JP2009267470A - Disclosure restriction processing apparatus, data processing system, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To achieve a system which dispenses with data retransmission, and can restrict disclosure of an optional part when the restriction part is disclosed after a part of data is once restricted for disclosure. <P>SOLUTION: A masking device 102 inputs original data 105, a signature 106, and an initial value 107 from a signature device 101, divides the original data 105 into n blocks, generates n keys from the initial value 107 by a unidirectional operation, enciphers optional blocks using the n keys, and makes masked data 109, and outputs the masked data 109, the signature 106, and intermediate values 110 for enciphering of unencrypted blocks to a verification device 103. The verification device 103 generates keys from the intermediate values 110 by the unidirectional operation, makes all n blocks in an enciphered state using the generated keys, and compares them with data obtained from the signature 106. When disclosing the enciphered blocks, the masking device 102 outputs the intermediate values which can generates decoding keys of the enciphered blocks to the verification device 103. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for guaranteeing the authenticity of data while restricting the disclosure of at least a part of digital data.

As a technique for guaranteeing the authenticity of digital data, an electronic signature technique is conventionally known (for example, Non-Patent Document 1).
In the case of a general electronic signature technique, if even one bit of original digital data is altered, it is regarded as tampering.

However, some data may require appropriate changes.
For example, when an administrative organization such as the national government publishes a document based on a request for information disclosure from the public, it is necessary to conceal the contents related to national secrets, defense secrets, or privacy, but this is appropriate. Change and should not be considered tampering.
Therefore, as an electronic signature technique that allows such an appropriate change, a technique that enables partial concealment of digital data, that is, a sanitization technique has been developed (for example, Patent Document 1 and Patent Document 2).

In Patent Document 1, digital data can be sanitized by the method described below.
The signer divides the digital data into several blocks in advance (each divided block is called a data block), assigns a random number to each block, and then the hash value of the combined data of the random number and the data block Is calculated for each block, and an electronic signature is issued for the combined data of all hash values.
When the sanitizer receives the digital data, the random number, and the electronic signature from the signer, the sanitizer replaces the data and random number of the block to be sanitized with a hash value to create sanitized data, and passes it along with the electronic signature to the verifier.
The verifier calculates a hash value of a block that is not painted, obtains combined data of all hash values, and verifies the electronic signature using the calculated combined data.
If tampering other than sanitization has not been performed, the combined data calculated by the verifier matches the combined data in the electronic signature, and therefore, it is verified that there has been no tampering.
As described above, in Patent Document 1, sanitization is realized by replacing data with a hash value.

In Patent Document 2, it is possible to sanitize digital data by the method described below.
The signer first prepares one-way functions arranged in series in the same number as the bit length of the digital data.
Then, the seed is input thereto, and the digital data is encrypted by calculating the exclusive OR of the obtained hard core bits of the respective stages and the digital data.
Then, an electronic signature is issued for data obtained by combining the encrypted digital data and the final output of the one-way function.
When the sanitizer receives the digital data, seed, and electronic signature from the signer, it creates partially encrypted digital data by encrypting the first halfway through the digital data using a one-way function, just like the signer. To do.
Then, an intermediate value of the one-way function necessary for encrypting the remaining part is obtained and passed to the verifier together with the partially encrypted digital data and the electronic signature. The verifier encrypts the remaining portion using the received intermediate value to create encrypted digital data, and verifies the electronic signature using the encrypted digital data.
If no tampering other than sanitization has been performed, the encrypted digital data calculated by the verifier matches the encrypted digital data in the electronic signature, and therefore, it is verified that there has been no tampering.
As described above, in Patent Document 2, sanitization is realized by encrypting data.
JP 2005-51734 A JP 2007-158984 A A. Menezes, P.M. van Oorschot, S.V. Vanstone, "Handbook of applied cryptography", CRC Press, pp. 425-488, 1996.

In the sanitization signature method of Patent Document 1, sanitization is realized by replacing data with a hash value as described above.
For this reason, once sanitized, that portion cannot be restored to the original data. When the sanitizer sends the sanitized data to the verifier and discloses the sanitized portion, the data of the corresponding portion must be re-sent again.
Therefore, there is a problem that the communication band is occupied by re-sending data, particularly when using narrow-band communication such as a mobile phone or satellite communication.

Further, in Patent Document 2, partial encrypted data encrypted from the beginning to the middle is generated, and there is a problem that only a continuous area from the beginning can be painted.
That is, there is a problem that an arbitrary area of digital data cannot be painted.

One of the main objects of the present invention is to solve the above-mentioned problems, and provides a method that does not require re-sending of data when disclosing a sanitized portion and that can sanitize an arbitrary region. One of the purposes is to do.
Furthermore, it is an object of the present invention to provide a method capable of controlling the possibility of subsequent disclosure of a sanitized portion.

The disclosure restriction processing apparatus according to the present invention is:
Disclosure restriction processing for restricting disclosure in digital data between a signature device that generates an electronic signature for the digital data and a verification device that verifies the digital signature for the digital data and displays the digital data that has been successfully verified. A device,
Digital data that can be divided into n (n ≧ 2) parts managed by the signature device, an initial value generated by the signature device, and a one-way calculation performed by the signature device according to a predetermined calculation procedure. The digital signature generated for the n parts of the digital data encrypted using the n keys generated from the initial value and the terminal value obtained after performing the unidirectional calculation a prescribed number of times are input. A data input section;
A key generation unit that generates n keys in order by performing a one-way operation on the input initial value in the same operation procedure as the signature device;
The digital data is ordered and divided into n parts, one or more parts of the n parts are designated as target parts, and the corresponding order of the n keys generated by the key generation unit A disclosure restriction digital data generation unit that performs encryption processing or decryption processing on each target part using a key and generates disclosure restriction digital data in which one or more parts are encrypted;
The verification device encrypts unencrypted parts that are not encrypted among the parts of the disclosure-restricted digital data from among a plurality of intermediate values derived in the process of generating n keys by the key generation unit. An intermediate value extraction unit that extracts an intermediate value used as a cryptographic intermediate value based on a calculation procedure in the signature device;
A data output unit that outputs the disclosure-restricted digital data, the electronic signature, and the encryption intermediate value.

  According to the present invention, n keys obtained by performing a one-way operation in the same calculation procedure as the signature device from the initial value generated by the signature device are used, and therefore any part of the n parts of the digital data is used. It is sufficient to send an intermediate value necessary for decryption when the restriction on the encrypted parts is released, and it is not necessary to send the digital data itself.

Embodiment 1 FIG.
FIG. 1 is a diagram illustrating an outline of a system configuration example of a data processing system according to the present embodiment and an example of handled data.

