JP2006352254A - Distributed electronic signature system, and distributed electronic signature calculation apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a distributed electronic signature system obtaining an electronic signature without the need for communication with all apparatuses for distributingly calculating the electronic signature. <P>SOLUTION: A distributed electronic signature calculation apparatus (10) in the system includes: a distributed electronic signature key storage section; a power residue calculation section for calculating the distributed electronic signature; and a transmission section for transmitting the distributed electronic signature to a representative distributed electronic signature calculation apparatus. The representative distributed electronic signature calculation apparatus (13) includes: a distributed electronic signature key storage section; a power residue calculation section for calculating the distributed electronic signature; a reception section for receiving the distributed electronic signature calculated by each of the distributed electronic signature calculation apparatuses; and a multiplier section that calculates an electronic signature with respect to a message by multiplying the distributed electronic signature calculated by the representative distributed electronic signature calculation apparatus with the distributed electronic signature calculated by one or two or more of the distributed electronic signature calculation apparatuses. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a distributed electronic signature device and a distributed electronic signature system that distribute and process an electronic signature with a plurality of devices connected via a communication path.

  Currently, there is known a distributed electronic signature system that distributes and calculates an electronic signature using public key cryptography by a plurality of devices connected to each other via a communication path (for example, see Patent Document 1).

  The distributed electronic signature system includes a plurality of devices, and each of the devices has a distributed electronic signature key in which the original signature key is secretly distributed, and communicates with all other devices. The distributed electronic signature is calculated using the distributed electronic signature key of.

  When requesting an electronic signature, the threshold secret sharing method, a broadcast-type communication path, a secret communication path that can communicate with each device in the system, etc. are used to perform fraud below a predetermined threshold. Even if a device exists, it is possible to generate an electronic signature, or to identify an unauthorized device even if an electronic signature cannot be generated.

JP-A-8-204697 Okamoto Tatsuaki and Yamamoto Hiroshi, “Contemporary Cryptography”, Industrial Books, p. 175-176

  However, in order to obtain an electronic signature, since it is necessary to perform secret communication with all the devices that perform calculation in a distributed manner, there is a problem that communication becomes complicated and communication cost becomes enormous. In particular, when the communication channel is a wireless channel and the distributed calculation device is battery-powered, there is a problem that the battery life is shortened because a large amount of power is taken for transmission and reception of wireless communication. .

  The present invention has been made in view of the above problems, and an object of the present invention is a novel and capable of obtaining an electronic signature without communicating with all the devices that perform the calculation by distributing the electronic signature. It is to provide an improved distributed electronic signature system.

  In order to solve the above problems, according to the first aspect of the present invention, an electronic signature is calculated based on one or more distributed electronic signature calculation devices and the result of distributed processing by each of the distributed electronic signature calculation devices. A distributed electronic signature system including a representative distributed electronic signature calculation apparatus is provided. The distributed electronic signature calculation apparatus in the distributed electronic signature system includes: a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which an electronic signature key for calculating an electronic signature is secretly distributed in plural; A power to calculate a distributed electronic signature used as a whole or a part of the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit; A remainder calculation unit; and a transmission unit that transmits the distributed electronic signature to the representative distributed electronic signature calculation apparatus. The representative distributed electronic signature calculation apparatus includes a plurality of electronic signature keys for calculating the electronic signature. A distributed electronic signature key holding unit that holds any one of the distributed electronic signature keys secretly distributed to each other; a message that is a target of the electronic signature, and a memory that is stored in the distributed electronic signature key holding unit Based on the distributed electronic signature key obtained, a remainder calculation unit for calculating a distributed electronic signature used as a part of the electronic signature; and a distributed electron calculated by each of one or more distributed electronic signature calculation devices A receiver for receiving the signature; and an electronic signature for the message by multiplying the distributed electronic signature calculated by the representative distributed electronic signature calculation apparatus and the distributed electronic signature calculated by the one or more distributed electronic signature calculation apparatuses. And a multiplication unit for calculating a signature. The distributed electronic signature key may be, for example, a case where the electronic signature key is divided into a plurality of parts.

  In order to solve the above problems, according to another aspect of the present invention, a distributed electronic signature calculation apparatus is provided. The distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed; Based on the message and the distributed electronic signature key stored in the distributed electronic signature key holding unit, the modular multiplication unit to calculate the distributed electronic signature to be used as a whole or a part to calculate the electronic signature And a transmitting unit that transmits the distributed electronic signature to an external device. The distributed electronic signature calculation apparatus corresponds to, for example, a node.

  In order to solve the above problems, according to another aspect of the present invention, a distributed electronic signature calculation apparatus is provided. The distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys obtained by secretly distributing a plurality of electronic signature keys for calculating an electronic signature; Based on the target message and the distributed electronic signature key stored in the distributed electronic signature key holding unit, a remainder calculation unit for calculating a first distributed electronic signature used as a part of the electronic signature; A receiver for receiving a second distributed electronic signature calculated by each of one or more external devices; and multiplying the first distributed electronic signature by the one or more second distributed electronic signatures; And a multiplier for calculating an electronic signature for the message. The distributed electronic signature calculation apparatus corresponds to, for example, a representative node.

  The distributed signature calculation apparatus may further include a signature verification unit that verifies the electronic signature calculated by the multiplication unit.

  In order to solve the above-described problems, according to another aspect of the present invention, an electronic signature is calculated based on one or more distributed electronic signature calculation devices and the result of distributed processing by each of the distributed electronic signature calculation devices. A distributed electronic signature system including a representative distributed electronic signature calculation apparatus is provided. In the distributed electronic signature system, the distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed; A first distributed electronic signature used as a whole or a part for calculating the electronic signature is calculated based on the message to be processed and the distributed electronic signature key stored in the distributed electronic signature key holding unit. A power-residue calculating unit; a receiving unit that receives a second distributed electronic signature calculated by one or more external devices; and the first distributed electronic signature and the receiving calculated by the power-residue calculating unit A multiplication unit that calculates a third distributed electronic signature by multiplying the second distributed electronic signature received by the unit; and a transmission unit that transmits the third distributed electronic signature, representative A distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed; And a remainder calculation unit that should calculate a first distributed electronic signature used as a part of the electronic signature based on the message and the distributed electronic signature key stored in the distributed electronic signature key holding unit; A receiving unit for receiving a second distributed electronic signature calculated by each of one or more external devices; and multiplying the first distributed electronic signature by the one or more second distributed electronic signatures In this manner, the distributed electronic signature calculation apparatus and the representative distributed electronic signature calculation apparatus constitute a tree-type multi-hop network.

  In the distributed electronic signature system, the representative distributed electronic signature calculation apparatus may be configured to exist at least in a route in the tree-type multihop network.

  In order to solve the above problems, according to another aspect of the present invention, a distributed electronic signature key holding unit that holds a distributed electronic signature key in which an electronic signature key for calculating an electronic signature is secretly distributed in a plurality of ways; A first distributed electronic signature used as a whole or a part for calculating the electronic signature based on a message to be an electronic signature and a distributed electronic signature key stored in the distributed electronic signature key holding unit. A power-residue calculating unit that calculates the power; a receiving unit that receives a second distributed electronic signature calculated by one or more external devices; and the first distributed electronic signature calculated by the power-residue calculating unit A multiplication unit that calculates a third distributed electronic signature by multiplying the second distributed electronic signature received by the receiving unit; and a transmission unit that transmits the third distributed electronic signature Distributed electrons characterized by Name computing device is provided. The distributed electronic signature calculation apparatus corresponds to, for example, a node.

  A distributed electronic signature key holding unit that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed; a message that is a target of the electronic signature; and a distributed electronic signature key holding unit Based on the stored distributed electronic signature key, a modular remainder calculation unit for calculating a distributed electronic signature used as a whole or a part for calculating the electronic signature; a random number generating unit for generating a random number; and the random number A distributed electronic signature key updating unit that calculates a distributed electronic signature key using the key and updates the calculated distributed electronic signature key to the calculated distributed electronic signature key; and a transmitting unit that transmits the distributed electronic signature and / or the random number. A distributed electronic signature calculation apparatus is provided. The distributed electronic signature calculation apparatus corresponds to, for example, a node.

  In order to solve the above problems, according to another aspect of the present invention, a distributed electronic signature key holding unit that holds a distributed electronic signature key in which an electronic signature key for calculating an electronic signature is secretly distributed in a plurality of ways; First distributed electrons used as a whole or a part for calculating the electronic signature based on the message to be subjected to the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular multiplication unit for calculating a signature; a receiving unit for receiving a second distributed electronic signature calculated by one or more external devices and / or a random number generated by one or more external devices; A multiplication unit that calculates an electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculation unit and a second distributed electronic signature obtained from the reception unit; obtained from the reception unit; Distributed electronic station using the random number Calculating a key feature a dispersed electronic signature computing device that includes a distributed electronic signature key updating unit that updates the distributed electronic signature key issued the calculated is provided. The distributed electronic signature calculation apparatus corresponds to, for example, a representative node.

  The distributed signature calculation apparatus may further include a signature verification unit that verifies the electronic signature calculated by the multiplication unit.

  In order to solve the above-described problems, according to another aspect of the present invention, an electronic signature is calculated based on one or more distributed electronic signature calculation devices and the result of distributed processing by each of the distributed electronic signature calculation devices. A distributed electronic signature system including a representative distributed electronic signature calculation apparatus is provided. In the distributed electronic signature system, the distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed; Based on the message to be processed and the distributed electronic signature key stored in the distributed electronic signature key holding unit, the remainder to calculate the distributed electronic signature used as a whole or a part for calculating the electronic signature A calculation unit; a random number generation unit that generates a random number; a distributed electronic signature key update unit that calculates a distributed electronic signature key using the random number and updates the calculated distributed electronic signature key; and the distributed electronic signature and And / or a transmission unit that transmits the random number, wherein the representative distributed electronic signature calculation apparatus includes a distributed electronic signature key that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed. In order to calculate the electronic signature based on the signature key holding unit; the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit. A power residue calculation unit for calculating the first distributed electronic signature to be used; and one or more second distributed electronic signatures calculated by the distributed electronic signature calculation device and / or generated by the distributed electronic signature calculation device A receiving unit that receives a random number; a multiplying unit that calculates an electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature obtained from the receiving unit And a distributed electronic signature key update unit that calculates a distributed electronic signature key using a random number obtained from the receiving unit and updates the calculated distributed electronic signature key.

