JP2003216027A - System, method and program for verifying existence of each exponential coefficient of power-residue product of probability disclosure key cryptogram in section - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To verify that the value of each exponential coefficient of a power- residue product of a probability disclosure key cryptogram is present in a specified range while hiding the value of the exponential coefficient. <P>SOLUTION: An input part 201 inputs a probability disclosure key ciphering type disclosure key 205, a variable 206 for determining the upper limit value and lower limit value of a specified section, a cryptogram row 207, an exponential coefficient row 208, and a safe variable 209. An arithmetic processing part 202 generates a power-residue product 221 on the basis of the exponential coefficient row 208 of the cryptogram row 207 and verification sentences 222 to 225 for judging whether the values of respective exponential coefficients exist in the section specified by the variable 206 or not on the verification side without eliminating the difficulty of deciphering the value of the row 208 used for the generation of the product 221. An output part 203 outputs a verification message 204 containing the product 221 and the verification sentences 222 to 225. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technique for verifying that each exponential coefficient of a modular exponentiation product of a stochastic public key ciphertext is within an interval while hiding the value of each exponential coefficient, and its verification technology. In particular, the present invention relates to a technique in which a private key is kept secret to a proving subject, and a verifying subject possesses the private key.

[0002]

2. Description of the Related Art Conventionally, as a technique for proving that a specific value is in a predetermined interval while hiding the value, there is, for example, a method by Fabrice Boudot. This is based on the literature “Efficient Proofs That Accompanied Number Rise In An Interval, Advance In Cryptology, Proceeding Of Eurocrypt 2000, LNC S1807, Springer Fairlag, 431-444, 2000.
hat a Committed Number Lies in an Interval, Advanc
e in Cryptology, Proceeding of Eurocrypt'2000, LNC
S1807, Springer-Verlag, pp. 431-444, 2000) ". Hereinafter, this method will be simply referred to as a conventional technique. In this conventional technique, a given value is committed by using a random number, and it is proved that the value is within a defined interval while hiding the value.

An outline of this conventional technique will be described below with reference to the drawings. FIG. 17 is a diagram for explaining a configuration of a proof sentence creating apparatus that creates a proof sentence for certifying that a specific numerical value is in a predetermined section in the related art while hiding the specific numerical value. It is a block diagram.

In FIG. 17, the upper half (63
1-1, 631-2) is omitted by the dotted line, but this is the lower half (631-4,
It can be derived in exactly the same way as the process of deriving 631-5).

The term "commit x" here means to publish the result of inputting x and possibly a random number into the one-way function, and this result is called commitment. Due to the nature of the one-way function, x cannot be obtained from the commitment of x, and it is difficult to obtain inputs other than x that give the same commitment.

It is assumed that the composite number n is the product of two (sufficiently large) prime numbers p and q that neither the prover nor the verifier knows. Let g and h be elements of the multiplicative group Z ^* _n , and neither the certifier nor the verifier know the discrete logarithm with bases of each other.

First, as shown by 611 in FIG. 17, the prover uses the comet number 601 (committed number) “x” and the random number 602 used for the commitment, “r”, the calculated value ^"g x ^{h r} mod ^n" the x
Calculated as the commitment 631-5. Create a proof sentence to prove that the value of x is within the specified interval [a, b] while keeping x secret.

Then, in 612 of FIG. 17, the difference xa (613), bx () between the commitment value x, the lower limit value a, which is a constant 604 that defines the specified section, and the upper limit value b and the end values of the section, Calculate the commitment of 614). Then, in 615 and 616 of FIG. 17, the variable T calculated from the size of the section defined as the safety variable 603.
Using, to multiply the two commitments 2 ^T, 2 ^T (x-
1) Calculate 2 ^T (bx) commitment.

Then, each committed value 2 ^T (x-1), 2
We prove that these values are larger than −2 ^T , respectively, while keeping ^T (bx) hidden (while keeping the decipherability). x, a,
Since b is an integer, this proof is that xa, bx is positive,
That is, it proves that x is in the interval [a, b]. In the following, we describe a method to prove to a verifier that the committed number is larger than −2 ^T , while keeping the number secret (while keeping the decryption difficult).

Hereafter, this secret number (that is, 2 ^T (x-1),
Let 2 be one value of ^T (bx) be X. Let v be the largest integer less than the square root of X and the integer z be Xv ² .

Here, v ² , u and X are committed. From these commitments, the verifier finds that each committed number satisfies the relationship v ² + u = X.

Then, in 621 of FIG. 17, a proof sentence 631-4 is generated to prove that the commitment of u is a commitment of which absolute value is smaller than 2 ^{T while} h is hidden. Further, in 622 of FIG. 17, a proof sentence 631-3 for proving that the commitment of v ^{2 is} the commitment of a square number while hiding v is generated.

[0013] and positive certain squares, X absolute value of the sum of 2 ^T smaller value is greater than -2 ^T. To prove that the absolute value of u is less than 2 ^T by hiding the value of u, u
The absolute value of must be much less than 2 ^T. Hide the value of X by choosing a sufficiently large T such that the sum of such small absolute values u and the square number can represent all integers in the interval [a, b]. Also, these proofs require the random numbers used to generate the commitment.

[0014]

However, the above-mentioned conventional technique has a problem in that the number of proofs that the proof is within the defined interval is limited to one by one proof. The following is an example in which solving this problem is important.

[Example] As an example, the personality of a questionnaire-type individual
Think of a trend diagnostic service. The organizer asks the user
And the user responds and sends it back to the organizer,
The organizer responds to the user about the tendency. User here
In order to protect the privacy of
Ketaka I want to keep the organizer from knowing. On the other hand,
In order to collect valid materials, the organizer
I want to prevent users from choosing answers other than the choices. Well
Also, in order to hide the organizer's know-how and the user
So that you don't know and answer the questionnaire
Does each item of the questionnaire have a positive effect on the tendency to be diagnosed?
Wants to make sure that the user does not work negatively. Sponsor
Respondents should enter 1 or 0 for each question item in the questionnaire.
Mitted (g ¹h^rmod n or g⁰h^reither mod n)
Give the user a column of elements that are. Each commitmen
Is a commitment of 1 or a commitment of 0
Ruka positively affects the tendency of corresponding question items to be diagnosed
Decide whether to work negatively or negatively. Random number r is for each commit
Use different ones for each
I don't know how many. User applies to himself
Commitment and random number corresponding to a question that seems to be
r ", choose those commitments and h^{r "}Lord seeking the product of
Send it back to the organizer. This product is g^{0 +,…, + 1}h^{r '+ ... + r + r "}mod
Ask questions about items that have a positive shape, such as n.
The number selected by the user is committed. Where each term
By sending the whole product instead of sending the answer to the eye
The organizer does not know which item the user has marked.
I am trying to stay.

[Problems in Example] In the above questionnaire,
The user can answer the specific item in duplicate. For example, if you put s values g ¹ h ^r committed by the organizer for the first question in the reply, (g ¹ h ^r ) ^s = g ^s h ^sr , so the answer to the first question is the final Will make a big contribution to your decision. If you allow such a reply, the collected data will be less reliable and may be of no value to the organizer. Therefore, the organizer wants the user to prove that all questions have been answered only once. Moreover,
If you prove it for each item, you can get a reply for each item, so I want to request proof for all items at once. In the prior art, such a request could not be answered because of the above problem.

The present invention has been made in view of the above problems, and an object of the present invention is to solve each of the above problems in the conventional technique so that a certifier can obtain a sequence of cipher texts from each string. Get the number of elements within the specified range,
A method of sending the product of all of them to the verifier, and the prover certifying that the number of any ciphertext in generating the product is within the specified range, that is, the power-of-residue of the probability public key ciphertext. A method of proof that each exponential coefficient of the product is in the interval, and a method of verification that this proof is correct, that is, each exponential coefficient of the modular exponentiation product of the probability public key ciphertext is in the interval. It is to provide a verification method of that.

[0018]

According to a first proof system of the present invention, each exponent of a modular exponentiation product of a sequence of exponential coefficients of a sequence of probabilistic public key cryptograms encrypted by the probabilistic public key cryptosystem. A proof sentence for proving that the value of the coefficient is within the specified interval is created, and it is verified based on the proof sentence that the value of each index coefficient is within the specified interval. In the proof system, the public key of the stochastic public key cryptosystem, the upper limit value and the lower limit value that define the specified section, the sequence of the probability public key ciphertext, and the sequence of the exponential coefficient are correctly verified. Based on the value of the safety variable that defines the probability, for determining whether the value of each exponential coefficient is within the specified interval without losing the decipherability of the value of each exponential coefficient. Certificate statement creating device for creating the certificate statement , The modular exponentiation product to be verified, the upper limit value and the lower limit value defining a specified range, the public key and the secret key of the stochastic public key cryptosystem, the safety variable, and the stochastic public key ciphertext. , A sequence of random numbers used for encryption of the sequence of the probabilistic public key ciphertext, and the proof text, the value of each exponential coefficient of the modular exponentiation product within the specified interval. And a verification device for verifying whether or not there is a probability above the probability defined by the safety variable.

In the second proof system of the present invention,
The proof sentence creating device is a column of a difference between a lower limit value which is a column obtained by subtracting the lower limit value from a value of each exponential coefficient of the exponential coefficient column, and each exponential coefficient of the exponential coefficient column from the upper limit value. Each of the difference column with the lower limit value and the difference column with the upper limit value for generating a difference column with the upper limit value which is a column with the value of An expansion unit that multiplies the element value by a first value determined by a value that defines a safety variable and an interval, and generates a sequence of differences between the expanded lower limit value and a sequence of differences between the expanded upper limit value. , The maximum square number smaller than that value for each element of the difference row with the expanded lower limit value and the difference row with the expanded upper limit value, and the corresponding value from the value of each element. By calculating the difference value by subtracting the square number, the difference column with the expanded lower limit value and the expanded A division unit that divides the sequence of the difference from the upper limit into the sequence of the square numbers and the sequence of the difference values, and the sequence of the square numbers corresponding to the lower limit of the probability public key ciphertext sequence. The first exponentiation remainder product and the second exponentiation remainder product by the sequence of the square numbers corresponding to the upper limit value of the sequence of the probability public key ciphertext are obtained, and the first and second exponentiation products are obtained. A square number proof section that generates a proof statement that the sequence of exponential coefficients of the remainder product is a square number and that the square root does not exceed a second value defined by the safety variable and a constant that defines the interval. , A third exponentiation remainder product by the sequence of the difference values corresponding to the lower limit value of the sequence of the probability public key ciphertext, and the difference corresponding to the upper limit value of the sequence of the probability public key ciphertext. The fourth exponentiation remainder product is obtained from the sequence of values, and the absolute value of the value of each exponential coefficient of the third and fourth exponentiation remainder product is And a size of the proof of the absolute value to generate a proof text that serial smaller than the first value.

In the third proof system of the present invention, the verification device obtains a value obtained by multiplying the product of all elements of the sequence of the stochastic public key ciphertext by the lower limit value, and with this value, the verification target The modular exponentiation product is divided by the element of the public key, and a value obtained by expanding the modular exponentiation product by using the first value is obtained. It is confirmed that it is equal to the product of the modular exponentiation, and the product of all the elements of the sequence of the stochastic public key ciphertext is multiplied by the upper limit value to obtain a value, and this value is the power of the verification target. Divide the remainder product by the modulus which is the public key, and obtain the expanded value using the first value,
It is confirmed that this value is equal to the product of the second exponentiation remainder product and the fourth exponentiation remainder product, and if the two confirmations can be made, a division verification unit that outputs verification acceptance of division, and First
The value of each exponential coefficient of the modular exponentiation of is a square number, and
It is verified that the square root does not exceed the second value, and that the value of each exponential coefficient of the second power residue product is a square number, and that the square root exceeds the second value. If the two verifications are possible, the verification unit for the square number that outputs the verification acceptance of the square number and the value of each exponential coefficient of the third power residue product do not exceed the first value. It is verified that the value of each exponential coefficient of the fourth power-residue product does not exceed the first value, and if the two verifications are successful, the verification of the magnitude of the absolute value is accepted. It also includes a verification unit for the magnitude of the absolute value to be output.

