JP2012018257A - Information sharing system, device, method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information sharing technique capable of securing the safety even if a master secret key z, and a short-term secrete key yof an information sharing device Uare leaked.SOLUTION: A shared value calculation unit 22 of an information sharing device Uperforms a process for calculating shared value σ=e(Z, QY) for each of i=1,..., n, and performs a process for calculating a shared value σ'=Yfor each of j=1,..., n'. A shared value calculation unit 32 of an information sharing device Uperforms a process for calculating a shared value σ=e(PY,DZ) for each of i=1,..., n, and performs a process for calculating a shared value σ'=e(P, Y)for each of j=1,..., n'.

Description

  The present invention relates to an application technology of information security technology, and particularly to a technology for sharing information such as a common key between two parties.

  As a conventional information sharing technique, a so-called SYL ID authentication key exchange technique described in Non-Patent Document 1 is known. Hereinafter, the ID authentication key exchange technique described in Non-Patent Document 1 will be described.

"Public parameters"
The k a predetermined integer, and cyclic groups G and G _T the number of prime number of k bits q, the g a generator of the group G, e: a G × G → G _T and pairing function, g _T = and e (g, g) the generator of the group _{G T,} the K a predetermined positive ^{integer, H: {0,1} * →} {0,1} K and _H 1: ^{{0,1} *} → Let G be a hash function.

The key generation device randomly selects a master secret key zεZ _q and publishes a master public key Z = g ^z εG corresponding to the master secret key.

"Key generation"
The key generation device generates secret key generation information Q _i = H ₁ (ID _i ) εG for the identifier ID _i ε {0,1} ^* of the information sharing U _i and uses the master secret key z. A process of generating a secret key D _i = Q _i ^z εG is performed for each of i = A and B.

"Key exchange"
And information sharing device _{U A} with identifier ID _A and secret key _D ^A _{= Q} A ^z ∈G, the information sharing apparatus _{U B} with identifier ID _B and secret key _D ^B _{= Q} B ^z ∈G, as follows The authentication key is exchanged and the shared key K is shared.

1. The information sharing device U _A randomly selects the short-term secret key y _A εZ _q , calculates the short-term public key Y _A = g ^yA , and sends (ID _A , ID _B , Y _A ) to the information sharing device U _B. .

2. The information sharing device U _B receives (ID _A , ID _B , Y _A ), randomly selects the short-term secret key y _B εZ _q , calculates the short-term public key Y _B = g ^yB , and (ID _A , Send ID _B, the _Y a, _{Y B)} information sharing apparatus _{U a.}

The information sharing apparatus U _B calculates the shared value σ ₁ = e (Q _A Y _A , D _B Z ^yB ) and the shared value σ ₂ = Y _A ^yB , and the shared key K = H (σ ₁ , σ ₂ , ID _A , ID _B , Y _A , Y _B ) are calculated.

3. The information sharing device U _A receives (ID _A , ID _B , Y _A , Y _B ), and shares a value σ ₁ = e (D _A Z ^yA , Q _B Y _B ), a shared value σ ₂ = Y _B ^yA. And the shared key K = H (σ ₁ , σ ₂ , ID _A , ID _B , Y _A , Y _B ) is calculated.

Shared values sigma ₁ of the information sharing apparatus _{U A} computing, sigma _2, and the shared values sigma ₁ of the information sharing apparatus _{U B} calculates, sigma ₂ are ^{_{both, σ 1 = G T z (}} log (QA) + yA) ( ^{log (QB) + yB)} , σ ₂ = g ^{yAyB and the} values are the same. The bottom of log is g. For this reason, the shared key K calculated by both coincides.

L.Chen, Z.Cheng, N.P.Smart, “Identity-based Key Agreement Protocols From Pairings”, Int.J.Inf.Sec. 6 (4), p.213-241, 2007

  However, in the information sharing technique of Non-Patent Document 1, only ID-based authentication is performed in which information is shared by identifying a partner using an ID, and the partner is identified using a PKI public key and secret key. Not combined with public key-based authentication to share information.