In FIG. 1, a signature device 101 is a device that issues an electronic signature (hereinafter also simply referred to as a signature) and an initial value for digital data.
The sanitizing apparatus 102 performs sanitization (processing for restricting disclosure in digital data) on the digital data received from the signature apparatus 101, creates sanitized data, and updates the received initial value to an intermediate value. A device that generates values. The sanitizing apparatus 102 is an example of a disclosure restriction processing apparatus.
The verification device 103 is a device that verifies the signature for the sanitizing data using the sanitizing data, the signature, and the intermediate value received from the sanitizing device 102 and displays the digital data that has been successfully verified.
The network 104 is a communication network for transmitting and receiving data between the signature device 101, the sanitizing device 102, and the verification device 103.

The original data 105 is digital data to be signed. The original data 105 can be divided into n (n ≧ 2) parts. In this embodiment, an example in which digital data that can be divided into n blocks each having at least 1 bit is used as a part will be described.
The signature 106 is an electronic signature for the original data 105.
The initial value 107 is a value for generating a key group used for sanitization, and is preferably a random value.
The signature key 108 is a key used for issuing an electronic signature, and is a secret key in a public key cryptosystem.
The sanitizing data 109 is data obtained by performing a concealing process on a part or all of the area by the sanitizing apparatus 102 based on the original data 105. The sanitizing data 109 is an example of disclosure limited digital data.
The intermediate value 110 is a value created by updating the initial value 107 in the sanitizing apparatus 102. The intermediate value 110 includes an encryption intermediate value used for encryption, a decryption intermediate value used for decryption, an end value intermediate value for deriving an end value, and the like.
The verification key 111 is a key used for verifying an electronic signature, and is a public key in a public key cryptosystem. The signature key 108 and the verification key 111 are paired.

Although FIG. 1 shows a case where there is one sanitizing device 102, there may be a plurality of devices, or a signature device may also serve as the sanitizing device.
FIG. 1 shows an example in which the signature device 101, the sanitizing device 102, and the verification device 103 are all connected via the network 104, but only a part of them may be connected. It may not be connected at all.
For the unconnected portion, necessary data may be stored in a storage medium such as a memory card and carried.

  In the above description, the case where the signature key 108 and the verification key 111 are the secret key and the public key in the public key cryptosystem, respectively, has been described, but these may be a common key in the secret key cryptosystem. The electronic signature in this case is a so-called MAC (Message Authentication Code).

When the signature key 108 is a secret key in the public key cryptosystem, it is also desirable to store the signature key 108 in a tamper-resistant device in the signature apparatus 101, for example, to prevent leakage or tampering.
When the signature key 108 and the verification key 111 are common keys, it is also desirable to store both in the tamper-resistant device in the signature device 101 and the verification device 103, respectively.

FIG. 2 is a diagram illustrating an internal configuration example of the signature device 101.
In FIG. 2, the data input / output unit 201 inputs data to the signature device 101 and outputs data from the signature device 101.
The user input unit 202 receives an operation from a user (not shown).
The display unit 203 displays various information such as operation results to the user.
The initial value generation unit 204 generates a random value used to generate a key group used for sanitization. The signature generation unit 205 generates a signature for the digital data using the initial value generated by the initial value generation unit 204.
Although details will be described later, the signature generation unit 205 performs unidirectional calculation according to a predetermined calculation procedure and unidirectionality with n parts of the original data encrypted using n keys generated from initial values. An electronic signature is generated for the terminal value obtained after the calculation is performed a prescribed number of times.

FIG. 3 is a diagram illustrating an internal configuration example of the sanitizing apparatus 102.
The data input / output unit 211 inputs data to the sanitizing apparatus 102 and outputs data from the sanitizing apparatus 102.
More specifically, the data input / output unit 211 inputs the original data 105 managed by the signature device 101, the initial value 107 generated by the signature device 101, and the electronic signature 106 generated by the signature device 101.
Further, the data input / output unit 211 outputs the sanitizing data 109, the electronic signature 106, and the intermediate value 110.
The data input / output unit 211 is an example of a data input unit and a data output unit.

The user input unit 212 receives an operation from a user (not shown).
The display unit 213 displays various information such as operation results to the user.

The sanitizing unit 214 sanitizes the digital data received from the signature device 101 to create sanitized data, and updates the received initial value to generate an intermediate value.
More specifically, the sanitizing unit 214 performs one-way operation on the input initial value 107 by the same operation procedure as that of the signature device 101 to generate n keys in order.
In addition, the sanitizing unit 214 orders the input original data 105 into n blocks, designates one or more blocks among the n blocks as target blocks (target parts), and generates the generated n pieces The encryption process or the decryption process is performed on each target block using the keys in the corresponding order among the keys, and sanitization data 109 in which one or more blocks are encrypted is generated.
Further, the verification device 103 encrypts an unencrypted block (unencrypted part) that is not encrypted among the blocks of the sanitized data 109 from among a plurality of intermediate values derived in the generation process of n keys. An intermediate value used for conversion is extracted as an intermediate value for encryption based on a calculation procedure in the signature device 101. The sanitizing unit 214 extracts an intermediate value that can generate an encryption key for encrypting an unencrypted block by performing a one-way operation by the verification device 103 in the same operation procedure as the signature device 101 as an intermediate value for encryption. To do.
In addition, the sanitizing unit 214, after the data input / output unit 211 outputs the sanitized data 109, the encrypted block whose disclosure restriction is removed from among the encrypted blocks included in the sanitized data 109 Is specified as a restriction release block (restriction release part).
In addition, the sanitizing unit 214 uses the intermediate value used when the verification device 103 decrypts the restriction release block from among a plurality of intermediate values derived in the process of generating n keys as the calculation procedure in the signature device 101. Based on this, an intermediate value for decoding is extracted. The sanitizing unit 214 extracts an intermediate value that can generate a decryption key for decrypting the restriction release block by the verification apparatus 103 performing a one-way operation in the same calculation procedure as the signature apparatus 101 as the intermediate value for decryption.
The sanitizing unit 214 is an example of a key generation unit, a disclosure restriction digital data generation unit, an intermediate value extraction unit, and a restriction release part designation unit.

  The intermediate value storage unit 215 stores the intermediate value group calculated by the sanitizing unit 214.

FIG. 4 is a diagram illustrating an internal configuration example of the verification apparatus 103.
The data input / output unit 221 inputs data to the verification device 103 and outputs data from the verification device 103.
The user input unit 222 receives an operation from a user (not shown).
The display unit 223 displays various information such as operation results to the user.
The signature verification unit 224 verifies the signature for the sanitizing data using the sanitizing data, the signature, and the intermediate value received from the sanitizing apparatus 102.

2 to 4, each of the signature device 101, the sanitizing device 102, and the verification device 103 includes a user input unit and a display unit. However, these components may be omitted.
For example, when an operation such as a signature or sanitization is performed automatically, no user operation is required, and these components may be omitted.
The initial value 107 is preferably a random value, and therefore the initial value generator 204 is preferably a pseudo-random number generator.

  FIG. 5 is a diagram showing a method for generating a key group used for sanitization and a terminal value used for signature generation based on the initial value 107 in the signature device 101 and the sanitizing device 102.