In the fourth proof system of the present invention, the square number proof section includes an encryption section for generating the first and second exponentiation remainders, and a first random number corresponding to the lower limit value. A random number generation unit for generating a sequence and a second random number sequence corresponding to the upper limit value, a square root of each element of the sequence of square numbers corresponding to the lower limit value, and a first random number sequence corresponding to the lower limit value And a fifth exponentiation remainder product, which is the exponentiation remainder product of the sequence of the stochastic public key ciphertext, and each element of the sequence of square numbers corresponding to the upper limit value. Square root of and the second
A modular exponentiation product generating unit for generating a sixth exponentiation modular exponentiation, which is a modular exponentiation modular exponentiation of the sequence of the probability public key ciphertext, by a sequence obtained by multiplying each element of the random number sequence of It corresponds to the upper limit value and the seventh exponentiation remainder product which is the exponentiation remainder product of the sequence of the stochastic public key ciphertext by the square sequence of each element of the first random number sequence corresponding to the lower limit value. A random exponentiation residue product generation unit that generates an exponentiation exponentiation residue product that is an exponentiation exponentiation product of the sequence of the stochastic public key ciphertext by a squared sequence of elements of the second random number sequence; , The public key, the sequence of the probabilistic public key ciphertexts, and a first challenge value corresponding to a lower limit value that is an output of a hash function including the first, fifth, and seventh exponentiation modulo products as inputs, An output of a hash function including the public key, the sequence of the probabilistic public key ciphertext, and the second, sixth, and eighth exponentiation modulo products as inputs. A challenge value generation unit for generating a second challenge value corresponding to an upper limit value, each element of the first random number sequence corresponding to the lower limit value, and each element of the square number sequence corresponding to the lower limit value The first response corresponding to the lower limit, which is the sum column, of the square root of and the product column of the first challenge value, and each element and the upper limit value of the second random number sequence corresponding to the upper limit value. A response generation unit that generates a second response corresponding to an upper limit value that is a sum column of the square root of each element of the corresponding square number column and the product column of the first challenge value; All of the elements of the first response are not within the first interval defined by the safety variable, the size of the interval and the constant determined from the first challenge value, or all of the elements of the second response are safe. If it is not in the second interval defined by the variable, the size of the interval, and the constant determined by the second challenge value, the square number And a size confirmation section to restart the light from the beginning.

In the fifth proof system of the present invention, the square number verification unit includes a challenge value generation unit that generates the first challenge value and the second challenge value, and the first and second challenge values. , Fifth,
A decryption unit configured to generate first, second, fifth, sixth, seventh, and eighth plaintexts, which are plaintexts of the sixth, seventh, and eighth exponentiation remainder products, by the secret key; and The first, second, fifth, sixth, seventh and eighth random numbers used to generate the first, second, fifth, sixth, seventh and eighth exponentiation remainder products, respectively. A random number generator for generating a random number with a secret key, whether all the elements of the first response are in the first section, and all the elements of the second response are in the second section. The first challenge corresponding to the lower limit is made by using a size confirmation unit for confirming a heel, a plaintext of the sequence of the probability public key ciphertext, and a random number used for generating the probability public key ciphertext. Of value
The first verification equation using the quadratic equation and the quadratic equation of the first response is satisfied, and the second challenge value corresponding to the upper limit value.
It includes a quadratic equation and a quadratic equation verification unit that confirms that a second verification equation using the quadratic equation of the second response holds.

In the sixth proof system of the present invention, the proof part for the magnitude of the absolute value is an encryption part for generating third and fourth power-residue products, and a third part corresponding to the lower limit value. Of random number sequence and a fourth random number sequence corresponding to the upper limit value, and a power-of-residue product of the sequence of the probability public key ciphertext by the third random number sequence corresponding to the lower limit value. There is the ninth
Exponentiation remainder for generating a exponentiation remainder product and a tenth exponentiation remainder product that is the exponentiation remainder product of the sequence of the probability public key ciphertext by the fourth random number sequence corresponding to the upper limit value. A product generator, the public key, a sequence of the probability public key ciphertexts, the third
And a ninth challenge-value corresponding to the lower limit which is the output of the hash function including the ninth exponentiation remainder product, the public key, the sequence of the probabilistic public key ciphertexts, the fourth and tenth values.
And a modular exponentiation product, the fourth challenge value corresponding to the upper limit value being the output of the hash function, and each element of the third random number sequence corresponding to the lower limit value. A third response corresponding to a lower limit value which is a sum column of a column of a difference between the square number corresponding to a lower limit value and a column of a product of the third challenge values corresponding to a lower limit value, and an upper limit A sequence of sums of a sequence of differences between each element of the fourth random number sequence corresponding to a value and the square number corresponding to the upper limit and a sequence of products of the fourth challenge values corresponding to the upper limit And a response generation unit that generates a fourth response corresponding to an upper limit value, and all elements of the third response are defined by a safety variable, a size of the section, and a constant determined from the third challenge value. If it is not in the third interval, or if all the elements of the fourth response are based on the safety variable, the size of the interval, and the fourth challenge value. The defined by a constant is because 4
If it is not within the section of, the size confirmation unit is provided to restart the absolute value size verification process from the beginning.

In the seventh proof system of the present invention, the absolute value magnitude verification unit includes the third challenge value and the fourth challenge value.
And a challenge value generation unit for generating a challenge value and a plain text of each of the third, fourth, ninth and tenth exponentiation remainder products. A decryption unit that generates a secret key and the third, fourth, and ninth units that are used to generate the third, fourth, ninth, and tenth modular exponentiation products.
And a random number generator for generating a tenth random number with a secret key, whether all the elements of the third response are in the third section, and all the elements of the fourth response are the fourth section. And a third verification equation using the linear expression of the third challenge value and the linear expression of the third response, which correspond to the lower limit value. And a linear expression of the fourth challenge value corresponding to the upper limit value and 1 of the fourth response
Confirm that the fourth verification equation using the following equation holds 1
It includes a verification unit according to the following formula.

[0025]

BEST MODE FOR CARRYING OUT THE INVENTION Referring to FIG. 1, an embodiment of a proof system that each exponent coefficient of a modular exponentiation product of a stochastic public key ciphertext of the present invention is in an interval is a verifier terminal 10
1 and a prover terminal 102, both of which can communicate with each other through a public line network, a dedicated line network, or a network 103 such as the Internet.

The prover terminal 102 is a terminal used by the prover who proves that each exponential coefficient of the modular exponentiation of the stochastic public key ciphertext is within the section. The verifier terminal 101 is the probability public key. This terminal is used by the verifier who verifies that each exponential coefficient of the power-of-residue product of the ciphertext is within the section. The prover terminal 102 can be realized by an information processing device such as a personal computer or a mobile information terminal. The verifier terminal 101 can be realized by an information processing device such as a personal computer or a workstation.

The prover terminal 102 stores, from the verifier terminal 101, data storage means 111 for storing a data string to be used as a string of exponential coefficients of the power-of-residue product of the probability public key ciphertext, and information necessary for the proof process. Probability of having the form of a modular exponentiation from the public information storage unit 112 that stores the public information, and the public information stored in the public information storage unit 112 and the data stored in the data storage unit 111. Probability public key ciphertext that is a public key ciphertext and uses the data string stored in the data storage unit 111 as the exponential coefficient string, and the value of each exponential coefficient of the modular exponentiation of this probability public key ciphertext And a proof sentence creating apparatus 113 for generating a proof sentence indicating that is in the designated section and transmitting it to the verifier terminal 101 via the network 103, and the network 103.
Display of the processing result receiving device 114 for receiving the processing result sent from the verifier terminal 101, the input device such as the keyboard for inputting the instruction and the data from the user, and the response content from the verifier terminal 101. And an output device 115 provided with an output device for performing output.

The verifier terminal 101 generates various kinds of information required for certification and verification prior to the operation of the system, among which information to be disclosed is disclosed to the verifier terminal 102 as public information, and secret information is disclosed. The information setting disclosure means 121 to be stored together with the information on the verifier terminal 101 side, the information storage means 122 for storing the secret information and the disclosure information generated by the information setting disclosure means 121, and the form of the modular exponentiation The probabilistic public key ciphertext that it has and the proof text that the value of each exponential coefficient of the power-of-residue product of this probabilistic public key ciphertext is in the specified section are received from the prover terminal 102, and the proof text and information A verification device 123 for verifying that the value of each exponential coefficient of the exponentiation modular exponentiation of the received probability public key ciphertext is in the specified section based on the information stored in the storage means 122; A processing device 124 that executes a predetermined process based on the content of the plaintext obtained by decrypting the probability public key cryptogram verified by the verification device 123, and notifies the prover terminal 102 of the result via the network 103. It is configured to include.

The recording medium 151 and the recording medium 152 are computer-readable recording media such as a magnetic disk device, a semiconductor memory, and a CD-ROM, in which a verifier terminal program and a prover terminal program are recorded, respectively. The verifier terminal program recorded in the recording medium 151 is
By being read by the computer that constitutes the verifier terminal 101 and controlling the operation of the computer, the verifying device 123 and the processing device 12 are installed on the computer.
4 is realized. Further, the certifier terminal program recorded in the recording medium 152 is read by a computer that constitutes the certifier terminal 102, and the operation of the computer is controlled, so that the certifying sentence creating apparatus 113 and the processing result are executed on the computer. The receiver 114 is realized.

Next, the operation of this embodiment will be described with reference to the flowchart of FIG.

Prior to the operation of the system, the verifier terminal 10
The information setting publicizing means 121 of No. 1 generates predetermined public information and secret information required for certification and verification, discloses the public information to the prover terminal 102 via the network 103, and stores the secret information together with the public information in the information storage. It is stored in the means 122 (step S101). The prover terminal 102 receives the public information and stores it in the public information storage unit 112 (step S).
201). The certification sentence creating apparatus 113 of the prover terminal 102 executes the certification sentence creating process using the public information stored in the public information storage unit 112, and the verification apparatus 123 of the verifier terminal 101 is stored in the information storage unit 122. The verification process is performed using the public information and the confidential information that have been obtained. Steps S202 to S204 and S102 to S106 in FIG. 2 show the flow of processing when one proof sentence is sent from the prover terminal 102 to the verifier terminal 101. Prover terminal 102
For example, the user creates the proof sentence in
The process is started when the data string in the data storage unit 111 is designated from 15 and creation is instructed.

First, the proof text creating device 113 of the prover terminal 102 generates a probability public key cipher text using a data string stored in the data storage means 111 as a string of exponentiation modulo products. It is generated (step S202). Next, a proof statement that the value of each exponential coefficient of the power-of-residue product of the generated probability public key ciphertext is in the specified section is generated (step S203). Specifically, it defines the public key of the stochastic public key cryptosystem, the upper and lower limits that define the specified section, the sequence of the probability public key ciphertext, the sequence of exponential coefficients, and the probability of correct verification. A proof sentence for determining whether or not the value of each exponential coefficient is within the specified section without losing the decipherability of the value of each exponential coefficient is created based on the value of the safety variable. Then, the generated probability public key ciphertext and prooftext are transmitted to the verifier terminal 101 via the network 103 (step S204).

