JP2024116943A - ID generation device, ID generation method, and ID generation program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an ID generation device, an ID generation method, and an ID generation program that can generate IDs that are also secure against attacks using quantum computers.

SOLUTION: A user terminal 1 includes: an ID holding unit 10 that holds a subscriber ID for mobile communication; a first encryption processing unit 21 that encrypts a first value, which is at least a part of the subscriber ID, using a quantum public key resistant cryptosystem to generate first cipher data; a second encryption processing unit 22 that encrypts a second value using another public key cryptosystem to generate second cipher data; a synthesis processing unit 23 that uses the first and second cipher data as input and generates an encrypted ID by AONT; and an output unit 24 that outputs the encrypted ID as at least a part of user's identification information.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2024,JPO&INPIT

Description

The present invention relates to a method for generating an encrypted ID used to identify a user in mobile communications.

Conventionally, the IMSI (International Mobile Subscriber Identity) or SUPI (Subscription Permanent Identifier) issued as a subscriber ID for a mobile phone is encrypted, with the MSIN (Mobile Subscriber Identification Number) being a part of it, and used as the SUCI (Subscription Concealed Identifier) to identify the communication user, in order to protect privacy (see, for example, Non-Patent Document 1).

3GPP (registered trademark) TS 23.501, System architecture for the 5G system

However, in conventional technology, elliptic curve cryptography is used to generate SUCI, and there are concerns about its resistance to attacks using quantum computers.

The present invention aims to provide an ID generation device, an ID generation method, and an ID generation program that can generate IDs that are secure against attacks using quantum computers.

The ID generating device according to the present invention includes an ID holding unit that holds a mobile communication subscriber ID, a first encryption processing unit that encrypts a first value, which is at least a part of the subscriber ID, using a quantum-resistant public key cryptography to generate first encrypted data, a second encryption processing unit that encrypts a second value using a public key cryptography other than the quantum-resistant public key cryptography to generate second encrypted data, a synthesis processing unit that uses the first encrypted data and the second encrypted data as inputs and generates an encrypted ID using AONT (All-Or-Nothing Transformation), and an output unit that outputs the encrypted ID as at least a part of the user's identification information.

The second value may be a random number.

The second value may be common to the first value.

The synthesis processing unit may combine a predetermined bit string with either the first encrypted data or the second encrypted data to make the data the same in length.

The output unit may divide the encrypted ID and transmit it.

The output unit may also assign an electronic signature to the user's identification information using a quantum-resistant public key cryptography system.

The authentication system according to the present invention comprises a user terminal and a management server in which a mobile communication subscriber ID is registered. The user terminal comprises an ID storage unit that stores the subscriber ID, a first encryption processing unit that encrypts a first value, which is at least a part of the subscriber ID, using a quantum-resistant public key cryptography to generate first encrypted data, a second encryption processing unit that encrypts a second value using another public key cryptography different from the quantum-resistant public key cryptography to generate second encrypted data, a synthesis processing unit that uses the first encrypted data and the second encrypted data as inputs and generates an encrypted ID using AONT (All-Or-Nothing Transformation), and an output unit that outputs the encrypted ID as at least a part of the user's identification information. When the management server receives identification information including the encrypted ID transmitted from the user terminal, it decrypts the first encrypted data from the encrypted ID and authenticates the user by comparing it with the subscriber ID.

The second value may be common to the first value, and the management server may encrypt the first value decrypted from the encrypted ID using the other public key cryptography and compare it with the second value to verify the validity of the encrypted ID.

The ID generation program according to the present invention is for causing a computer to function as the ID generation device.

The present invention makes it possible to generate IDs that are secure against attacks using quantum computers.

FIG. 2 is a diagram illustrating a functional configuration related to ID generation provided in a user terminal in an embodiment. FIG. 2 is a diagram illustrating an example of a configuration of a subscriber ID in the embodiment. 11 is a diagram illustrating a processing procedure in which a user terminal 1 in an embodiment generates an encrypted ID using an AONT. 10 is a sequence diagram showing the flow of a process in which a user terminal registers its location in a mobile communication network using SUCI in an embodiment. FIG. FIG. 2 is a diagram showing a SUCI processing process in an embodiment.

An example of an embodiment of the present invention will now be described.
The ID generating device of this embodiment generates and outputs a SUCI as an encrypted subscriber ID to identify and authenticate a terminal user in a mobile communication network.
The SUCI is generated by encrypting the MSIN, which is part of the subscriber ID (IMSI or SUPI) written in the terminal or in the SIM (Subscriber Identity Module). In this embodiment, security against attacks using a quantum computer is ensured by a configuration described below that uses quantum-resistant public key cryptography (e.g., CRYSTALS-Kyber) and AONT (All-Or-Nothing Transform).

FIG. 1 is a diagram showing a functional configuration related to ID generation provided in a user terminal 1 (ID generating device) in this embodiment.
The user terminal 1 is a mobile terminal (computer) such as a mobile phone or smartphone that participates in a mobile communication network, and is equipped with an ID holding unit 10 (e.g., a SIM) in which a subscriber ID is written, a control unit 20 that executes an ID generation program for generating a SUCI based on this subscriber ID, and a memory unit 30 in which the ID generation program is stored.