In FIG. 5, a unidirectional function f301 and a unidirectional function g302 are functions that make it easy to obtain an output from an input but extremely difficult to obtain an input from the output.
The key K ₀ 303 is a key used for verification when the data of all the blocks is painted.
Key K ₁ 304... Key K _n 305 is a key used for sanitizing blocks.
The end value G306 is a value enclosed in the electronic signature in order to prevent replacement of the original data by the sanitizer.
The key group 307 is a general term for a key K ₀ 303, a key K ₁ 304, and a key K _n 305.
The intermediate value group 308 is a generic term for intermediate values between the initial value S107 and the key group, and includes the key group itself.

Note that the one-way function f301 and the one-way function g302 in FIG. 5 are interchangeable.
That is, when f is applied a times and g is applied b times to a certain input x, the same output is obtained regardless of the application order.
The output at this time is expressed as f ^(a) g ^(b) (x).
Specific examples of functions of f and g include two encryption functions f (x) = x ^e1 mod N and g (x) = x ^e2 mod N in RSA (registered trademark) public key cryptography.
Here, e ₁ and e ₂ are different public keys, preferably public keys that are not disjoint.
However, the function is not limited to this, and may be any one-way function having commutability as described above.

FIG. 6 is a diagram showing a method for issuing an electronic signature to the original data 105 in the signature apparatus 101.
As shown in FIG. 6, in the signature device 101, the original data 105 is divided into several blocks (here, n pieces from M ₁ to M _n ), and the keys in the order corresponding to the order of the blocks. Is applied to encrypt all the blocks into C ₁ to C _n encrypted blocks, add the termination value G to the n encrypted blocks to form the signature target data 401, and add the signature key to the signature target data 401. 108 is applied to obtain a signature 106.

  FIG. 7 is a flowchart showing an example of a procedure for generating an electronic signature for original data.

  Next, a procedure for generating a digital signature that can be painted in block units in the signature apparatus 101 will be described with reference to FIGS. 1 to 7.

When generating an electronic signature for the original data 105, the signature generation unit 205, the original data several blocks (here, the n-number of from M ₁ to M _n) is first divided (step 501).
The block may be of any size and may be different for each block.
Next, the initial value generation unit 204 generates an initial value S107 (step 502).
Next, the signature generation unit 205, starting from the initial value S107, a one-way function as shown in FIG. 5 f301 and a one-way function g302 the applied key group _{K 0, K} 1 ... _{K n} and termination value G306 is calculated (step 503).
Here, the key K ₀ is f ⁽ⁿ⁾ (S), the key K ₁ is f ⁽ⁿ⁻¹⁾ g ⁽¹⁾ (S)..., And the key K _n is g ⁽ⁿ⁾ (S). f ⁽ⁿ⁾ g ⁽ⁿ⁾ (S).
Next, the signature generation unit 205 uses the key group K ₁ ... K _n excluding K ₀ to sanitize all the blocks M ₁ ... M _n of the original data, and combines the terminal value G 306 to obtain the signature target data 401. Generate (step 504).
A specific method of the sanitization is encryption by common key encryption such as block encryption or stream encryption.
That is, M _i is encrypted into C _i by C _i = E _Ki (M _i ) using E as an encryption function and K _i as its key. Finally, the signature 106 is issued to the signature target data 401 using the signature key 108 (step 505).

  Here, the termination value G306 is included as signature target data in order to prevent replacement of the original data by the sanitizing apparatus 102, but details will be described later.

Next, a procedure for sanitizing digital data in units of blocks in the sanitizing apparatus 102 will be described with reference to FIGS. 1 to 6 and FIG. 8.
FIG. 8 is a flowchart showing an example of a procedure for sanitizing digital data.

When sanitizing digital data, the data input / output unit 211 first receives original data, a signature, and an initial value from the signature device 101 (step 601).
Next, sanitizing unit 214, starting from the initial value S, in the same manner as the signature device 101 calculates a key group _{K 0, K 1 ... K n} ( step 602).
Next, the sanitizing unit 214 sanitizes the original data using the key group K ₁ ... K _n excluding K ₀ (step 603).
Here, all the blocks of the original data were sanitized at the time of signature generation, but here, only the data block to be sanitized is sanitized, and other blocks are left unsanitized. deep.
Finally, the sanitizing unit 214 obtains an intermediate value for encryption necessary for sanitizing the disclosed block (non-encrypted block not sanitized) in the verification apparatus 103 (step 604).
For example, if only the first M ₁ of the n blocks is sanitized, the keys K ₂ to K _n are required to sanitize the remaining M ₂ to M _n , but g ⁽²⁾ ( since the key _{K 2} to key _{K n} if S) is known can be derived, the intermediate value for the required encryption is ^{g (2) (S).}
Further, from _{M 2} to _{M n-1} and sanitizing, the case of the disclosed block _{M 1} and _{M n,} the intermediate value for the required encryption is _{K 1} and _{K n.} In the case where all blocks were sanitizing shall choose K ₀ as an encryption for the intermediate values.

Incidentally, sanitizing unit 214 may store the intermediate value group obtained in the calculation of the key group K _0, K 1 _... K _n to the intermediate value storage unit 215, an intermediate corresponding from the intermediate value storage unit 215 The value may be extracted as the encryption intermediate value, or the encryption intermediate value may be newly calculated from the initial value.

Here, even if the disclosed area extends over a plurality of blocks, if it is a continuous area, the encryption intermediate value required for sanitizing the disclosed area is one as described above.
Therefore, when the area disclosed in the original data is divided into L as a whole, the number of encryption intermediate values required for sanitization is L regardless of which block the area covers. .

In FIG. 8, the initial value is received from the signature device 101 and derived on the sanitizing device 102 in order to obtain the key group and the intermediate value group. Instead, the initial value, intermediate value group, key A group may be received from the signature device 101.
In this case, only necessary ones are extracted from the received intermediate value group and key group and used. The initial value may not be received.
When the initial value, the intermediate value group, and the key group are received from the signature device 101 in this way, the communication amount between the signature device 101 and the sanitizing device 102 increases. Since there is no need to perform computation, there is an advantage that even a device with low computing ability can be painted.

In FIG. 8, the original data is received from the signature device 101 and the portion to be sanitized is encrypted. Instead, the sanitized data in which all blocks are sanitized is received and the portion to be disclosed is decrypted. It is good also as composition to do.
When a large amount of data is expected to be inked at the stage of signature generation in the inking apparatus 102, the amount of calculation in the inking apparatus 102 can be reduced by such a configuration.

  Next, a procedure for verifying sanitized data in the verification apparatus 103 will be described with reference to FIGS. 1 to 6 and FIGS. 9 to 10.

  FIG. 9 is a flowchart showing an example of a procedure for verifying sanitizing data.