  In order to solve the above problems, according to another aspect of the present invention, a distributed electronic signature key holding unit that holds a distributed electronic signature key in which an electronic signature key for calculating an electronic signature is secretly distributed in a plurality of ways; First distributed electrons used as a whole or a part for calculating the electronic signature based on the message to be subjected to the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular remainder calculation unit for calculating a signature; a random number generation unit for generating a first random number; a distribution for calculating a distributed electronic signature key using the first random number and updating the calculated distributed electronic signature key An electronic signature key updating unit; a receiving unit that receives a second distributed electronic signature calculated by one or more external devices and / or a second random number generated by the external device; and the power residue The first distributed electronic station calculated by the calculation unit And a multiplication unit that calculates a third distributed electronic signature by multiplying the second distributed electronic signature obtained from the receiving unit; and the first random number and the first obtained from the receiving unit. A distribution unit comprising: an addition unit that generates a third random number by adding two random numbers; and a transmission unit that transmits the third distributed electronic signature and / or the third random number An electronic signature calculation device is provided. The distributed electronic signature calculation apparatus corresponds to, for example, a node.

  In order to solve the above-described problems, according to another aspect of the present invention, an electronic signature is calculated based on one or more distributed electronic signature calculation devices and the result of distributed processing by each of the distributed electronic signature calculation devices. A distributed electronic signature system including a representative distributed electronic signature calculation apparatus is provided. In the distributed electronic signature system, the distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed; A first distributed electronic signature used as a whole or a part for calculating the electronic signature is calculated based on the message to be processed and the distributed electronic signature key stored in the distributed electronic signature key holding unit. A modular remainder calculation unit to be performed; a random number generation unit that generates a first random number; a distributed electronic signature key that calculates a distributed electronic signature key using the first random number and updates the calculated distributed electronic signature key An updating unit; a receiving unit that receives a second distributed electronic signature calculated by one or more external devices and / or a second random number generated by the external device; and a power residue calculation unit The calculated first A multiplication unit that calculates a third distributed electronic signature by multiplying the distributed electronic signature and the second distributed electronic signature obtained from the receiving unit; and obtained from the first random number and the receiving unit. An addition unit that generates a third random number by adding the second random number; and a transmission unit that transmits the third distributed electronic signature and / or the third random number. The representative distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating the electronic signature are secretly distributed; a message that is a target of the electronic signature; , A remainder calculation unit for calculating a first distributed electronic signature used as a whole or a part of the electronic signature based on the distributed electronic signature key stored in the distributed electronic signature key holding unit; One or more external devices A receiving unit that receives the calculated second distributed electronic signature and / or a random number generated by one or more external devices; the first distributed electronic signature calculated by the power-residue calculating unit and the reception A multiplication unit that calculates a signature by multiplying the second distributed electronic signature obtained from the unit; a distributed electronic signature key is calculated using a random number obtained from the receiving unit, and the calculated distributed electron A distributed electronic signature key updating unit for updating the signature key, and the distributed electronic signature system is configured by a tree-type multi-hop network.

  In the distributed electronic signature system, the representative distributed electronic signature calculation apparatus may be configured to exist at least in a route in the tree-type multihop network.

  As described above, according to the present invention, the electronic device can be electronically calculated by a representative device collectively based on the distributed electronic signature calculated by each device without communicating with each device existing in the system. Since the signature can be obtained, communication traffic can be greatly reduced, and power consumption for the apparatus can be suppressed.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments of the invention will be described in detail with reference to the accompanying drawings. In the following description and the accompanying drawings, components having substantially the same functions and configurations are denoted by the same reference numerals, and redundant description is omitted.

  First, the RSA signature used in this embodiment will be described. Assuming that the signature key (or private key) is d, the verification key (or public key) is e and n, and the message to be signed is m, the RSA signature s (or electronic signature s) is expressed as shown in Equation 1 below. Do the following calculations. The relationship between e and n is ed = 1 (mod λ (n)). In the embodiment described below, the case where the signature key is a secret key and the verification key is a public key will be described as an example. However, the present invention is not limited to this example.

s = h (m) ^d (mod n) (Formula 1)

  Here, h () is a function called a one-way hash function, and it is practically impossible to obtain the original value from the hash value calculated by this hash function. The hash value is not the same. That is, the hash function is a function in which it is difficult to obtain x and y such that h (x) = h (y), (x ≠ y).

  Also, λ (n) is a Carmichael function (Carmichael function) of n. The Carmichael function is defined as shown in Equations 2 to 4 below.

The Carmichael _{^{function, n = 2 e0 p 1 e1}} p 2 e2 ... p r er (p 1, p 2, ..., p r are different odd prime) when,
λ (n) = LCM (λ (2 ^e0 ), φ (p ₁ ^e1 ),..., φ (p _r ^er )) (Formula 2)
_{^{φ (p i ei) = p}} i (ei-1) (p i -1) (i = 1, ..., r) ... ( Equation 3)
λ (2 ^t ) = 2 ^(t−1) (t <3), λ (2 ^t ) = 2 ^(t−2) (t ≧ 3) (Equation 4)
It is defined as

  In the RSA signature, since the case where n is a product of a prime number p of 2 and a prime number q of 2 is described as an example, the following equation 5 is obtained.

  λ (n) = LCM (p−1, q−1) (Formula 5)

  When the message m and the electronic signature s are received, the electronic signature can be verified based on the electronic signature s and the message m. Hereinafter, the distributed electronic signature according to the present embodiment will be described in detail based on the electronic signature.

(About the first embodiment)
In the distributed electronic signature system according to the first embodiment, first, a plurality of devices (hereinafter referred to as nodes) hold secret keys d in a distributed manner and calculate electronic signatures in a distributed manner. Without communicating with all the other nodes except the node itself, each node first generates an electronic signature (or distributed electronic signature) that is distributed in a scattered manner.

  An electronic signature can be obtained by transmitting the distributed electronic signature to a node (hereinafter referred to as a representative node) that calculates a final electronic signature based on the distributed electronic signature generated at each of the nodes. it can.

  Here, the distributed electronic signature system according to the first embodiment will be described with reference to FIG. FIG. 1 is an explanatory diagram showing an outline of a distributed electronic signature system according to the first embodiment.

As shown in FIG. 1, the distributed electronic signature system 800 according to the first embodiment includes one or two or more nodes 10 (10-1 to 10-5) such as nodes U ₁ to U _5. ) And a representative node 13 which is a representative device for calculating a final electronic signature.

Although the distributed electronic signature system 800 shows a case where five nodes 10-1 to 10-5 are provided in FIG. 1, it is possible even when N nodes 10 (N ≧ 1) are provided. Incidentally, each note _{U 1} node of the node 10-1 node 10-5, the node _{U 2,} ..., and represented by a node _{U N.}

Although denote the representative node 13 with node _{U 0,} the node _{U 0,} the node _{U 1,} node _{U 2,} ..., node _{U N} calculation resources towards the primary node _{U 0} than (computing power, memory capacity, For example, a server device or the like can be exemplified, but the present invention is not limited to such an example.

  The node 10 can be implemented by any device as long as it has a communication function capable of transmitting / receiving data to / from at least another node 10 or the representative node 13 and a calculation function for calculating a distributed electronic signature. However, the node 10 has a low power consumption and can reduce the size of the device as much as possible.

  The representative node 13 has a communication function capable of data communication with each node 10 as with the node 10, and a calculation function for obtaining an electronic signature based on a distributed electronic signature from the node 10, for example, An example is a server device.

  The communication network for mutual data communication between the node 10 or the representative node 13 may be wired wireless such as a coaxial cable or twisted pair cable based on Ethernet (registered trademark) or wireless based on IEEE802.11b.

  As described above, in the distributed electronic signature system according to the first embodiment, the private key of the electronic signature (or RSA signature) is d, the public key is e and n (ed = 1 (mod λ ( n))).

In addition, the node U ₁ , the node U ₂ ,..., The node U _N , and the representative node U ₀ are distributed secret keys d ₁ , distributed secret keys obtained by secretly distributing (or secret sharing) the original secret key d. d ₂ ,..., a distributed secret key d _N , and a distributed secret key d ₀ are held. In this embodiment, secret sharing refers to, for example, a technique for encoding secret information into a plurality of pieces of shared information, or a technique for distributing and managing secret keys. Further, the distributed secret key d _i (i = 0, 1, 2, 3,...) Is a secret key d that is secretly distributed. However, the secret key d may be simply divided. .

Furthermore, the relationship between each of the distributed secret key d ₁ , the distributed secret key d ₂ ,..., The distributed secret key d _N and the original secret key d is as shown in Equation 6 below.

d = d ₀ + d ₁ + d ₂ +... + d _N (mod λ (n)) (Expression 6)

The size of the value of the distributed secret key, such as the bit length of the distributed secret key, is adjusted according to the performance (calculation capability, etc.) of the node U ₁ , node U ₂ ,..., Node U _N , and representative node U ₀ Is possible.

Assuming that the message to be subjected to the electronic signature is m, the node U ₁ , the node U ₂ ,..., The node _UN have the distributed electronic signature s _i (i = 1) obtained by executing the calculation shown in the following Expression 7. , ..., to send N) to the representative node _{U 0.}

s _i = h (m) ^di (mod n) (i = 1,..., N) (Expression 7)

First, the representative node U ₀ executes the calculation shown in the following equation 8 to obtain the distributed electronic signature s ₀ of itself (representative node U ₀ ).

s ₀ = h (m) ^d0 (mod n) (Formula 8)

When the distributed electronic signature s ₀ is obtained, the representative node U ₀ further multiplies the distributed electronic signature s ₁ , distributed electronic signature s ₂ ,..., Distributed electronic signature s _N received from the node 10, and further represents the representative node U _0. By multiplying the distributed electronic signature s ₀ generated by itself as shown in Expression 9, the representative node U ₀ can obtain the final electronic signature s.

s = s ₀ s ₁ s ₂ ... s _N (mod n) (Expression 9)

(About node 10)
Next, with reference to FIG. 2, the distributed electronic signature that executes the calculation related to the distributed electronic signature provided in the node 10 (node U _i (i = 1, 2,..., N)) according to the first embodiment. The calculation unit 100 will be described. FIG. 2 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 100 included in the node 10 according to the first embodiment.