When the verification device 123 of the prover terminal 101 receives the probabilistic public key cryptogram and the prooftext from the certifier terminal 102 (step S102), the received prooftext and the disclosure stored in the information storage means 122. Based on the information and the secret information, verify that the value of each exponential coefficient of the exponentiation modular exponentiation of the received probability public key ciphertext is in the specified section with a probability higher than that specified by the safety variable ( Step S
103). Then, when the validity is verified (YES in step S104), the processing device 124 executes a predetermined process based on the content of the plaintext obtained by decrypting the probability public key ciphertext, and the result thereof is obtained by the network 103. The certifier terminal 102 is notified via this (step S105). On the other hand, when the authenticity is not verified by the verification device 123, the processing device 124 sends a message rejecting the request for the processing based on the probability public key ciphertext transmitted by the prover terminal 102 this time via the network 103. The terminal 102 is notified (step S106).

Processing result receiver 11 of prover terminal 102
4 receives the processing result or the rejection message transmitted from the verifier terminal 101, and outputs it to the input / output device 115 (step S205).

As described above, the proof text creating apparatus 113 according to the present embodiment is a probability public key cipher text having the form of a modular exponentiation and is a data string stored in the data storage means 111 as a string of its exponential coefficient. Probabilistic public key ciphertext using is generated, and the proof sentence that proves that the value of each exponential coefficient of the modular exponentiation product of this probabilistic public key ciphertext is in the specified interval while hiding the exponential coefficient value. And sends it to the verifier terminal 101. Therefore, it is possible to certify a plurality of data (a plurality of elements forming a data string) at one time.

Various concrete examples of the use of the certification system of this embodiment are conceivable. For example, the questionnaire type personal character tendency diagnosis service described in the section “Problems to be solved by the invention” is one example of its use. In this case, the data string stored in the data storage unit 111 corresponds to the user's answer to the question in the questionnaire, and the processing of the processing device 124 is the processing of diagnosing the tendency of the personality of the individual.

Next, the embodiments of the proof sentence creating apparatus and the verification apparatus used in the proof system of the present embodiment will be described in detail.

(1) Embodiment of Proof Text Creating Apparatus First, embodiment of proof text creating apparatus for certifying that each exponential coefficient of the modular exponentiation product of a stochastic public key cryptogram falls within a specified section. Will be described.

FIG. 3 is a block diagram showing an example of a proof sentence creating apparatus for creating a proof sentence that proves that each exponential coefficient of the power-of-residue product of a stochastic public key cryptogram is within a specified section. FIG. 4, FIG. 5, and FIG. 6 are flowcharts for explaining the proof sentence creation processing by this proof sentence creation apparatus.

The method of proof that each exponent coefficient of the modular exponentiation product of the stochastic public key cryptogram of the present embodiment is within the specified interval is defined by the secret key between the plaintext and the random number used for encryption. A ciphertext based on a probability public key cryptosystem that can obtain both is used. In the following description, the plaintext to be encrypted is numerical data, and the ciphertext obtained by encrypting this is also numerical data.

Referring to FIG. 3, the proof text creating apparatus according to the present embodiment has an input unit 201 for manually inputting various data used for creating a proof text, and an operation based on the input data to perform a proof text. The calculation processing unit 202 to be created and the output unit 203 to output the created proof sentence 204 are provided. The proof sentence 204 according to the present embodiment is the proof sentence 223, 22 of the exponentiation remainder product 221 and the square number which are the proof objects.
5 and proof sentences 222 and 224 having the magnitude of the absolute value.

Further, the arithmetic processing unit 202 includes an exponentiation remainder product generating unit 211 and a proof sentence generating unit 212. The proof sentence generating unit 212 includes a generating unit 231 for a sequence of differences between both end values and an expanding unit. 232, a decomposition unit 233, and a square number proof unit 234.
And a proof section 235 of the magnitude of the absolute value. Further, the square number proof unit 234 includes an encryption unit 241, a power exponentiation surplus product generation unit 242, and a random power exponentiation surplus product generation unit 243.
It has a challenge value generation unit 244, a response generation unit 245, a size confirmation unit 246, and a random number generation unit 247.
In addition, the absolute value proving unit 235 is
1, a modular exponentiation product generation unit 252, and a challenge value generation unit 253
And a response generation unit 254, a size confirmation unit 255, and a random number generation unit 256.

Referring to FIG. 4, in the proof sentence creation processing of this embodiment, first, the input unit 201 outputs n and g, which are public keys 205 of the stochastic public key cryptosystem, as various information necessary for proof. , The upper limit value a and the lower limit value b, which are variables 206 that define the specified section, and the sequence 20 of the probability public key ciphertext.
E _i (i = 1, ..., M) that is 7 and the index coefficient column 20
8 and w _i (i = 1, ..., M) and the safety variable 209 that defines the probability of correct verification are input (step S301).

Next, the modular exponentiation product generation unit 211 of the arithmetic processing unit 202 uses the probability public key encryption method public key 205, the probability public key ciphertext column 207, and the exponential coefficient column 208 to calculate the probability public key encryption. Exponential coefficient column 208 of sentence column 207
Produced as modular exponentiation product ^{_{e = Π i = 1 m e}} ^ {w i} mod n 2 of the certification target modular exponentiation product 221 by (step S30
2). Next, the proof statement generation unit 212 proves that the value of each exponential coefficient of the power-and-residue product of the proof is within the interval specified by the variable 206 that defines the interval.
To 225 are created (step S303). Then, the output unit 203 outputs the exponentiation remainder product 221 and the proof sentence 2 of the proof object.
The proof sentence 204 including 22 to 225 is output (step S304).

In the present embodiment, the proof sentence exponentiation residual product 221 is generated by the proof sentence creating device. However, when the proof subject exponentiation residual product is created in another part, it is generated. do not have to. In addition, in the present embodiment, the proof sentence 20
Although 4 has included the power-of-residue product 221 to be proved, it does not necessarily have to be included.

Details of step S303 in which the proof sentence generation unit 212 generates a proof sentence are shown in step S303 of FIG.

Referring to the flow chart in step S303 of FIG. 4, first, the generation unit 231 of the sequence of the difference between the both end values
Is a sequence w _i -a; (i = 1, ..., M) of the difference between the index coefficient column 208 and the lower limit value a indicated by the variable 206 defining the section, and the index coefficient column 208 and the section upper limit value b. Sequence of difference with bw _i ; (i = 1, ..., m)
And are generated (step S311).

Next, the expansion unit 232 multiplies these difference columns by the value U defined by the safety variable 209 and the values a and b that define the interval, and outputs the difference column U (w _i ) with the expanded lower limit value. -a),
A sequence U (bw _i ) of the difference from the expanded upper limit value is generated (step S312).

Next, the decomposing unit 233 outputs, for each of the expanded difference columns, a maximum square number sequence w [i1] ² , w '[i1] ² ; (i = 1, which is smaller than that value. , M) are obtained, and the difference columns between the respective expanded difference columns and the corresponding square numbers are obtained (step S313). w [i2] = U (w _i -a) -w [i1] ² , w '[i2] = U (bw _i ) -w' [i1] ² ; (i =
1, ..., m)

[0050] Next squares certification unit 234, modular exponentiation product e [1] by squares column w [i1] ² corresponding to the lower limit value a column e _i of the probability public key cipher text = [pi _{i = 1} ^m e _i ^ {w [i1] ² } modn ² and the square number sequence w'corresponding to the upper limit b of the sequence e _i of the probability public key ciphertext
Exponentiation remainder product by [i1] ² e '[1] = Π _{i = 1} ^m e _i ^ {w' [i1] ² } modn ²
Is calculated, and the coefficient w [i1] that generated both powers of remainders e [1] and e '[1]
² , w '[i1] ² ; (i = 1, ..., m) is a square number, and its square root w [i1], w' [i1] is a value defined by a safety variable and a constant that determines the interval. Proof of square number 2 with not exceeding V 2
23 and 225 are generated (step S314). The above exponentiation remainder product e [1] becomes one element of the square number proof sentence 223, and the above exponentiation remainder product e ′ [1] becomes the square number proof sentence 225.
It becomes one element of.

Next, the proof part 235 of the magnitude of the absolute value causes the modular exponentiation product e [by the sequence w [i2] of the difference from the square number corresponding to the lower limit value a of the sequence e _i of the probability public key ciphertext. 2] = Π _{i = 1} ^m e _i ^ {w [i2]} mo
The exponentiation remainder product e '[2] = Π _{i = 1} ^m by the sequence w' [i2] of the difference between dn ² and the square number corresponding to the upper limit b of the sequence e _i of the stochastic public key ciphertext
e _i ^ {w '[i2]} modn ² is obtained, and both powers modular exponentiation e [2], e [' [2]
The absolute value of the coefficients w [i2], w '[i2]; (i = 1, ..., M) that generated the constant U determined by the safety variable 209 and the width of the section.
Proof sentence 222, 2 of magnitude of absolute value of being smaller
24 is generated (step S315). The above modular exponentiation product e [2] becomes one element of the proof sentence 222 of the magnitude of the absolute value, and the above modular exponentiation product e '[2] of the proof sentence 224 of the absolute value is It becomes one element.

Step S3 which is a proof step of the square number
Details of 14 will be described with reference to the flowchart of FIG.

First, the encryption section 241 generates the above-mentioned modular exponentiation products e [1] and e '[1] which are also ciphertexts (step S40).
1).

Next, the random number generator 247 generates a random number sequence v [i1]; (i = 1, ..., M) corresponding to the lower limit value a and a random number sequence v '[i1] corresponding to the upper limit value b. , The modular exponentiation generator 242 causes the square root w [i1] of each element of the sequence of square numbers corresponding to the lower limit value a.
And a sequence 2v [i1] w obtained by multiplying each element of the random number sequence v [i1] by 2
[i1]; (i = 1, ..., m), the modular exponentiation product e [11] = Π _{i = 1} ^m e _i ^ {2v [i1] w [i1]} of the ciphertext sequence e _i modn ² and upper limit b
The square root w '[i1] of each element of the sequence of square numbers corresponding to and each element of the random number sequence v' [i1] is multiplied by 2 to obtain a sequence 2v '[i1] w' [i
1]; (i = 1, ..., M), the power-residue product e ′ [11] = Π _{i = 1} ^m e _i ^ {2v '[i1] w' [i1 of the sequence e _i of the ciphertext ]} modn ² is generated (step S402). The modular exponentiation product e [1 generated here
1] becomes one element of the proof sentence 223 of square number, and the modular exponentiation e '[12] becomes one element of the proof sentence 225 of square number.

Next, the random exponentiation remainder product generation unit 243 causes the square sequence v [i1] ² ; (i = 1, ..., m of each element of the random number sequence v [i1] corresponding to the lower limit value a. According to), the power of column e _i of the ciphertext multiplication remainder product _{e [12] = Π i =} 1 m e i ^ {v [i1] 2} and modn ^2, wherein the random number sequence corresponding to the upper limit value b v ' Square sequence v '[i1] of each element of [i1]
² ; (i = 1, ..., m) raised to the power of the ciphertext sequence e _{i
e '[12] = Π i} = 1 m e i ^ {v' [i1] 2} produces the modn ² (step S403). The modular exponentiation product e [12] generated here becomes one element of the proof sentence 223 of the square number, and the modular exponentiation product e '[12]
Is an element of the proof sentence 225 of square number.

Next, the challenge value generator 244 uses the public keys n, g,
The lower limit value a which is the output of the hash function including the ciphertext sequence e _i , the exponentiation remainder product e [1], the exponentiation remainder product e [11], and the exponentiation remainder product e [12] as inputs. The challenge value c [1] corresponding to
Public keys n and g, the ciphertext sequence e _I , and the modular exponentiation e ′
[1], the modular exponentiation product e ′ [11] and the modular exponentiation product e ′ [1
2] and the challenge value c ′ [1] corresponding to the upper limit value b, which is the output of the hash function, is generated (step S40).
4).