FIG. 10 is a diagram showing how the verification target data is derived from the sanitizing data.
As shown in FIG. 10, in the verification apparatus 103, unencrypted blocks in the sanitized data 109 in which some blocks are encrypted are arranged in the order of the unencrypted blocks. By applying the corresponding sequence of keys, all the blocks are encrypted, and the terminal block G is added to the encrypted blocks C ₁ to C _n to obtain the verification target data 801. The verification target data 801 and the signature Verification is performed according to 106.

When the sanitizing data is verified, the data input / output unit 221 first receives sanitizing data, a signature, and an intermediate value from the sanitizing device 102 (step 701).
Next, the signature verification unit 224 calculates a key group and a termination value G necessary for sanitizing the disclosed block in the sanitized data from the received intermediate value (step 702).
Next, the signature verification unit 224 creates the verification target data 801 by sanitizing the disclosed block and combining it with the terminal value G (step 703).
Finally, the signature verification unit 224 extracts signature target data from the signature using the verification key and compares it with the verification target data.
If they match, it can be verified that no tampering other than sanitization has occurred.

  In addition, it is good also as a structure which does not compare signature object data and verification object data, but compares each hash value.

Here, the reason why the termination value G is included as signature target data and verification target data will be described.
If the terminal value G is not included, the sanitizing apparatus 102 can replace the original data created by the signature apparatus 101 with other data so that it is not detected by the verification apparatus 103 as follows.
First, the sanitizing apparatus 102 sanitizes the original data based on the initial value S given from the signature apparatus 101 in the same manner as the signature apparatus 101 to obtain sanitized data C ₁ , C ₂ ... C _n .
Next, 'independently generates, key group K _1' different initial value S as an initial value S, to derive the K _{2 '...} K _n'. Then, using these key groups, the sanitized data C ₁ , C ₂ ... C _n is decrypted to obtain data M ₁ ′, M ₂ ′... M _n ′ different from the original original data.
The sanitizing apparatus 102 performs the sanitization using the key groups K ₁ ′, K ₂ ′,... K _n ′, and sends it to the verification apparatus 103 together with the signature, _assuming that this is the original original data.
In the verification device 103, correct sanitization data C ₁ , C ₂ ... C _n is obtained by the verification procedure, and therefore it is determined that there is no tampering other than sanitization.
In this way, the original data can be replaced.
In order to prevent this, the termination value G is included as signature target data and verification target data.
Since the end value G can be uniquely derived from any intermediate value, it can be derived by the verification device 103 regardless of the way of sanitizing by the sanitizing device 102, and the replacement can be detected using this.

  Next, a method for disclosing a part or all of the sanitized portion after the sanitizing device 102 transmits the sanitizing data to the verification device 103 will be described with reference to FIGS. 5 and 11.

  FIG. 11 is a flowchart showing an example of a procedure for disclosing a part or all of the sanitized portion after the sanitizing device 102 transmits the sanitized data to the verification device 103.

In order to disclose a part or all of the sanitizing part, first, the sanitizing unit 214 specifies the restriction releasing block to be disclosed in the sanitizing data and decodes the restriction releasing block. The intermediate value for decoding necessary for the calculation is calculated (step 901).
The restriction release block may be specified, for example, by the sanitizing unit 214 based on the block specification from the user input by the user input unit 212, or data specifying a block from a recording device (not shown). A block specified in the read data may be specified.
For example, all blocks from M ₁ to M _n have been sanitized, to disclose these from M _1, except for M _n up to M _n-1, the sanitizing unit 214, as the decoding intermediate value from 5 f ⁽¹⁾ g ⁽¹⁾ (S) is calculated.
Next, the data input / output unit 211 sends this decryption intermediate value to the verification device 103 (step 902).
In the verification device 103, the data input / output unit 221 first receives the decoding intermediate value from the sanitizing device 102 (step 903).
Next, the signature verification unit 224 derives the key group and the termination value G from the decryption intermediate value (step 904).
Next, the signature verification unit 224 verifies the termination value G (step 905).
This is done by examining whether the end value G obtained in step 904 matches the end value G calculated when the initial sanitization data is verified.
If they do not match, it is understood that a key group different from that used at the time of signing is used, and the processing is stopped. Finally, the sanitized block is decrypted using the obtained key group (step 906).

In the above description, the sanitizing device 102 is configured to disclose the sanitized portion, but may be configured to be performed by the signature device 101.
In the above description, in the sanitizing apparatus 102, the sanitizing unit 214 calculates the intermediate value for decoding. However, the intermediate value group generated in the sanitizing data generation stage is stored in the intermediate value storage unit 215. Alternatively, the corresponding intermediate value may be extracted from the intermediate value storage unit 215 as the decoding intermediate value.

Finally, a method for controlling the possibility of subsequent disclosure of the sanitized portion will be described.
Here, a case where there are a plurality of sanitizing apparatuses will be described, and a method of controlling whether or not subsequent disclosure is possible when the sanitizing apparatus A sends sanitizing data to the sanitizing apparatus B will be described.

The sanitizing apparatus A receives the original data, the initial value, and the signature from the signature apparatus 101, sanitizes the data block M ₁ ... M _n−1 to C ₁ ... C _n−1 , and discloses M _n. And
The sanitizing data, intermediate value on that disables the disclosure of post C _1, signatures shall be passed to the sanitizing device B.
In this case, as an intermediate value, K _n must be derived for sanitization at the time of verification, and K ₂ ... K _n−1 must be derived for subsequent disclosure.
It must be such that K ₁ cannot be derived to prevent subsequent disclosure of C ₁ .
From the above, the sanitizing apparatus A selects g ⁽²⁾ (S) as the intermediate value. Then, it is sent to the sanitizing device B together with the original data and the signature.

As described above, according to the present embodiment, it is possible to realize an electronic signature scheme that divides digital data into blocks of an arbitrary size and enables sanitization for each block and subsequent disclosure. .
In particular, in the case of subsequent disclosure, since it can be realized only by sending an intermediate value without sending the data itself, the amount of communication between the sanitizing device and the verification device can be reduced compared to the conventional technology, Further, the memory usage can be suppressed.

  In addition, according to the present embodiment, it is possible to realize an electronic signature method that can control whether or not subsequent disclosure of the sanitized portion is possible.

  In addition, according to the present embodiment, when the area to be disclosed in the original data is divided into L as a whole, it is sent from the sanitizer to the verification apparatus regardless of which block the area covers. The number of intermediate values to be performed can be L, the amount of communication between the sanitizing device and the verification device can be reduced, and the amount of memory used can be suppressed.

Although not explicitly shown in the above-described method of Patent Document 2, when the verifier requests disclosure of the sanitized portion, the sanitizer decodes the corresponding portion instead of the data itself. It is also possible to pass an intermediate value of the one-way function necessary for the above. In this case, the verifier can restore the original data by decrypting the partially encrypted digital data using the received intermediate value.
The reason why ink can be removed in this way is that data is encrypted instead of being replaced with a hash value at the time of ink.
However, as described above, Patent Document 2 generates partially encrypted data that is encrypted from the beginning to the middle, and there is a problem that only a continuous area from the beginning can be painted.
That is, there is a problem that an arbitrary area of digital data cannot be painted.
In this regard, according to the present embodiment, as described above, an arbitrary block among n blocks of digital data can be painted.

