With the development and popularization of a technique concerned with a calculator and a network, an opportunity, in which important data is exchanged via a wireless communication network, an internet, etc., increases. Because tapping, fabricating, or spoofing on a communication path is comparatively easy in a wireless communication network and an internet, the demand for authentication of a communication partner and a cryptographic communication technique that protects a communication content on the basis of the authentication increases in order to maintain security. A widely used cryptographic communication technique includes a Transport Layer Security (TLS) to which various public key cryptographic techniques are applied.
As one example of such a public key cryptographic technique, there is known a cryptographic technique (hereinafter, may be referred to as “identity-based cryptographic technique” or “ID-based cryptographic technique”) based on an identifier. In the identity-based cryptographic technique, it is sufficient that a public key thereof is an arbitrary identifier (ID), and thus a certificate is not needed. As an identifier, anything can be used, far example, an Internet Protocol address (IP address), a host name, a device number, a telephone number, a name decided according to an application, etc.
In a public key cryptographic technique such as RSA, a public key is some kind of number that is mathematically made regardless of an identifier, and thus a certificate is often used in order to associate a public key with an identifier that can be recognized by a user. On the other hand, in an identity-based cryptographic technique, an identifier is a public key, and thus, if an identifier of a communication target is given, cryptography processing can be executed without a certificate. Recently, a key sharing process (hereinafter, may be referred to as “MB method”) in a key sharing protocol by McCullagh-Barreto is used as a key sharing protocol between two people with a mutual authentication function by ID.
Patent Literature 1: Japanese Laid-open Patent Publication No. 2006-309068
Patent Literature 2: Japanese Laid-open Patent Publication No. 2009-080344
Patent Literature 3: Japanese Laid-open Patent Publication No. 2010-066510
However, the calculation cost of a key sharing process using the MB method is large, and thus a processing delay may occur. In an Internet of Things system (IoT system) that includes a device whose gateway, sensor, or the like is low-performance, a processing delay is more likely to occur because of its calculation cost.
For example, in a process of key sharing between two people in the MB method, an exponentiation is executed, and then a bilinear map (hereinafter, may be referred to as “pairing function”; on an elliptic curve is executed. However, respective calculations are executed by using a multiplication or a squaring, and thus the calculation cost is large. When a presently-greatly-used Barreto-Naehrig curve (BN curve) (256 bits) is used, in the case of a Miller algorithm and a final exponentiation in the pairing function, the executed count of the squaring is 318 and that of the multiplication is 193 in total, and thus the calculation cost is large.