This invention relates to a key distribution system for distributing a cipher key between two subsystems via a communication channel by one-way communication.
Various key distribution systems are already known. By way of example, a key distribution system is disclosed in a paper contributed by W. Diffie and M. E. Hellman to the IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pages 644-654, November issue, 1976, under the title of "New Directions in Cryptography". The key distribution system according to the Diffie et al. paper is called the Diffie-Hellman public key distribution system. The Diffie-Hellman public key distribution system comprises a public file or directory in which public information for each user or converser is stored. It will be assumed that two conversers are named A and B.
Let $p$ be a large prime number of about 256 bits in binary representation, which is publicly known. Let $\alpha$ be a fixed primitive element of the finite field GF($p$), i.e. an integer such that its successive powers modulo $p$ ($\alpha$, $\alpha^2 \pmod{p}$, $\alpha^3 \pmod{p}$, ...) fill the finite field GF($p$) except zero, where $a \pmod{b}$ means the remainder of division of the number $a$ by the number $b$. The public file stores public information $Y_A$ of the converser A and public information $Y_B$ of the converser B. The public information $Y_A$ and $Y_B$ are selected so as to be equal to $\alpha^{X_A} \pmod{p}$ and $\alpha^{X_B} \pmod{p}$, respectively, where $X_A$ and $X_B$ represent secret numbers of the conversers A and B that are chosen uniformly from the set of integers $\{1, 2, \ldots, (p-1)\}$. Before the converser A sends enciphered messages to the converser B, the converser A prepares an enciphering key $K_A$ generated from the public information $Y_B$ and the secret information $X_A$. The enciphering key $K_A$ represents a number obtained by calculating $Y_B^{X_A} \pmod{p}$. The converser B also prepares an enciphering key $K_B$ in accordance with $Y_A^{X_B} \pmod{p}$ in a similar manner. Inasmuch as the enciphering keys $K_A$ and $K_B$ are equal to each other, they will therefore be their common cipher key.
However, the Diffie-Hellman public key distribution system is disadvantageous in that a third party or an eavesdropper may possibly impersonate one of the conversers A and B by doctoring or tampering with the public information.
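The weakness described above, as an added Python example that is not part of the original text: the key is derived from whatever value the public file returns, so an altered entry silently changes who shares the key. The modulus 467, the element 2 and the secret values passed to `run` are constructed toy values.

```python
import secrets

# Constructed toy parameters: 467 is prime and 2 is a primitive element of GF(467).
# The text calls for a prime of about 256 bits.
P, ALPHA = 467, 2

def new_secret():
    return secrets.randbelow(P - 1) + 1      # X chosen from {1, ..., p-1}

def public_value(x):
    return pow(ALPHA, x, P)                  # Y = alpha^X (mod p)

def cipher_key(peer_public, own_secret):
    return pow(peer_public, own_secret, P)   # K = Y_peer^X_own (mod p)

def run(x_a, x_b, x_c):
    """Derive keys from an intact public file, then from one whose entry for B was altered."""
    public_file = {"A": public_value(x_a), "B": public_value(x_b)}
    k_a = cipher_key(public_file["B"], x_a)
    k_b = cipher_key(public_file["A"], x_b)
    # The same lookup after B's entry has been replaced by a third party C's value.
    # Nothing in the computation lets A notice the difference.
    altered = dict(public_file, B=public_value(x_c))
    k_a_altered = cipher_key(altered["B"], x_a)
    k_c = cipher_key(altered["A"], x_c)
    return {
        "honest_match": k_a == k_b,
        "a_shares_with_c": k_a_altered == k_c,
        "a_shares_with_b": k_a_altered == k_b,
    }

if __name__ == "__main__":
    print(run(123, 77, 200))
```

The integrity of the public file is therefore a security requirement of the scheme, which is the gap the identity-based system below is meant to close.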
Another key distribution system is disclosed in U.S. Pat. No. 4,876,716 issued to Eiji Okamoto. The key distribution system according to Okamoto's U.S. Patent is referred to as an identity-based key distribution system. This is because a cipher key is generated by using each converser's identification information instead of the public file used in the Diffie-Hellman public key distribution system. The identification information may be any information such as a converser's name and address. There is no fear that tampering with the public information will occur. This is because the identification information is used as the public information.
The identity-based key distribution system comprises a first subsystem, a second subsystem, and an insecure communication channel such as a telephone line which connects the first subsystem with the second subsystem. It is assumed that the first and the second subsystems are used by users or conversers A and B, respectively. Let $n$ be a modulus of size at least 512 bits which is a product of two sufficiently large prime numbers $p$ and $q$, and let $e$ and $d$ be two exponents such that $e \times d \equiv 1 \pmod{(p-1) \times (q-1)}$. Let $\alpha$ be an integer which is a primitive element in both of the finite fields GF($p$) and GF($q$). It will also be assumed that conversers A and B are assigned identification information $ID_A$ and $ID_B$, respectively. In this event, the conversers A and B have or know secret integer numbers $S_A$ and $S_B$ which are defined as numbers obtainable from $ID_A^d \pmod{n}$ and $ID_B^d \pmod{n}$, respectively.
When the conversers A and B wish to obtain a work or session cipher key $K$, i.e. a key which is randomly chosen at each communication, the first subsystem of the converser A generates a random number $\gamma$ and sends the second subsystem of the converser B a first key distribution code $X_A$ representative of a number obtained by computing $S_A \times \alpha^{\gamma} \pmod{n}$. The second subsystem of the converser B also generates a random number $t$ and sends the first subsystem of the converser A a second key distribution code $X_B$ representative of a number obtained by calculating $S_B \times \alpha^{t} \pmod{n}$. Then, the first subsystem of the converser A calculates $(X_B^e / ID_B)^{\gamma} \pmod{n}$ and keeps the resulting number as the work cipher key $K$. Similarly, the second subsystem of the converser B calculates $(X_A^e / ID_A)^{t} \pmod{n}$ and keeps the resulting number as the work cipher key $K$.
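The two-way exchange described above, carried through in Python as an added example (not code from the patent or from Okamoto's system). The primes 467 and 563, the exponent e = 3, the element 2 and the numeric identities are constructed toy values, and the function names are hypothetical. The second function shows why a peer that lacks the secret number for the identity it claims ends up with a different key.

```python
import secrets

# Constructed toy parameters, far below the 512-bit modulus the text requires.
P, Q = 467, 563             # 2 is a primitive element of both GF(467) and GF(563)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 3
D = pow(E, -1, PHI)         # e*d = 1 (mod (p-1)(q-1)); d is used only to issue secrets
ALPHA = 2

def issue_secret(identity):
    """S = ID^d (mod n), the secret number handed to the holder of that identity."""
    return pow(identity, D, N)

def distribution_code(secret, r):
    """X = S * alpha^r (mod n), the value sent over the insecure channel."""
    return secret * pow(ALPHA, r, N) % N

def work_key(peer_code, peer_identity, r):
    """K = (X_peer^e / ID_peer)^r (mod n); the division is a modular inverse."""
    stripped = pow(peer_code, E, N) * pow(peer_identity, -1, N) % N
    return pow(stripped, r, N)

def exchange(id_a, id_b, gamma=None, t=None):
    """Both directions of the protocol; returns (K computed by A, K computed by B)."""
    gamma = gamma or secrets.randbelow(PHI - 1) + 1
    t = t or secrets.randbelow(PHI - 1) + 1
    x_a = distribution_code(issue_secret(id_a), gamma)   # A -> B
    x_b = distribution_code(issue_secret(id_b), t)       # B -> A
    return work_key(x_b, id_b, gamma), work_key(x_a, id_a, t)

def exchange_without_secret(id_a, id_b, gamma, t):
    """The peer claims ID_B but holds no S_B, so its code is only alpha^t."""
    x_a = distribution_code(issue_secret(id_a), gamma)
    unauthenticated_code = pow(ALPHA, t, N)
    return work_key(unauthenticated_code, id_b, gamma), work_key(x_a, id_a, t)

if __name__ == "__main__":
    ID_A, ID_B = 1001, 2002  # constructed numeric identities, coprime to n
    print(exchange(ID_A, ID_B))
    print(exchange_without_secret(ID_A, ID_B, 12345, 6789))
```

With matching secrets both sides arrive at α^(e·γ·t) mod n; each side must send one code and receive one before it can compute the key.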
As described above, the identity-based key distribution system must carry out mutual or two-way communication between the first and the second subsystems in order to distribute or exchange the work cipher key K. As a result, the identity-based key distribution system is defective in that communication overhead increases in a known electronic mail system which can transmit messages enciphered with the work cipher key K via the insecure communication channel.