  As described above, in the present embodiment, it has been described that two commutative one-way functions are combined and data is encrypted using the output as a key in order to enable the sanitization / removal of black of an arbitrary block. did.

Embodiment 2. FIG.
In the first embodiment described above, digital data is divided into blocks and can be sanitized in units of blocks. Next, an embodiment in which sanitization can be performed for each bit without the need to divide the data into blocks. Show.
That is, in the first embodiment, the case where the digital data is divided into arbitrary blocks as an example of the parts has been described, but in this embodiment, the case where the digital data is divided for each bit is described as an example of the parts.

  In the present embodiment, the internal configuration of the signature device, the sanitizing device, and the verification device, and the method for deriving the key group and the termination value from the initial values are the same as in the first embodiment.

  FIG. 12 is a diagram showing a method for issuing a signature to the original data 1001 in the signature apparatus 101 according to the present embodiment.

In FIG. 12, original data 1001 is digital data composed of n bits from m ₁ to _mn .
k ₁ 1002 is a hard core bit of the key K ₁ 304. Here, when it is difficult to estimate the output of the 1-bit output function B (x) from the one-way function F (x), B (x) is referred to as the F (x) hard core bit.
For example, the least significant bit of x in the RSA (registered trademark) function F (x) = x ^e mod N is a hard core bit.
k ₂ 1003 is a hard core bit of the key K ₂ .
k _n 1004 is a hard core bit of the key K _n 305.

As shown in FIG. 12, in the signature device 101, for each bit of the original data 105, the hard core bits of the key in the order corresponding to the order of each bit are applied, and all the bits are encrypted from c ₁ and encryption bit c _n, adds the termination value G306 to n pieces of encrypted bits and the signature object data 1005, by applying a signature key 108 on the signature target data 1005 and signature 1006.

FIG. 13 is a flowchart showing an example of a procedure for generating an electronic signature for digital data in the present embodiment.
FIG. 14 is a flowchart showing an example of a procedure for sanitizing digital data with respect to the present embodiment.
FIG. 15 is a flowchart showing an example of a procedure for verifying the signature of sanitized data regarding the present embodiment.

  Next, a signature generation method, sanitization method, and verification method according to the present embodiment will be described with reference to FIGS. 5 and 12 to 15.

When the signature apparatus 101 generates an electronic signature for n-bit original data 1001, first, the initial value generation unit 204 generates an initial value S107 (step 1101).
Next, the signature generation unit 205, starting from the initial value S107, a one-way function as shown in FIG. 5 f301 and a one-way function g302 the applied key group _{K 0, K} 1 ... _{K n} and termination value G306 is calculated (step 1102).
Next, exclusive of signature generation unit 205, a bit sequence _{m 1, m} 2 ... _{m n} of the original data, a sequence _{k 1, k} 2 ... _{k n} hardcore bit key group _{K 1, K} 2 ... _{K n} sanitizing the original data by ORing _{c 1, c 2 ... c n} ( step 1103).
Then, the signature generation unit 205, and the signature object data 1005 by combining the termination value G from _{c 1} to _{c n.}
Finally, the signature generation unit 205 issues a signature 1006 to the signature target data 1005 using the signature key 108 (step 1104).

When the sanitizing device 102 sanitizes the digital data, the data input / output unit 211 first receives the original data, the signature, and the initial value from the signature device 101 (step 1201).
Next, sanitizing unit 214, starting from the initial value S, in the same manner as the signature device 101 calculates a key group _{K 0, K 1 ... K n} ( step 1202).
Next, sanitizing unit 214, the original data sanitizing using the hard core bit _{k 1, k} 2 ... _{k n} of the key group _{K 1, K 2 ... K n} ( step 1203).
Here, in the case of signature generation, all the bits of the original data are sanitized, but here, only the bits to be sanitized are sanitized, and the other bits are left unsanitized. Finally, the sanitizing unit 214 obtains an intermediate value necessary for sanitizing the disclosed bits (unencrypted bits that are not sanitized) (step 1204).

When the verification device 103 verifies the sanitization data, the data input / output unit 221 first receives sanitization data, a signature, and an intermediate value from the sanitization device 102 (step 1301).
Next, the signature verification unit 224 calculates a key group and a termination value G necessary for sanitizing the disclosed bits in the sanitized data from the received intermediate value (step 1302).
Next, the signature verification unit 224 generates the verification target data by sanitizing the disclosed bit and combining it with the terminal value G (step 1303).
Finally, the signature verification unit 224 extracts signature target data from the signature using the verification key and compares it with the verification target data. If they match, it can be verified that no tampering other than sanitization has occurred.

  As described above, according to the present embodiment, digital data can be sanitized bit by bit without being divided into blocks.

  Similarly to the first embodiment, after the sanitizing apparatus transmits the sanitizing data to the verification apparatus, it is possible to disclose a part or all of the sanitizing part only by sending the intermediate value.

  Further, in the same manner as in the first embodiment, an electronic signature scheme that can control whether or not to disclose information about the sanitized portion can be realized in the present embodiment.

  As described above, in the present embodiment, it has been described that not only the ink for each block but also the ink for each bit is possible.

Embodiment 3 FIG.
In the first and second embodiments described above, two commutative one-way functions are used for generating a key group used for sanitization. Next, such commutative one-way functions are used. The embodiment in the case where there is not is shown.

  FIG. 16 is a diagram illustrating an example of a key group and termination value generation process in the present embodiment.

In FIG. 16, initial value S1401, key group 1402, and termination value G1403 correspond to initial value S107, key group 307, and termination value G306 in FIG. 5, respectively.
The intermediate value group 1404 is a generic term for intermediate values from the initial value S1401 to the terminal value G1403, and does not include the initial value but includes the terminal value.

The key group and termination value generation process in this embodiment is as follows.
Two types of one-way functions are applied to the initial value S1401, and the outputs are a ₁ and a ₂ , respectively.
Next, two types of one-way functions are similarly applied to each of a ₁ and a ₂ , and the outputs are set to a ₁₁ , a ₁₂ and a ₂₁ , a ₂₂ , respectively.
Repeating this generates a key group _{K 1, K 2 ... K n} .
Here, n is the number of blocks.
Next, by applying key group _{K 1, K} 2 ... a one-way function with respect to _{K n respectively,} obtaining _{b 1, b 2 ... b n} . Next, data obtained by combining b ₁ and b ₂ is input to a one-way function to obtain b ₁₂ . This is repeated to finally obtain a termination value G1403.

  Examples of the one-way function include a hash function SHA-1, a Rabin function, or a pseudo random number generator.

Here, in the above description, two types of one-way functions are applied for derivation of the key group. However, one type of one-way function may be applied to partially change the input.
For example, when one type of hash function H is used as the one-way function, when a ₁ and a ₂ are derived from the initial values, a ₁ = H (0 || S), a ₂ = H (1 | | S). Here, the symbol || represents a combination of data.

