MULTI-PARTY SECURE AUTHENTICATION SYSTEM, AUTHENTICATION SERVER, INTERMEDIATE SERVER, MULTI-PARTY SECURE AUTHENTICATION METHOD, AND PROGRAM

摘要

Even when an intermediate server exists, a plurality of servers simultaneously authenticates a user securely. A user apparatus disperses a password w′ and obtains a ciphertext EncUS_i([w′]i) by encrypting a dispersed value [w′]i. The intermediate server transmits the ciphertext EncUS_i([w′]i) to an authentication server. The authentication server decrypts the ciphertext EncUS_i([w′]i) to obtain the dispersed value [w′]i. The authentication server determines a verification value qa_i(W). The authentication server obtains a ciphertext EncWS_a_i(qa_i(W)). The intermediate server decrypts the ciphertext EncWS_a_i(qa_i(W)) to obtain the verification value qa_i(W). The intermediate server verifies whether a sum total of the verification values is equal to 0 or not. The authentication server determines a verification value qa_i(a_j). The authentication server obtains a ciphertext EncS_a_iS_a_j(qa_i(a_j)). The authentication server decrypts the ciphertext EncS_a_iS_a_j(qa_j(a_i)) to obtain the verification value qa_i(a_j). The authentication server verifies whether a sum total of the verification values is equal to 0 or not.

主权项

1: A multi-party secure authentication system comprising a user apparatus, an intermediate server and n authentication servers, wherein
n≧3 is satisfied; 2k−1≦n is satisfied; k≦m is satisfied; m≦n is satisfied; a1, . . . , am are m different integers each of which is equal to or larger than 1 and equal to or smaller than n; (k, n) secret sharing is secret sharing in which reconstruction is possible if there are k or more dispersed values among n dispersed values; [r(W)]1, . . . , [r(W)]n are such dispersed values by the (k, n) secret sharing that a random number r(W) is obtained when [r(W)]1, . . . , [r(W)]n are reconstructed; [r(i)]1, . . . , [r(i)]n (i=1, . . . , n) are such dispersed values by the (k, n) secret sharing that a random number r(i) is obtained when [r(i)]1, . . . , [r(i)]n are reconstructed; [0(W)]1, . . . , [0(W)]n are such dispersed values by the (k, n) secret sharing that 0 is obtained when [0(W)]1, . . . , [0(W)]n are reconstructed; and [0(a_i)]1, . . . , [0(a_i)]n (i=1, . . . , m) are such dispersed values by the (k, n) secret sharing that 0 is obtained when [0(a_i)]1, . . . , [0(a_i)]n are reconstructed; the user apparatus comprises: a password dispersing part dispersing an inputted password w′ into n dispersed values [w′]1, . . . , [w′]n; and a dispersed password value encrypting part obtaining a ciphertext EncUS_i([w′]i), which is obtained by encrypting a dispersed value [w′]i, using a common key between the user apparatus and an i-th one of the authentication servers, for i=1, . . . , n; the intermediate server comprises: a dispersed password value transferring part transmitting the ciphertext EncUS_i([w′]i) received from the user apparatus to the i-th authentication server, for i=1, . . . , n; an intermediate server's verification value decrypting part decrypting a ciphertext EncWS_a_i(qa_i(W)) received from an ai-th one of the authentication servers to obtain a verification value qa_i(W), using a common key between the intermediate server and the ai-th authentication server, for i=1, . . . , m; and an intermediate server's verifying part verifying whether a sum total of the verification values qa_i(W), . . . , qa_m(W) is equal to 0 or not; and the authentication server comprises: a dispersed value storing part storing the i-th dispersed value [w]i among dispersed values [w]1, . . . , [w]n obtained by dispersing a password w into n pieces, the i-th dispersed value [r(W)]i, and the respective i-th dispersed values [r(1)]i, . . . , [r(n)]i; a dispersed password value decrypting part decrypting the ciphertext EncUS_i([w′]i) received from the intermediate server to obtain the dispersed value [w′]i, using the common key between the user apparatus and the authentication server; an intermediate server's verification value generating part determining a verification value qa_i(W) by the following formula:
qai(W)=λai(W)[r(W)]ai([w]ai−[w′]ai)+{circumflex over (λ)}ai(W)[0(W)]ai  [Formula 36] wherein λa_i(W) (iε1, . . . , m) indicates a constant satisfying the following formula:[Formula32]r(W)w=∑i=1mλai(W)[r(W)]ai[w]ai ̂λa_i(W) (iε1, . . . , m) indicates a constant satisfying the following formula:0=∑i=1mλ^ai(W)[0(W)]ai[Formula33] λa_i(j)(iε1, . . . , m) indicates a constant satisfying the following formula:r(j)w=∑i=1mλai(j)[r(j)]ai[w]ai[Formula34] and ̂λa_i(j)(iε1, . . . , m) indicates a constant satisfying the following formula:0=∑i=1mλ^ai(j)[0(j)]ai[Formula35] an intermediate server's verification value encrypting part obtaining the ciphertext EncWS_a_i(qa_i(W)), which is obtained by encrypting the verification value qa_i(W), using a common key between the intermediate server and the authentication server; an authentication server's verification value generating part determining a verification value qa_i(a_j), for j=1, . . . , m, by the following formula:
qai(aj)=λai(aj)[r(aj)]ai([w]ai−[w′]ai)+{circumflex over (λ)}ai(aj)[0(aj)]ai  [Formula 37] an authentication server's verification value encrypting part obtaining a ciphertext EncS_a_iS_a_j(qa_i(a_j)), which is obtained by encrypting the verification value qa_i(a_j), using a common key between an aj-th one of the authentication servers and the authentication server, for j=1, . . . , m; an authentication server's verification value decrypting part decrypting the ciphertext EncS_a_iS_a_j(qa_j(a_i)) received from the aj-th authentication server to obtain the verification value qa_j(a_i), using the common key between the aj-th authentication server and the authentication server, for j=1, . . . , m; and an authentication server's verifying part verifying whether a sum total of the verification values qa_1(a_i), . . . ,qa_m(a_i) is equal to 0 or not.