  As shown in FIG. 2, the distributed electronic signature calculation unit 100 provided in the node 10 includes a distributed secret key holding unit 101 that stores a distributed secret key, a power residue calculation unit 102, and a distributed electronic signature that is transmitted to an external node. 10 or the representative node 13 is provided.

The distributed secret key holding unit 101 is a storage device that stores the distributed secret key d _i (i = 1, 2,..., N) of the node U _i . For example, in the case of the node U ₁ , the distributed secret key holding unit 101 stores the distributed secret key d ₁ .

The power-residue calculating unit 102 inputs the message m to be digitally signed and the distributed secret key d _i (i = 1, 2,..., N) stored in the distributed secret key holding unit 101, and the distributed electron shown in the above equation 7 The signature s _i is calculated and output to the transmission unit 103.

Note that the message m according to the present embodiment may be received via a communication path such as the Internet, or stored in a storage device such as the distributed secret key holding unit 101 provided in the node 10 in advance. It may be a thing. However, it is assumed that the message m can be obtained by each node U _i (i = 1, 2,..., N) and the representative node U ₀ by a method agreed in advance by the distributed electronic signature system 800.

The transmission unit 103 receives the distributed electronic signature s _i that is the calculation result from the power-residue calculation unit 102 and transmits it to the representative node U ₀ . The communication path at this time can be transmitted directly to the representative node (arrow (1) shown in FIG. 1), and data is transmitted via another node 10 like a multi-hop communication path. It is possible even in the case of such a form.

Incidentally, the above multi-hop communication path, for example, the case of FIG. 1, when the send distributed digital signature s ₁ to the representative node U ₀ from node U _1, first sends to the node U _4, further nodes U ₄ The configuration is such that it is transferred to the representative node U ₀ (two arrows in (2) shown in FIG. 1).

  Next, the distributed electronic signature calculation unit 200 that executes the calculation related to the distributed electronic signature provided in the representative node 13 according to the first embodiment will be described with reference to FIG. FIG. 3 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 200 included in the representative node 13 according to the first embodiment.

  As shown in FIG. 2, the distributed electronic signature calculation unit 200 provided in the representative node 13 includes a distributed secret key holding unit 201, a power residue calculation unit 202, a multiplication unit 203, and a reception unit 204. Yes.

The distributed secret key holding unit 201 is a storage device that stores the distributed secret key d ₀ of the representative node 103 (node U ₀ ). For example, the distributed secret key holding unit 201 can exemplify a memory such as an EEPROM or a RAM, but is not limited to such an example.

The modular exponentiation calculation unit 202 inputs the distributed secret key d ₀ stored as the message m to the distributed secret key storage unit 201 to be an electronic signature, and calculating the variance digital signature s ₀ shown in the expression 8, multiplying The data is output to the unit 203.

Note that, as described above, the message m is the node U _1, node U _2, ..., as in the case of the node U _N, may be those received through a communication path, provided in advance representative node 103 dispersion The message m may be stored in a storage device such as the secret key holding unit 201, but the message m is sent to each node U _i (i = 1, 2,...) By a method agreed in advance by the distributed electronic signature system 800. , N) and the representative node U ₀ can be acquired.

The multiplication unit 203 receives the distributed electronic signature s ₀ as the calculation result from the power-residue calculating unit 202, and further receives the distributed electronic signature s _i (i = 1, 2,..., N) received from the node 10 by the receiving unit 204. ), The multiplication shown in the above equation 9 is executed, and the electronic signature s as the result is output.

The receiving unit 204 receives the distributed electronic signature s _i (i = 1, 2,..., N) from each node U _i and receives the received distributed electronic signature s _i (i = 1, 2,..., N). Is output to the multiplier 203. The electronic signature s output from the multiplication unit 203 is transmitted to an authentication unit (not shown) that authenticates the message.

(About operation of distributed electronic signature)
Next, the operation of the node 10 that executes the calculation related to the distributed electronic signature according to the first embodiment will be described with reference to FIG. FIG. 4 is a flowchart showing an outline of the operation of the node 10 that executes the calculation related to the distributed electronic signature according to the first embodiment.

As shown in FIG. 4, first, each node U _i (i = 1, 2,..., N) receives a distributed secret key d _i (i = 1) held by each node 10 itself for a message m to be digitally signed. , 2,..., N), a distributed electronic signature s _i is generated as shown in Equation 7 (S301).

The generation of the distributed electronic signature s _i shown in FIG. 4 (S301) is an operation performed by the modular exponentiation calculation unit 102, as shown in FIG.

Next, the transmission unit 103 included in the node 10 transmits the distributed electronic signature s _i generated by the power residue calculation unit 102 to the representative node U ₀ (S302).

Next, the operation of the representative node U ₀ that executes the distributed electronic signature of the first embodiment will be described with reference to FIG. FIG. 5 is a flowchart showing an outline of the operation of the representative node 13 that executes the calculation related to the distributed electronic signature according to the first embodiment.

As shown in FIG. 5, first, the representative node U ₀ uses the distributed secret key d ₀ held by the representative node U ₀ itself for the message m to be digitally signed, and sets the distributed electronic signature s ₀ to Equation 8 above. Obtained as shown (S401).

The processing of generating a distributed digital signature s ₀ using distributed secret key d ₀ as shown in FIG. 5 (S401), as described above, operation of the modular exponentiation computation unit 202 included in the representative node 13 shown in FIG. 3 It is.

Further, as shown in FIG. 5, in parallel with the process of generating the distributed electronic signature s ₀ (S401), the distributed electronic signature s _i is received from each node U _i (i = 1, 2,..., N). (S402).

The process of receiving the distributed electronic signature s _i from each node 10 (S402) is an operation by the receiving unit 204 shown in FIG.

  As shown in FIG. 5, the processes of step S401 and step S402 are illustrated as being executed substantially simultaneously in parallel, but are not necessarily limited to simultaneous progress. For example, the present invention can be implemented even when step S402 is executed after step S401 is completed, or when step S401 is executed after step S402 is completed.

When the above steps S401 and step S402 is completed, the dispersion digital signature _{s 0} obtained in step S401, the dispersion was received in step S402 the electronic signature _{s i (i = 1,2, ...} , N) and And an electronic signature s is generated as shown in the above equation 9 (S403).

  The processing for generating the electronic signature s (S403) is an operation by the multiplication unit 203 provided in the representative node 103 shown in FIG.

Although the description of the distributed electronic signature system 800 according to the first embodiment has been completed, the distributed electronic signature system 800 has the following excellent effects.
(1) Each node 10 that performs distributed calculation is distributed to other nodes by holding the secret key secretly distributed at each node 10 such as the distributed electronic signature key d ₁ to the distributed electronic signature key d _N. 10 generates a distributed electronic signature without communicating with each other, and transmits these distributed electronic signatures to the representative node 13 so that a malicious unauthorized node temporarily exists and a false distributed electronic signature is transmitted to the representative node 13 Even so, the representative node 13 cannot generate a genuine signature, and as a result, can determine that the signature is an illegal electronic signature. That is, it is possible to prevent a false digital signature from being created by an unauthorized person essential for security.
(2) Although it is not possible to determine where the illegal node exists, it is not necessary to at least communicate between all the nodes 10 while ensuring the minimum security. The amount of communication with 13 can be significantly reduced.
(3) Further, while maintaining the relationship between the distributed secret key d _i (i = 1, 2,..., N) and the original secret key d as shown in Equation 6 above, for example, as shown in Equation 10 below, the node If the value (or bit length) of the distributed secret key d _i held by U _i (i = 1, 2,..., N) is made smaller than the distributed secret key d ₀ of the node U ₀ , the node having low computing power Even with 10, it is possible to generate a distributed electronic signature quickly and accurately. Therefore, by holding a distributed secret key having a size corresponding to the capability of the node 10, it is possible to generate a distributed electronic signature quickly even in the node 10 having a low processing performance.
(4) Since each node holds the secret key d in a distributed manner, even if a small number of nodes are decomposed and analyzed and the secret key (distributed secret key) held is stolen, It is impossible to generate a correct signature.

d ₁ , d ₂ ,..., d _N << d ₀ (Formula 10)

(About the second embodiment)
In the first embodiment, each node that performs a distributed electronic signature transmits a distributed electronic signature to the representative node. However, in the second embodiment, it is assumed that the network is a multi-hop communication path having a tree structure. In addition, since the routing node is in charge of distributed electronic signature processing, the network traffic can be reduced.

  In the following description, the distributed electronic signature system 800 according to the first embodiment is compared with the distributed electronic signature system 801 according to the second embodiment, and particularly different points will be described in detail. Regarding other points, unless otherwise specified, the configuration is almost the same, and a detailed description thereof will be omitted.

  First, the distributed electronic signature system according to the first embodiment will be described with reference to FIG. FIG. 6 is an explanatory diagram showing an outline of a distributed electronic signature system according to the second embodiment.

  In the distributed electronic signature system 800 according to the first embodiment, the transmission of the distributed electronic signature from each node 11 to the representative node 14 may follow any route, but the second embodiment In the distributed electronic signature system 801 according to, distributed electronic signatures are transmitted in a multi-hop network having a tree structure, which is one form of multi-hop communication.

  As shown in FIG. 6, a distributed electronic signature system 801 according to the second embodiment is a system that performs distributed calculation of electronic signatures (or RSA signatures) as in the first embodiment. The node 11 described above and a representative node 14 for calculating a final electronic signature are provided.

The node 11 can exist in N units (N ≧ 1) in the distributed electronic signature system 801, and each node 11 (10-1, 10-2,..., As in the first embodiment). 10-N) of the node _{U 1,} node _{U 2,} ..., and represented by a node _{U N.}

Further, representative of the representative node 14 with node _{U 0.} As shown in FIG. 6, the tree-structured multi-hop network is a network in which each node of the tree-structure graph corresponds to each node 11 and its branch corresponds to a communication path. In the case of the second embodiment, the root of the tree corresponds to the representative node 14 and the other nodes 11 correspond to the respective nodes.