  An object of the present invention is to provide an information sharing system, apparatus, method, and program for sharing information by combining ID-based authentication and public key-based authentication.

In order to solve the above problems, the present invention further performs the sharing of information with the public key _{P A} and a secret key _{s A} for PKI information sharing apparatus _{U A} (Public Key Infrastructure).

  Information can be shared by combining ID-based authentication and public key-based authentication.

The functional block diagram of the example of an information sharing system and an apparatus. The figure which illustrates the flowchart of an information sharing method.

  Hereinafter, an embodiment of the present invention will be described in detail.

[First embodiment]
1, the information sharing system includes a key generation apparatus 1, the information sharing apparatus U _A and the information sharing apparatus U _B, for example. Information sharing apparatus _{U A} includes key generation unit 21, a shared value calculation unit 22, information generation unit 23 and the storage unit 24, for example. Information sharing apparatus _{U B} includes the key generation unit 31, a shared value calculation unit 32, information generation unit 33 and the storage unit 34, for example.

  The information sharing method includes the steps illustrated in FIG.

Information sharing system and method for sharing information between the information sharing apparatus U _A and the information sharing apparatus U _B. Therefore, the following public parameters are published in advance, also previously sent to the private key D _A and secret key D _B each information sharing apparatus U _A and the information sharing apparatus U _B key generation apparatus 1 has generated Suppose that

"Public parameters"
The k a predetermined integer, and cyclic groups G and G _T the number of prime number of k bits q, the g a generator of the group G, e: a G × G → G _T and pairing function, g _T = and e (g, g) the generator of the group _{G T,} the K a predetermined positive ^{integer, H: {0,1} * →} {0,1} K and _H 1: ^{{0,1} *} → Let G be a hash function.

Let n and n ′ be predetermined positive integers, and c _{i, L} εZ _q (i = 1,..., n, L = 1, 2, 3, 4) and c ′ _{j, M} εZ _q (j = 1,..., N ′, M = 1, 2) are predetermined constants. c _{i, L} and c ′ _{j, M} are calculated from predetermined constants or public parameters such as PKI public key P _A , identifier ID _B , short-term public key Y _A , Y _B , which will be described later. A value that can be For example, some hash values of these published parameters.

The key generation device 1 randomly selects the master secret key zεZ _q (step S1), and publishes the master public key Z = g ^z εG corresponding to the master secret key (step S2). The master secret key z is kept secret, but the master public key Z is disclosed as a public parameter.

"Key generation"
The key generation device 1 calculates secret key generation information Q _i = H ₁ (ID _i ) εG for the identifier ID _i ε {0,1} ^* of the information sharing device U _i , and sets the master secret key z A process for generating a secret key D _i = Q _i ^z εG using i = B is performed (step S3). Private key _{D B} is sent to the information sharing apparatus _{U B.}

"Key exchange"
And PKI secret key _{s A} ∈ Z _q private key in PKI information sharing apparatus _{U A} (Public Key Infrastructure). Corresponding to the PKI private key _{s A,} a PKI public key of the information sharing apparatus _{U A} and _P A ^{= g sA.}

Information sharing apparatus U _A and the information sharing apparatus U _B, under these conditions, sharing information K performs authentication and key exchange as described below.

The key generation unit 21 in the information sharing apparatus _{U A} selects the short-term private key _{y A} ∈Z _q. For example, one element is randomly selected from the set Z _q and set as the short-term secret key y _A (step A1).

Further, the key generation unit 21 of the information sharing apparatus _{U A} calculates a short-term public key _Y A ^{= g yA} using short-term private key _{y A} (step A2).