Or it is good also as a structure which applies one type of one-way function and divides | segments an output. For example, a pseudo random number generator may be used as a one-way function to output a length twice as long as the input, and the first half of the output may be a ₁ and the second half may be a ₂ .

Further, as described above, in FIG. 16, a binary tree is formed. However, the number of branches may be any number, and may be different for each branch.
In that case, the maximum number of branches is set to N, N types of unidirectional functions are prepared, the input is changed in a maximum of N ways, or the output is made a maximum N times as long as the input.
If it is known at the time of signing that there is a high possibility that a plurality of blocks will be sanitized or disclosed at a time, the intermediate value to be sent from the sanitizer to the verification device by setting the number of branches as the number of blocks It will be understood from the following description that the number of the above can be reduced.

  The signing method in the present embodiment is almost the same as in the first embodiment, and is performed according to the procedure described below.

When generating an electronic signature for the original data 105, the signature generation unit 205 in the signature device 101, the original data several blocks (here, the n-number of from M ₁ to M _n) is first divided into.
Next, the initial value generation unit 204 generates an initial value S107.
Next, the signature generation unit 205, starting from the initial value S107, and calculates the key group _{K 1, K} 2 ... _{K n} and termination value G306 by applying the one-way function, as shown in FIG. 16.
Next, the signature generation unit 205 uses the key group K ₁ ... K _n to black out all the original data blocks M _{1 to} M _n to generate the signature target data 401.
A specific method of the sanitization is encryption by common key encryption such as block encryption or stream encryption. That is, M _i is encrypted into C _i by C _i = E _Ki (M _i ) using E as an encryption function and K _i as its key.
Then, the signature generation unit 205 combines C ₁ to C _n and the termination value G 306 into the signature target data 401.
Finally, the signature 106 is issued to the signature target data 401 using the signature key 108.

The sanitizing method is as follows.
Here, as an example, a case where the original data is 8 blocks from M ₁ to M ₈ and the _first block M ₁ is painted will be described.
First, in the sanitizing apparatus 102, the data input / output unit 211 receives original data, a signature, and an initial value from the signature apparatus 101.
Next, the sanitizing unit 214 starts from the initial value S and calculates the key groups K ₁ , K ₂ ... K ₈ in the same manner as the signature device 101.
Next, the sanitizing unit 214 sanitizes M ₁ using the key K ₁ .
Finally, the sanitizing unit 214 obtains the encryption intermediate value necessary for sanitizing the disclosed block and the terminal value intermediate value necessary for deriving the terminal value.
K ₂ ... K ₈ is required for sanitizing the disclosed block.
However, K ₃ and K ₄ can be derived from a ₁₂ , and K ₅ to K ₈ can be derived from a ₂ .
Therefore, the encryption intermediate values necessary for sanitizing the disclosed block are K ₂ , a _12, and a ₂ .
On the other hand, b ₁ may be used to derive the terminal value. This is because b ₂ , b ₃₄ , and b ₅₈ can be derived from K ₂ , a ₁₂ , and a ₂ , respectively, and the terminal value G can be derived therefrom.
As described above, the intermediate values necessary for sanitizing the disclosed block and deriving the terminal value are K ₂ , a ₁₂ , a ₂ , and b ₁ .
Note that the intermediate value is the termination value G when all blocks are painted.

Here, in the case of the first embodiment, when the disclosed area is divided into L pieces in the entire original data, the intermediate value necessary for sanitization regardless of which block the area covers. Although the number of L is L, in the present embodiment, it is generally L or more.
Therefore, the number of intermediate values to be sent from the sanitizing device to the verification device is increased as compared with the first embodiment.

The verification method is as follows.
First, in the verification device 103, the data input / output unit 221 receives sanitized data, a signature, and an intermediate value from the sanitizing device 102.
Next, the signature verification unit 224 calculates a key group and a termination value G necessary for sanitizing the disclosed block in the sanitized data from the received intermediate value.
Next, the signature verification unit 224 creates the verification target data by sanitizing the disclosed block and combining it with the terminal value G.
Finally, the signature target data is extracted from the signature using the verification key and compared with the verification target data. If they match, it can be verified that no tampering other than sanitization has occurred.

Next, a method for disclosing a part or all of the sanitized portion after the sanitizing device 102 transmits the sanitized data to the verification device 103 will be described.
Here, an example in which M ₁ ... M ₄ is disclosed from a state in which all the blocks are painted out will be described with reference to FIG.
In this case, a ₁ is required to derive the key group K ₁ ... K ₄ and b ₅₈ is required to derive the terminal value G. ₁ and b ₅₈ may be sent.
Upon receipt of a ₁ and b ₅₈ , the verification device 103 derives a key group K ₁ ,..., K ₄ and a termination value G.
Next, the termination value G is verified.
If the termination value G is different from the termination value G calculated when the initial sanitization data is verified, it is understood that a key group different from that used at the time of signature is used, and the processing is stopped.
If they match, to restore the M ₁ ... M ₄ to remove the ink with the end of the key group K ₁ ... K _4.

Finally, a method for controlling the possibility of subsequent disclosure of the sanitized portion will be described.
Here, a case where there are a plurality of sanitizing apparatuses will be described, and a method of controlling whether or not subsequent disclosure is possible when the sanitizing apparatus A sends sanitizing data to the sanitizing apparatus B will be described.
Further, the original data is assumed to be 8 blocks of M ₁ ... M ₈ and signed with the key group and the termination value in FIG.

The sanitizing apparatus A receives the original data, the initial value, and the signature from the signature apparatus 101, sanitizes the data blocks M ₁ ... M ₇ to C ₁ ... C ₇ , and discloses M ₈ .
The sanitizing data, intermediate value on that disables the disclosure of post C _1, signatures shall be passed to the sanitizing device B.
In this case, as an intermediate value, K ₈ must be derived for sanitization at the time of verification, and K ₂ ... K ₇ must be derived for subsequent disclosure.
It must be such that K ₁ cannot be derived to prevent subsequent disclosure of C ₁ .
From the above, the sanitizing apparatus A selects b ₁ , K ₂ , a ₁₂ , and a ₂ as intermediate values.

As described above, according to the present embodiment, it is possible to realize an electronic signature scheme that divides digital data into blocks of an arbitrary size and enables sanitization for each block and subsequent disclosure. .
In particular, in the case of subsequent disclosure, since it can be realized only by sending an intermediate value without sending the data itself, the amount of communication between the sanitizing device and the verification device can be reduced as compared with the conventional technique.

  In addition, according to the present embodiment, it is possible to realize an electronic signature method that can control whether or not subsequent disclosure of the sanitized portion is possible.

  In addition, according to the present embodiment, it is possible to realize the electronic signature method without using two commutative one-way functions.

  As described above, in the present embodiment, it has been described that the tree structure is formed using the one-way function in order to enable the sanitization / removal of the black of any block.