Further, when the node 11 or the representative node 14 has a parent-child relationship, it may be described as a parent node or a child node. For example, node U ₁ and node U ₂ in FIG. 6 are child nodes of node U ₄ , and conversely, node U ₄ is a parent node of node U ₁ and node U ₂ . It is assumed that each node 11 or representative node 14 grasps both a child node and a parent node of the node itself.

  Similarly to the first embodiment, the private key of the electronic signature is represented as d, and the public key is represented as e and n (ed = 1 (mod λ (n))).

Each node U ₁ , node U ₂ ,..., Node U _N and representative node U ₀ secretly distributes the original secret key d, distributed secret key d ₁ , distributed secret key d ₂ ,. _N and the distributed secret key d ₀ are distributed and held, and the relationship between these distributed secret keys d ₁ , d ₂ ,..., D _N and the original secret key d is as shown in Equation 6 above. To do.

(About node 11)
Next, with reference to FIG. 7, a distributed electronic signature that executes a calculation related to the distributed electronic signature provided in the node 11 (node U _i (i = 1, 2,..., N)) according to the second embodiment. The calculation unit 500 will be described. FIG. 7 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 100 included in the node 11 according to the second embodiment.

Further, the node 11 corresponding to the leaf of the tree structure graph has the same configuration as the distributed electronic signature calculation unit 100 (FIG. 2) in each node U _i (i = 1, 2,..., N) of the first embodiment. It may be the case. For example, as shown in FIG. 7, the distributed electronic signature calculation unit 500 included in the node 11-1, the node 11-2, and the node 11-3 is substantially the same as the distributed electronic signature calculation unit 100 shown in FIG. It may be.

  As shown in FIG. 7, the distributed electronic signature calculation unit 500 included in the node 11 includes at least a distributed secret key holding unit 501, a power residue calculation unit 502, a multiplication unit 503, a reception unit 504, and a transmission unit 505. Composed.

The distributed secret key holding unit 501 is a storage device that stores the distributed secret key d _i (i = 1, 2,..., N) of the node U _i .

Further, the power residue calculation unit 502 inputs the message m to be digitally signed and the distributed secret key d _i (i = 1, 2,..., N) stored in the distributed secret key holding unit 501, and The distributed electronic signature s ′ _{i shown} is calculated.

s ′ _i = h (m) ^di (mod n) (i = 1,..., N) (Expression 11)

The calculated distributed electronic signature s ′ _i is output to the multiplication unit 503. Note that, as in the first embodiment, the message m may be received via a communication path such as the Internet, or may be stored in advance in a storage device in the node 10. , It is assumed that each node U _i (i = 1, 2,..., N) and the representative node U ₀ can acquire the message m by a method agreed in advance by the distributed electronic signature system 801.

The multiplying unit 503 receives the distributed electronic signature s ′ _i calculated from the power-residue calculating unit 502 and also receives the distributed electronic signature s _j from the child node via the receiving unit 504 (where U _j is all of U _i ). And multiply them as shown in Equation 12 below. Note that the multiplication unit 503 does not perform the process of receiving the distributed electronic signature s _j from the reception unit 504 when the child node does not exist in the node 10 itself.

s _i = s ′ _i × Π s _j (mod n) (Formula 12)
Let U _{j be} all child nodes of U _i .

The distributed electronic signature s _i calculated by the multiplication unit 503 is output to the transmission unit 505.

The reception unit 504 receives the distributed electronic signature s _j (U _j is all child nodes of U _i ) from all the child nodes related to the node 10 itself, and outputs the received signature to the multiplication unit 503.

The transmitting unit 505 receives the distributed electronic signature s _i that is the calculation result from the multiplying unit 503 and transmits it to the parent node related to the node 10 itself. For example, as illustrated in FIG. 6, the transmission unit 505 included in the node 11-5 transmits the distributed electronic signature calculated by itself to the representative node 14 that is the parent node of the node 11-5 itself.

  Next, the distributed electronic signature calculation unit 600 that executes the calculation related to the distributed electronic signature provided in the representative node 14 according to the second embodiment will be described with reference to FIG. FIG. 8 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 600 provided in the representative node 14 according to the second embodiment.

  As shown in FIG. 8, the distributed electronic signature calculation unit 600 included in the representative node 14 includes at least a distributed secret key holding unit 601, a power residue calculation unit 602, a multiplication unit 603, and a reception unit 604.

The distributed secret key holding unit 601 is a storage device that stores the distributed secret key d ₀ of the representative node 103 (node U ₀ ). For example, the distributed secret key holding unit 201 can exemplify a memory such as an EEPROM or a RAM, but is not limited to such an example.

The power residue calculation unit 602 receives the message m to be digitally signed and the distributed secret key d ₀ stored in the distributed secret key holding unit 601, calculates the distributed electronic signature s ₀ shown in the above equation 8, and multiplies To 603.

The multiplication unit 603 receives the distributed electronic signature s ₀ that is the calculation result from the power-residue calculating unit 602, and further receives the distributed electronic signature s _j (U _j is U U from the child node of the representative node 103 itself received by the receiving unit 604) ₀ (all child nodes) are received, the multiplication shown in the following equation 13 is executed, and the resulting electronic signature s is output.

s = s ₀ × Π s _j (mod n) (Formula 13)
Let U _{j be} all child nodes of U ₀ .

The receiving unit 604 receives the distributed electronic signature s _j (U _j is all the child nodes of U ₀ ) from each of its own child nodes U _j and outputs it to the multiplying unit 603.

(About operation of distributed electronic signature)
Next, the operation of the node 11 that executes the calculation related to the distributed electronic signature according to the second embodiment will be described with reference to the flowchart of FIG. FIG. 9 is a flowchart showing an outline of the operation of the node 11 that executes the calculation related to the distributed electronic signature according to the second embodiment. However, the node 11 corresponding to the leaf of the tree structure graph is the same as the operation of the distributed electronic signature calculation unit 100 of the node 10 in the first embodiment (see FIG. 4). to change the place to send distributed digital signature s _i to the node U ₀ to be sent to the parent node of the node 11 itself.

As shown in FIG. 9, first, each node U _i having a child node distributes the message m to be signed using the distributed secret key d _i held by each node 11 as shown in the above equation 11. The electronic signature s ′ _i is calculated (step S701).

Note that the processing (S701) for generating the distributed electronic signature s ′ _i shown in FIG. 9 is an operation performed by the power residue calculation unit 502 shown in FIG.

In parallel with step S701, the distributed electronic signature s _j is received from all the child nodes U _j (U _j is all the child nodes of U _i ) (step S702). This processing is an operation by the receiving unit 504 shown in FIG.

  In the present embodiment, steps S701 and S702 are illustrated to be executed substantially simultaneously in parallel, but are not necessarily limited to simultaneous progress. For example, the present invention can be implemented even when step S702 is executed after step S701 ends, or when step S701 is executed after step S702 ends.

When step S701 and step S702 are completed, the distributed electronic signature s ′ _i obtained in step S701 and the distributed electronic signature s _j (U _j is U U from the child node received in step S702). All the child nodes of _i ) are multiplied to generate a distributed electronic signature s _i as shown in the above equation 12 and transmitted to the parent node (step S703).

Next, the operation of the representative node U ₀ that executes the distributed electronic signature of the second embodiment will be described with reference to FIG. FIG. 10 is a flowchart showing an outline of the operation of the representative node 14 that executes the calculation related to the distributed electronic signature according to the second embodiment.

As shown in FIG. 10, the representative node U _0, to the message m to be signed, the dispersion digital signature s ₀ using distributed secret key d ₀ of the representative node U ₀ itself held as shown in the equation 8 Generate (step S801).

Note that the process of generating the distributed electronic signature s ₀ using the distributed secret key d ₀ shown in FIG. 10 (S401) is performed by the remainder calculation unit 602 that should be included in the representative node 14 shown in FIG. It is.

In parallel with step S801, the distributed electronic signature s _j is received from all child nodes U _j (U _j is all child nodes of U ₀ ) (step S802).

The process of receiving the distributed electronic signature s _i from each node 11 (S801) is an operation by the receiving unit 604 shown in FIG.

  As shown in FIG. 10, steps S801 and S802 are illustrated to be executed substantially simultaneously in parallel, but are not necessarily limited to simultaneous progress. For example, the present invention can be implemented even when step S802 is executed after step S801 ends, or when step S801 is executed after step S802 ends.

When the above step S801 and the step S802 is completed, the dispersion digital signature _{s 0} obtained in step S801, the dispersion electronic signature received from the step S802 child nodes _s j _{(U j} All _{U 0} And a digital signature s is generated as shown in the above equation 13 (S803).

  The processing for generating the electronic signature s (S403) is an operation by the multiplication unit 603 shown in FIG.

Although the description of the distributed electronic signature system 801 according to the second embodiment has been completed, the distributed electronic signature system 801 has the following excellent effects.
(1) As in the first embodiment, each node 11 generates a distributed electronic signature by securely distributing and holding the secret key in each node 11, and the distributed electronic signature is sent to the representative node 14. By transmitting, it is possible to prevent a false digital signature from being created by an unauthorized person who is indispensable for security.
(2) Although the presence of an illegal node cannot be grasped, the communication volume between nodes 11 can be significantly reduced. In particular, in the second embodiment, it is assumed that the network is a multi-hop communication channel having a tree structure, and the routing node 11 performs a predetermined process in the form of the above-described expression 12 on the way to the parent node. By transmitting, it becomes possible to reduce the communication amount of the entire network.
(3) Further, as in the first embodiment, while maintaining the relationship between the distributed secret key d _i (i = 1, 2,..., N) and the original secret key d (Equation 6), for example, As shown in Equation 10, while maintaining the relationship between the distributed secret key d _i (i = 1, 2,..., N) and the original secret key d, for example, the node U _i (i = 1, 2,..., N), if the value (or bit length) of the distributed secret key d _i is smaller than the distributed secret key d ₀ of the node U ₀ , the distributed electrons can be distributed even in the node 10 having a low computing capacity. The signature can be generated quickly and accurately.
(4) Since each node holds the secret key d in a distributed manner, even if a small number of nodes are decomposed and analyzed and the secret key (distributed secret key) held is stolen, It is impossible to generate a correct signature.

