JP2006203660A - Device method and program for forming digital signature information - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a digital signature forming device which creates digital signature information in which a manager is unnecessary, it has signer's anonymity, denial by a user other than the signer is possible, and verification can be carried out offline. <P>SOLUTION: A signature forming terminal uses a document of a signature target and a signer's secret key, forms a 1st component which makes the denial of a user other than the signer possible, forms a 2nd component which guarantees that 1st information is created using the secret key using all or a part of public keys of users other than the signer and the private key, and outputs digital signature information including the 1st component and the 2nd component. A signature verification terminal can carry out verification offline, and the specification or the denial of the signer is carried out between the signature forming terminal and the signature verification terminal online. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a digital signature information generation apparatus, a digital signature information generation method, and a program for generating digital signature information.

  With the development of the information society, the form of communication in which data is digitized and exchanged over a network is increasing. Digital data (hereinafter, “data” refers to digital data) can be easily created, copied, or altered by a third party, so if the authenticity of the data is important, the data is reliable. Digital signature (electronic signature) technology is used to provide a digital signature.

  In basic digital signatures, for example, the signer side obtains a hash value by applying a hash function to the data to be signed, and converts the hash value with the signer's private key to generate digital signature information. The digital signature information is added to the signature target data to obtain data with a digital signature. On the other hand, on the verifier side, for example, the first data obtained by applying the hash function to the data portion of the digital signature data to be verified and the digital signature information added to the data to be verified are signed. It verifies by comparing with the 2nd data obtained by carrying out reverse conversion with the public key of the person said to be.

  Since it is difficult to forge digital signature information and decrypt the private key, the fact that the user who is the signer has digitally certified the data through verification using the digital signature information (definitely the data and the signature (The fact that the digital signature was generated using the private key of the person).

  In this specification, the operations for explaining the group manager, the signer, the verifier, the certificate authority, etc. basically mean the operations of the devices related to them.

  By the way, with the diversification of services on the network, various functions are required for digital signatures. For example, a digital signature having anonymity has been developed in order to realize privacy protection of an individual signer in electronic payment, electronic voting, and the like. In a digital signature having anonymity, a user who uses the signature belongs to a group to which a plurality of users join. Then, the user who becomes the signer applies a digital signature that can be verified with the public key corresponding to the group or a digital signature that can be verified with the public key of all users belonging to the group. Generated using the user's own private key. A digital signature that guarantees anonymity can verify the fact that one of the members of the group generated the digital signature, but identifies the signer who actually generated the digital signature I can't do it.

  Conventional signature methods that guarantee anonymity are roughly classified into two types. One is a group signature (see, for example, Non-Patent Document 1), and the other is a ring signature (see, for example, Patent Document 1). The conventional group signature and ring signature will be briefly described below.

  In the group signature, the signer communicates with the group manager to generate a signature key. The group manager generates a public key corresponding to the group and registers it with the certificate authority. At this time, the public key corresponding to the group is determined in advance and the signing key of each signer is generated, and the public key is updated each time the signer receives participation in the group and generation of the signing key. There is a method of re-registering with the certificate authority. The signature is performed using a certifier's signature key, and the verification is performed using a public key corresponding to the group.

  In the conventional group signature, the signer can be identified by the group manager, so the signer is identified without the intention of the signer, and the anonymity is discarded, that is, the information related to privacy is disclosed. There was a possibility. In addition, the signer must communicate with the group administrator to generate the signing key. In addition to the inefficiency of key generation, the secret information is concentrated on the group administrator. There was a problem that it had to be done strictly.

In addition, a group signature method that does not require a group administrator has been proposed. However, because verification requires a large number of online communications between the verifier and the signer, the efficiency of the verification process In addition to being bad, it was necessary to use anonymous communication technology to guarantee anonymity.

  In other words, the conventional group signature does not require an administrator, has anonymity of the signer, can be denied by a user other than the signer (assuming that he is not a true signer), and verified. Could not be implemented offline.

  On the other hand, in the ring signature, the signature is performed by using a plurality of other users 'public keys and signers' signature keys which are dynamically selected and obtained from the certificate authority (hereinafter, the other keys for which the public key is selected). The user is referred to as a dummy signer with respect to the true signer), and verification is performed using the public key of the signer and dummy signer.

Even in the conventional ring signature, there is no one that does not require an administrator, has anonymity of the signer, can be denied by a user other than the signer, and can be verified offline.
JP 2004-229137 A “Suga, Ichimura,“ Ring Signature with Denial Function ”, Symposium on Cryptography and Information Security 2003

  Conventional digital signatures do not require an administrator, have anonymity of the signer, can be denied by a user other than the signer, and have not been verified offline.

  The present invention has been made in consideration of the above circumstances, and requires a digital signature that does not require an administrator, has anonymity of the signer, can be denied by a user other than the signer, and can be verified offline. An object of the present invention is to provide a digital signature information generation apparatus, a digital signature information generation method, and a program for generating information.

  The present invention provides an input means for inputting data to be signed, a storage means for storing a secret key of a first user who is a signer of the data, and a public key of a second user other than the first user First information that allows the individual second user to be denied the signer of the data using the acquisition means for acquiring all or part of the data and the data and the secret key A first generation means for generating the second information for ensuring that the first information is generated using the secret key by using all or a part of the public key and the secret key. A second generation means for generating information, and an output means for outputting digital signature information including the first information and the second information are provided.

