Recently, a driving support system has been studied in which road-vehicle broadcast communication and vehicle-vehicle broadcast communication are used to transmit from a roadside device placed by the roadside and an in-vehicle device mounted in the vehicle to another in-vehicle device, information such as information related to traffic jams and traffic-signals, traveling condition information such as a vehicle's speed and position, information of approaching emergency vehicles such as an ambulance, and control information of vehicles traveling in-file (hereinafter, these are collectively called distribution information), which thereby are utilized for safe driving and efficient driving.
As an example of a security measure for the driving support system, a road-vehicle communication system is disclosed in Patent Document 1 in which a digital signature of a public key cryptography algorithm is used.
In the road-vehicle communication system described above, it is also necessary to address an attack (replay attack) in which communication data including the distribution information is retransmitted. A countermeasure against the attack is to verify the freshness of the communication data. In the freshness verification, a series of operations are performed; that is, a vehicle stores communication data having been received, compares newly received communication data with the stored reception communication data and determines whether they agree; and then, if they agree, the vehicle does not accept the newly received data because it is recognized as the communication data having been received; or if they do not agree, the vehicle accepts the newly received data because it is recognized as communication data never having been received. However, this method requires a memory area corresponding to the size of the received communication data. To address this problem, there is a method in which a hash function is used for reducing a memory area necessary for freshness verification. In the method, with respect to the received communication data, a hash value is calculated through the hash function, to be stored; and then, when new communication data is received, a hash value is calculated with respect to the new communication data, and whether the hash value agrees with the stored hash value with respect to the prior received communication data is checked; and, if they agree, the newly received data is not accepted because it is recognized as communication data having been received; or if they do not agree, the newly received data is accepted because it is recognized as communication data never having been received. By using the hash function as described above, it is not necessary to store all communication data having been received; by storing the hash values, the problem can be addressed.
Furthermore, it is general that processing of the hash function is included in generation and verification of the digital signature. In a case of signature generation, calculation or the like is performed, using a secret key of a public key cryptography, with respect to a hash value of data to be digitally signed; in a case of signature verification, calculation or the like is performed, using a public key of the public key cryptography, with respect to the hash value of data to be digitally signed.