in the key exchange method according to the embodiment will be described with reference to
In the following description, symbols will be defined as the following. S denotes the key distribution device 1 and Ui (i∈{1, . . . , N}) denotes N pieces of communication devices 21, . . . , 2N. G denotes a multiplication cyclic group of a prime number order p of κ bits. Each of g and h denotes a generation source of the group G. H: {0, 1}*→{0, 1}κ denotes a target-collision resistant hash function. tPRF: {0, 1}κ×FSκ{0, 1}κ×FSκ→Zp and tPRF′: {0, 1}κ×FSκ×{0, 1}κ×FSκ→FSκ denote twisted pseudo-random functions. F: {0, 1}κ×G→Zp2, F′: {0, 1}κ×Zp→FSκ, and F″: {0, 1}κ×FSκ→{0, 1}κ denote pseudo-random functions.
In step S101, the setup unit 101 of the key distribution device S generates the public parameter Params and the master secret key msk based on the setup algorithm Setup for functional encryption. The setup unit 101 transmits the public parameter Params to each of the communication devices U1, . . . , UN. The master secret key msk is stored in the storage 100.
In step S102, the public key generation unit 102 of the key distribution device S generates a combination of the public key pkS and the secret key skS of the key distribution device S based on the key generation algorithm Gen for public key encryption. The public key pkS of the key distribution device S is made public by using a public key infrastructure or the like, for example. The secret key skS of the key distribution device S is stored in the storage 100.
In step S202, the public key generation unit 202 of the communication devices Ui generates a combination of the public key pki and the secret key ski of the communication devices Ui based on the key generation algorithm Gen for public key encryption. The public key pki of the communication devices Ui is made public by using a public key infrastructure or the like, for example. The secret key ski of the communication devices Ui is stored in the storage 200.
In step S103, the secret string generation unit 103 of the key distribution device S generates secret strings (stS, st′S) used in the twisted pseudo-random function as stS∈RFSκ and st′S∈{0, 1}κ. The secret strings (stS, st′S) are stored in the storage 100.
In step S203, the secret string generation unit 203 of the communication devices Ui generates secret strings (sti, st′i) used in the twisted pseudo-random function as sti∈RFSκ and st′i∈{0, 1}κ. The secret strings (sti, st′i) are stored in the storage 200.
In step S104, the key distribution device S acquires public keys pk1, . . . , pkN of respective communication devices U1, . . . , UN from a public key infrastructure or the like, for example, so as to store the public keys pk1, . . . , pkN in the storage 100.
In step S204, the communication devices Ui acquire the public key pkS of the key distribution device S from a public key infrastructure or the like, for example, so as to store the public key pkS in the storage 200. Further, the public parameter Params which is received from the key distribution device S is stored in the storage 200.
A processing procedure for session key distribution in the key exchange method according to the embodiment will be described with reference to
It is assumed below that arbitrary n (≤N) pieces of communication devices Ui (i∈{1, . . . , n}) among N pieces of communication devices 21, . . . , 2N share a session key SK. Further, in the case where S and Ui are inputs of each algorithm, S and Ui are identifiers for uniquely specifying respective devices.
In step S111, in the case where a session is started by the communication devices Ui and the session is the first session in a time frame TF of the communication devices Ui, the user key transmission unit 111 of the key distribution device S generates a user secret key uski←Der(Params, msk, Ai) of the communication devices Ui based on the key derivation algorithm Der for functional encryption with current time and attribution respectively set as time and Ai=(Ui, time). Further, a MAC key mki←MGen of the communication devices Ui is generated based on the key generation algorithm MGen for a message authentication code. Then, the user secret key uski and the MAC key mki are encrypted by using the public key pki of the communication devices Ui based on the encryption algorithm Enc for public key encryption so as to generate the cipher text CTi←Encpki(uski, mki). The user key transmission unit 111 transmits the cipher text CTi to each of the communication devices Ui.
In step S211, the user key reception unit 211 of the communication devices Ui decrypts the cipher text CTi, which is received from the key distribution device S, by using the secret key ski of the communication devices Ui based on the decryption algorithm Dec for public key encryption so as to obtain a user secret key and a MAC key (uski, mki)←Decski(CTi). The user key reception unit 211 stores the user secret key uski and the MAC key mki in the storage 200.