Information sharing apparatus _{U A,} it sends PKI public key _P A, ID identifier ID _B and short public key _Y set of information about the _{A (P A, ID B,} Y A) to the information sharing apparatus _{U B} (step A3). If the information sharing apparatus _{U B} already acquires information about the PKI public key _{P A} and ID identifier ID _B, the information sharing apparatus _{U A} information about the PKI public key _{P A} and ID identifier ID _B it may not send the information sharing apparatus U _B.

The information sharing apparatus U _B receives (P _A , ID _B , Y _A ) (step B1).

The key generation unit 31 of the information sharing apparatus _{U B} selects short-term private key _{y B} ∈ Z _q. For example, one element is randomly selected from the set Z _q and set as the short-term secret key y _B (step B2).

Further, the key generation unit 31 of the information sharing apparatus _{U B} calculates a short-term public key _Y B ^{= g yB} using short-term private key _{y B} (Step B3).

The information sharing apparatus _{U B,} PKI public key _P A, ID identifier ID _B, short public key _{Y A} and a set of information about the short-term public key _{Y B (P A, ID B} , Y A, Y B) information sharing send to device _{U a} (step B4). Since the information sharing apparatus _{U B} is PKI Public Key _P A, information about ID identifier ID _B and short public key _{Y A} already acquired, the information sharing apparatus _{U B} is short public key _{Y B} only information sharing apparatus U You may send it to _A.

The shared value calculation unit 32 of the information sharing apparatus U _B uses the shared value σ _i = e (P _A ^{ci, 1} Y _A ^{ci, 2} , D _B ^{ci, 3} Z ^{ci, 4yB} ).
^Is calculated for each of i = 1,..., N, and the shared value σ ′ _j = e (P _A ^{c′j, 1} , Y _A ^{c′j, 2} ) ^yB
Is calculated for each of j = 1,..., N ′ (step B5).

Information generating unit 33 of the information sharing apparatus U _B is a covalent value calculating unit 32 share values sigma ₁ calculated _by, ..., sigma _n, shared values σ _{'1, ...,} σ' and at least one argument of _{n '} Information K is generated using the function (step B6). For example, the shared value σ _1, ..., σ _n, shared values _{σ '1, ..., σ'} n ', PKI public key _P A, ID identifier ID _B, using a short-term public key _{Y A} and short public key _{Y B} , Information K = H (σ ₁ ,..., Σ _n , σ ′ ₁ ,..., Σ ′ _{n ′} , P _A , ID _B , Y _A , Y _B )
And

Information sharing apparatus _{U A receives} the _{(P A, ID B, Y} A, Y B) ( step A4).

Shared value calculation unit 22 of the information sharing apparatus _{U A} is a covalent values ^{_{σ i = e (Z ci,}} 1sA + ci, 2yA, Q B ci, 3 Y B ci, 4)
^Is calculated for each of i = 1,..., N, and the shared value σ ′ _j = Y _B ^{c′j, 1sA + c′j, 2yA}
Is calculated for each of j = 1,..., N ′ (step A5).

Information generating unit 23 of the information sharing apparatus U _A is a covalent value calculating unit share values sigma ₁ calculated by _22, ..., sigma _n, shared values σ _{'1, ...,} σ' and at least one argument of _{n '} Information K is generated using a function (step A6). And functions information generating unit 22 of the information sharing apparatus U _A is used, the information generating unit 32 uses the function of the information sharing apparatus U _B is the same. For example, the shared value σ _1, ..., σ _n, shared values _{σ '1, ..., σ'} n ', PKI public key _P A, ID identifier ID _B, using a short-term public key _{Y A} and short public key _{Y B} , Information K = H (σ ₁ ,..., Σ _n , σ ′ ₁ ,..., Σ ′ _{n ′} , P _A , ID _B , Y _A , Y _B )
And

Shared value sigma _i which the information sharing apparatus _{U A} calculates (i = 1, ..., n ) and the shared values _{σ 'j (j = 1,} ..., n') and, shared value information sharing apparatus _{U B} calculates sigma _{Both i} (i = 1,..., n) and shared value σ ′ _j (j = 1,..., n ′)
σ _i = g _T ^{z (ci, 1sA + ci, 2yA) (ci, 3log (QB) + ci, 4yB)}
σ ′ _j = g ^{(c′j, 1sA + c′j, 2yA) yB}
And the values are the same. The bottom of log is g. Therefore, the information generated by the information generation unit 23 and the information generation unit 33 based on the shared value σ _i (i = 1,..., N) and the shared value σ ′ _j (j = 1,..., N ′). K is also equal. Information K is used as a common key, for example.