  Digital signature information is added to the data to be signed, and the data is passed as signed data. The signed data may be passed between the digital signature information generation device and the signature verification device via a communication medium or may be passed via a recording medium.

  The signature verification apparatus can perform verification (offline) using the data to be signed, the digital signature information added to the data, and the public keys of the signer and the dummy signer. When it is necessary to specify whether or not a specific signer has generated a signature, the digital signature information generation device is inquired from the signature verification device (by online dialogue), and the user of the device It is verified that the signature information has been generated or that the digital signature information has not been generated.

The present invention relating to the apparatus is also established as an invention relating to a method, and the present invention relating to a method is also established as an invention relating to an apparatus.
Further, the present invention relating to an apparatus or a method has a function for causing a computer to execute a procedure corresponding to the invention (or for causing a computer to function as a means corresponding to the invention, or for a computer to have a function corresponding to the invention. It can also be realized as a program (for realizing the program), and can also be realized as a computer-readable recording medium on which the program is recorded.

  According to the present invention, a digital signature information generating apparatus that generates digital signature information that does not require an administrator, has anonymity of a signer, can be denied by a user other than the signer, and can be verified offline. A digital signature information generation method and program can be provided.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  Here, prior to describing the digital signature according to the present embodiment, the digital signature disclosed in Non-Patent Document 1 will be referred to.

In Non-Patent Document 1, the number of signers is L, and each signer P _i (i∈ {0,..., L−1}) is public information ( _pi , q _i , g _i , y _i , H _i ) is open to the public. However, p _i and q _i are sufficiently large prime numbers such that q _i divides p _i −1. g _i is a generator of the multiplicative group G in Z / p _i Z = {0, 1,..., p _i −1} where the order is q _i . y _i is a value calculated from y _i = g ^xi mod p _i for secret information x _i εZ / q _i Z = {0, 1,..., q _i −1} secretly held by the signer. It is. H _i is a hash function that copies an arbitrary bit length value to G. Also, let H be a hash function used in common by all signers, such as copying an arbitrary bit length value to an l ₁ bit value.

In Non-Patent Document 1, the signer _Pk generates two types of signatures using the public keys of other signers. The first is a signature for a component Rep for asserting that a user other than the document M and the signer does not generate a signature. The second is a hash value H (Rep of the documents M and Rep. ).

  The calculation of the first signature component is as follows.

The signer P _k randomly selects a′∈Z / q _k Z, and T ′ _k = g _k ^{a ′} mod p _k and c ′ _{k + 1} = H _k (M, Rep, T ′ _k ). calculate.

Next, the signer P _k is, j = k + 1, ... , L-1,0 (= L), ..., for k-1, s' and _j ∈Z / q _j Z is selected randomly, the P _j Using public information (p _j , q _j , g _j , y _j , H _j ), T ′ _j = g _j ^s′j y _j ^c′j mod p _j and c ′ _{j + 1} = H _j (M , Rep, T ′ _j ).

Finally, the signer P _k calculates s ′ _k = a′−x _k c ′ _k mod q _k and R ₁ = (H (Rep), c ′ ₀ , s ′ ₀ ,..., C ′ _{L −1} , s ′ _L−1 ) is the first signature component.

  The calculation of the second signature component is as follows.

The signer P _k calculates a ″ = H (R ₁ ) and sets a = a ′ + a ″ mod q _k, and T _k = g _k ^a mod p _k and c _{k + 1} = H _k ( M, H (Rep), T _k ) are calculated.

Then, the signer P _k is, j = k + 1, ... , L-1,0 (= L), ..., for the k-1, to select at random s _j ∈Z / q _j Z, the public of P _j Using information (p _j , q _j , g _j , y _j , H _j ), T _j = g _j ^sj y _j ^cj mod p _j and c _{j + 1} = H _j (M, H (Rep), T _j ) is calculated.

Finally, the signer P _k calculates s _k = a−x _k c _k mod q _k and R ₂ = (c ₀ , s ₀ ,..., C _L−1 , s _L−1 ) The signature component of the eye.

At this time, as disclosed in Non-Patent Document 1, there is no means for guaranteeing that a = a ′ + H (R ₁ ) mod q _k is correctly generated in the calculation of the second signature component. A user other than the signer can insist that "I have not generated a signature" only when the user has generated a.

  Next, in Non-Patent Document 1, it will be described that when a signer generates a signature without a false sign, the signer can be identified from the signature.

Public information of the signer P _i ( _pi , q _i , g _i , y _i , H _i ), document M, Rep, signature R ₁ = (H (Rep), c ′ ₀ , s ′ ₀ ,..., C ' _L-1 , s' _L-1 ) and signature R ₂ = (c ₀ , s ₀ ,..., C _L-1 , s _L-1 ) are publicly available. At this time, from the signature generation means of the signer P _k , g _k ^sk y _k ^ck = ^ga-xkck y _k ^ck = g _k ^a mod p _k and g _k ^s′ky _k ^c′k = ^{ga′− xkc′k} y _k ^c′k = g _k ^{a ′} modp _k holds. Here, the one trying to identify the signer (one trying to break the anonymity of the method disclosed in Non-Patent Document ₁ ) calculates a ″ = H (R ₁ ), and g _i ^si y _i the ^{_{ci ≡g i s'i y i c'i g}} i a '' (mod p i) and becomes i is determined by exhaustive search. Since i = k is a = a ′ + a ″ mod q _k , the above congruence formula holds. On the other hand, for i ≠ k, since c _i and c ′ _i are outputs of the hash function, the possibility of satisfying the above congruence is low. For this reason, it is possible to specify that _Pi is a signer with respect to i determined by the above congruence formula.