In step S212, the first key generation unit 212 of the communication devices Ui generates ˜ri∈R{0, 1}κ, ˜r′i∈RFSκ, ˜ki∈R{0, 1}κ, ˜k′i∈RFSκ, ˜si∈R{0, 1}κ, and ˜s′i∈RFSκ and computes ri=tPRF(˜ri, ˜r′i, sti, st′i), ki=tPRF(˜ki, ˜k′i, sti, st′i) and si=tPRF(˜si, ˜s′i, sti, st′i) based on the twisted pseudo-random function tPRF. Further, Ri=gri and ci=gkihsi are computed. Then, the first key generation unit 212 transmits (Ri, ci) to the key distribution device S.
In step S112, the key distribution device S receives (Ri, ci) from the communication devices Ui. At this time, the key distribution device S stands by until the key distribution device S receives (R1, c1), (Rn, cn) respectively from all of the communication devices U1, . . . , Un.
In step S113, the session ID generation unit 113 of the key distribution device S generates sid=H(c1, cn) by using c1, . . . , cn, which are respectively received from the communication devices U1, . . . , Un, based on the target-collision resistant hash function H. Further, one piece of communication device is selected as a representative from n pieces of communication devices U1, . . . , Un. A method for selecting a representative is arbitrary. For example, a predetermined communication device with the highest priority or a communication device which has started a session most recently may be selected. It is assumed that the communication device U1 is selected, and U1 is called a representative communication device, here. Further, n−1 pieces of communication devices Uj (j∈{2, . . . , n}) other than the representative communication device Ui are called general communication devices. The session ID generation unit 113 computes α and β as the following formulas and transmits (sid, Rα, Rβ) to each of the communication devices Ui.
In step S213, each of the communication devices Ui receives (sid, Rα, Rβ) from the key distribution device S. The communication devices Ui execute the following processing as soon as the communication devices Ui receive (sid, Rα, Rβ). In the case where i=2, . . . , n holds, that is, the case where the communication devices Ui are the communication devices Uj (i=j), the processing is progressed to step S214j. In the case where i=1 holds, that is, the case where the communication device Ui is the representative communication device U1, the processing is progressed to step S2141.
In step S214j, the second key generation unit 214 of the general communication devices Uj generates Kjl by using (sid, Rαrj) based on the pseudo-random function F and generates Kjr by using (sid, Rβrj) based on the pseudo-random function F so as to compute Tj by an exclusive OR of Kjl and Kjr, as the following formulas.
Klj=F(sid,Rr
Krj=F(sid,Rr
Tj=Klj⊕Krj
In step S2151 the authentication tag generation unit 215 of the general communication devices Uj generates an authentication tag σj=Tagmkj(Rj, cj, Rα, Rβ, kj, sj, Tj, Uj, sid) by using the MAC key mkj based on the tag generation algorithm Tag for a message authentication code. The authentication tag generation unit 215 transmits (kj, sj, Tj, σj) to the key distribution device S.
In step S2141, the second key generation unit 214 of the representative communication device U1 generates K1l by using (sid, Rnr1) based on the pseudo-random function F so as to compute T1 by an exclusive OR of K1l and k1∥s1, as the following formulas. Here, ∥ denotes a concatenation operator.
K1l=F(sid,Rnr
T1=K1l⊕k1∥s1
In step S2151, the authentication tag generation unit 215 of the representative communication device Ui generates an authentication tag σ1=Tagmk1(R1, c1, Rn, R2, T1, U1, sid) by using the MAC key mk1 based on the tag generation algorithm Tag for a message authentication code. The authentication tag generation unit 215 transmits (T1, σ1) to the key distribution device S.
In step S114j, the authentication tag verification unit 114 of the key distribution device S receives (kj, sj, Tj, σj) from the general communication devices Uj with respect to j=2, n and verifies Vermkj(Rj, cj, Rα, Rβ, kj, sj, Tj, Uj, sid, σj) by using the MAC key mkj of the general communication devices Uj based on the verification algorithm Ver for a message authentication code. When the authentication tag σj is invalid, the session of the general communication devices Uj is ended. Further, whether or not cj=gkjhsj is satisfied with respect to j=2, . . . , n is verified. When cj=gkjhsj is not satisfied, the session of the general communication devices Uj is ended.
In step S1141, the authentication tag verification unit 114 of the key distribution device S receives (T1, σ1) from the representative communication device U1 and verifies Vermk1(R1, c1, Rn, R2, T1, U1, sid, σ1) by using the MAC key mk1 of the representative communication device U1 based on the verification algorithm Ver for a message authentication code. When the authentication tag σ1 is invalid, the session of the representative communication device U1 is ended.