Although the present invention has been described with reference to various embodiments, those skilled in the art will understand that the spirit and scope of the present invention are not limited to the specific description in the present specification. Needless to say.
Therefore, for example, it is possible to combine black ink for each block and black ink for each bit, divide a certain area of digital data into blocks, and apply black ink for each area. .
Alternatively, in the system of the third embodiment, it is possible to sanitize each bit by taking the hard core bit of the key.

Finally, a hardware configuration example of the signature device 101, the sanitizing device 102, and the verification device 103 described in the first to third embodiments will be described.
FIG. 17 is a diagram illustrating an example of hardware resources of the signature device 101, the sanitizing device 102, and the verification device 103 described in the first to third embodiments.
Note that the configuration in FIG. 17 is merely an example of the hardware configuration of the signature device 101, the sanitizing device 102, and the verification device 103. The hardware configuration of the signature device 101, the sanitizing device 102, and the verification device 103 is as follows. It is not limited to the configuration shown in FIG.

In FIG. 17, the signature device 101, the sanitizing device 102, and the verification device 103 include a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing device, an arithmetic device, a microprocessor, a microcomputer, and a processor) that executes a program. ing.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

  As shown in FIG. 1, the communication board 915 is connected to a network. For example, the communication board 915 may be connected to a LAN (local area network), the Internet, a WAN (wide area network), or the like.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the signature device 101, the sanitizing device 102, and the verification device 103 are activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores a program for executing the function described as “˜unit” in the description of the first to third embodiments. The program is read and executed by the CPU 911.

In the description of the first to third embodiments, the file group 924 includes “determination of”, “calculation of”, “calculation of”, “generation of”, “comparison of”, and “evaluation of”. ”,“ Update of ”,“ setting of ”,“ registration of ”,“ selection of ”, etc. It is stored as each item of "~ file" and "~ database".
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, arrows in the flowcharts described in the first to third embodiments mainly indicate input / output of data and signals, and the data and signal values are the memory of the RAM 914, the flexible disk of the FDD904, the compact disk of the CDD905, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit” in the description of the first to third embodiments may be “˜circuit”, “˜device”, “˜device”, and “˜step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” in the first to third embodiments. Alternatively, the computer executes the procedure and method of “to part” in the first to third embodiments.

  As described above, the signature device 101, the sanitizing device 102, and the verification device 103 described in the first to third embodiments are a CPU as a processing device, a memory as a storage device, a magnetic disk, etc., a keyboard as an input device, a mouse, a communication board, and the like. , A computer including a display device, a communication board, and the like as an output device, and as described above, the functions indicated as "-units" are realized using these processing devices, storage devices, input devices, and output devices. .

FIG. 3 is a diagram illustrating an example of a system configuration according to the first embodiment. FIG. 3 is a diagram illustrating a configuration example of a signature device according to the first embodiment. 1 is a diagram illustrating a configuration example of a sanitizing apparatus according to Embodiment 1. FIG. FIG. 3 shows a configuration example of a verification apparatus according to the first embodiment. FIG. 6 is a diagram showing an example of generating an intermediate value group, a key group, and a termination value from initial values according to the first embodiment. FIG. 3 is a diagram illustrating a procedure for generating an electronic signature according to the first embodiment. FIG. 3 is a flowchart showing a procedure for generating an electronic signature according to the first embodiment. FIG. 3 is a flowchart showing a procedure for generating sanitization data according to the first embodiment. FIG. 3 is a flowchart showing a procedure for performing verification on sanitized data according to the first embodiment. FIG. 4 is a diagram showing a procedure for deriving verification target data from sanitized data according to the first embodiment. FIG. 3 is a flowchart showing a procedure for disclosing a sanitized portion according to the first embodiment. FIG. 9 is a flowchart showing a procedure for generating an electronic signature according to the second embodiment. FIG. 9 is a flowchart showing a procedure for generating an electronic signature according to the second embodiment. FIG. 9 is a flowchart showing a procedure for generating sanitization data according to the second embodiment. FIG. 9 is a flowchart showing a procedure for verifying sanitized data according to the second embodiment. FIG. 10 is a flowchart showing a tree structure of an intermediate value group according to the third embodiment. The figure which shows the hardware structural example of the signature apparatus, sanitizing apparatus, and verification apparatus which concern on Embodiment 1-3.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 101 Signature apparatus, 102 Blacking apparatus, 103 Verification apparatus, 104 Network, 105 Original data, 106 Signature, 107 Initial value, 108 Signature key, 109 Blacking data, 110 Intermediate value, 111 Verification key, 201 Data input / output part 202 User input unit, 203 display unit, 204 initial value generation unit, 205 signature generation unit, 211 data input / output unit, 212 user input unit, 213 display unit, 214 sanitizing unit, 215 intermediate value storage unit, 221 data input / output Part, 222 user input part, 223 display part, 224 signature verification part.

Claims (20)