  As described above, in the technology disclosed in Non-Patent Document 1, whether or not “a component other than a signer can prove that he / she has not generated a signature (two types of signatures)” is truly generated. Since there is no means for confirmation, verification is successful by generating fake digital signature information, but there is a problem that the signer himself can generate a signature that can deny the fact of signature creation. There is a problem that the verifier can easily identify the signer from the digital signature.

  On the other hand, according to the present embodiment, the signer can “provide that a user other than the signer has not generated the digital signature information (the user is not the signer)” first component Is generated without using another user's public key. In addition, the signer generates digital signature information that the signer falsely passes and passes the verification formula to calculate the second component that “guarantees that the signer is correctly generating the first component”. It is impossible. Therefore, the above problem does not occur.

  Hereinafter, the digital signature of this embodiment will be described in detail.

  In the following description, the object of the digital signature is called a document, but the document may be any data.

  The digital signature information generating apparatus for generating digital signature information (hereinafter also simply referred to as a signature) according to the present embodiment realizes a digital signature having an undeniable offline verification type anonymity without assuming an administrator. Also, the signer who has signed the digital signature or the denial of the digital signature of a user other than the signer can be denied by the verifier communicating with the signer or another user other than the signer.

  First, components that enable identification or denial of a signer generated by the signature generation processing according to the present embodiment will be described.

  The components that enable the identification or denial of the signer and the method of identification or denial are zero-knowledge non-repudiation signatures (eg “D. Chaum,“ Zero-Knowledge Undeniable Signature, ”in Proceedings of EUROCRYPT '90”, etc.) Can be used.

  In this embodiment, the non-repudiation signature improved by Okamoto et al. (“T. Okamoto and D. Pointcheval,“, ”in Proceedings of CT-RSA 2001”) (hereinafter referred to as Document A A case where the above is used) will be described as an example.

  Here, the method disclosed in Document A will be described.

  Note that Document A has no anonymity and requires online for verification, but this embodiment has anonymity and can be verified offline.

Each user who becomes an administrator or signer of the system publishes p, q, g, A, and F. Here, p is a 1-bit prime, q is an l _1- bit prime that divides p−1, g is a generator of the multiplicative group A of order q, and G is an arbitrary bit length from A to A A collision-resistant one-way hash function, F is a collision-resistant one-way hash function from an arbitrary length number to a number of l ₂ bits. Here, collision resistance means that it is difficult to find a and b satisfying G (a) = G (b), and unidirectionality means that G (a) = when c is given. This means that it is difficult to find a that satisfies c.

  First, a process from generation of a non-repudiation signature key to generation of a non-repudiation signature will be described.

  FIG. 7 shows a procedure for generating a non-repudiation signature key (signer signing and signature generation). FIG. 8 shows a procedure for generating a non-repudiation signature.

The signer user selects s∈Z / qZ = {0, 1,..., Q−1} at random and sets it as a secret key (step S101K), and calculates k = g ^s mod p (step S102K), it is made public as a public key or registered with a certificate authority (step S103K).

After accepting the digital signature target document M (step S101S), the signer calculates w = G (M) (step S102S), calculates S = w ^s mod p (step S103S), and (M , S) is published as a signed document (step S104S).

  On the other hand, the verifier indicates that (M, S) is a correctly signed document or is not correct (the signer has correctly signed M or has not signed M correctly) and the signer. Communication is performed and verification is performed by executing a confirmation protocol (Confirmation Protocol) or a denial protocol (Disavowal Protocol) described below. In each protocol, the verifier performs K processing with the signer repeatedly, and accepts confirmation or denial when all processing passes.

  FIG. 9 shows a verification procedure for a non-repudiation signature in the verification apparatus (signature verification apparatus). FIG. 10 shows a verification procedure for a non-repudiation signature in the signature device (digital signature information generation device).

  The verifier sends the signed document (M, S) to a specific user (for example, a user who is to be verified as a signer or a user who is to be verified as not being a signer). Inquire (step S101Vv) and wait (step S102Vv).

After receiving this inquiry (step S101Vs), this specific user calculates w = G (M) (step S102Vs), checks whether S = w ^s mod p holds (step S103Vs), If the check expression holds, the verifier is informed that (M, S) is a correctly signed document (step S104Vs), and if not, (M, S) is correct. The verifier is informed that the non-signed document is to be executed (step S105Vs) and waits (step S106Vs).

(Confirmation protocol)
FIG. 11 shows a confirmation procedure of a non-repudiation signature in the verification device (signature verification device). FIG. 12 shows a procedure for confirming a non-repudiation signature in the signature device (digital signature information generation device).

  When the verifier receives a communication for executing the confirmation protocol from the specific user (step S101Cv), the verifier sets cnt = 0 as the counter (step S102Cv) and calculates w = G (M) (step S103Cv). ).