In step S115a, the third key generation unit 115 of the key distribution device S generates ˜kS∈R{0, 1}κ, ˜k′S∈RFSκ, ˜K1∈R{0, 1}κ, and ˜K′1∈RFSκ so as to compute kS=tPRF(˜kS, ˜k′S, stS, st′S) and K1=tPRF(˜K1, ˜K′1, stS, st′S) based on the twisted pseudo-random function tPRF. Further, k′ is computed by the following formula.
k′=(⊕2≤j≤nkj)⊕kS
In step S115b, the third key generation unit 115 of the key distribution device S computes T′j with respect to j=2, . . . , n by the following formula.
T′j=α1≤i≤j−1Ti
In step S115c, the third key generation unit 115 of the key distribution device S encrypts a common key K1 with respect to i=1, . . . , n based on the encryption algorithm FEnc for functional encryption with the access structure Pi=(ID=Ui)∧(time∈TF) so as to generate a cipher text CT′i=FEnc(Params, Pi, K1). Here, ID is a predicate variable representing a communication device and TF is a predicate variable representing a time frame of the communication device.
In step S116i, the authentication tag generation unit 116 of the key distribution device S generates an authentication tag σ′j=Tagmkj(Rj, cj, Rα, Rβ, kj, sj, Tj, Uj, sid, c1, k′, T′j, T1, CT′j) with respect to j=2, n by using the MAC key mkj of the general communication devices Uj based on the tag generation algorithm Tag for a message authentication code. The authentication tag generation unit 116 transmits (c1, k′, T′j, T1, CT′j, σ′j) to the general communication devices Uj.
In step S1161, the authentication tag generation unit 116 of the key distribution device S generates an authentication tag σ′1=Tagmk1(R1, c1, Rn, R2, T1, U1, sid, k′, CT′1) by using the MAC key mk1 of the representative communication device Ui based on the tag generation algorithm Tag for a message authentication code. The authentication tag generation unit 116 transmits (k′, CT′1, σ′1) to the representative communication device U1.
In step S216j, the authentication tag verification unit 216 of the general communication devices Uj receives (c1, k′, T′j, T1, CT′j, σ′j) from the key distribution device S and verifies Vermkj(Rj, cj, Rα, Rβ, kj, sj, Tj, Uj, sid, c1, k′, T′j, T1, CT′j, σ′j) by using the MAC key mkj of the general communication devices Uj based on the verification algorithm Ver for a message authentication code. When the authentication tag σ′j is invalid, the session of the general communication devices Uj is ended. Further, Kjl is computed by an exclusive OR of T′j and Kjr and k1∥s1 is computed by an exclusive OR of T1 and Kjl as the following formulas.
K1l=T′j⊕Kjl,
k1∥s1=T1⊕K1l
Then, whether or not c1=gk1hs1 is satisfied is verified. When c1=gk1hs1 is not satisfied, the session of the general communication devices Uj is ended.
In step S2161, the authentication tag verification unit 216 of the representative communication device U1 receives (k′, CT′1, σ′1) from the key distribution device S and verifies Vermk1(R1, c1, Rn, R2, T1, U1, sid, k′, CT′1, σ′1) by using the MAC key mk1 of the representative communication device U1 based on the verification algorithm Ver for a message authentication code. When the authentication tag σ′1 is invalid, the session of the representative communication device U1 is ended.
In step S217, the session key generation unit 217 of the communication devices Ui decrypts the common key K1←FDecuski(CT′i, Pi) by using the user secret key uski of the communication devices Ui based on the decryption algorithm FDec for functional encryption. Further, a common key K2 is computed based on the pseudo-random function F′ as the following formula.
K2=F′(sid,k′⊕k1)
Then, a session key SK is computed based on a pseudo-random function F″ as the following formula.
SK=F″(sid,K1)⊕F″(sid,K2)
According to the key exchange technology of the present invention, the above-described configuration makes it unnecessary to preliminarily register information of users who perform key exchange as the related art, thus enabling a plurality of users to share a common key while permitting dynamic member change. Further, the whole computational complexity required for the key exchange has been O(log n) when the number of users is set as n in the related art, but according to the present invention, the whole computational complexity is the predetermined number of times which is the number of users, that is, O(1), enabling key exchange with smaller computational complexity than the related art.