Here, even if the master secret key z and the short-term secret key y _A are leaked, the attacker impersonates the information sharing device U _A and calculates ^, for example, the shared value σ ′ _j = Y _B ^{c′j, 1sA + c′j, 2yA} I can't do it. This is because the PKI secret key s _A is necessary to calculate the shared value σ ′ _j = Y _B ^{c′j, 1sA + c′j, 2yA} .

Thus, further by performing the sharing of information with PKI secret key s _A and PKI public key P _A of the information sharing apparatus U _A, the master secret key z and short private key y _A is also leaked safety Can be secured.

[Second Embodiment]
The information sharing system and method according to the second embodiment is a specific example of the information sharing system and method according to the first embodiment. In the information sharing system and method of the first embodiment, n = n ′ = 2 and c _1,1 = c _1,4 = c _2,2 = c _2,4 = c ′ _1,1 = c ′ _{2, 2} = 0 and c _1,2 = c _1,3 = c _2,1 = c _2,3 = c ' _1,2 = c' _2,1 = 1.

That is, in the second embodiment, the shared value calculation unit 32 of the information sharing apparatus U _B is
σ ₁ = e (Y _A , D _B ), σ ₂ = e (P _A , D _B ), σ ′ ₁ = Y _A ^yB , σ ′ ₂ = P _A ^yB
It was calculated, share value calculation unit 22 of the information sharing apparatus U _A is
σ ₁ = e (Z ^yA , Q _B ), σ ₂ = e (Z ^sA , Q _B ), σ ′ ₁ = Y _B ^yA , σ ′ ₂ = Y _B ^sA
Calculate

In this case, a shared value sigma ₁ of the information sharing apparatus U _{A computing,} sigma ₂ and share value σ _'1, σ' and _2, the shared values sigma ₁ of the information sharing apparatus U _{B calculates,} sigma ₂ and share value Both σ ' ₁ and σ' ₂ are
σ ₁ = g _T ^{zyAlog (QB)}
σ ₂ = g _T ^{zsAlog (QB)}
σ ′ ₁ = g ^yAyB
σ ′ ₂ = g ^sAyB
And the values are the same. The bottom of log is g. Therefore, the information K generated by the information generation unit 23 and the information generation unit 33 based on the shared values σ ₁ and σ ₂ and the shared values σ ′ ₁ and σ ′ ₂ is also equal.

  Since other parts are the same as those in the first embodiment, a duplicate description is omitted.

[Third embodiment]
The information sharing system and method according to the third embodiment is a specific example of the information sharing system and method according to the first embodiment. In the information sharing system and method of the first embodiment, n = n ′ = 2, c _2,2 = c _2,4 = c ′ _1,1 = c ′ _2,2 = 0, and c _1,1 = C _1,2 = c _1,3 = c _1,4 = c _2,1 = c _2,3 = c ' _1,2 = c' _2,1 = 1.