Then, the verifier sends a, a b∈Z / qZ randomly select (step S104Cv), by calculating ^{c = w a g b mod p} ( step S105Cv), to a particular user of the (Step S106Cv) and wait (step S107Cv).

After receiving c from the verifier (step S101Cs), the specific user described above randomly selects rεZ / qZ (step S102Cs), and sets t = cg ^r mod p and u = t ^s mod p. Calculate (step S103Cs), transmit to the verifier (step S104Cs), and wait (step S105Cs).

  After receiving t and u from the specific user (step S108Cv), the verifier transmits a and b to the specific user (step S109Cv) and waits (step S110Cv).

The specific user (step S106Cs) after accepting a, b from the ^{verifier, c = w a g b mod} p is whether checks whether established (step S107Cs). If the inspection passes, r is sent to the verifier (step S108Cs), and if the inspection fails, (for example, it is determined that the verifier has performed an illegal process or an error has occurred on the communication path). Then, the process is stopped (step S109Cs).

After receiving r from the specific user (step S111Cv), the verifier checks whether t = cg ^r mod p and u = S ^a k ^{b + r} mod p are satisfied (step S112Cv). If the inspection fails, the process is stopped (determined that the specific user has performed an illegal process or an error has occurred on the communication path) (step S117Cv).

  When the inspection is passed, cnt = cnt + 1 is set (step S113Cv), and whether cnt = K is checked (step S114Cv). If the inspection fails, the process returns to step S104Cv (step S115Cv). If the inspection passes, (M, S) is accepted as a correctly signed document (step S116Cv).

(Denial protocol)
FIG. 13 shows a procedure for rejecting a non-repudiation signature in the verification device (signature verification device). FIG. 14 shows a non-repudiation signature non-repudiation procedure in the signature device (digital signature information generation device).

  On the other hand, when the verifier receives a notification to execute the denial protocol from the specific user (step S101Dv), the verifier sets cnt = 0 as the counter (step S102Dv) and calculates w = G (M) ( Step S103 Dv).

Then, the verifier, a∈ {0, ..., max } of the b∈Z / qZ randomly select (step ^{_{S104Dv), c 1 = w a}} g b mod p and c ₂ = S ^a k ^b Mod p is calculated (step S105Dv), transmitted to the specific user (step S106Dv), and waited (step S107Dv). The max in step S103Dv is set as a small number such that a can be found later by exhaustive search.

After receiving c ₁ and c ₂ from the verifier (step S101Ds), the specific user searches for a satisfying (c ₁ ^s / c ₂ ) = (w / S) ^a mod p (step S102Ds). ), RεZ / qZ is selected at random (step S103Ds), t = F (r, a) is calculated (step S104Ds), transmitted to the verifier (step S105Ds), and waited (step S106Ds). ).

  After receiving t from the specific user (step S108Dv), the verifier transmits b to the specific user (step S109Dv) and waits (step S110Dv).

The specific user, after receiving the b from the verifier (step ^{_{S107Ds), c 1 = w a}} g b mod p and _{^{c 2 = S a k b mod}} p is whether checks whether established (step S108Ds) . If the inspection passes, r is sent to the verifier (step S109Ds). If the inspection fails, it is determined that the verifier has performed an illegal process or an error has occurred on the communication path. The process is stopped (step S110Ds).

  After accepting r from the specific user (step S111Dv), the verifier checks whether t = F (r, a) holds (step S112Dv). If the inspection fails, the processing is stopped (when it is determined that the specific user has performed an illegal process or an error has occurred on the communication path) (step S117Dv).

  When the inspection is passed, cnt = cnt + 1 is set (step S113Dv), and whether cnt = K is checked (step S114Dv). If the inspection fails, the process returns to step S104Dv (step S115Dv). If the inspection is passed, the denial of (M, S) by the specific user is accepted (step S116Dv).

  Now, a configuration example of a signature method having anonymity of non-repudible offline verification that does not assume an administrator using the non-repudiation signature as described above will be shown below.

(First configuration example)
First, a first configuration example will be described.

  Note that the signed document itself in which the digital signature information is added to the signature target document may be passed between the digital signature information generation apparatus and the signature verification apparatus via a communication medium or via a recording medium. May be handed over.

(Preparation of common parameters)
Hereinafter, functions used to configure the digital signature information generation apparatus and signature verification apparatus according to this configuration example and the lengths of input / output data of these functions will be described.

In describing a configuration example of a secure signature exchange system, the security parameters l, l ₁ and l ₂ are selected as follows. l is a bit length 1024 at which the discrete logarithm problem is difficult to calculate, l ₁ is an order 1023 at that time, l ₂ is a bit length 80 at which it is difficult to perform a round-robin search, and the like. At this time, it is assumed that the multiplicative group A of l _1- bit primes q and order q, which divides the 1-bit primes p and p-1, and the generation source g thereof are disclosed by the certificate authority. Also, a hash function G that maps an arbitrary bit length value to A, a hash function H that maps an arbitrary bit length value to Z / qZ, and an arbitrary bit length value of l ₂ bits Assume that a hash function F that maps to, and a not-so-large value max used in the denial protocol are disclosed. The hash functions G, H, and F are hash functions such as SHA (for example, “M. Bellare and P. Rogaway,“ Optimal Asymmetric Encryption—How to encrypt with RSA ”Advances in Cryptology—EUROCRYPT'94 LNCS, Springer -Verlag, 1995 ", etc.).