Next, the response generation unit 245 causes each element v [i1] of the random number sequence corresponding to the lower limit value a, the square root w [i1] of each element of the sequence of square numbers, and the challenge corresponding to the lower limit value. Response r [i1] = v corresponding to the lower bound that is the sum column with the product column of the value c [1]
[i1] + c [1] w [i1]; (i = 1, ..., m), each element v ′ [i1] of the random number sequence corresponding to the upper limit value, and each element of the sequence of square numbers The response r '[i1] = v' [i corresponding to the upper limit, which is the sum of the square root w '[i1] of the product and the column of the product of the challenge value c' [1] corresponding to the upper limit
1] + c ′ [1] w ′ [i1]; (i = 1, ..., M) are generated (step S405). The response r [i1] generated here is one element of the square number proof sentence 223, and the response r ′ [i1] is one element of the square number proof sentence 225.

Next, the size confirmation unit 246 causes the response r [i
1]; All the elements of (i = 1, ..., m) are within a certain interval R defined by a constant defined by the safety variable, interval size | ba |, and challenge value c [1] , The response r '[i1]; (i = 1,
, M) are not within a certain interval R'defined by a constant defined by the safe variable, interval size | ba |, and challenge value c '[1], the proof step of the square number S314
Control to restart from the beginning. Otherwise,
Complete the square number proof step.

Details of step S315, which is a step of proving the magnitude of the absolute value, will be described with reference to the flowchart of FIG.

First, the encryption unit 251 generates the above-mentioned modular exponentiation products e [2] and e '[2] which are also ciphertexts (step S50).
1). The generated modular exponentiation product e [2] becomes one element of the proof sentence 222 of the magnitude of the absolute value, and the modular exponentiation product e '[2]
Becomes one element of the proof sentence 224 of the magnitude of the absolute value.

Next, the random number generator 256 generates a random number sequence v [i2]; (i = 1, ..., M) corresponding to the lower limit value a and a random number sequence v '[i2] corresponding to the upper limit value b. , The random number sequence v corresponding to the lower limit value a
[i2]; (i = 1, ..., M), the exponentiation remainder product e [21] = Π _{i = 1} ^m e _i ^ {v [i2]} mod n ² of the sequence e _i of the ciphertext, Based on the random number sequence v '[i2]; (i = 1, ..., M) corresponding to the upper limit value b, the power-residue product e' [21] = Π _{i = 1} ^m e of the sequence e _i of the ciphertext. _i ^ {v '[i2]} modn ²
And are generated (step S502). The generated modular exponentiation product e [21] is 1 of the proof sentence 222 of the magnitude of the absolute value.
It becomes an element, and the modular exponentiation e '[21] becomes one element of the proof sentence 224 of the magnitude of the absolute value.

Next, the challenge value generator 253 uses the public keys n, g,
A challenge value c [2] corresponding to a lower limit value a which is an output of a hash function including the ciphertext sequence e _i , the power-and-residue product e [2], and the power-and-residue product e [21] as inputs. , The public keys n and g, the ciphertext sequence e _I , the exponentiation remainder product e ′ [2] and the exponentiation remainder product e ′ [21] are input to the upper limit value b which is the output of the hash function. The corresponding challenge value c '[2] is generated (step S5).
03).

Next, the response generation unit 254 causes the sequence w [i2] of differences between each element v [i2] of the random number sequence corresponding to the lower limit value a and the square number; (i = 1, ..., m). ) And the challenge value c [2] corresponding to the lower limit value a
Response r corresponding to the lower bound a that is the sum column with the product column of
[i2] = v [i2] + c [2] w [i2]; (i = 1, ..., m), each element v ′ [i2] of the random number sequence corresponding to the upper limit value b, and the square Number difference column w '[i2]; (i = 1, ..., m) and challenge value c'corresponding to the upper limit
Response corresponding to the upper bound that is the sum column with the product column of [2]
r '[i2] = v' [i2] + c '[2] w'[i2]; (i = 1, ..., M) are generated (step S504). This generated response r [i2] is
It becomes one element of the proof sentence 222 of the magnitude of the absolute value, and the response r '
[i2] becomes one element of the proof sentence 224 of the magnitude of the absolute value.

Next, the size confirmation unit 255 causes the response r [i
2]; All the elements of (i = 1, ..., m) are not in the interval S defined by the safety variable, the size of the interval | ba | and the challenge value c [2]. Response r '[i2]; (i = 1, ..., m)
Are all safe variables and interval size | ba |
If it is not within the section S ′ defined by the constant defined by c ′ [2], the proof step S315 of the magnitude of the absolute value is controlled to be restarted from the beginning. Otherwise,
Complete the absolute magnitude proof step.

(1) Embodiment of Verification Device Next, an embodiment of a verification device for verifying that each exponent coefficient of the modular exponentiation of the stochastic public key ciphertext is within the specified section will be described. .

FIG. 7 is a block diagram showing an example of a verification device for verifying that each exponential coefficient of the power-of-residue product of the stochastic public key ciphertext is within the specified section, and FIGS. 1
Reference numeral 0 is a flow chart for explaining the verification processing by this verification device.

Referring to FIG. 7, the verification apparatus according to the present embodiment has an input unit 301 for manually inputting various data required for verification, and an operation process for performing an operation based on the input data to create a proof sentence. Part 302 and the obtained verification result 3
An output unit 303 that outputs 04 is provided.

Further, the arithmetic processing section 302 comprises a verification section 311, and the verification section 311 has a division verification section 321, a square number verification section 322, an absolute value verification section 323, and a result grouping section 324. It is configured to include and. Further, the square number verification unit 322 includes a challenge value generation unit 331 and a decryption unit 3
32, a random number generation unit 333, a size confirmation unit 334,
The absolute value verification unit 323 including a quadratic verification unit 335 includes a challenge value generation unit 341 and a decoding unit 342.
A random number generation unit 343, a size confirmation unit 344, and a verification unit 345 based on a linear expression.

Referring to FIG. 8, in the verification processing of the present embodiment, first, the input unit 301 uses various information necessary for verification, the upper limit value b and the lower limit value a, which are variables 206 that define the section, and the probability disclosure. N, which is the public key 205 of the key cryptosystem,
g and λ, which is the secret key 305 of the stochastic public key cryptosystem,
A safe variable 209 and a sequence of m probability public key ciphertexts e _i = g ^
{α _i } g ^ {nβ _i } modn ² ; (i = 1, ..., m) which is a plaintext sequence 306 α _i ; (i = 1, ..., m) and the ciphertext sequence e _i ; (i = 1,
, I) which is a sequence 307 of random numbers used for encryption of β _i ; (i
= 1, ..., m) and the ciphertext sequence e _i = g ^ {α _i } g ^ {nβ _i } modn
² ; (i = 1, ..., M), the sequence of exponential coefficients of the sequence of ciphertexts w _i ;
(i = 1, ..., m) is a modular exponentiation product 221 e = Π _{i = 1} ^m e _i
^ {w _i } modn ² and a proof statement 222 that proves that each exponential coefficient of the power-residue product of this stochastic public-key cryptogram is within the interval.
And the certification sentence 204 including 225 (step S
601). Here, the proof sentences 222 to 225 are composed of the following elements. -Square number proof sentence 223; Ciphertext e [1], power of two exponentiation e [11], e [1
2], response r [i1] ○ proof text 225 of square number; ciphertext e '[1], two exponentiation remainder products e' [11], e '[1
2], response r '[i1] ○ Proof sentence 222 of magnitude of absolute value; ciphertext e [2], one power-and-residue product e [21], response r [i
2] ○ Proof sentence 224 of magnitude of absolute value; ciphertext e '[2], one exponentiation remainder product e' [21], response r '
[I2]

In the present embodiment, the proof sentence 204 includes the power residue 221 to be verified, but the power residue product 221 to be verified and its proof sentences 222 to 222.
25 may be divided so that the proof sentence 204 does not include the modular exponentiation product 221.

Next, the verification unit 311 of the arithmetic processing unit 302
Is a sequence of exponential coefficients w _i ; (i = 1, ..., Used to generate the exponentiation remainder product e to be verified based on the input information.
m) is between the lower limit value a of the section and the upper limit value b of the section [a, b], and if it is in the section, the proof acceptance detection result 304 is generated. The proof rejection acceptance detection result 304 is generated (step S602), and the output unit 303 outputs this detection result 304 (step S603).

Details of the verification step S602 of the verification unit 311 are shown in step S602 of FIG.

Referring to the flowchart in step S602 of FIG. 8, in the verification step, the division verification unit first performs the following division verification (step S611).
First, a value (Π _{i = 1} ^m e _i ) ^a = g ^ {aΣ _i obtained by multiplying the product of all the elements of the ciphertext sequence e _i ; (i = 1, ..., M) by the lower limit value a of the interval. _{= 1} ^m (α
_i + nβ _i )} mod n ² is obtained, and with this value, the modular exponentiation e is modulo
Value divided by n ² and expanded by a constant U determined by the size of the safety variable and interval E = e ^ U / (Π _{i = 1} ^m e _i ) ^ {aU}
= e ^ U / g ^ {UaΣ _{i = 1} ^m (α _i + nβ _i )} modn ² is calculated. And
This expanded value E is the lower limit value a included in the proof sentence 204.
The power-of-residue product e [1] and the lower limit a by the sequence of square numbers corresponding to
Check whether it is equal to the product of the modular exponentiation product e [2] by the sequence of the difference from the square number corresponding to.

A value (Π _{i = 1} ^m e _i ) ^b obtained by multiplying the product of all the elements of the ciphertext sequence e _i ; (i = 1, ..., M) by the upper limit value b of the interval.
= g ^ {bΣ _{i = 1} ^m (α _i + nβ _i )} modn ² and divide this value by the power modulo n ² element and divide it by the safe variable and the size of the interval. The value E '= expanded using the constant U defined
(Π _{i = 1} ^m e _i ) ^ {bU} / e ^ Ug ^ {UbΣ _{i = 1} ^m (α _i + nβ _i )} / e ^ Umodn ²
Ask for. The expanded value E ′ is the proof sentence 204.
The product of the modular exponentiation product e '[1] by the sequence of square numbers corresponding to the upper limit b and the modular exponentiation product e' [2] by the sequence of the square numbers corresponding to the upper limit b Check if is equal to.

If the above two confirmations can be made, the division verification unit 321 outputs the division verification acceptance.

Next, the square number verification unit 322 verifies the square number as follows (step S612). First, each element of the column w [i1] ² ; (i = 1, ..., m) that generated the power-residue product e [1] of the column of square numbers corresponding to the lower limit value a is a square number. Then, it is verified that the square root w [i1]; (i = 1, ..., M) does not exceed the value V defined by a safety variable and a constant defining an interval. In addition, each element of the column w '[i1] ² ; (i = 1, ..., m) that has generated a modular exponentiation product e' [1] by a column of square numbers corresponding to the upper limit value b is a square number. And its square root w '[i1]; (i =
Verify that 1, ..., M) do not exceed V above. And
If the above two verifications are successful, a square acceptance of verification is output.

Next, the absolute value magnitude verification unit 323 verifies the magnitude of the absolute value as follows (step S6).
13). First, a sequence w [i2]; (i = 1, ..., m) that generates a power-residue product e [2] by a sequence of the difference from the square number corresponding to the lower limit value a
Verify that each element of does not exceed U. Next, the modular exponentiation product e'by the sequence of the difference from the square number corresponding to the upper limit value b
It is verified that each element of the sequence w '[i2]; (i = 1, ..., M) that generated [2] does not exceed U. If you can verify these two,
Output the verification acceptance of the magnitude of the absolute value.

Step S6 which is the step of verifying the square number
Details of 12 will be described with reference to the flowchart of FIG.