That is, in the third embodiment, the shared value calculation unit 32 of the information sharing apparatus U _B is
σ ₁ = e (P _A Y _A , D _B Z ^yB ), σ ₂ = e (P _A , D _B ), σ ′ ₁ = Y _A ^yB , σ ′ ₂ = P _A ^yB
It was calculated, share value calculation unit 22 of the information sharing apparatus U _A is
σ ₁ = e (Z ^{sA + yA} , Q _B Y _B ), σ ₂ = e (Z ^sA , Q _B ), σ ′ ₁ = Y _B ^yA , σ ′ ₂ = Y _B ^sA
Calculate

In this case, a shared value sigma ₁ of the information sharing apparatus U _{A computing,} sigma ₂ and share value σ _'1, σ' and _2, the shared values sigma ₁ of the information sharing apparatus U _{B calculates,} sigma ₂ and share value Both σ ' ₁ and σ' ₂ are
σ ₁ = g _T ^{z (sA + yA) (log (QB) + yB)}
σ ₂ = g _T ^{zsAlog (QB)}
σ ′ ₁ = g ^yAyB
σ ′ ₂ = g ^sAyB
And the values are the same. The bottom of log is g. Therefore, the information K generated by the information generation unit 23 and the information generation unit 33 based on the shared values σ ₁ and σ ₂ and the shared values σ ′ ₁ and σ ′ ₂ is also equal.

  Since other parts are the same as those in the first embodiment, a duplicate description is omitted.

[Modifications, etc.]
In the above embodiments, the shared value σ _{1, ...,} σ _n, shared values _{σ '1, ..., σ'} n ' of at least one information K generated based on the information sharing apparatus U _A and information sharing device Although the information is shared between U _B, without generating information K, the shared value σ _{1, ...,} σ _n, shared values _{σ '1, ..., σ'} n ' itself information sharing apparatus U it may be information that is shared between the _a and the information sharing apparatus U _B.

Although not described in the description of the above embodiment, each unit of the information sharing apparatus U _A performs the calculations through the storage unit 24. That is, each part of the information sharing apparatus U _A performs calculation reads the appropriate data from the storage unit 24, and stores the calculation result in the storage unit 24. Each part of the information sharing apparatus U _B also performs the calculations through the likewise memory unit 34.

Information sharing apparatus U _A and the information sharing apparatus U _B can be realized by a computer. In this case, each part of these devices is described by a program. And each part of these apparatuses is implement | achieved on a computer by running this program with a computer.

  This program can be recorded on a computer-readable recording medium. In this embodiment, these apparatuses are configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  The present invention is not limited to the above-described embodiment, and can be modified as appropriate without departing from the spirit of the present invention.

1 key generation apparatus _{U A} information sharing device 21 key generator 22 share value calculating unit 23 information generating unit 24 storage unit _{U B} information sharing device 31 key generator 32 share value calculating unit 33 information generating unit 34 memory unit

Claims (8)