(Digital signature information generator)
FIG. 1 shows an example of a block diagram of a digital signature information generation apparatus according to this configuration example.

  The arithmetic unit 201 is a part that executes a multiple-length operation. Specifically, the arithmetic unit 201 performs exclusive OR calculation, bit concatenation / division, bit comparison, and the like.

  The random number generation unit 202 is a part that generates a random number necessary for generating a signature.

  The random number memory 203 stores the random number generated by the random number generation unit 202.

  The secret key memory 204 is a memory for storing a secret key related to the public key cryptosystem of the user P of the apparatus.

  The signature generation unit 205 reads the secret key stored in the secret key memory 204 when performing the signature generation process or the confirmation / denial protocol.

  The input / output unit 206 transmits the generated digital signature information of the user P of the apparatus. The input / output unit 206 also performs input / output of other data exchanged between the own apparatus and the outside.

  The function calculation units 207, 208, and 209 perform calculations using random functions G, H, and F, respectively. In the generation, confirmation, and denial protocol of the digital signature information of the user P of the apparatus, a random function stored in the function calculation units 207, 208, and 209 is used. The random function may be stored in advance, or a function determined for each signer may be obtained and stored via the input / output unit 206.

  The control unit 211 controls the entire apparatus.

  The memory 212 stores various data.

  The digital signature information generation device functionally generates a functional part that performs processing related to a key, a functional part that generates a first component of digital signature information described later, and a second component of digital signature information. And a functional part.

  Further, the digital signature information generation device has a function of transmitting a signed document obtained by adding digital signature information to a signature target document to the signature verification device or another device via a network, or (signature verification device or other device). A function of writing to a recording medium (for transfer to and from).

(Preparation of public and private keys)
Each user who becomes a signer uses the digital signature information generating apparatus shown in FIG. For p, q, A, and g published by the certificate authority, each user P _j (j = 1,..., L) randomly selects s _j εZ / qZ and stores it in the secret key memory 204. Then, public key k _j = g ^sj mod p is calculated and made public.

(Signature generation procedure)
The following describes the signer P _i by the signature generation processing.

  FIG. 2 shows an example of a signature generation processing procedure according to this configuration example.

For simplicity of explanation in the following examples, among the L who has registered the public key, for example a method of selecting the L-1 users except user P _i as a signer as a dummy signer explain. In addition to this method, for example, the signer P _i selects any L ′ dummy signers that satisfy L ′ ≦ L−1 at the time of signature generation, and the user (the user who is the signer, the selected dummy) A method of dynamically determining a subscript (i or j shown in the following example) for specifying a user who is a signer or a user who has not been selected is also possible (a method of fixing L ′ is also possible) It is possible, and a method of dynamically determining L ′ is also possible).

Here, by using the first component S of the digital signature information calculated in steps S301 to S303, the signer P _i has generated the first component S according to the confirmation and denial protocol shown below. The user P _j other than the signer can prove the fact that the first component S has not been generated.

On the other hand, the second component (y, b, c ₁ , d ₁ ,..., C _L , d _L ) of the digital signature information calculated in steps S304 to S311 is the first component S is the user P ₁ ,. , P _L public key k ₁ ,..., K _L is a non-interactive zero knowledge proof that proves that it has the same exponent (secret key s _i ) as any component.

The signer P _i receives the signature target document M (step S301), calculates w = G (M) (step S302), and confirms or denies the first component S = w ^si. mod p is calculated (step S303).

Next, the signer P _i calculates the second component.

That is, b′∈Z / qZ is selected at random (step S304), and y = w ^{b ′} mod p is calculated (step S305).

For j = 1,..., i−1, i + 1,..., L, c _j and d _j εZ / qZ are selected at random, and a _j = g ^cj k _j ^dj mod p, b _j = w ^cj S ^dj mod p is calculated (step S306).

e′εZ / qZ is selected at random (step S307), and a _i = ge ^{e ′} mod p and b _i = we ^′ mod p are calculated (step S308).

After the calculation of a ₁ , b ₁ ,..., a _L , b _L is completed, d = H (M, w, S, y, k ₁ ,..., k _L , a ₁ , b _{1 ,.} , B _L ) (step S309), d _i = d− (d ₁ +... + D _i−1 + d _{i + 1} +... + D _L ) mod q and c _i = e′−d _i s _i mod q Is calculated (step S310).

Then, b = b ′ + ds _i mod q is calculated (step S311).

Finally, the signer P _i publishes (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ) as a signed document (step S312). ).

In (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ), M is a signature target document, S is a first component, ( y, b, c ₁ , d ₁ ,..., c _L , d _L ) are the second components.

In _{addition, k 1, ..., k L} each user _P 1, ..., it is a public key of P _L. The user P ₁ to the digital signature _information, ..., instead of including a public key of P _L, may be include information that allows identify them.

(Signature verification device)
FIG. 3 shows an example of a block diagram of the signature verification apparatus according to the present embodiment.

  The arithmetic unit 401 is a part that executes a multiple-length operation. Specifically, the arithmetic unit 401 performs exclusive OR calculation, bit concatenation / division, bit comparison, and the like.

The input / output unit 406 receives a signed document (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ) generated by the digital signature information generating apparatus. Accept. The input / output unit 406 also inputs / outputs other data exchanged between the own apparatus and the outside.