First, the challenge value generator 331 uses the public keys n, g,
A challenge corresponding to the lower limit value a, which is the output of the hash function that includes the ciphertext sequence e _i , the power residue product e [1], the power residue product e [11], and the power residue product e [12] The value c [1], the public keys n, g, the ciphertext sequence e _i , the power remainder product e '[1], the power remainder product e' [11], and the power remainder product e '[12] Two challenge values including the challenge value c ′ [1] corresponding to the upper limit value b which is the output of the hash function included in the input are generated (step S701).

Next, the decryption unit 332 causes the modular exponentiation products e [1] and e '[1], which are also ciphertexts, and the modular exponentiation product e [11], which is also a ciphertext.
And e '[11], and the modular exponentiation products e [12] and e' [12] that are also ciphertexts
Plaintext x [11], x '[11], x [1
2], x '[12], x [13], x' [13] are generated with the secret key λ (step S702).

Next, the random number generation unit 333 causes the modular exponentiation e [1]
And e '[1], power residue product e [11] and e' [11], power residue product e [12]
And the random numbers s [11], s' [11], s [12], s' [12], s used to generate each of the three ciphertexts of e '[12]
[13], s' [13] (three kinds of random numbers) are generated with the secret key λ (step S703).

Next, the size confirmation unit 334 determines that all the elements of the response r [i1]; (i = 1, ..., M) included in the proof sentence are safe variables, the size of the interval | ba |, and the challenge value. Being in the interval R defined by a constant defined by c [1], and the response r '[i
1]; All the elements of (i = 1, ..., m) are in the interval R'defined by a constant defined by the safety variable, interval size | ba |, and challenge value c '[1] This is confirmed (step S704).

[0083] Then the verification unit 335 according to a quadratic equation, by using the random number beta _i was used to generate the plain text alpha _i and the ciphertext e _i of e _i, challenge value c [1 corresponding to the lower limit value a ] Quadratic equation and response r [i1]
Verification equation using the quadratic equation of x [11] c [1] ² + x [12] c [1] + x [13] = Σ _{i = 1} ^m α _i r [i1] ² (modn) s [11] ^ {c [1] ² } s [12] ^ {c [1]} s [13] = g ^ {Σ _{i = 1} ^m β _i r [i1] ² }
(modn) holds and the verification formula x '[11] c' [1] using the quadratic formula of the challenge value c '[1] and the quadratic formula of the response r' [i1] corresponding to the upper limit value. ² + x '[12] c' [1] + x '[13] = Σ _{i = 1} ^m α _i r' [i1] ² (m
odn) s '[11] ^ {c' [1] ² } s '[12] ^ {c' [1]} s '[13] = g ^ {Σ _{i = 1} ^m β _i r'
It is confirmed that [i1] ² } (modn) holds (step S705).

Details of step S613, which is the step of verifying the magnitude of the absolute value, will be described with reference to the flowchart of FIG.

First, the challenge value generation unit 341 uses the public keys n, g,
The sequence of ciphertexts e _i , exponentiation remainder product e [2], and exponentiation remainder product e
The challenge value c [2] corresponding to the lower limit value a which is the output of the hash function including [21] as an input, the public keys n and g, the ciphertext sequence e _i ,
Challenge value c'corresponding to the upper limit value b which is the output of the hash function including the exponentiation remainder product e '[2] and the exponentiation remainder product e' [21]
Two challenge values with [2] are generated (step S80).
1).

Next, the decryption unit 342 causes the modular exponentiation products e [2] and e '[2], which are also ciphertexts, and the modular exponentiation product e [21], which is also a ciphertext.
And the plaintext x [21] of the two ciphertexts of e '[21],
x '[21], x [22], x' [22] are generated with the secret key λ (step S802).

Next, the random number generator 343 causes the modular exponentiation e [2]
And e '[2], and the respective random numbers s [21] and s' [2 used to generate the two ciphertexts of the modular exponentiation products e [21] and e' [21].
1], s [22], s' [22] (two types of random numbers) are generated with the secret key λ (step S803).

Next, the size confirmation unit 344 causes the response r [i
2]; All the elements of (i = 1, ..., m) are in the interval S defined by the safety variable, the size of the interval | ba |, and the constant determined by the challenge value c [2]. , The response r '[i2]; (i =
All elements (1, ..., m) are safe variables and interval size | ba |
And within the section S'determined by a constant determined by the challenge value c '[2] (step S8).
04).

Next, the verification unit 345 based on the linear expression uses the linear expression of the challenge value c [2] corresponding to the lower limit value a and the linear expression of the response r [i2], x [21]. c [2] + x [22] = Σ _{i = 1} ^m α _i r [i2] (modn) s [21] ^ {c [2]} s [22] = g ^ {Σ _{i = 1} ^m β _i r [i2]} (modn) holds, and the challenge value c '[2] corresponding to the upper limit is 1
A verification formula using the following formula and a linear formula of the response r '[i2], x' [21] c '[2] + x' [22] = Σ _{i = 1} ^m α _i r '[i2] (modn ) It is confirmed that s '[21] ^ {c' [2]} s '[22] = g ^ {Σ _{i = 1} ^m β _i r' [i2]} (modn) holds (step S805). .

(3) Embodiment of Proof Text Creating Device and Verification Device Next, a proof text creating device for certifying that the value of each exponential coefficient of the modular exponentiation product of the probability public key ciphertext is within the specified range. An embodiment of the verification device will be described in detail. The following embodiment will be described in line with an example using the Paillier encryption method.

[Preparation] Prepare the safety variables t, t ', and s. t is t
-log₂The relation t> t 'is satisfied. In this verification method,
Even if the value of the exponential coefficient is not in the specified section,
It is recognized that the value of the index coefficient is in the prescribed section on the proof
2 chances of losing^{-t '}It is the following. In this certification method,
Even though the value of the exponential coefficient is in the defined section, the
2 chances of failing^1-sIt becomes the following. Consider these probabilities
Carefully select the safety variables t'and s. In addition, the minimum value of the interval is a,
Let b be the maximum value. T = 2 (t + s + 1) + | b-a | , The public key n = pq described later is 2^{2T + 1}Choose so that <n.
Here, | b-a | is the number of bits of b-a. √ {2^T(b-
Let D be the largest integer that does not exceed a)}. Also, x ^ a is x^a
Let x be the power of a. Let p and q be two prime numbers
Let the secret key λ be the greatest common multiple of p-1 and q-1. n = pq
It g is (g^λmodn²-1} / n and n are chosen to be relatively prime
Suppose Let n = pq and g be the public key 205. Plaintext x
Ciphertext e with random number r, e = g^xrⁿmod n² And Ciphertext sequence e_i(i = 1, ..., m) α_i∈ Z_n β_i∈_RZ_λ Using, e_i= g ^ {α_i} g ^ {nβ_i} mod n²(i = 1, ..., m) And Where β_iIs chosen randomly from within the domain, but α_i
The distribution of may be biased. Row α_i, Β_i(i = 1, ..., m)
Hereinafter, the ciphertext string generation source string is referred to.

First, a method of proving that each exponent coefficient of the modular exponentiation product of the stochastic public key ciphertext of the present invention is within the section will be described with reference to the drawings. 11, 12 and 13 are diagrams for explaining the proof method of this embodiment.

<Input Step S301> In FIG.
A lower limit value a and an upper limit value b, which are constants 206 that determine the interval, t and s that are safety variables 209, and w _j that is an exponential coefficient sequence 208
Ε [a, b] (j = 1, ..., M) and the ciphertext sequence 207 e _i (i =
1, ..., M) and the public keys 205 n, g are input.

<Step S302 for Obtaining Exponentiation Remainder Product> In 406 of FIG. 11, w _j ε which is the exponential coefficient sequence 208.
[a, b] (j = 1, ..., M) and the ciphertext sequence 207 e _i (i = 1,
, M) and the public key 205, n, from the power of remainder e =
Calculate Π _{i = 1} ^m e _i ^ {w _i } modn ² . This is output to the proof sentence 204 as the exponentiation remainder product 221 to be verified.

<Step S303><Generation of Sequence of Differences from Both Ends Step S311> In 408 of FIG. 11, each exponential coefficient sequence w _j and the lower limit value a and the upper limit value b that determine the section.
And a difference (407) between each of them is generated as follows. w _i -a (i = 1, ..., m) bw _i (i = 1, ..., m)

<Enlargement Step S312> In 420 of FIG. 11, T = 2 (t + s + 1) + | ba | is obtained from the safety variables t and s and the variables a and b that define the section, and 2 ^T Is used as an expansion coefficient, and the differences obtained in step S303 are expanded as follows. 2 ^T (w _i -a) (i = 1, ..., m) 2 ^T (bw _i ) (i = 1, ..., m)

<Decomposition step S313> In 409 of FIG. 11, the respective numerical values (differences) enlarged in step S312 do not exceed 2 ^T (w _i -a) for all i = 1, ..., M. Divide into the maximum square number w [i1] ² and w [i2] = 2 ^T (w _i -a) -w [i1] ^2, and the maximum square number that does not exceed 2 ^T (bw _i ). w '[i
1] ² 113 and w '[i2] = 2 ^T (bw _i ) -w' [i1] ² .

<Square Number Proof Step S314> The square number proof step will be described with reference to FIG. <Encryption Step S401> In 421 of FIG. 12, ciphertext e [1] = Π _{i = 1} ^m e _i ^ {w [i1] ² } modn ² e '[1] = Π _{i = 1} ^m e _i ^ Generate {w '[i1] ² } modn ² . In the square number proof step, the ciphertext e [1],
We prove that the coefficients w [i1] ² , w [i1] ' ² that generated e' [1] are all square numbers, and the square root of this plaintext does not exceed 2 ^{t + s} D. However, D is the maximum integer that does not exceed the square root of 2 ^T (ba). Since the proof method for e [1] and e '[1] is the same, only the proof for e [1] is described below.
The e [1] finally becomes the ciphertext 420.

<Generation of modular exponentiation products S402, S
403> In 422 of FIG. 12, the random number sequence v [i1] ∈ _R [0,2
^{t + s} D] (i = 1, ..., m) is generated. Next, in FIG.
At 1, 432, the following two exponentiation remainder products are calculated. e [11] = Π _{i = 1} ^m e _i ^ {2v [i1] w [i1]} modn ² e [12] = Π _{i = 1} ^m e _i ^ {v [i1] ² } modn ² .

<Challenge Value Generation Step S404> At 425 in FIG. 12, the challenge value c [1] = Hash (n, g, e _i , e [1], e [11], e [12]) mod2 ^t To calculate.

<Response Generation Step S405> 4 in FIG.
At 26, the response r [i1] = v [i1] + c [1] w [i1] is calculated for i = 1, ..., M.

<Size Confirmation Step S406> In r 427 of FIG. 12, if r [i1] ε [c [1] D, 2 ^{t + s} D] (i = 1, ..., M), then e [ 11], e [12], r [i1] are proof sentences of square numbers, and if not, the proof step of square numbers is restarted from the beginning. If w [i1] ∈ [0, D] (i = 1, ..., m),
The probability of redoing is less than 2 ^-s .

<Absolute Value Proof Step S315>
The step of proving the magnitude of the absolute value will be described with reference to FIG. <Encryption Step S501> In 451 of FIG. 13, the following ciphertext is generated. e [2] = Π _{i = 1} ^m e _i ^ {w [i2]} modn ² e '[2] = Π _{i = 1} ^m e _i ^ {w' [i2]} modn ²

In the proof step of the magnitude of the absolute value, all the absolute values of the coefficients w [i2] and w '[i2] that generate the ciphertexts e [2] and e' [2] do not exceed 2 ^T. Prove. Since the proof method for e [2] and e '[2] is the same, only the proof for e [2] will be described below.