The control unit 20 is a part that controls the entire user terminal 1, and realizes each function in this embodiment by appropriately reading and executing various programs stored in the storage unit 30. The control unit 20 may be a CPU, but may also be implemented as a dedicated hardware circuit that realizes each function.
The control unit 20 includes a first encryption processing unit 21 , a second encryption processing unit 22 , a synthesis processing unit 23 , and an output unit 24 .

The storage unit 30 is a storage area for various programs and various data for causing the hardware group to function as the user terminal 1, and may be a ROM, RAM, flash memory, etc.

The first encryption processing unit 21 encrypts at least a portion of the subscriber ID (first value) using a quantum-resistant public key cryptography method to generate first encrypted data.

FIG. 2 is a diagram illustrating an example of the configuration of a subscriber ID in this embodiment.
The subscriber ID, IMSI or SUPI, includes a Mobile Country Code (MCC), a Mobile Network Code (MNC), and an MSIN.
In conventional processing, the MSIN out of these pieces of information is encrypted with the public key of the home network, and is used as SUCI for communication together with the MCC and MNC.

In this embodiment, the MSIN is encrypted as the first value, as in the conventional method, but this is not limited to this. For example, the entire IMSI or SUPI including the MSIN may be encrypted.

The second encryption processing unit 22 encrypts the second value using a public key cryptosystem other than the post-quantum public key cryptosystem used by the first encryption processing unit 21 to generate second encrypted data.
Here, the second value to be encrypted may be, for example, a random number, or may be common to the first value so as to be compared and verified with the decrypted first value.
The second encrypted data may be calculated by a predetermined calculation (hash calculation) following encryption by public key cryptography.

The public key cryptosystem used by the second encryption processing unit 22 is not limited to the post-quantum public key cryptosystem, and may be a conventional public key cryptosystem. The second encryption processing unit 22 may generate multiple pieces of second encrypted data using multiple cryptosystems.

The synthesis processing unit 23 receives the first encrypted data and the second encrypted data and generates an encrypted ID by the AONT.
If it is required that multiple input data to the AONT be of the same size, the synthesis processing unit 23 may combine a specified bit string with either the first encrypted data or the second encrypted data (for example, by adding "10000..." to the end) to make the length uniform.

FIG. 3 is a diagram illustrating a processing procedure in which the user terminal 1 in this embodiment generates an encrypted ID using the AONT.
Here, the first encrypted data is a ciphertext generated by a quantum-resistant public key cryptography method (e.g., an MSIN encrypted with algorithm A, several thousand bits long), and the second encrypted data is the result of a hash calculation (e.g., a hash value of the MSIN encrypted with algorithm B, 256 bits long).

The first encrypted data and the second encrypted data are input to the AONT, and the first encrypted data is masked (e.g., XORed) by the second encrypted data padded (expansion function) with "0" or the like, and becomes the upper bit (A) of the output.
The second encrypted data is masked (for example, by XOR operation) with the hash value of (A) to become the lower order bits (B) of the output.
In the case of post-quantum public key cryptography, the size of the ciphertext is larger than in the past, and at least the most significant bit (A) of the output has a length of several thousand bits.

The output unit 24 outputs the encrypted ID generated by the synthesis processing unit 23 as at least a part of the user identification information (SUCI).
Specifically, a data string including the plaintext MCC and MNC and the generated encrypted ID may be output as SUCI.
At this time, as described above, since the size of the encrypted ID generated using the post-quantum public key cryptography is large, the output unit 24 divides the SUCI including the encrypted ID and transmits it.

FIG. 4 is a sequence diagram showing the flow of a process in which the user equipment 1 in this embodiment registers its location in a mobile communication network using SUCI.
The authentication system 100, which constitutes a mobile communication network, is configured with a group of servers that perform access and mobility management functions (AMF), authentication server functions (AUSF), and unified data management (UDM) via a base station (gNB) that communicates with a user terminal 1 (MS).

The management server 2, which handles the UDM, has registered therein the mobile communication subscriber ID (IMSI or SUPI). When the management server 2 receives identification information (SUCI) including the encrypted ID transmitted from the user terminal 1, it decrypts the first encrypted data from the encrypted ID and authenticates the user by comparing the restored identification information (IMSI or SUPI) with the registered subscriber ID.

Specifically, the user equipment 1 encrypts the SUPI to generate a SUCI (step S1), and then transmits the SUCI to the AMF via the base station to request location registration (step S2).
Then, the AMF transmits the SUCI to the management server 2 via the AUSF to request authentication of the user (step S3). The management server 2 decrypts the SUCI to restore the SUPI (step S4), compares it with the registered SUPI, and responds with the authentication result (step S5).

FIG. 5 is a diagram showing the SUCI processing process in this embodiment.
The user terminal 1 encrypts the MSIN included in the IMSI (or SUPI) using the public key of the home network, and combines it with the MCC and MNC to generate a SUCI.
At this time, a digital signature may be added using the private key of the user terminal 1 .
In addition, the quantum-resistant public key cryptography may also be adopted as the public key cryptography used for the electronic signature for the user identification information (SUCI).