The determination unit 413 determines the digital signature information received from the input / output unit 406 from (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ). Check whether it is configured.

The signature verification unit 407, the user _P 1, ..., public key k ₁ of the P _L, ..., using the k _L to verify the digital signature information.

  The function calculation units 407, 408, and 409 perform calculations using random functions G, H, and F, respectively. In the signature verification, confirmation, or denial protocol, a random function stored in the function calculation units 408, 409, and 410 is used. The random function may be stored in advance, or a function determined for each signer may be obtained and stored via the input / output unit 406.

  The control unit 411 controls the entire apparatus.

  The memory 412 stores various data.

  Functionally, the signature verification apparatus functionally performs a function related to processing related to a key, a function related to processing related to off-line data authenticity verification, and processing related to identification or denial of a signer online. And a functional part.

  In addition, the signature verification apparatus has a function of receiving a signed document obtained by adding digital signature information to a signature target document from a digital signature information generating apparatus or another apparatus via a network, and a recording medium on which the signed document is recorded. The function to read from may be included.

(Signature verification procedure)
Hereinafter, a method for verifying the digital signature information generated by the digital signature information generation apparatus according to this configuration example will be described.

  FIG. 4 shows an example of a signature verification processing procedure according to this configuration example.

After the verifier receives the signed document (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ) (step S501), w = G (M) is calculated (step S502).

Next, the verifier calculates a _j = g ^cj k _j ^dj mod p and b _j = w ^cj S ^dj mod p for j = 1,..., L (step S503), and d = H (M, _{w, S, y, k 1} , ..., k L, a 1, b 1, ..., a L, b L) to calculate the (step S504).

Finally, the verifier checks whether yS ^d = w ^b mod p and d = d ₁ +... + D _L mod q holds (step S505), and if the check passes, accepts the signature (step S506). If it fails, the signature is rejected (step S507).

(Confirmation and denial protocol)
The confirmation and denial protocol in this configuration example can be executed by the same processing as the confirmation and denial protocol of Document A described above using (M, S).

  In the first configuration example described above, the example using the discrete logarithm problem on the multiplicative group of the finite field is shown, but the same protocol can be realized for the additive group formed by the points of the elliptic curve. More specifically, for example, a point P on the elliptic curve E defined on the field of the characteristic p and an additive group A of the order q generated at the point P may be used. Further, P may be used instead of g in this configuration example, and the power-residue calculation in the multiplicative group may be replaced with scalar multiplication on the elliptic curve, and the modular multiplication in the multiplicative group may be replaced with addition on the elliptic curve.

  The public key only needs to be acquired as necessary, and a configuration without using a certificate authority is also possible.

  According to this configuration example, at the time of signature verification, it is not necessary to communicate with the signer. For the identification of the signer or the denial of the user other than the signer, a digital signature that requires communication with the target user is used. Can be realized.

  In addition, according to this configuration example, a group manager is unnecessary, and each signer can generate a public key and a secret key by itself, so that the key generation efficiency is high and the secret information of all the signers is concentrated. This makes it easy to manage. In addition, if a suspicion is made with a signature that is not a signer, the fact that the signature has not been generated by the first component that can identify or deny the signer generated by the signature generation process. I can prove it. In addition, to identify the signer, all dummy signers except the signer need to communicate with the signer unless denial, and anonymity is discarded where the signer does not intend, that is, information related to privacy Exposure is less likely to occur. Further, since communication between the verifier and the signer is not required in the verification process, the efficiency of the verification process is high, and an anonymous communication technique is not required.

(Second configuration example)
Next, a second configuration example will be described.

  In this configuration example, in order to guarantee a higher level of security, the signer generates a random number R in the signature generation process of the non-repudiation signature (non-repudiation signature of document A) used in the first configuration example. W is calculated by G (M, R), and M, R, and S are disclosed as signed documents.

  Below, it demonstrates focusing on the point which is different from the 1st example of composition.

(Preparation of common parameters)
The functions used to configure the digital signature information generation apparatus and signature verification apparatus according to this configuration example and the length of input / output data of these functions are the same as those in the first configuration example.

(Digital signature information generator)
The digital signature information generation apparatus in this configuration example may be the same as that in the first configuration example (FIG. 1). However, the random functions G and H of the function calculation units 207 and 208 have the random number R as a parameter.

(Preparation of public and private keys)
The public key and secret key generation method in this configuration example is the same as in the first configuration example.

(Signature generation procedure)
Since the signature generation procedure in this configuration example is substantially the same as that in the first configuration example (FIG. 2), differences from this will be described.

User P _i as the signer, after receiving the document M to be signed (step S301), generates a random number R, and calculates a w = G (M, R) (step S302), to step S308 Performs the same processing as the signature generation procedure in the first configuration example.

After the calculation of a ₁ , b ₁ ,..., a _L , b _L is completed, the signer P _i has d = H (M, R, w, S, y, k ₁ ,..., k _L , a _1. , B ₁ ,..., A _L , b _L ) (step S309), the same processing as the signature generation procedure in the first configuration example up to step S311 is performed, and (M, R, S, y, b, c) are performed. _{1, d 1, ..., c} L, d L, k 1, ..., k L) to publish a signed document (step S312).