(About the third embodiment)
In the third embodiment, a function for updating the distributed secret key of each node is added to the first embodiment. In the following description, the distributed electronic signature system 800 according to the first embodiment is compared with the distributed electronic signature system 802 according to the third embodiment, and particularly different points will be described in detail. Regarding other points, unless otherwise specified, the configuration is almost the same, and a detailed description thereof will be omitted.

  First, similarly to the first embodiment and the second embodiment, the system of the third embodiment that performs distributed calculation of RSA signatures that are electronic signatures has one or more nodes and a final signature. It consists of a device called a representative node to calculate.

Assume that there are N nodes (N ≧ 1), and that each node 10 is represented by U ₁ , U ₂ ,..., U _N. Further, representative of the representative node 13 at _{U 0.} As in the first and second embodiments, the RSA signature private key that is an electronic signature is represented as d, and the public key is represented as e, n (ed = 1 (mod λ (n))). To.

Each of the node U ₁ , the node U ₂ ,..., The node U _N , and the representative node U ₀ is a distributed secret key d ₁ , a distributed secret key d ₂ ,. d _N and the distributed secret key d ₀ are held, and the relationship between the distributed secret key d ₁ , the distributed secret key d ₂ ,..., the distributed secret key d _N and the original secret key d is given by Shall be shown.

Here, briefly explained distributed digital signature as in the first embodiment, the execution when a message to be signed is m, the node U _1, U 2, _..., the U _N is calculated as shown in Equation 7 below The distributed electronic signature s _i (i = 1,..., N) obtained by doing so is transmitted to the representative node U ₀ .

s _i = h (m) ^di (mod n) (i = 1,..., N) (Expression 7)
First, the representative node U ₀ executes the calculation shown in the following equation 8 to obtain the distributed electronic signature s ₀ of itself (representative node U ₀ ).

s ₀ = h (m) ^d0 (mod n) (Formula 8)
When the distributed electronic signature s ₀ is obtained, the representative node U ₀ further multiplies the distributed electronic signature s ₁ , distributed electronic signature s ₂ ,..., Distributed electronic signature s _N received from the node 10, and further represents the representative node U _0. By multiplying the distributed electronic signature s ₀ generated by itself as shown in Expression 9, the representative node U ₀ can obtain the final electronic signature s.

s = s ₀ s ₁ s ₂ ... s _N (mod n) (Expression 9)

Here, in the third embodiment, the distributed electronic signature calculation as described above is performed, and at the same time, the distributed secret key d _i (i = 1,..., N) held by each node 10 and the representative node The distributed secret key d ₀ held by 13 is updated.

  The reason for updating the distributed secret key held by the node 10 and the representative node 13 is that, in the case of the same distributed secret key for a predetermined time, there is an increased risk that the distributed secret key will be detected by a malicious node.

The amount of change between the distributed secret key d _i (i = 1,..., N) of each node 10 and the updated distributed secret key d ′ _i (i = 1,..., N) is expressed as the distributed secret key Δd _i. When expressed as (i = 1,..., N), the distributed secret key d ₀ possessed by the representative node 13 is updated to a distributed secret key d ′ ₀ as shown in the following equations 14 and 15.

d ′ ₀ = d ₀ − (Δd ₁ + Δd ₂ +... + Δd _N ) (Expression 14)
d ′ _i = d _i + Δd _i (i = 1,..., N) (Equation 15)

Next, a distributed electronic signature calculation unit 900 that performs distributed electronic signature calculation in the node U _i (i = 1, 2,..., N) according to the third embodiment will be described with reference to FIG. FIG. 11 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 900 included in the node 10 according to the third embodiment.

  A distributed electronic signature calculation unit 900 shown in FIG. 11 has a configuration in which a distributed secret key update unit 904 and a random number generation unit 905 are added to the distributed electronic signature calculation unit 100 shown in FIG. The electronic signature calculation unit 900 includes a distributed secret key holding unit 901, a power residue calculation unit 102, a transmission unit 903, a distributed secret key update unit 904, and a random number generation unit 905.

The distributed secret key holding unit 901 is similar to the distributed secret key holding unit 101 of the distributed electronic signature calculation unit 100 shown in FIG. 2, and the distributed secret key d _i (i = 1, 2,..., N) of the node U _i. However, it receives the updated distributed secret key d ′ _i output from the distributed secret key update unit 904 and replaces it with the pre-update distributed secret key d _i .

Incidentally, the distributed secret key d _'i is replaced by the distributed secret key d _i, but distributed secret key d _i that has been replaced, for example, in addition to being discarded, heavily encrypted by another private key It can be implemented even when stored.

  The power residue calculation unit 102 is the same as the power residue calculation unit 102 of the distributed electronic signature calculation unit 100 shown in FIG.

Similar to the transmission unit 103 of the distributed electronic signature calculation unit 100 shown in FIG. 2, the transmission unit 903 receives the distributed electronic signature s _i that is a calculation result by the power-residue calculation unit 102 and transmits it to the representative node U ₀ . To do. Further, the transmission unit 903 receives the distributed secret key Δd _i which is the amount of change between the distributed secret key d _i and the distributed secret key d ′ _i output from the random number generation unit 905 and transmits it to the representative node U ₀ as well. To do. In the present embodiment, the generated random number is described as the distributed secret key Δd, but the random number and the distributed secret key Δd are almost synonymous.

The distributed secret key update unit 904 receives the distributed secret key Δd _i from the random number generation unit 905, updates the distributed secret key d _i as shown in the above equation 15, and updates the updated distributed secret key d ′ _i. Is output to the distributed secret key holding unit 901.

The random number generation unit 905 generates a random number, and outputs the generated random number as a distributed secret key Δd _i to the distributed secret key update unit 904 and the transmission unit 903, respectively. Note that the random number generated by the random number generation unit 905 can be implemented by any method as long as the random number is generated as long as it is not easily guessed.

Next, the distributed electronic signature calculation unit 1000 that executes the distributed electronic signature calculation provided in the representative node U _{0 according} to the third embodiment will be described with reference to FIG. FIG. 12 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 1000 provided in the representative node 13 according to the third embodiment.

  As shown in FIG. 12, the distributed electronic signature calculation unit 1000 has a configuration in which a distributed secret key update unit 1005 is further added to the distributed electronic signature calculation unit 200 shown in FIG. Includes a distributed secret key holding unit 1001, a power residue calculation unit 202, a multiplication unit 203, a receiving unit 1004, and a distributed electronic signature update unit 1005.

The distributed secret key holding unit 1001 is a storage device that holds the distributed secret key d ₀ of the representative node U ₀ , similarly to the distributed secret key holding unit 201 of the distributed electronic signature calculation unit 200 shown in FIG. The distributed secret key d ′ ₀ output from the secret key update unit 1005 is received and replaced with the already-distributed distributed secret key d ₀ .

  The power residue calculation unit 202 and multiplication unit 203 are the same as the power residue calculation unit 202 and multiplication unit 203 of the distributed electronic signature calculation unit 200 shown in FIG.

The receiving unit 1004 receives the distributed electronic signature s _i and the distributed secret key Δd _i (i = 1, 2,..., N) indicating the amount of change before and after the update of the distributed secret key from each node U _i . The distributed electronic signature s _i is output to the multiplication unit 203, and the distributed secret key Δd _i is output to the distributed secret key update unit 1005.

The distributed secret key updating unit 1005 receives the distributed secret key Δd _i from the receiving unit 1004, updates the distributed secret key d ₀ as shown in the above equation 14, and uses the updated distributed secret key d ′ ₀ as the distributed secret. The data is output to the key holding unit 1001.

(About distributed secret key update operation)
Next, the operation of each node U _i (i = 1, 2,..., N) that updates the distributed secret key according to the third embodiment will be described with reference to FIG. FIG. 13 is a flowchart showing an outline of the operation of the node 10 for updating the distributed secret key according to the third embodiment.

As shown in FIG. 13, each node _U i first (i = 1,2, ..., N ) , to the signature want message m, distributed electronic signature using the distributed secret key _{d i} to each holds _{s i} Is generated as shown in Equation 7 above (S1101).

Note that the processing (S1101) for generating the distributed electronic signature s _i shown in FIG. 13 is an operation performed by the power residue calculation unit 102 shown in FIG. In parallel therewith, a distributed secret key Δd _i is obtained by generating a random number (S1102).

Note that the process of obtaining the distributed secret key Δd _i shown in FIG. 13 (S1102) is an operation by the random number generation unit 905.

  Moreover, although step S1101 and step S1102 are illustrated so as to be substantially parallel as shown in FIG. 13, the present invention is not necessarily limited to the case of simultaneous progress. Alternatively, the present invention can be implemented even when step S1101 is executed after step S1102.

When step S1101 and step S1102 are completed, the distributed electronic signature s _i and the distributed secret key Δd _i generated in step S1101 are transmitted to the representative node U ₀ (step S1103).

In parallel with step S1103, the distributed secret key d _i held by itself (node 10) is updated using the distributed secret key Δd _i as shown in Equation 15 (S1104).

The process of updating the distributed secret key d _i using the distributed secret key Δd _i shown in FIG. 13 (S1104) is an operation by the distributed secret key update unit 904 shown in FIG.

  In addition, although step S1103 and step S1104 shown in FIG. 13 are illustrated so as to be substantially parallel in parallel, they are not necessarily limited to simultaneous progress. For example, the present invention can be implemented even when step S1104 is executed after step S1103 ends, or when step S1103 is executed after step S1104 ends.

Next, the operation of the representative node U ₀ for updating the distributed secret key according to the third embodiment will be described with reference to FIG. FIG. 14 is a flowchart showing an outline of the operation of the representative node 13 for updating the distributed secret key according to the third embodiment.

As shown in FIG. 14, first, the representative node U ₀ uses the distributed secret key d ₀ held by the representative node 13 for the message m to be signed, and sets the distributed electronic signature s ₀ to the above equation 8. It is generated as shown (S1201).