An information sharing system for sharing information between the information sharing apparatus U _A and the information sharing apparatus U _B,
The k a predetermined integer, and cyclic groups G and G _T the number of prime number of k bits q, the g a generator of the group G, e: a G × G → G _T and pairing function, g _T = e a (g, g) is a generator of the group _{G T,} and K is a predetermined positive _integer, H 1: ^{{0,1} *} a → G as a hash function, the master secret key and Z∈Z _q, The master public key corresponding to the master secret key is Z = g ^z εG, n and n ′ are predetermined positive integers, and c _{i, L} εZ _q (i = 1,..., N, L = 1) , 2,3,4) and _{c 'j, M ∈Z q (} i = 1, ..., n', M = 1,2) was used as a predetermined constant, a PKI private key of the information sharing apparatus _{U a} s is _a, the PKI public key of the information sharing apparatus _{U a} corresponding to the PKI private key _{s a} and _{P a,} the identifier of the information sharing apparatus _{U B} and ID _B, the private key generating information _B = a _H 1 (ID _B) ∈G, the private key of the information sharing apparatus _{U B} as _D ^B _{= Q} B ^z ∈G,
Short-term secret key y _A εZ _q is selected, short-term public key Y _A = g ^yA is calculated, calculated short-term public key Y _A is output, and shared value σ _i = e (Z ^{ci, 1sA + ci, 2yA} , Q _B ^{ci, 3} Y _B ^{ci, 4} ) is calculated for each of i = 1,..., N, and the shared value σ ′ _j = Y _B ^{c′j, 1sA + c′j, 2yA} is calculated. j = 1, ..., and information sharing device _{U a} performed for each of the n ',
The short-term secret key y _B ∈Z _q is selected, the short-term public key Y _B = g ^yB is calculated, the calculated short-term public key Y _B is output, and the shared value σ _i = e (P _A ^{ci, 1} Y _A ^{ci, 2} , D _B ^{ci, 3} Z ^{ci, 4yB} ) is performed for each of i = 1,..., n, and the shared value σ ′ _j = e (P _A ^{c′j, 1} , Y _A ^{c 'j, 2} ) ^An information sharing device U _B that performs a process of calculating ^yB for each of j = 1, ..., n';
Information sharing system. The information sharing system according to claim 1,
The information sharing apparatus _{U A} is the information sharing apparatus _{U A} the shared value is generated _{σ i (i = 1, ...} , n), shared values _{σ 'j (j = 1,} ..., n') at least one Further includes an information generation unit that calculates information using a function with an argument,
The information sharing apparatus _{U B} is the information sharing apparatus _U the shared _{value B} is generated _{σ i (i = 1, ...} , n), shared values _{σ 'j (j = 1,} ..., n') at least one Further includes an information generation unit that calculates information using a function with an argument,
And functions information generating unit of the information sharing apparatus U _A is used, the information generating unit uses a function of the information sharing apparatus U _B is the same,
An information sharing system characterized by this. In the information sharing system according to claim 1 or 2,
When n = n ′ = 2, c _1,1 = c _1,4 = c _2,2 = c _2,4 = c ′ _1,1 = c ′ _2,2 = 0, and c _{1, 2} = c _1,3 = c _2,1 = c _2,3 = c ' _1,2 = c' _2,1 = 1,
An information sharing system characterized by this. In the information sharing system according to claim 1 or 2,
Assuming that n = n ′ = 2, c _2,2 = c _2,4 = c ′ _1,1 = c ′ _2,2 = 0, and c _1,1 = c _1,2 = c _{1, 3} = c _1,4 = c _2,1 = c _2,3 = c ' _1,2 = c' _2,1 = 1,
An information sharing system characterized by this. In an information sharing apparatus of an information sharing system that shares information between an information sharing apparatus and another information sharing apparatus,
The k a predetermined integer, and cyclic groups G and G _T the number of prime number of k bits q, the g a generator of the group G, e: a G × G → G _T and pairing function, g _T = e a (g, g) is a generator of the group _{G T,} and K is a predetermined positive _integer, H 1: ^{{0,1} *} a → G as a hash function, the master secret key and Z∈Z _q, The master public key corresponding to the master secret key is Z = g ^z εG, n and n ′ are predetermined positive integers, and c _{i, L} εZ _q (i = 1,..., N, L = 1) , 2, 3, 4) and c ′ _{j, M} ∈ Z _q (i = 1,..., N ′, M = 1, 2) are predetermined constants, and the PKI secret key of the information sharing apparatus is s _A. the identifiers of other information sharing apparatus and ID _B, the private key generating information and _{Q B = H 1 (ID B} ) ∈G, the other information sharing device private key _D ^B _{= Q} B ^z ∈G of And, the short-term private key of the other information sharing apparatus as Y _B,