<Step S502 of Generating Exponentiation Residue Product> FIG.
In 3 of the 452, the random number sequence _{v [i2] ∈ R [0,2} T] (i = 1,
, M) is generated, and at 455, the following modular exponentiation product is calculated. e [21] = Π _{i = 1} ^m e _i ^ {v [i2]} modn ²

<Challenge Value Generation Step S503> In 456 of FIG. 13, the following challenge value is calculated. c [2] = Hash (n, g, e _i , e [2], e [21]) mod2 ^t

<Response Generation Step S504> 4 in FIG.
At 57, calculate the following response for i = 1, ..., M: r [i2] = v [i2] + c [2] w [i2]

[0108] In 458 <size of confirmation step S505> FIG 13, r [i2] ∈ [ c [2] 2 T / 2 + 1 √ {ba}, 2 T] (i = 1, ..., m) If so, use e [21] and r [i2] as proof sentences for absolute values, and if not, repeat the proof step for absolute values from the beginning.
If w [i2] ∈ [0, √ {ba}] (i = 1, ..., m), the probability of redoing is 2 ^−s or less.

<Proof text output step 304> As the proof text that each exponent coefficient of the power-of-residue product e of the stochastic public key cryptogram is within the section, the cipher texts e [1], e '[1] and All the coefficients w [i1] ² and w '[i1] ² that generated these are square numbers, and the proof that the square root of this plaintext does not exceed 2 ^{t + s} D 22
3, 225, the ciphertexts e [2], e '[2], and the coefficients w [i2] ² , w' [i2] ² that generate them proof statement 222 that the absolute values of all do not exceed 2 ^T. , 224 are output.

Next, an embodiment of a method of verifying that each exponent coefficient of the power-of-residue product of the probabilistic public key ciphertext is within the designated section will be described with reference to the drawings. 14 and 15 and FIG.
FIG. 6 is a diagram for explaining a verification process of this embodiment.

<Input Step S601> In FIG.
Α _i , β _i (i = 1, ..., M) that is the generation sequence 500 of the ciphertext sequence
And the proof sentence 204 and the like that each exponent coefficient of the exponentiation remainder product e of the probability public key ciphertext including the exponentiation remainder product e (221) is within the section. Then, a verification step S611 for division and a verification step S61 for square number, which will be described below.
2 and if the proof is accepted in all of the absolute value magnitude verification step S613, it is accepted that each exponential coefficient of the modular exponentiation product of the public key ciphertext is within the specified section. In other cases, it will not be accepted.

<Verification Step S611 of Division> 5 in FIG.
In 01, first, E = e ^ {2 ^T } / g ^ {2 ^{T a} Σ _{i = 1} ^m (α _i + nβ _i )} mod n ² E '= g ^ {2 ^T b Σ _{i = 1} ^m (α _i Calculate + nβ _i )} / e ^ {2 ^T } modn ² . Then, if you confirm that e [2] e [1] = E e '[2] e' [1] = E ', then accept it.

<Square Number Verification Step S612> The square number verification step will be described with reference to FIG. In the square number verification step, it is verified that the plaintext of the ciphertext e [1] (420) and e '[1] is a square number, and the square root of this plaintext does not exceed 2 ^{t + s} D (FIG. 14). 502). Since the verification methods for e [1] and e '[1] are the same, only the verification for e [1] will be described below.

<Challenge value generation step S701> In 520 of FIG. 15, the public keys 205 are n and g, the ciphertext sequence is e _i , the ciphertext 420 is e [1], and two powers are used. The surplus products 423 and 424, e [11], e [12], and safety variable 20
Use t, which is 9, to calculate the challenge value below. c [1] = Hash (n, g, e _i , e [1], e [11], e [12]) mod2 ^t

<Decryption Step S702, Random Number Generation Step S703> In 511 of FIG. 15, the ciphertext e [1]
From (420), the plaintext x [11] of the ciphertext e [1] is obtained as x [11] = {(e [1] ^λ modn ² ) -1} / {(g ^λ modn ² ) -1}. Further, at 513, a random number s [11] (502) for encryption is obtained using the secret key λ as follows. s [11] = (e [1] g ^{-x [11]} ) ^ (n ^-1 mod λ) modn

Further, in 511 of FIG. 15, the plaintext x [12] of the ciphertext e [11] is calculated from the e [11] which is the element 423 of the prooftext.
As x [12] = {(e [11] ^λ modn ² ) -1} / {(g ^λ modn ² ) -1}, and at 513, keep a secret random number s [12] for encryption. The following is obtained using the key λ. s [12] = (e [11] g ^{-x [12]} ) ^ (n ^-1 mod λ) modn

Further, in 511 of FIG. 15, the plaintext x [13] of the ciphertext e [12] is calculated from e [12] which is the element 424 of the prooftext.
As x [13] = {(e [12] ^λ modn ² ) -1} / {(g ^λ modn ² ) -1}, and at 513, the random number s [13] for encryption is secret. The following is obtained using the key λ. s [13] = (e [12] g ^{-x [13]} ) ^ (n ^-1 mod λ) modn

<Size Confirmation Step S704> In 519 of FIG. 15, the size is confirmed by r [i1] ε [c [1] D, 2 ^{t + s} D] (i = 1, ..., M). Then, if it is confirmed that the following verification equation using the square of c [1] that is the challenge value 430 is satisfied using α _i and β _i that are the generator columns 500, the verification of the square number is accepted. x [11] c [1] ² + x [12] c [1] + x [13] = Σ _{i = 1} ^m α _i r [i1] ² (modn) s [11] ^ {c [1] ² } s [12] ^ c [1] s [13] = g ^ {Σ _{i = 1} ^m β _i r [i1] ² } (m
odn) If the plaintext of e [1] is not a square number, or if its square root is not less than the square root of n / 2, then the probability of false acceptance is less than 2 ^{-t '} .

<Absolute Value Verification Step S613>
The step of verifying the magnitude of the absolute value will be described with reference to FIG. In the step of verifying the magnitude of the absolute value, it is verified that the absolute value of the plaintext of the ciphertext 450, e [2] and e ′ [2], does not exceed 2 ^T. Since the verification methods for e [2] and e '[2] are the same, only the verification for e [2] will be described below.

<Challenge value generation step S801> In 530 of FIG. 16, the public key 205 is n, g, the ciphertext sequence is e _i , the ciphertext 450 is e [2], and the modular exponentiation 454.
Using e [21], which is t, and t, which is the safe variable 209,
c [2] = Hash (n, g, e _i , e [2], e [21]) mod2 ^t is calculated.

<Decryption Step S802, Step S803 for Generating Two Kinds of Random Numbers> At 532 in FIG. 16, the ciphertext e
From [2], the plaintext x [21] of the ciphertext e [2] is obtained as x [21] = {(e [2] ^λ modn ² ) -1} / {(g ^λ modn ² ) -1}, Further, in 534, a random number 533 for encryption, s [21], is obtained using the secret key λ as follows. s [21] = (e [2] g ^{-x [21]} ) ^ (n ^-1 mod λ) modn

In 532 of FIG. 16, the plaintext x [22] of the ciphertext e [21] is calculated from the e [21] that is the element 454 of the prooftext.
(535) is obtained as x [22] = {(e [21] ^λ modn ² ) -1} / {(g ^λ modn ² ) -1}, and s is a random number 536 for encryption.
[22] is calculated as follows using the secret key λ. s [22] = (e [21] g ^{-x [22]} ) ^ (n ^-1 mod λ) modn

[0123] In 537 <size of confirmation step S804> FIG 16, r [i2] ∈ [ c [2] 2 T / 2 + 1 √ {ba}, 2 T] (i = 1, ..., m) The size is confirmed by the
If it is confirmed that the following verification equation, which is the first order of the challenge value c [2] (461), is satisfied using _i and β _i , the verification of the absolute value is accepted. x [21] c + x [22] = Σ _{i = 1} ^m α _i r [i2] (modn) s [21] ^c s [22] = g ^ {Σ _{i = 1} ^m β _i r [i2]} If the absolute value of the plaintext of (modn) e [2] is not smaller than 2 ^T , the probability of false acceptance is 2 ^{-t '} or less.

[Validity (1)] The validity of the square number proof step and the square number verification step in this embodiment will be described. Let W [i], Z [i], V [i] be e [1] = Π _{i = 1} ^m e _i ^[i] mod n ^ 2 e [11] = Π _{i = 1} ^m e _i ^{Z [i ]} mod n ^ 2 e [12] = Π _{i = 1} ^m e _i ^{V [i]} mod n ^ 2 is satisfied, and the person who generated e [1], e [11], e [12] knows Value. The expression r [i1] ² = c [1] ² W [i] + c [1] Z [i] + V [i] mod n, other than r [i1] such that x [11] c [1] ² + x [12] c [1] + x [13] = Σ _{i = 1} ^m α _i r [i1] ² mod
n s [11] ^ {c [1] ² } s [12] ^ c [1] s [13] = g ^ {Σ _{i = 1} ^m β _i r [i1] ² }
The probability of generating r [i1] that satisfies both mod n is at most 2 ^-t
Is. At this time, for non-square W [i], r [i1] ² = c [1] ² W [i] + c [1] Z [i] + V [i] mod n square root r The probability that [i1] exists is at most {1 + t
log 2} / 2 ^ ^{t + 1} . This is negligibly small, so W [i] must be square for the verification to be accepted. If w [i1] ∈ [-2 ^{t + s} D, 2 ^{t + s} D], then the expression r [i1] ∈ [c [1] D, 2 ^{t + s} D] (i = 1 ,. The probability that .., m) will be satisfied is at most 2 ^ {-t}. This is negligibly small, so the square of W [i] must be in the range [ ^{-2 t + s} D, 2 ^{t + s} D] for the verification to be accepted.
From this step, the verifier asks Σ _{i = 1} ^m α _i w [i1] ² mod n, Σ _{i = 1} ^m α _i v [i1] ² mod n, g ^ {Σ _{i = 1} ^m β _i w [ i1] ² } mod n, g ^ {Σ _{i = 1} ^m β _i v [i1] ² } mod n only leaks.

[Justification (2)] The justification of the proof step of the magnitude of the absolute value and the verification step of the magnitude of the absolute value in this embodiment will be described. In addition to r [i1] represented by the equation r [i2] = v [i2] + c [2] w [i2], x [21] c + x [22] = Σ _{i = 1} ^m α _i r [i2] mod ns [21] ^c s [22] = g ^ {Σ _{i = 1} ^m β _i r [i2]} The probability of generating r [i1] satisfying both mod n is at most 2 ^
It is {-t}. This is negligibly small, so this condition must be met for the verification to be accepted. Then, if w [i2] ∈ [-2 ^T , 2 ^T ] (i = 1, ..., m), then r [i2] ∈ [c [2] 2 ^{T / 2 + 1} √ {ba} , 2 ^T ] (i = 1, ..., m) is at most 2 ^ {-t}. This is negligibly small, so this condition must be met for verification to be accepted. From this step, the verifier asks Σ _{i = 1} ^m α _i w [i2] mod n, g ^ {Σ _{i = 1} ^m β _i w [i2]} m
Only the value of od n is leaked.

[Validity (3)] According to the present invention, "a method for proving that each exponent coefficient of a power-residue product of a public-key cryptogram is within an interval,
The verification method for verifying that each exponential coefficient of the modular exponentiation of the public key ciphertext is within the section "is described. .W (i1], w [i2], shown by legitimacy (1), legitimacy (2),
From the conditions imposed on w '[i1], w' [i2], we can see that w _i exists within the specified interval.

Although the present invention has been described with reference to the preferred embodiments and examples, the present invention is not limited to the above-described embodiments and examples, and various modifications can be made within the scope of the technical idea thereof. It can be modified and implemented.