The processing of generating a distributed digital signature _{s 0} shown in FIG. 14 (S1201) is an operation by modular exponentiation computation unit 202 shown in FIG. 12.

In parallel with step S1201, the distributed electronic signature s _i and the distributed secret key Δd _i are received from each node U _i (i = 1, 2,..., N) (S1202).

Note that the process (S1202) for receiving the distributed electronic signature and the distributed secret key Δd _i shown in FIG. 14 is an operation by the receiving unit 1004 shown in FIG.

  Further, although step S1201 and step S1202 are illustrated so as to proceed substantially simultaneously, the present invention is not necessarily limited to the case of simultaneous progression. For example, after step S1201 is completed, step S1202 is executed next, or Even if step S1201 is executed next after the completion of step S1202, this can be implemented.

Step S1201, and, after completion of step S1202, the next and distributed digital signature _{s 0} obtained in step S1201, distributed digital signature received in step _{S1202 s i (i = 1,2,} ..., N) and multiplied by In addition, an electronic signature s is generated as shown in Equation 9 (S1203).

  The processing for generating the electronic signature s (S1203) is an operation by the multiplication unit 203 shown in FIG.

In parallel with step S1203, the distributed secret key _{d 0,} distributed secret key received _{Δd i (i = 1,2, ...} , N) is updated as shown in Equation 14 by using (S1204).

  The process of updating the distributed secret key (S1204) is an operation by the distributed secret key update unit 1005 shown in FIG.

  Steps S1203 and S1204 are illustrated as proceeding substantially simultaneously, but are not necessarily limited to the case where they proceed simultaneously. For example, after step S1203, step S1204 is executed next, or step S1204 is performed. Even if step S1203 is executed next after the completion of S1204, it can be implemented.

Note that the update of the distributed secret key performed in the distributed electronic signature system 802 according to the third exemplary embodiment requires each of the distributed secret keys Δd _i (i = 1,..., N) to be obtained by each node 10. Although the case where the representative node 13 updates the distributed secret key d ′ ₀ by being transmitted to the representative node 13 has been described as an example, the present invention is not limited to this example. For example, by first generating a random number by the representative node 13, the representative node 13 generates the distributed secret key [Delta] d _0, the distributed secret key d ₀ on the basis of the distributed secret key [Delta] d ₀ to distributed secret key d _'0 Update. Further, the representative node 13 transmits the distributed secret key Δd ₀ to each node 10, so that each node 10 has its own distributed secret key Δd _i (i = 1) based on the distributed secret key Δd _0. ,..., N), and each node 10 can update the distributed secret key d _i (i = 1,..., N) to the key d ′ _i (i = 1,..., N). In order for each node 10 to obtain its own distributed secret key Δd _i (i = 1,..., N) based on the distributed secret key Δd ₀ , for example, each node 10 has its own distributed secret key Δd _i. Although (i = 1,..., N) is determined in advance, it can be implemented, but is not limited to such an example.

Although the description of the distributed electronic signature system 802 according to the third embodiment has been completed, the distributed electronic signature system 802 has the following excellent effects.
(1) The distributed secret key held by each node 10 or representative node 13 can be easily updated. With this update, the security level can be significantly improved over the long-term generation of a distributed digital signature with the same distributed secret key, and the risk of the distributed secret key being leaked or detected through external attacks is reduced. Can be made.

(About the fourth embodiment)
In the fourth embodiment, the distributed secret key of each node 11 or representative node 14 is updated in the second embodiment. In the following description, the distributed electronic signature system 801 according to the second embodiment is compared with the distributed electronic signature system 803 according to the fourth embodiment, and particularly different points will be described in detail. Regarding other points, unless otherwise specified, the configuration is almost the same, and a detailed description thereof will be omitted.

  Similar to the second embodiment, a tree-structured multi-hop network is used in the fourth embodiment.

  As in the second embodiment, the distributed electronic signature system 803 that calculates electronic signatures (or RSA signatures) in a distributed manner includes one or more nodes 11 and a representative node 14 that calculates a final signature. And.

Node 11 is set to N number is (N ≧ 1), representing each node _{U 1,} node _{U 2,} ..., the node _{U N.} Further, representative of the representative node with _{U 0.}

  As shown in FIG. 6, the tree-structured multi-hop network is a network in which each node of the tree-structure graph corresponds to each node and its branch corresponds to a communication path. The root of the tree corresponds to the representative node, and the other nodes correspond to each section.

  Similarly to the second embodiment, the private key of the electronic signature (or RSA signature) is represented as d, the public key is represented as e, and n (ed = 1 (mod λ (n))).

Each of the nodes U ₁ , U ₂ ,..., The node U _N , and the representative node U ₀ has a distributed secret key d ₁ , a distributed secret key d ₂ ,. The secret key d _N and the distributed secret key d ₀ are held, and the relationship between the distributed secret key d ₁ , the distributed secret key d ₂ ,..., The distributed secret key d _N and the original secret key d is It is represented by the above formula 6.

Furthermore, in the fourth embodiment, the distributed electronic signature calculation as in the second embodiment is performed, and at the same time, the distributed secret key d _i (i = 1,..., N) held by each node 11 and the representative node performs the update of the distributed secret key d ₀ to be held.

The amount of change of the updated distributed secret key d ′ _i (i = 1,..., N) from the distributed secret key d _i (i = 1,..., N) held by each node 11 is expressed as Δd ′ _i (i = 1). ,..., N), the distributed secret key d ₀ held by the representative node is updated to a distributed secret key d ′ ₀ as shown in the following equation 16.

d ′ ₀ = d ₀ −Σ Δd _j (Expression 16)
U _j is all child nodes of U ₀ d ′ _i = d _i + Δd ′ _i (i = 1,..., N) (Expression 17)
Δd _i = Δd ′ _i + ΣΔd _j (i = 1,..., N) (Expression 18)
U _j is all child nodes of U _i

Next, a distributed electronic signature calculation unit 1300 that performs distributed electronic signature calculation included in a node U _i (i = 1, 2,..., N) according to the fourth embodiment will be described with reference to FIG. FIG. 15 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 1300 provided in the node 11 according to the fourth embodiment. However, the node corresponding to the leaf of the tree-structured graph can be implemented with the same configuration as the distributed electronic signature calculation unit 900 (see FIG. 11) included in the node 10 according to the third embodiment.

  The distributed electronic signature calculation unit 1300 is configured such that a distributed secret key update unit 1306, a random number generation unit 1307, and an addition unit 1308 are added to the distributed electronic signature calculation unit 500 shown in FIG. The distributed electronic signature calculation unit 1300 includes a distributed secret key holding unit 1301, a power residue calculation unit 502, a multiplication unit 503, a reception unit 1304, a transmission unit 1305, a distributed secret key update unit 1306, a random number generation unit 1307, and an addition unit 1308. At least.

The distributed secret key holding unit 1301 is a storage device that holds the distributed secret key d _i (i = 1, 2,..., N) of the node U _i , but the distributed secret output from the distributed secret key update unit 1306. It also receives the key d ′ _i and replaces it with the already held distributed secret key d _i .

  The power residue calculation unit 502 is the same as the power residue calculation unit 502 of the distributed electronic signature calculation unit 500 shown in FIG.

The power-residue calculating unit 502 inputs the message m to be signed and the distributed secret key d _i (i = 1, 2,..., N) in the distributed secret key holding unit 501, and the distributed electronic signature s ′ shown in the above equation 11 _i is calculated.

The calculated distributed electronic signature s ′ _i is output to the multiplication unit 503. As in the first to third embodiments, the message m may be received through a communication path or may be stored in advance in a storage device in the node, but distributed in advance. It is assumed that each node U _i (i = 1, 2,..., N) and the representative node U ₀ can acquire the message m by a method agreed by the electronic signature system.

The multiplication unit 503 receives the distributed electronic signature s ′ _i calculated from the power-residue calculating unit 502, and also receives the distributed electronic signature s _j (U _j is U _i) received from the child node from the receiving unit 1304. All child nodes) and multiply them as shown in Equation 12 above. The calculated distributed electronic signature s _i is output to the transmission unit 1305.

The receiving unit 1304 receives the distributed electronic signature s _j and the distributed secret key Δd _j (U _j is all the child nodes of U _i ) from all the child nodes of the node 11 itself. In step 503, the distributed secret key Δd _j is output to the adding unit 1308.

The transmission unit 1305 receives the distributed electronic signature s _i which is the calculation result by the multiplication unit 503 and the distributed secret key Δd _i which is the calculation result by the addition unit 1308 and transmits it to the parent node.

The distributed secret key update unit 1306 receives the distributed secret key Δd ′ _i output from the random number generation unit 1307 and obtained from the random number, updates the distributed secret key d _i as shown in the equation 17, and is updated. The distributed secret key d ′ _i is output to the distributed secret key holding unit 1301.

The random number generation unit 1307 determines the generated random number as the distributed secret key Δd ′ _i that is the amount of change of the distributed secret key, and outputs it to the distributed secret key update unit 1306 and the addition unit 1308.

The adding unit 1308 receives the distributed secret key Δd _j (U _j is all child nodes of U _i ) from the receiving unit 1304 and the distributed secret key Δd ′ _i from the random number generating unit 1307, and adds them as shown in Equation 18 above. The distributed secret key Δd _i which is the calculation result is output to the transmission unit 1305.

Next, a distributed electronic signature calculation unit 1400 that executes the distributed electronic signature calculation provided in the representative node U _{0 according} to the fourth embodiment will be described with reference to FIG. FIG. 16 is a block diagram illustrating a schematic configuration of the distributed electronic signature calculation unit 1400 provided in the representative node according to the fourth embodiment.

  As shown in FIG. 16, the distributed electronic signature calculation unit 1400 has a configuration in which a distributed secret key update unit 1405 is further added to the distributed electronic signature calculation unit 600 shown in FIG. The unit 1400 includes a distributed secret key holding unit 1401, a power residue calculation unit 602, a multiplication unit 603, a receiving unit 1404, and a distributed secret key update unit 1405.