(Signature verification device)
The signature verification apparatus in this configuration example is the same as that in the first configuration example (FIG. 3). However, the random functions G and H of the function calculation units 407 and 408 have the random number R as a parameter.

(Signature verification procedure)
Since the signature generation procedure in this configuration example is substantially the same as that in the first configuration example (FIG. 4), differences from this will be described.

After the verifier receives the signed document (M, R, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ) (step S501), w = G (M, R) is calculated (step S502). Thereafter, the verifier calculates a _j = g ^cj k _j ^dj mod p, b _j = w ^cj S ^dj mod p for j = 1,..., L in the same manner as in the first configuration example (step S503). , D = H (M, R, w, S, y, k ₁ ,..., K _L , a ₁ , b ₁ ,..., A _L , b _L ) are calculated (step S504).

  Finally, the verifier performs step S405 and accepts the signature or rejects the signature according to the inspection result (steps S506 and S507).

(Confirmation and denial protocol)
The confirmation and denial protocol in this configuration example is almost the same as the confirmation and denial protocol used in the first configuration example (the confirmation and denial protocol in document A), but the difference is that w is G (M). Without calculating w = G (M, R) (step S102S, step S102Vs, step S102Cv, step S102Dv), and a signed document (M, R, S) instead of (M, S) ( Step S104S, Step S101Vv, Step S104Vs, Step S105Vs, Step S116Cv, Step S117Cv, Step S116Dv, Step S117Dv).

  The public key only needs to be acquired as necessary, and a configuration without using a certificate authority is also possible.

  According to this configuration example, in addition to the effects of the first configuration example, a higher level of safety can be ensured by using a random number.

(Third configuration example)
In the third configuration example, a system using the first configuration example or the second configuration example will be described.

  In the following, a case where the first configuration example is used is illustrated as a specific example.

  FIG. 5 shows an example of a digital signature system according to this configuration example.

The digital signature system includes a certificate authority 601, a signature generation terminal (digital signature information generation apparatus according to the first or second configuration example) 602 _{1 to} 602 _L , and a signature verification terminal 603. These can communicate via the network 600.

  As the signature generation terminal, the digital signature information generation apparatus according to the first or second configuration example is used. As the signature verification terminal, the signature verification apparatus (corresponding to the signature generation terminal) according to the first or second configuration example is used.

  There may be a plurality of certificate authorities. There may be a plurality of signature verification terminals. Further, there may be a terminal that has both the function of the signature generation terminal and the function of the signature verification apparatus.

  Each certificate authority and terminal each have a unique identification information ID.

(Preparation of common parameters)
First, in accordance with the “common parameter setting” in the first or second configuration example, the certificate authority 601 includes a multiplicative group A of l _1- bit primes q and orders q that divide the l-bit primes p and p−1. A generator g, a hash function G that maps an arbitrary bit length value to A, a hash function H that maps an arbitrary bit length value to Z / qZ, and an arbitrary bit length value l F that maps to a _2- bit value and the lesser value max used in the denial protocol are disclosed.

(Preparation and registration of public and private keys)
Next, the signature generation terminal i (i represents any one of 1 to L) obtains the common parameter through the network 600 and stores it in its own terminal, and the “public key” of the first or second configuration example And private key preparation ", the private key s _i and the public key k _i are generated in the terminal, the private key s _i is kept secret, and the public key k _i is identified through the network 600. The information ID _i is transmitted to the certificate authority 601.

The certificate authority 601 receives the identification information ID _i and the public key k _i from the signature generation terminal i, and after checking whether the signature generation terminal i has been illegally processed in the past as necessary. The identification information ID _i and the public key k _i are stored as a table as shown in FIG.

(Signature generation procedure)
A document M to be signed is input from the user to the signature generation terminal i.

At this time, the signature generation terminal i makes an inquiry to the certificate authority 601 as necessary, and the public key k _j of the other signature generation terminal via the network 600 (j is an index other than i from 1 to L). Acquire a number of When the public keys of other signature generation terminals are stored in the signature generation terminal i, it is not necessary to make the above inquiry.

Thereafter, the first using the document M to be signed, the public key of another signature generation terminal, the private key s _i stored in the signature generation terminal i and the common parameter, and the random number component generated internally by the signature generation terminal i. Alternatively, signature generation is performed based on the “signature generation means” in the second configuration example, and (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k _{1 ,.} ) On the network 600 as a signed document.

Incidentally, the public key k ₁ included in the signed document, ..., instead of k _L, identification information ID ₁ of the corresponding signature generation terminal, ..., it is also possible to attach the ID _L. Alternatively, both a public key and identification information may be added.

(Signature verification procedure)
The signature verification terminal 603 obtains a signed document (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ) through the network 600.

Signature verification terminals 603, queries the authentication poles 601, public key k _1, ..., identification information ID ₁ of the signature generation terminal corresponding to k _L, ..., to obtain the ID _L. Alternatively, when identification information ID ₁ ,..., ID _L is added to the signed document instead of the public keys k ₁ ,..., K _L , an inquiry is made to the authentication pole 601 and the identification information ID ₁ ,. , ID _L corresponding to the public key k ₁ ,..., K _L of the signature generation terminal.