[0128]

As described above, according to the present invention, a probabilistic public key ciphertext having the form of a modular exponentiation and a data string whose value is within a specified range as its exponential coefficient string With respect to the probability public key ciphertext using, it is possible to create a proof text that can at once prove that the value of each exponential coefficient is in the specified section, while hiding the value of the exponential coefficient, and that It is possible to verify that the value of each of the specified coefficients is within the specified range based on the proof sentence.

[Brief description of drawings]

FIG. 1 is a block diagram of an embodiment of the present invention.

FIG. 2 is a flowchart for explaining the process of one embodiment of the present invention.

FIG. 3 is a block diagram showing an example of a proof sentence creating apparatus of the present invention.

FIG. 4 is a flow chart for explaining a proof text creation process by the proof text creation device of the present invention.

FIG. 5 is a flow chart for explaining a proof sentence creating process by the proof sentence creating apparatus of the present invention.

FIG. 6 is a flow chart for explaining a proof sentence creating process by the proof sentence creating apparatus of the present invention.

FIG. 7 is a block diagram showing an example of a verification device of the present invention.

FIG. 8 is a flowchart for explaining a verification process by the verification device of the present invention.

FIG. 9 is a flowchart for explaining a verification process by the verification device of the present invention.

FIG. 10 is a flowchart for explaining a verification process by the verification device of the present invention.

FIG. 11 is a diagram for explaining the processing of the proof sentence creation device of the present invention.

FIG. 12 is a diagram for explaining the processing of the proof sentence creation device of the present invention.

FIG. 13 is a diagram for explaining the processing of the proof sentence creation device of the present invention.

FIG. 14 is a diagram for explaining the processing of the verification device of the present invention.

FIG. 15 is a diagram for explaining the processing of the verification device of the present invention.

FIG. 16 is a diagram for explaining the processing of the verification device of the present invention.

FIG. 17 is a diagram for explaining a conventional technique.

[Explanation of symbols]

101 ... Verifier terminal 102 ... Prover terminal 111 ... Data storage means 112 ... Public information storage means 113 ... Certificate producing device 114 ... Processing result receiving device 115 ... Input / output device 121 ... Information setting disclosure means 122 ... Information storage means 123 ... Verification device 124 ... Processing device

Claims (15)