When the user terminal 1 is registered in the mobile communication network, the SUCI is decrypted and verified using the private key of the home network held by the management server (UDM) and the public key of the user terminal 1, and the IMSI (or SUPI) is restored.

Here, the first encrypted data and the second encrypted data input to the AONT are generated from a first value (MSIN) and a second value, respectively, but the second value may be common to the first value.
In this case, the management server 2 re-encrypts and hashs the first value (MSIN) decrypted from the encrypted ID using algorithm A using the public key cryptography method (algorithm B) used to generate the second encrypted data, and compares the result with the second value, thereby verifying the validity of the encrypted ID.

According to this embodiment, the user terminal 1 generates an encrypted ID using the AONT by inputting first encrypted data generated by encrypting a first value (e.g., MSIN), which is at least a part of the subscriber ID, using a quantum-resistant public key cryptography method, and second encrypted data generated by encrypting the second value using another public key cryptography method.
By making this encrypted ID at least part of the user's identification information, the user terminal 1 can generate an ID that is secure against attacks using quantum computers, in addition to the quantum-resistant public key cryptography method, which is expected to be more secure than conventional methods, because encrypted data from multiple cryptography methods is combined by the AONT.

The user terminal 1 may align the length of each encrypted data for multiple inputs to the AONT by combining a specific bit string, thereby reducing the processing load on the AONT.

By using the quantum-resistant public key cryptography method, the user terminal 1 uses identification information that includes an encrypted ID that is longer than that of conventional methods, but by dividing and transmitting this, it can be used as an identifier in the same way as before.

The user terminal 1 can further improve security by adding a quantum-resistant public key cryptography digital signature to the user's identification information.

The second encryption data to be combined with the first encryption data by the user terminal 1 may be a calculated value based on a random number (for example, a hash value of the ciphertext), thereby simplifying the ID generation process.
In addition, the user terminal 1 may make the second value, which is the source of the second encrypted data, common to the first value (MSIN). This allows the user terminal 1 to compare and verify the decrypted first value by encrypting it in the same way as the second value, and to determine whether or not it has been tampered with. As a result, it becomes possible to omit the electronic signature.

In addition, according to this embodiment, for example, privacy risks in mobile communications are reduced, making it possible to contribute to Goal 9 of the United Nations-led Sustainable Development Goals (SDGs), which is to "build resilient infrastructure, promote sustainable industrialization and foster innovation."

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. Furthermore, the effects described in the above-described embodiments are merely a list of the most favorable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiments.

1. User terminal (ID generating device)
2 Management server 10 ID storage unit 20 Control unit 21 First encryption processing unit 22 Second encryption processing unit 23 Combining processing unit 24 Output unit 30 Storage unit 100 Authentication system

Claims (9)

an ID storage unit that stores a mobile communication subscriber ID;
a first encryption processing unit that encrypts a first value, which is at least a part of the subscriber ID, by a post-quantum public key cryptography to generate first encrypted data;
a second encryption processing unit that encrypts a second value by using another public key cryptosystem different from the post-quantum public key cryptosystem to generate second encrypted data;
a synthesis processing unit that receives the first encrypted data and the second encrypted data and generates an encrypted ID by an all-or-nothing transformation (AONT);
and an output unit that outputs the encrypted ID as at least a part of a user's identification information. The ID generating device according to claim 1, wherein the second value is a random number. The ID generating device according to claim 1, wherein the second value is common to the first value. The ID generating device according to claim 1, wherein the synthesis processing unit combines a predetermined bit string with either the first encrypted data or the second encrypted data to make the data the same in length. The ID generating device according to claim 1, wherein the output unit divides the encrypted ID and transmits it. The ID generating device according to claim 1, wherein the output unit assigns an electronic signature to the user's identification information using a quantum-resistant public key cryptography method. An authentication system comprising a user terminal and a management server in which a mobile communication subscriber ID is registered,
The user terminal,
an ID storage unit for storing the subscriber ID;
a first encryption processing unit that encrypts a first value, which is at least a part of the subscriber ID, by a post-quantum public key cryptography to generate first encrypted data;
a second encryption processing unit that encrypts a second value by using another public key cryptosystem different from the post-quantum public key cryptosystem to generate second encrypted data;
a synthesis processing unit that receives the first encrypted data and the second encrypted data and generates an encrypted ID by an all-or-nothing transformation (AONT);
an output unit that outputs the encrypted ID as at least a part of the user's identification information;
The management server includes:
When identification information including the encrypted ID transmitted from the user terminal is received, the authentication system decrypts the first encrypted data from the encrypted ID and collates it with the subscriber ID to authenticate the user. the second value is common to the first value;
The authentication system described in claim 7, wherein the management server verifies the legitimacy of the encrypted ID by encrypting the first value decrypted from the encrypted ID using the other public key cryptography method and comparing it with the second value. An ID generation program for causing a computer to function as an ID generation device according to any one of claims 1 to 6.

Images