It is obvious that the present invention is not limited to the above-described embodiment and alterations can be made as appropriate within a scope of the idea of the present invention. Various types of processing which are described in the above embodiment may be executed in time series in accordance with the described order and may be executed in parallel or individually in accordance with the processing capacity of the device performing the processing or in accordance with the need.
[Program and Recording Medium]
When various types of processing functions in the devices described in the above embodiment are implemented on a computer, the contents of processing function to be contained in each device is written by a program. With this program executed on the computer, various types of processing functions in the above-described devices are implemented on the computer.
This program in which the contents of processing are written can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disc, a magneto-optical recording medium, and a semiconductor memory.
Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be stored in a storage unit of a server computer and transferred from the server computer to other computers via a network so as to be distributed.
A computer which executes such program first stores the program recorded in a portable recording medium or transferred from a server computer once in a storage unit thereof, for example. When the processing is performed, the computer reads out the program stored in the recording medium thereof and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program. Alternatively, a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition. It should be noted that a program according to the present embodiment includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).
In the present embodiment, the present device is configured with a predetermined program executed on a computer. However, the present device may be configured with at least part of these processing contents realized in a hardware manner.
| Number | Date | Country | Kind |
|---|---|---|---|
| 2015-116322 | Jun 2015 | JP | national |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/JP2016/062601 | 4/21/2016 | WO | 00 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2016/199507 | 12/15/2016 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 5768389 | Ishii | Jun 1998 | A |
| 7260716 | Srivastava | Aug 2007 | B1 |
| 7434046 | Srivastava | Oct 2008 | B1 |
| 20050097317 | Trostle | May 2005 | A1 |
| 20060168446 | Ahonen | Jul 2006 | A1 |
| 20070297613 | Ghosh | Dec 2007 | A1 |
| 20080123856 | Won | May 2008 | A1 |
| 20090177894 | Orsini | Jul 2009 | A1 |
| 20100142704 | Camenisch | Jun 2010 | A1 |
| 20100278336 | Tahan | Nov 2010 | A1 |
| 20120002816 | Tian | Jan 2012 | A1 |
| 20120057697 | Holtmanns | Mar 2012 | A1 |
| 20120166818 | Orsini | Jun 2012 | A1 |
| 20130013931 | O'Hare | Jan 2013 | A1 |
| 20130054964 | Messerges | Feb 2013 | A1 |
| 20130083926 | Hughes | Apr 2013 | A1 |
| 20130305039 | Gauda | Nov 2013 | A1 |
| 20140140511 | Suh | May 2014 | A1 |
| 20140229731 | O'Hare | Aug 2014 | A1 |
| 20150222619 | Hughes | Aug 2015 | A1 |
| 20170187524 | Furukawa | Jun 2017 | A1 |
| Entry |
|---|
| Suvo Mittra, “Iolus: a Framework for Scalable Secure Multicasting”, SIGCOMM '97, 1997, (pp. 1-12). |
| International Search Report dated Jul. 19, 2016 in PCT/JP2016/062601 filed Apr. 21, 2016. |
| Suvo Mittra, “lolus: a Framework for Scalable Secure Multicasting”, SIGCOMM '97, 1997, (pp. 1-12). |
| A. Ballardie, “Scalable Multicast Key Distribution”, [online], [retrieved on Mar. 4, 2016], Internet URL:https://tools.ietf.org/html/rfc.1949, Network Working Group, RFC 1949, May 1996, (18 pages). |
| Oded Goldreich, “Modern Cryptography, Probabilistic Proofs and Pseudo-randomness”, Springer-Verlag Tokyo Inc., 2001, (3 pages) (with English translation). |
| Johannes A. Buchmann, “Introduction to Cryptography the original 3rd edition, Chapter 11 Cryptographic Hash Functions”, Maruzen Publishing Co. Ltd, 2007, (10 pages) (with English translation). |
| Dan Boneh, et al., “Functional Encryption: Definitions and Challenges,” TCC, Lecture Notes in Computer Science, vol. 6597, 2011, (24 pages). |
| Kazuki Yoneyama, “One-Round Authenticated Key Exchange with Strong Forward Secrecy in the Standard Model against Constrained Adversary”, IEICE Trans. Fundamentals, vol. E96-A, No. 6, Jun. 2013, (pp. 1124-1138). |
| International Search Report dated Jul. 19, 2016 in PCT/JP2016/062601 filed Apr. 21, 2016 Considered. |
| Number | Date | Country | |
|---|---|---|---|
| 20180183583 A1 | Jun 2018 | US |