Short-term secret key y _A εZ _q is selected, short-term public key Y _A = g ^yA is calculated, calculated short-term public key Y _A is output, and shared value σ _i = e (Z ^{ci, 1sA + ci, 2yA} , Q _B ^{ci, 3} Y _B ^{ci, 4} ) is calculated for each of i = 1,..., N, and the shared value σ ′ _j = Y _B ^{c′j, 1sA + c′j, 2yA} is calculated. Information sharing apparatus for each of j = 1,..., n ′. In an information sharing apparatus of an information sharing system that shares information between an information sharing apparatus and another information sharing apparatus,
The k a predetermined integer, and cyclic groups G and G _T the number of prime number of k bits q, the g a generator of the group G, e: a G × G → G _T and pairing function, g _T = e a (g, g) is a generator of the group _{G T,} and K is a predetermined positive _integer, H 1: ^{{0,1} *} a → G as a hash function, the master secret key and Z∈Z _q, The master public key corresponding to the master secret key is Z = g ^z εG, n and n ′ are predetermined positive integers, and c _{i, L} εZ _q (i = 1,..., N, L = 1) , 2, 3, 4) and c ′ _{j, M} ∈Z _q (i = 1,..., N ′, M = 1, 2) are predetermined constants, and the PKI public key of the other information sharing apparatus is P is _a, the identifier of the information sharing apparatus and ID _B, the private key generating information and _{Q B = H 1 (ID B} ) ∈G, the private key of the information sharing apparatus and _D ^B _{= Q} B ^z ∈G The short-term private key of the other information sharing apparatus as Y _A,
The short-term secret key y _B ∈Z _q is selected, the short-term public key Y _B = g ^yB is calculated, the calculated short-term public key Y _B is output, and the shared value σ _i = e (P _A ^{ci, 1} Y _A ^{ci, 2} , D _B ^{ci, 3} Z ^{ci, 4yB} ) is performed for each of i = 1,..., n, and the shared value σ ′ _j = e (P _A ^{c′j, 1} , Y _A ^{c 'j, 2} ) ^An information sharing apparatus that performs the process of calculating ^yB for each of j = 1, ..., n'. An information sharing method for sharing information between the information sharing apparatus U _A and the information sharing apparatus U _B,
The k a predetermined integer, and cyclic groups G and G _T the number of prime number of k bits q, the g a generator of the group G, e: a G × G → G _T and pairing function, g _T = e a (g, g) is a generator of the group _{G T,} and K is a predetermined positive _integer, H 1: ^{{0,1} *} a → G as a hash function, the master secret key and Z∈Z _q, The master public key corresponding to the master secret key is Z = g ^z εG, n and n ′ are predetermined positive integers, and c _{i, L} εZ _q (i = 1,..., N, L = 1) , 2,3,4) and _{c 'j, M ∈Z q (} i = 1, ..., n', M = 1,2) was used as a predetermined constant, a PKI private key of the information sharing apparatus _{U a} s is _a, the PKI public key of the information sharing apparatus _{U a} corresponding to the PKI private key _{s a} and _{P a,} the identifier of the information sharing apparatus _{U B} and ID _B, the private key generating information _B = a _H 1 (ID _B) ∈G, the private key of the information sharing apparatus _{U B} as _D ^B _{= Q} B ^z ∈G,
The information sharing device U _A selects the short-term secret key y _A εZ _q , calculates the short-term public key Y _A = g ^yA , and outputs the calculated short-term public key Y _A ;
The information sharing device U _B selects the short-term secret key y _B εZ _q , calculates the short-term public key Y _B = g ^yB , and outputs the calculated short-term secret key Y _B ;
Information sharing device _{U A} is shared values ^{_{σ i = e (Z ci,}} 1sA + ci, 2yA, Q B ci, 3 Y B ci, 4) i = 1 the process of calculating, ..., performed for each n, shared ^{Performing the process} of calculating values σ ′ _j = Y _B ^{c′j, 1sA + c′j, 2yA} for each of j = 1,..., N ′;
A process in which the information sharing apparatus U _B calculates a shared value σ _i = e (P _A ^{ci, 1} Y _A ^{ci, 2} , D _B ^{ci, 3} Z ^{ci, 4yB} ) for each of i = 1 ^,. Performing a process of calculating a shared value σ ′ _j = e (P _A ^{c′j, 1} , Y _A ^{c′j, 2} ) ^yB for each of j = 1,..., N ′;
Information sharing method.   An information sharing program for causing a computer to function as each unit of the information sharing apparatus according to claim 5.

Images