Next, the signature verification terminal 603 verifies the validity of the signed document based on the “signature verification unit” of the first or second configuration example. When the inspection is passed, the signature is accepted on the assumption that the signed document has been generated by one of L signature generation terminals corresponding to the identification information ID ₁ ,..., ID _L. If the inspection fails, the signature will be rejected.

  The above signature verification process does not require communication with the signature generation terminal, and even when the signature verification process passes, it is difficult to specify which signature generation terminal has generated the signature.

(Confirmation and denial protocol)
A signature generation terminal (signature generation terminal i) having a signature verification terminal 603 is a signed document (M, S, y, b, c ₁ , d ₁ ,..., C _L , d _L , k ₁ ,..., K _L ). A method for confirming whether or not has been generated will be described.

  The signature verification terminal 603 transmits the confirmation and denial protocol execution request and (M, S) of the signed documents to the signature generation terminal i.

  Based on the “confirmation and denial protocol” in the first or second configuration example, the signature generation terminal i determines the confirmation protocol when (M, S) is a signature generated based on its own private key. Otherwise, a denial protocol is executed with the signature verification device 603.

  Note that the public key only needs to be acquired as necessary, and a configuration without using an authentication pole is also possible.

Each of the above functions can be realized as hardware, or can be realized by processing as a software and a computer having an appropriate mechanism.
The present embodiment can also be implemented as a program for causing a computer to execute a predetermined procedure, causing a computer to function as a predetermined means, or causing a computer to realize a predetermined function. In addition, the present invention can be implemented as a computer-readable recording medium on which the program is recorded.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

The figure which shows the structural example of the digital signature information generation apparatus which concerns on one Embodiment of this invention. A flowchart showing an example of a signature generation processing procedure according to the embodiment FIG. 3 is a diagram showing a configuration example of a signature verification apparatus according to the embodiment. A flowchart showing an example of a signature verification processing procedure according to the embodiment FIG. 3 is a diagram illustrating a configuration example of a digital signature system according to the embodiment. A diagram showing a configuration example of a list of identification information and public keys stored and disclosed by the authentication pole according to the embodiment Flowchart showing the non-repudiation signature key generation procedure Flow chart showing the non-repudiation signature generation procedure The flowchart which shows the verification procedure of the non-repudiation signature in a verification apparatus (signature verification apparatus) The flowchart which shows the verification procedure of the non-repudiation signature in a signature apparatus (digital signature information generation apparatus) The flowchart which shows the confirmation procedure of the non-repudiation signature in a verification apparatus (signature verification apparatus) The flowchart which shows the confirmation procedure of the non-repudiation signature in a signature apparatus (digital signature information generation apparatus) Flowchart showing a non-repudiation signature non-repudiation procedure in the verification device (signature verification device) Flowchart showing a non-repudiation signature non-repudiation procedure in a signature device (digital signature information generation device)

Explanation of symbols

201, 401 ... arithmetic unit, 202 ... random number generator, 203 ... random number memory, 204 ... secret key memory, 205 ... signature generation unit, 206, 406 ... input / output unit, 207-209, 407-409 ... random function calculation unit , 211, 411 ... control unit, 212, 412 ... memory, 600 ... network, 601 ... certificate authority, 602 _{1 to} 602 _L ... signature generation terminal, 603 ... signature verification terminal

Claims (9)

An input means for inputting data to be signed;
Storage means for storing a secret key of a first user who is a signer of the data;
Obtaining means for obtaining all or part of public keys of second users other than the first user;
First generation means for generating first information using the data and the secret key to allow each of the second users to deny that the second user is a signer of the data;
Second generation means for generating second information for guaranteeing that the first information is generated using the secret key by using all or part of the public key and the secret key; ,
An apparatus for generating digital signature information, comprising: output means for outputting digital signature information including the first information and the second information.   The output means outputs the digital signature information including a public key used for generating the second information or third information including information that can identify them. The digital signature information generation apparatus according to claim 1.   3. The digital according to claim 1, wherein the first generation unit and the second generation unit also use random numbers for generation of the first information and the second information. Signature information generation device.   4. The digital signature information generation apparatus according to claim 1, wherein the data is verified using the first information and the second information. 5.   4. The digital signature information generation apparatus according to claim 1, wherein the second information is verified using a non-interactive zero knowledge proof. 5.   The second generation means generates the second information by using all of the public keys, a method of selecting and using a predetermined number from the public keys, or a public to be used. 4. The method according to claim 1, wherein the number of keys is determined, and any one of the methods of selecting and using the determined number of the public keys is used. 5. Digital signature information generation device.   7. The digital signature information generation apparatus according to claim 1, further comprising means for communicating with a signature verification apparatus that performs verification using the digital signature information. Entering the data to be signed,
It is possible to deny that each second user other than the first user is a signer of the data by using the data and a private key of the first user who is a signer of the data. Generating first information to:
Second to ensure that the first information is generated using the secret key by using all or part of the public key of the second user other than the first user and the secret key. Generating information for
And outputting digital signature information including the first information and the second information. In a program for causing a computer to function as a digital signature information generation device,
The program is
Entering the data to be signed,
It is possible to deny that each second user other than the first user is a signer of the data by using the data and a private key of the first user who is a signer of the data. Generating first information to:
Second to ensure that the first information is generated using the secret key by using all or part of the public key of the second user other than the first user and the secret key. Generating information for
A program for causing a computer to execute the step of outputting digital signature information including the first information and the second information.

Images