The distributed secret key holding unit 1401 is a storage device that holds the distributed secret key d ₀ of the representative node U ₀ , similarly to the distributed secret key holding unit 601 of the distributed electronic signature calculation unit 600 shown in FIG. An operation of receiving the distributed secret key d ′ ₀ output from the secret key update unit 1405 and replacing it with the already stored distributed secret key d ₀ is also executed.

  The power residue calculation unit 602 and the multiplication unit 603 are substantially the same as the power residue calculation unit 602 and the multiplication unit 603 of the distributed electronic signature calculation unit 600 shown in FIG. To do.

The receiving unit 1404, each child node U and distributed digital signature s _j from _j, distributed secret key [Delta] d j _{(U j} dispersing a variation of a secret key defined by the generated random number to all child nodes of U ₀ ) And the distributed electronic signature s _j is output to the multiplication unit 603 and the distributed secret key Δd _j is output to the distributed secret key update unit 1405.

The distributed secret key update unit 1005 receives the distributed secret key Δd _j from the receiving unit 1004, updates the distributed secret key d ₀ as expressed by the above equation 16, and obtains the updated distributed secret key d ′ ₀ . Output to the distributed secret key holding unit 1401.

(About distributed secret key update operation)
Next, the operation of each node U _i (i = 1, 2,..., N) that updates the distributed secret key according to the fourth embodiment will be described with reference to FIG. FIG. 17 is a flowchart showing an outline of the operation of the node 10 for updating the distributed secret key according to the fourth embodiment. However, the node corresponding to the leaf of the tree-structured graph is the same as the operation of the distributed electronic signature calculation unit 900 of the node of the third embodiment (FIG. 13), but in step S1103, the representative node U ₀ To send the distributed electronic signature s _i to the parent node.

As shown in FIG. 17, each node U _i having a child node first distributes the message m to be signed using the distributed secret key d _i held by its own node 11 as shown in the above equation 11. The electronic signature s ′ _i is calculated (S1501).

The process of calculating the distributed electronic signature s ′ _i (S1501) is an operation performed by the modular exponentiation calculation unit 502 shown in FIG.

In parallel with step S1501, a distributed secret key Δd ′ _i indicating the amount of change when the distributed secret key is updated is generated (S1502).

The process of generating the distributed secret key Δd ′ _i (S1502) is an operation performed by the random number generation unit 1307 shown in FIG.

In parallel with steps S1501 and S1502, the distributed electronic signature s _j and the distributed secret key Δd _j are received from all child nodes U _j (U _j is all child nodes of U _i ) ( S1503).

The process of receiving the distributed electronic signature s _j and the distributed secret key Δd _j (S1503) is an operation by the receiving unit 1304 shown in FIG.

  Step S1501, step S1502, and step S1503 are depicted as proceeding substantially simultaneously as shown in FIG. 17, but are not necessarily limited to simultaneous progress. For example, after step S1501 is finished, The present invention can also be implemented when step S1502 and step S1503 are executed, or when step S1501 and step S1503 are executed next after the completion of step S1502.

Next, after the completion of step S1501, step S1502, and step S1503, the distributed secret key d _i to be held is updated as shown in Equation 17 using the distributed secret key Δd ′ _i obtained in step S1502. (S1504).

The process of updating using the distributed secret key Δd ′ _i as shown in Equation 17 (S1504) is an operation by the distributed secret key update unit 1306 shown in FIG.

In parallel with step S1504, the distributed secret key Δd ′ _i obtained in step S1502 and the distributed secret key Δd _j from the child node received in step S1503 (U _j is all child nodes of U _i). ) To generate a distributed secret key Δd _i as shown in Equation 18 above (S1505).

The process of generating the distributed secret key Δd _i (S1505) is an operation by the adding unit 1308 shown in FIG.

In parallel with the above steps S1504 and S1505, the distributed electronic signature s ′ _i obtained in step S1501 and the distributed electronic signature s _j received from the child node in step S1503 (U _j is all of U _i ). The distributed electronic signature s _i is generated as shown in the above equation 12 (S1506).

  This is the operation of the multiplication unit 503 shown in FIG. Although step S1504, step S1505, and step S1506 are drawn so as to proceed substantially simultaneously, they may not necessarily proceed simultaneously. For example, after step S1504 is completed, next, step S1505 and step S1506 are executed. Alternatively, the present invention can be performed even when step S1504 and step S1506 are executed next after the completion of step S1505.

Next, after the completion of step S1504, step S1505, and step S1506, the distributed secret key Δd _i obtained in step S1505 and the distributed electronic signature s _i obtained in step S1506 are transmitted to the parent node (S1507). .

Next, the operation of the representative node U ₀ that executes the distributed electronic signature according to the fourth embodiment will be described with reference to FIG. FIG. 18 is a flowchart showing an outline of the operation of the representative node 14 for updating the distributed secret key according to the fourth embodiment.

As shown in FIG. 18, the representative node U ₀ generates a distributed electronic signature s ₀ for the message m to be signed using the distributed secret key d ₀ held by the representative node U ₀ as shown in the above equation 8 (S1601). ).

The processing of generating a distributed digital signature _{s 0} with the distributed secret key _{d 0} (S1601) is an operation by modular exponentiation computation unit 602 shown in FIG. 16.

Further, in parallel with step S1601, the distributed electronic signature s _j from all the child nodes U _j (U _j is all the child nodes of U ₀ ) and the amount of change of the distributed secret key from all the child nodes. The distributed secret key Δd _j is received (step S1602).

  This is an operation by the receiving unit 1404 in FIG. Although step S1601 and step S1602 are illustrated as proceeding substantially simultaneously, they may not necessarily proceed simultaneously. For example, when step S1602 is executed next after step S1601 is completed, This can be implemented even when step S1601 is executed next after the completion.

Then, after completion of step S1601 and step S1602, the distributed digital signature _{s 0} obtained in step S1601, distributed electronic signature received from the step S1602 child node _s j _{(U j} all child nodes of _{U 0)} And an electronic signature s is generated as shown in Equation 13 (S1603). This is the operation of the multiplication unit 603 shown in FIG.

In parallel with step S1603, the distributed secret key _{d 0,} the received distributed secret key Δd _{j (U j} all child nodes of _{U 0)} is updated as shown in Equation 16 by using (S1604) . This is the operation of the distributed secret key update unit 1405 shown in FIG.

  Note that steps S1603 and S1604 are illustrated as proceeding substantially simultaneously, but the present invention is not necessarily limited to simultaneous progress. For example, when step S1604 is executed next after the end of step S1603, or The present invention can also be performed when step S1603 is executed next after step S1604 is completed.

Although the description of the distributed electronic signature system 803 according to the fourth embodiment has been completed, the distributed electronic signature system 803 has the following excellent effects.
(1) In the fourth embodiment, the same effect as in the second embodiment can be obtained, but the distributed secret key possessed by each node can be easily updated. Therefore, rather than continuing to sign with the same distributed secret key for a long time, it is possible to reduce the risk of the secret key being guessed and leaked.

  In the first to fourth embodiments, the representative node finally calculates the electronic signature s. However, as shown in FIGS. 19 to 22, whether or not the electronic signature is correct is calculated. A configuration of a representative node further including a signature verification unit 1706 is also conceivable (the distributed electronic signature calculation unit 1700 to the distributed electronic signature calculation unit 2000 shown in FIGS. 19 to 22).

  When the distributed electronic signature calculation unit 1700 to the distributed electronic signature calculation unit 2000 includes the signature verification unit 1706, if there is a node that cannot execute the distributed electronic signature due to a failure or theft of the node, Can be detected (however, it is not possible to specify which node it is).

  The signature verification unit 1706 receives the calculated electronic signature s, the electronic signature public key e, and the electronically signed message m, performs a calculation as shown in the following equation 19, and performs one-way operation on the calculated message m ′ and the message m. When h (m) subjected to the sex hash function is compared and determined to be equal, a verification result indicating that the electronic signature is correctly calculated is output.

m ′ = s ^e (mod n) (Equation 19)

  On the other hand, if the signature verification unit 1706 determines that the calculated values of the messages m ′ and h (m) are different, the signature verification unit 1706 outputs a verification result indicating that the electronic signature is not correctly calculated.

  The series of processes described above can be performed by hardware including a dedicated circuit element or the like, or can be performed by software. When a series of processing is performed by software, a program constituting the software is installed in an information processing apparatus such as a general-purpose computer or microcomputer, and the information processing apparatus is connected to the node 10 (or node 11) / representative node. 13 (or representative node 14).

  The program can be recorded in advance on a hard disk, EEPROM, ROM, or the like as a recording medium built in the computer.

  Alternatively, the program is not limited to a hard disk drive, but is a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), a MO (Magneto Optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, and a semiconductor memory. Can be stored (recorded) temporarily or permanently.

  The program is installed on the computer from the removable recording medium as described above, and is transferred from the download site to the computer wirelessly via a digital satellite broadcasting artificial satellite, or a LAN (Local Area Network) or the Internet. Such a program can be transferred to a computer via a network, and the computer can receive the program transferred in this way and install it on a built-in hard disk or the like.

  Here, in this specification, the processing steps for describing a program for causing a computer to perform various processes do not necessarily have to be processed in time series in the order described in the flowchart, but in parallel or individually. This includes processing to be executed (for example, parallel processing or processing by an object).

  The program may be processed by one computer, or may be distributedly processed by a plurality of computers.

  In the present embodiment, calculation is performed in a distributed manner by omitting the function that can generate an electronic signature even when there is a fraudulent device (node) and the function that identifies the fraudulent device (node). It is not always necessary for all nodes to communicate with each other, and each node can hold a distributed secret key of an appropriate size so that distributed calculation can be performed according to the performance of the node.

  As mentioned above, although preferred embodiment of this invention was described referring an accompanying drawing, this invention is not limited to this example. It is obvious for a person skilled in the art that various changes or modifications can be envisaged within the scope of the technical idea described in the claims, and these are naturally within the technical scope of the present invention. It is understood that it belongs.