[Claims] 1. The value of each exponential coefficient of the exponentiation remainder product by the sequence of exponential coefficients of the sequence of probabilistic public key ciphertexts encrypted by the probabilistic public key cryptosystem is within a specified interval. In a proof system that creates a proof sentence for proof and verifies that the value of each exponential coefficient is within the specified section based on the proof sentence, a public key of the stochastic public key cryptosystem and , An upper limit value and a lower limit value that define the specified section, a sequence of the probability public key ciphertext, a sequence of the exponential coefficient, and a value of a safety variable that defines a probability of correct verification, A proof sentence creating device for creating the proof sentence for determining whether or not the value of each exponential coefficient is within the specified section without losing the decipherability of the value of each exponential coefficient; And the modular exponentiation of The upper and lower limits, the public key and the secret key of the stochastic public key cryptosystem, the safety variable, the sequence of the stochastic public key ciphertext, and the sequence of the probabilistic public key ciphertext. Whether the value of each exponential coefficient of the modular exponentiation product is within the specified interval based on the sequence of random numbers used for A proof system including a verification device that verifies with the probability of. 2. The proof sentence creation device, wherein a difference column between a lower limit value, which is a column obtained by subtracting the lower limit value from the value of each exponential coefficient of the exponential coefficient column, and the upper limit value of the exponential coefficient. Of the difference column between the upper and lower limit values, which is a column obtained by subtracting the value of each exponential coefficient of the column, and the difference column between the lower limit value and the upper limit value. The value of each element of the difference column is multiplied by the first value determined by the value that defines the safety variable and the interval, and the difference column with the expanded lower limit value and the difference column with the expanded upper limit value are obtained. For each element of the expanding unit to generate, the column of the difference between the expanded lower limit value and the column of the difference between the expanded upper limit value, the maximum square number smaller than that value, and By calculating the difference value obtained by subtracting the corresponding square number from the value, the difference between the expanded lower limit value and the column And a division unit that divides the column of the difference between the expanded upper limit value and the column of the square number and the column of the difference value, and the division unit that corresponds to the lower limit value of the column of the probability public key ciphertext. A first exponentiation remainder product by a sequence of square numbers and a second exponentiation remainder product by the sequence of square numbers corresponding to the upper limit value of the sequence of the probability public key ciphertext are obtained, and the first and A square that generates a proof that the sequence of exponential coefficients of the second exponentiation remainder product is a square number and that the square root does not exceed the second value defined by the safety variable and a constant that defines the interval. A proof part of a number, a third power residue product by the sequence of the difference values corresponding to the lower limit value of the sequence of the probability public key ciphertext, and the upper limit value of the sequence of the probability public key cryptogram. A fourth exponentiation remainder product is obtained from the corresponding sequence of the difference values, and each exponent coefficient of the third and fourth exponentiation remainder product is calculated. Certification system according to claim 1, wherein the absolute value and a proof of the magnitude of the absolute value to generate a proof text for less than the first value of the values. 3. The verification device obtains a value obtained by multiplying the product of all the elements of the sequence of the probability public key ciphertext by the lower limit value, and by this value, the exponentiation remainder product of the verification target is obtained by the public key. Is divided by a modulo element to obtain an expanded value using the first value, and this value is equal to the product of the first exponentiation remainder product and the third exponentiation remainder product. And obtain a value obtained by multiplying the product of all the elements of the sequence of the probability public key ciphertext by the upper limit value, and by using this value, the exponentiation remainder product to be verified is a public key And divide it by the first value to find an expanded value, and confirm that this value is equal to the product of the second power residue product and the fourth power residue product. If the above two confirmations can be made, a division verification unit that outputs a verification acceptance of division, and the value of each exponential coefficient of the first exponentiation remainder product is a square number, It is verified that the square root does not exceed the second value, and that the value of each exponential coefficient of the second power residue product is a square number, and that the square root exceeds the second value. If the two verifications are possible, a verification unit for a square number that outputs a verification acceptance of a square number, and a value of each exponential coefficient of the third exponentiation remainder product does not exceed the first value. It is verified that the value of each exponential coefficient of the fourth power-residue product does not exceed the first value, and if the two verifications are successful, the verification of the magnitude of the absolute value is accepted. A verification unit for verifying the magnitude of the absolute value to be output.
Proof system described. 4. The square number proof section corresponds to the encryption section for generating the first and second power-residue products, the first random number sequence corresponding to the lower limit value, and the upper limit value. A random number generator for generating a second random number sequence, a square root of each element of the sequence of square numbers corresponding to the lower limit value, and each element of the first random number sequence corresponding to the lower limit value and 2 The fifth exponentiation remainder product, which is the exponentiation remainder product of the probability public key ciphertext sequence, and the square root of each element of the sequence of square numbers corresponding to the upper limit, and the second random number A power-residue product generation unit that generates a sixth power-residue product that is a power-residue product of the sequence of the stochastic public key ciphertext by a sequence obtained by multiplying each element of the sequence by 2 and the lower-limit value The seventh power which is the modular exponentiation of the sequence of the stochastic public key ciphertext by the squared sequence of each element of the first random number sequence corresponding to Generate an extra product and an eighth exponentiation remainder product, which is the exponentiation remainder product of the sequence of the stochastic public key ciphertext, by the squared sequence of each element of the second random number sequence corresponding to the upper limit value. A random exponentiation product generator, a lower limit value that is an output of a hash function including the public key, the sequence of the probabilistic public key ciphertext, and the first, fifth, and seventh exponentiation remainder products as inputs. To the upper limit value which is the output of the hash function including the public key, the sequence of the probabilistic public key ciphertexts, and the second, sixth, and eighth exponentiation modulo products corresponding to A challenge value generator that generates a corresponding second challenge value; a square root of each element of the first random number sequence corresponding to the lower limit value and a square root of each element of the square number sequence corresponding to the lower limit value; A first response corresponding to a lower bound, which is a column of sums, with a sequence of product of one challenge value, and the first response corresponding to the upper bound. Second response corresponding to an upper limit value which is a summation column of the square root of each element of the random number sequence corresponding to the upper limit and the square root of each element of the square number sequence and the first challenge value And a response generation unit that generates a value, and all of the elements of the first response are within a first interval defined by a safety variable, a size of the interval, and a constant determined from the first challenge value. If all the elements of the second response are not within the second interval defined by the safety variable, the size of the interval, and the constant determined by the second challenge value,
The proof system according to claim 2, further comprising a size confirmation unit for redoing the proof of the square number from the beginning. 5. The square number verification unit includes a challenge value generation unit that generates the first challenge value and the second challenge value, and the first, second, fifth, sixth, and sixth challenge values. The first, second, fifth, sixth, seventh, and plaintexts of the seventh and eighth exponentiation remainder products, respectively.
A decryption unit that generates an eighth plaintext using the secret key, and a random number that is used to generate each of the first, second, fifth, sixth, seventh, and eighth power remainder products. 1, second,
A random number generator for generating fifth, sixth, seventh, and eighth random numbers with a secret key; whether all elements of the first response are within the first interval; Using a size confirmation unit that confirms whether all the elements are in the second section, the plaintext of the sequence of the probability public key ciphertext, and the random number used for generating the probability public key ciphertext , A first verification equation using a quadratic expression of the first challenge value corresponding to the lower limit value and a quadratic expression of the first response, and a second challenge corresponding to the upper limit value. The proof system according to claim 4, further comprising: a quadratic verification unit that confirms that a second verification formula using a quadratic formula of a value and a quadratic formula of the second response holds. 6. The proof part of the magnitude of the absolute value corresponds to an encryption part for generating third and fourth exponentiation modulo products, and a third random number sequence corresponding to the lower limit and an upper limit. A ninth random exponentiation product which is a modular exponentiation product of the sequence of the stochastic public key ciphertext by the random number generation unit that generates the fourth random number sequence and the third random number sequence corresponding to the lower limit value. And the fourth random number sequence corresponding to the upper limit,
A power-residual-residue generating unit that generates a tenth power-residual-residue that is a power-residual-residual product of the sequence of probabilistic public-key ciphertexts; the public key, the sequence of probabilistic public-key ciphertexts, and the third; And a third challenge value corresponding to the lower limit value which is the output of the hash function including the input and the ninth exponentiation remainder product, and the public key,
A challenge value generation unit that generates a fourth challenge value corresponding to an upper limit value that is an output of a hash function including the sequence of the probabilistic public key ciphertext and the fourth and tenth modular exponentiation as inputs. , The sum of the sequence of the difference between each element of the third random number sequence corresponding to the lower limit and the square number corresponding to the lower limit and the sequence of the product of the third challenge values corresponding to the lower limit A third response corresponding to a lower limit which is a sequence, a sequence of differences between each element of the fourth random number sequence corresponding to the upper limit and the square number corresponding to the upper limit, and the above corresponding to the upper limit A response generation unit that generates a fourth product row of challenge values and a fourth response corresponding to an upper limit value that is a sum row, and all elements of the third response include a safety variable and an interval. Is not within the third interval defined by the magnitude and the constant defined by the third challenge value, or is all the elements of the fourth response , A size confirmation unit for redoing the absolute value size proof process from the beginning unless it is within the fourth interval defined by the safety variable, the interval size, and the constant defined by the fourth challenge value. The proof system according to claim 4. 7. An absolute value magnitude verification unit, a challenge value generation unit that generates the third challenge value and the fourth challenge value, and the third, fourth, ninth, and ninth challenge values. A decryption unit that generates the third, fourth, ninth, and tenth plaintexts, which are the plaintexts of the tenths modular exponentiation, with a secret key; and the third, fourth, ninth, and tenth powers. A random number generator for generating a third, fourth, ninth, and tenth random number used to generate a remainder product with a secret key; and all elements of the third response in the third section. And a size confirmation unit that confirms whether all the elements of the fourth response are in the fourth section, and a linear expression of the third challenge value corresponding to a lower limit value and the first Three
The third verification expression using the linear expression of the response of is satisfied, and the fourth linear expression of the fourth challenge value corresponding to the upper limit value and the fourth linear expression of the fourth response are used. 7. The proof system according to claim 6, further comprising: a verification unit based on a linear expression that confirms that the verification expression holds. 8. The value of each exponential coefficient of the modular exponentiation product of the sequence of exponential coefficients of the sequence of probabilistic public key ciphertext encrypted by the probabilistic public key cryptosystem is within a specified section. In a proof method for creating a proof sentence for proof and verifying that the value of each exponential coefficient is within the specified section based on the proof sentence, a public key of the stochastic public key cryptosystem and , An upper limit value and a lower limit value that define the specified section, a sequence of the probability public key ciphertext, a sequence of the exponential coefficient, and a value of a safety variable that defines a probability of correct verification, A proof statement creating step for creating the proof statement for determining whether or not the value of each exponential coefficient is within the specified section without losing the decipherability of the value of each exponential coefficient; And the modular exponentiation of The upper and lower limits, the public key and the secret key of the stochastic public key cryptosystem, the safety variable, the sequence of the stochastic public key ciphertext, and the sequence of the probabilistic public key ciphertext. Whether the value of each exponential coefficient of the modular exponentiation product is within the specified interval based on the sequence of random numbers used for And a verification step of verifying with the probability of. 9. The proof sentence creating step includes a column of a difference from a lower limit value, which is a column obtained by subtracting the lower limit value from a value of each exponential coefficient in the column of the exponential coefficient, and a column of the exponential coefficient from the upper limit value. A step of generating a difference column between both end values and a column of difference between the upper limit value which is a column obtained by subtracting the value of each exponential coefficient of the column, and a column of difference between the lower limit value and the upper limit value. The value of each element of the difference column is multiplied by the first value determined by the value that defines the safety variable and the interval, and the difference column with the expanded lower limit value and the difference column with the expanded upper limit value are obtained. For each element of the expanding step of generating and the row of the difference between the expanded lower limit value and the row of the difference between the expanded upper limit value, the maximum square number smaller than that value, and The expanded lower limit is calculated by calculating the difference value obtained by subtracting the corresponding square number from the value. A dividing step of dividing the difference column with the difference value column and the enlarged difference value column with the expanded upper limit value into the square number column and the difference value column, and the lower limit of the probability public key ciphertext column. A first exponentiation remainder product by the sequence of the square numbers corresponding to the value and a second exponentiation remainder product by the sequence of the square numbers corresponding to the upper limit value of the sequence of the probability public key ciphertext are obtained. , Proof that the sequence of exponential coefficients of the first and second exponentiation remainder products is a square number, and that the square root does not exceed a second value defined by the safety variable and a constant defining an interval. A proof step of a square number for generating a sentence, a third power residue product by a sequence of the difference values corresponding to the lower limit value of the sequence of the probability public key ciphertext, and a sequence of the probability public key ciphertext And a fourth power residue product of the sequence of the difference values corresponding to the upper limit value of Certification The method of claim 8, wherein the absolute value and a certificate step of the magnitude of the absolute value to generate a proof text for less than the first value of the fourth power of the value of each index coefficients of the remainder product. 10. The verification step obtains a value obtained by multiplying the product of all the elements of the sequence of the probability public key ciphertext by the lower limit value, and using this value, the exponentiation remainder product of the verification target is obtained by the public key. Is divided by a modulo element to obtain an expanded value using the first value, and this value is equal to the product of the first exponentiation remainder product and the third exponentiation remainder product. And obtain a value obtained by multiplying the product of all the elements of the sequence of the probability public key ciphertext by the upper limit value, and by using this value, the exponentiation remainder product to be verified is a public key And divide it by the first value to find an expanded value, and confirm that this value is equal to the product of the second power residue product and the fourth power residue product. If the above two confirmations are made, a division verification step of outputting a verification acceptance of division, and a value of each exponential coefficient of the first exponentiation remainder product is a square number That the square root does not exceed the second value, and that the value of each exponential coefficient of the second power residue product is a square number, and that the square root is the second value. Of the exponential coefficient of the third exponentiation remainder product, and the value of each exponential coefficient of the third exponentiation remainder product is verified as follows: It is verified that the value does not exceed the value, and that the value of each exponential coefficient of the fourth power residue product does not exceed the first value. If the above two verifications can be performed, the magnitude of the absolute value can be verified. 10. The proof method according to claim 9, further comprising the step of verifying the magnitude of the absolute value, which outputs the verification acceptance of. 11. The square number proof step corresponds to an encryption step for generating the first and second power-residue products, a first random number sequence corresponding to the lower limit value and the upper limit value. A random number generating step of generating a second random number sequence; multiplying a square root of each element of the sequence of square numbers corresponding to the lower limit value by each element of the first random number sequence corresponding to the lower limit value by 2; The fifth exponentiation remainder product, which is the exponentiation remainder product of the probability public key ciphertext sequence, and the square root of each element of the sequence of square numbers corresponding to the upper limit, and the second random number A modular exponentiation product generating step for generating a sixth exponentiation modular exponentiation which is a modular exponentiation modular exponentiation of the sequence of the stochastic public key ciphertext by a numerical sequence obtained by multiplying each element of the sequence by 2 and the lower limit value Of the probability public key ciphertext sequence by the squared sequence of each element of the first random number sequence corresponding to It is a modular exponentiation product of the sequence of the stochastic public key ciphertext by a seventh modular exponentiation product that is a modular exponentiation product and a sequence of squares of each element of the second random number sequence corresponding to the upper limit value. An exponentiation modular exponentiation step for generating an eighth exponentiation modular exponentiation, and inputting the public key, the sequence of the stochastic public key ciphertext, the first, fifth and seventh exponentiation modular exponentiation The first challenge value corresponding to the lower limit value which is the output of the hash function, the public key, the sequence of the stochastic public key ciphertexts, and the second, sixth, and eighth power modulo products are input. A challenge value generation step of generating a second challenge value corresponding to an upper limit value that is an output of the hash function including; each element of the first random number sequence corresponding to the lower limit value and the square corresponding to the lower limit value. The square root of each element of the number sequence and the product row of the first challenge value, which corresponds to the lower bound that is the sum column A response of 1 and a column of a product of the square root of each element of the second random number sequence corresponding to the upper limit value and each element of the sequence of square numbers corresponding to the upper limit value and the first challenge value, A response generation step of generating a second response corresponding to an upper limit value which is a sequence of sums; all elements of the first response are constants defined by a safety variable, an interval size, and the first challenge value. Or not all the elements of the second response are in the second interval defined by the safety variable, the size of the interval and the constant determined by the second challenge value. If
10. The proof method according to claim 9, further comprising a step of confirming the size of starting the proof of the square number from the beginning. 12. The square number verification step includes a challenge value generation step of generating the first challenge value and the second challenge value, and the first, second, fifth, sixth, and sixth challenge values. The first, second, fifth, sixth, seventh, and plaintexts of the seventh and eighth exponentiation remainder products, respectively.
A decryption step of generating an eighth plaintext using the secret key; and a random number used to generate each of the first, second, fifth, sixth, seventh, and eighth power remainder products. 1, second,
A random number generation step of generating fifth, sixth, seventh, and eighth random numbers with a secret key; whether all elements of the first response are within the first interval; Using a size confirmation step for confirming whether all the elements are in the second section, the plaintext of the sequence of the stochastic public key ciphertext, and the random number used for generating the stochastic public key ciphertext , A first verification equation using a quadratic expression of the first challenge value corresponding to the lower limit value and a quadratic expression of the first response, and a second challenge corresponding to the upper limit value. The proof system according to claim 11, further comprising a quadratic verification step for confirming that a second verification expression using a quadratic expression of a value and a quadratic expression of the second response holds. 13. The step of proving the magnitude of the absolute value corresponds to an encryption step for generating third and fourth power-residue products, and a third random number sequence corresponding to the lower limit value and an upper limit value. A random number generation step of generating a fourth random number sequence, and a ninth power residue product which is a power residue product of the sequence of the stochastic public key ciphertexts by the third random number sequence corresponding to the lower limit value. And the fourth random number sequence corresponding to the upper limit,
A power-residue product generating step of generating a tenth power-residue product which is a power-residue product of the sequence of the probabilistic public-key ciphertext, the public key, the sequence of the probabilistic public-key ciphertext, the third And a third challenge value corresponding to the lower limit value which is the output of the hash function including the input and the ninth exponentiation remainder product, and the public key,
A challenge value generation step of generating a fourth challenge value corresponding to an upper limit value which is an output of a hash function including the sequence of the probabilistic public key ciphertext and the fourth and tenth modular exponentiation as inputs; , The sum of the sequence of the difference between each element of the third random number sequence corresponding to the lower limit and the square number corresponding to the lower limit and the sequence of the product of the third challenge values corresponding to the lower limit A third response corresponding to a lower limit which is a sequence, a sequence of differences between each element of the fourth random number sequence corresponding to the upper limit and the square number corresponding to the upper limit, and the above corresponding to the upper limit A response generation step of generating a fourth product row of challenge values and a fourth response corresponding to an upper limit value which is a sum row, and all elements of the third response include a safety variable and an interval. Is it not within the third interval defined by the constant determined from the size and the third challenge value, or is it the fourth response value? If all of the elements are not in the fourth interval defined by the safety variable, the interval size, and the constant defined by the fourth challenge value, the size verification is performed in which the absolute value size verification process is restarted from the beginning. The proof method according to claim 11, further comprising a step. 14. The step of verifying the magnitude of the absolute value includes a challenge value generating step of generating the third challenge value and the fourth challenge value, and the third, fourth, ninth and tenth steps. A decryption step of generating the third, fourth, ninth and tenth plaintexts, which are the plaintexts of the tenth power remainders, with a secret key; and the third, fourth, ninth and tenth powers. A random number generation step of generating a third, fourth, ninth, and tenth random number used to generate a remainder product with a secret key; and all elements of the third response in the third interval. And a magnitude confirmation step for confirming whether all the elements of the fourth response are in the fourth interval, and a linear expression of the third challenge value corresponding to a lower limit value and the third equation. Three
The third verification expression using the linear expression of the response of is satisfied, and the fourth linear expression of the fourth challenge value corresponding to the upper limit value and the fourth linear expression of the fourth response are used. 14. The proof method according to claim 13, further comprising a verification step using a linear expression for confirming that the verification equation holds. 15. The value of each exponential coefficient of the exponentiation remainder product by the sequence of exponential coefficients of the sequence of probabilistic public key ciphertext encrypted by the probabilistic public key cryptosystem is within a specified section. A computer constituting a proof system for producing a proof sentence for proof and verifying that the value of each exponential coefficient is within the specified section based on the proof sentence, the stochastic public key cryptosystem Public key, an upper limit value and a lower limit value that define the specified section, a sequence of the probability public key ciphertext, a sequence of the exponential coefficient, and a value of a safety variable that defines the probability of correct verification. Based on the above, the proof sentence creating device for creating the proof sentence for determining whether or not the value of each exponential coefficient is within the specified section without losing the decipherability of the value of each exponential coefficient , The exponentiation remainder product to be verified , The upper limit value and the lower limit value defining a specified range, the public key and the secret key of the stochastic public key cryptosystem, the safety variable, the sequence of the stochastic public key cryptogram, and the stochastic public key cryptogram Whether the value of each exponential coefficient of the modular exponentiation product is within the specified interval based on the sequence of random numbers used for encryption of the sequence of A program that functions as a verification device that verifies with a probability higher than that specified in.