It is explanatory drawing which shows the outline of the distributed electronic signature system which concerns on 1st Embodiment. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the node concerning 1st Embodiment is equipped. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the representative node concerning 1st Embodiment is equipped. It is a flowchart which shows the outline of operation | movement of the node which performs the calculation regarding the distributed electronic signature concerning 1st Embodiment. It is a flowchart which shows the outline | summary of operation | movement of the representative node which performs the calculation regarding the distributed electronic signature concerning 1st Embodiment. It is explanatory drawing which shows the outline of the distributed electronic signature system which concerns on 2nd Embodiment. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the node concerning 2nd Embodiment is equipped. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the representative node concerning 2nd Embodiment is equipped. It is a flowchart which shows the outline | summary of operation | movement of the node which performs the calculation regarding the distributed electronic signature concerning 2nd Embodiment. It is a flowchart which shows the outline of operation | movement of the representative node which performs the calculation regarding the distributed electronic signature concerning 2nd Embodiment. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the node concerning 3rd Embodiment is equipped. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the representative node concerning 3rd Embodiment is equipped. It is a flowchart which shows the outline | summary of operation | movement of the node which updates the distributed secret key concerning 3rd Embodiment. It is a flowchart which shows the outline of operation | movement of the representative node which updates the distributed secret key concerning 3rd Embodiment. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the node concerning 4th Embodiment is equipped. It is a block diagram which shows the schematic structure of the distributed electronic signature calculation part with which the representative node concerning 4th Embodiment is equipped. It is a flowchart which shows the outline of operation | movement of the node which updates the distributed secret key concerning 4th Embodiment. It is a flowchart which shows the outline of operation | movement of the representative node which updates the distributed secret key concerning 4th Embodiment. It is a block diagram which shows the schematic structure of the representative node concerning 1st Embodiment. It is a block diagram which shows the schematic structure of the representative node concerning 2nd Embodiment. It is a block diagram which shows the schematic structure of the representative node concerning 3rd Embodiment. It is a block diagram which shows the schematic structure of the representative node concerning 4th Embodiment.

Explanation of symbols

10, 11 Node 13, 14 Representative node 100 Distributed electronic signature calculation unit 101 Distributed secret key holding unit 102 Power residue calculation unit 103 Transmission unit

Claims (12)

In a distributed electronic signature system comprising one or more distributed electronic signature calculation devices and a representative distributed electronic signature calculation device that calculates an electronic signature based on the result of distributed processing in each of the distributed electronic signature calculation devices:
The distributed electronic signature calculation apparatus includes a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which a plurality of electronic signature keys for calculating the electronic signature are secretly distributed;
Based on the message targeted for the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit, the remainder to calculate the distributed electronic signature used as all or part of the electronic signature With the calculation part;
A transmission unit for transmitting the distributed electronic signature to the representative distributed electronic signature calculation device,
The representative distributed electronic signature calculation apparatus includes a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which a plurality of electronic signature keys for calculating the electronic signature are secretly distributed;
Based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit, the modular multiplication unit to calculate the distributed electronic signature used as a part of the electronic signature When;
A receiving unit that receives a distributed electronic signature calculated by each of the one or more distributed electronic signature calculation devices;
A multiplication unit that calculates an electronic signature for the message by multiplying the distributed electronic signature calculated by the representative distributed electronic signature calculation device and the distributed electronic signature calculated by the one or more distributed electronic signature calculation devices; A distributed electronic signature calculation apparatus comprising: A distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
Based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit, a distributed electronic signature used as a whole or a part for calculating the electronic signature is calculated. A modular multiplication section to be performed;
A transmission unit for transmitting the distributed electronic signature to an external device;
A distributed electronic signature calculation apparatus comprising: A distributed electronic signature key holding unit that holds any one of distributed electronic signature keys in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
A power to calculate a first distributed electronic signature used as a part of the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A remainder calculation unit;
A receiving unit for receiving a second distributed electronic signature calculated by each of the one or more external devices;
A multiplication unit that calculates an electronic signature for the message by multiplying the first distributed electronic signature and the one or more second distributed electronic signatures;
A distributed electronic signature calculation apparatus comprising: 4. The distributed electronic signature calculation apparatus according to claim 3, further comprising a signature verification unit that verifies the electronic signature calculated by the multiplication unit. In a distributed electronic signature system comprising one or more distributed electronic signature calculation devices and a representative distributed electronic signature calculation device that calculates an electronic signature based on the result of distributed processing in each of the distributed electronic signature calculation devices:
A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
First distributed electrons used in whole or in part to calculate the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A receiving unit for receiving a second distributed electronic signature calculated by one or more external devices;
A multiplier for calculating a third distributed electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature received by the receiving unit;
A transmission unit for transmitting the third distributed electronic signature,
The representative distributed electronic signature calculation apparatus includes: a distributed electronic signature key holding unit that holds any one of distributed electronic signature keys obtained by secretly distributing a plurality of electronic signature keys for calculating an electronic signature;
A power to calculate a first distributed electronic signature used as a part of the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A remainder calculation unit;
A receiving unit for receiving a second distributed electronic signature calculated by each of the one or more external devices;
A multiplication unit that calculates an electronic signature for the message by multiplying the first distributed electronic signature and the one or more second distributed electronic signatures;
The distributed electronic signature calculation system, wherein the distributed electronic signature calculation apparatus and the representative distributed electronic signature calculation apparatus constitute a tree-type multi-hop network. A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
First distributed electrons used in whole or in part to calculate the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A receiving unit for receiving a second distributed electronic signature calculated by one or more external devices;
A multiplier for calculating a third distributed electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature received by the receiving unit;
A distributed electronic signature calculation apparatus comprising: a transmission unit that transmits the third distributed electronic signature. A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
Based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit, a distributed electronic signature used as a whole or a part for calculating the electronic signature is calculated. A modular multiplication section to be performed;
A random number generator for generating random numbers;
A distributed electronic signature key update unit that calculates a distributed electronic signature key using the random number, and updates the calculated distributed electronic signature key;
A distributed electronic signature calculation apparatus, comprising: a transmission unit that transmits the distributed electronic signature and / or the random number. A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
First distributed electrons used as a whole or a part for calculating the electronic signature based on the message to be subjected to the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A receiving unit for receiving a second distributed electronic signature calculated by one or more external devices and / or a random number generated by one or more external devices;
A multiplying unit that calculates an electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature obtained from the receiving unit;
A distributed electronic signature calculation apparatus comprising: a distributed electronic signature key update unit that calculates a distributed electronic signature key using a random number obtained from the receiving unit and updates the calculated distributed electronic signature key. . The distributed electronic signature calculation apparatus according to claim 8, further comprising a signature verification unit that verifies the electronic signature calculated by the multiplication unit. In a distributed electronic signature system comprising one or more distributed electronic signature calculation devices and a representative distributed electronic signature calculation device that calculates an electronic signature based on the result of distributed processing in each of the distributed electronic signature calculation devices:
A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
Based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit, a distributed electronic signature used as a whole or a part for calculating the electronic signature is calculated. A modular multiplication section to be performed;
A random number generator for generating random numbers;
A distributed electronic signature key update unit that calculates a distributed electronic signature key using the random number, and updates the calculated distributed electronic signature key;
A transmission unit for transmitting the distributed electronic signature and / or the random number,
The representative distributed electronic signature calculation device includes a distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
First distributed electrons used in whole or in part to calculate the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A receiving unit for receiving one or more of the distributed electronic signature calculation devices and a second distributed electronic signature calculated by the distributed electronic signature calculation device and / or a random number generated by the distributed electronic signature calculation device;
A multiplying unit that calculates an electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature obtained from the receiving unit;
A distributed electronic signature system, comprising: a distributed electronic signature key update section that calculates a distributed electronic signature key using a random number obtained from the receiving section and updates the calculated distributed electronic signature key. A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
First distributed electrons used as a whole or a part for calculating the electronic signature based on the message to be subjected to the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A random number generator for generating a first random number;
A distributed electronic signature key update unit that calculates a distributed electronic signature key using the first random number, and updates the calculated distributed electronic signature key;
A receiving unit for receiving a second distributed electronic signature calculated by one or more external devices and / or a second random number generated by the external devices;
A multiplication unit that calculates a third distributed electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature obtained from the receiving unit; ;
An adding unit that generates a third random number by adding the first random number and the second random number obtained from the receiving unit;
A transmission unit for transmitting the third distributed electronic signature and / or the third random number;
A distributed electronic signature calculation apparatus comprising: In a distributed electronic signature system comprising one or more distributed electronic signature calculation devices and a representative distributed electronic signature calculation device that calculates an electronic signature based on the result of distributed processing in each of the distributed electronic signature calculation devices:
A distributed electronic signature key holding unit for holding a distributed electronic signature key in which a plurality of electronic signature keys for calculating an electronic signature are secretly distributed;
First distributed electrons used in whole or in part to calculate the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A random number generator for generating a first random number;
A distributed electronic signature key update unit that calculates a distributed electronic signature key using the first random number and updates the distributed electronic signature key to the calculated distributed electronic signature key;
A receiving unit for receiving a second distributed electronic signature calculated by one or more external devices and / or a second random number generated by the external devices;
A multiplier that calculates a third distributed electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature obtained from the receiving unit; ;
An adding unit that generates a third random number by adding the first random number and the second random number obtained from the receiving unit;
A transmission unit for transmitting the third distributed electronic signature and / or the third random number,
The representative distributed electronic signature calculation apparatus includes a distributed electronic signature key holding unit that holds a distributed electronic signature key in which a plurality of electronic signature keys for calculating the electronic signature are secretly distributed;
First distributed electrons used in whole or in part to calculate the electronic signature based on the message to be the target of the electronic signature and the distributed electronic signature key stored in the distributed electronic signature key holding unit A modular exponentiation unit for calculating a signature;
A receiving unit for receiving a second distributed electronic signature calculated by one or more external devices and / or a random number generated by one or more external devices;
A multiplying unit that calculates an electronic signature by multiplying the first distributed electronic signature calculated by the power-residue calculating unit and the second distributed electronic signature obtained from the receiving unit;
A distributed electronic signature key update unit that calculates a distributed electronic signature key using a random number obtained from the receiving unit and updates the calculated distributed electronic signature key;
The distributed electronic signature calculation system is configured by a tree-type multi-hop network.

Images