Disclosure restriction processing for restricting disclosure in digital data between a signature device that generates an electronic signature for the digital data and a verification device that verifies the digital signature for the digital data and displays the digital data that has been successfully verified. A device,
Digital data that can be divided into n (n ≧ 2) parts managed by the signature device, an initial value generated by the signature device, and a one-way calculation performed by the signature device according to a predetermined calculation procedure. The digital signature generated for the n parts of the digital data encrypted using the n keys generated from the initial value and the terminal value obtained after performing the unidirectional calculation a prescribed number of times are input. A data input section;
A key generation unit that generates n keys in order by performing a one-way operation on the input initial value in the same operation procedure as the signature device;
The digital data is ordered and divided into n parts, one or more parts of the n parts are designated as target parts, and the corresponding order of the n keys generated by the key generation unit A disclosure restriction digital data generation unit that performs encryption processing or decryption processing on each target part using a key and generates disclosure restriction digital data in which one or more parts are encrypted;
The verification device encrypts unencrypted parts that are not encrypted among the parts of the disclosure-restricted digital data from among a plurality of intermediate values derived in the process of generating n keys by the key generation unit. An intermediate value extraction unit that extracts an intermediate value used as a cryptographic intermediate value based on a calculation procedure in the signature device;
A disclosure restriction processing apparatus comprising: a data output unit that outputs the disclosure restriction digital data, the electronic signature, and the encryption intermediate value. The intermediate value extraction unit
As the encryption intermediate value, the verification device extracts an intermediate value that can generate an encryption key for encrypting an unencrypted part by performing a one-way operation in the same operation procedure as the signature device. The disclosure restriction processing apparatus according to claim 1. The disclosure restriction processing device further includes:
After the disclosure restriction digital data is output by the data output unit, an encrypted part whose disclosure restriction is released is specified as a restriction release part among encrypted parts included in the disclosure restriction digital data. There is a restriction release part designation part,
The intermediate value extraction unit
Based on an arithmetic procedure in the signature device, an intermediate value used when the verification device decrypts the restriction release part from among a plurality of intermediate values derived in the generation process of n keys by the key generation unit. Extract as an intermediate value for decryption,
The data output unit includes:
The disclosure restriction processing apparatus according to claim 1, wherein the decoding intermediate value extracted by the intermediate value extraction unit is output. The intermediate value extraction unit
The intermediate value for extracting a decryption key for decrypting the restriction release part is extracted as the intermediate value for decryption by performing a one-way operation by the verification device in the same operation procedure as the signature device. Item 4. The disclosure restriction processing device according to Item 3. The data input unit includes:
The signing device combines two commutative one-way functions to perform a one-way operation and uses n keys generated from the initial value to encrypt n parts and two ones. Enter the generated electronic signature for the terminal value obtained after performing the specified number of one-way operations combined with the direction function,
The key generation unit
2. The n keys are generated by performing a one-way operation combining two one-way functions on the input initial value by the same calculation procedure as that of the signature device. The disclosure restriction processing device according to any one of? The key generation unit
6. The disclosure restriction processing apparatus according to claim 5, wherein n combinations of two unidirectional functions are stored, n-directional calculation is performed according to the n combinations, and n keys are generated. . The intermediate value extraction unit
Based on a calculation procedure in the signature device, an intermediate value necessary for the verification device to derive the terminal value out of a plurality of intermediate values derived in the generation process of n keys by the key generation unit. Extract as an intermediate value for the end value,
The data output unit includes:
5. The disclosure restriction processing apparatus according to claim 1, wherein the disclosure restriction digital data, the electronic signature, the encryption intermediate value, and the terminal value intermediate value are output. The disclosure restriction processing device further includes:
After the disclosure restriction digital data is output by the data output unit, an encrypted part whose disclosure restriction is released is specified as a restriction release part among encrypted parts included in the disclosure restriction digital data. There is a restriction release part designation part,
The intermediate value extraction unit
Based on a calculation procedure in the signature device, an intermediate value used when the verification device decrypts the restriction release part from among a plurality of intermediate values derived in the generation process of n keys by the key generation unit. An intermediate value that is extracted as an intermediate value for decryption and that is an intermediate value other than the intermediate value for decryption and that is necessary for the verification device to derive the end value is based on an arithmetic procedure in the signature device. As an intermediate value for
The data output unit includes:
8. The disclosure restriction processing apparatus according to claim 1, wherein the decoding intermediate value and the terminal value intermediate value extracted by the intermediate value extraction unit are output. Disclosure restriction processing for restricting disclosure in digital data between a signature device that generates an electronic signature for the digital data and a verification device that verifies the digital signature for the digital data and displays the digital data that has been successfully verified. A device,
Digital data that can be divided into n (n ≧ 2) parts managed by the signature device, and an ordered n number generated from an initial value by the signature device performing a one-way operation according to a predetermined calculation procedure Key, a plurality of intermediate values derived in the process of generating n keys, and n parts of digital data encrypted with n keys by the signing device and a one-way operation a specified number of times A data input unit for inputting the generated electronic signature with respect to the terminal value obtained after being performed;
The digital data is ordered and divided into n parts, one or more parts of the n parts are designated as target parts, and the corresponding order among the n keys input by the data input unit. A disclosure restriction digital data generation unit that performs encryption processing or decryption processing on each target part using a key and generates disclosure restriction digital data in which one or more parts are encrypted;
Among the plurality of intermediate values input by the data input unit, an intermediate value used when the verification device encrypts an unencrypted unencrypted part of the parts of the disclosure restricted digital data is the signature. An intermediate value extraction unit that extracts an intermediate value for encryption based on a calculation procedure in the apparatus;
A disclosure restriction processing apparatus comprising: a data output unit that outputs the disclosure restriction digital data, the electronic signature, and the encryption intermediate value. The disclosure restriction processing device further includes:
After the disclosure restriction digital data is output by the data output unit, an encrypted part whose disclosure restriction is released is specified as a restriction release part among encrypted parts included in the disclosure restriction digital data. There is a restriction release part designation part,
The intermediate value extraction unit
From among a plurality of intermediate values input by the data input unit, an intermediate value used when the verification device decrypts the restriction release part is extracted as a decoding intermediate value based on a calculation procedure in the signature device,
The data output unit includes:
The disclosure restriction processing apparatus according to claim 9, wherein the decoding intermediate value extracted by the intermediate value extraction unit is output. The data input unit includes:
N keys generated from the initial value by performing a one-way operation by combining two commutative one-way functions of the signing device, and a digital encrypted by the signing device using the n keys 10. A digital signature generated for a terminal value obtained after performing a one-way operation combining n parts of data and two one-way functions a prescribed number of times is input. Or the disclosure restriction processing device according to 10. The intermediate value extraction unit
Among a plurality of intermediate values derived in the process of generating n keys by the key generation unit, it is an intermediate value other than the encryption intermediate value and is necessary for the verification device to derive the terminal value An intermediate value is extracted as an intermediate value for the end value based on the calculation procedure in the signature device,
The data output unit includes:
The disclosure restriction processing apparatus according to claim 9 or 10, wherein the disclosure restriction digital data, the electronic signature, the encryption intermediate value, and the terminal value intermediate value are output. The data input unit includes:
Input digital data of 2n bits or more,
The disclosure restriction digital data generation unit
The disclosed restriction processing apparatus according to claim 1, wherein each of the digital data is divided into at least 1-bit n blocks. The data input unit includes:
Input n-bit digital data,
The disclosure restriction digital data generation unit
The disclosure restriction processing apparatus according to claim 1, wherein the digital data is divided into n pieces for each bit. The disclosure restriction digital data generation unit
One of the bits of the digital data is designated as a target bit and one or more bits are encrypted by performing encryption processing or decryption processing on each target bit using the hard core bits of the key in the corresponding order 15. The disclosure restriction processing apparatus according to claim 14, wherein the disclosure restriction digital data is generated. A signature device that generates a digital signature for digital data using a signature key;
A verification device for verifying an electronic signature for digital data using a verification key and displaying the digital data successfully verified;
A data processing system having a disclosure restriction processing device that performs processing for restricting disclosure in digital data,
The signing device is:
Digital data is ordered and divided into n (n ≧ 2) parts,
An initial value used for key generation is generated, a one-way operation is performed in accordance with a predetermined calculation procedure to generate n keys in order from the initial value, and a one-way operation is performed a specified number of times to obtain a termination value. Generate
Encrypting n parts of the digital data using keys in the order corresponding to each of them, generating an electronic signature using the signature key for the encrypted n parts and the terminal value,
Outputting the digital data, the initial value, and the electronic signature;
The disclosure restriction processing device includes:
Input the digital data output from the signature device, the initial value, and the electronic signature,
The input initial value is generated by ordering n keys by performing a one-way operation in the same operation procedure as the signature device,
The inputted digital data is ordered and divided into n parts, one or more parts of the n parts are designated as target parts, and the keys in the corresponding order among the generated n keys are used. Perform encryption processing or decryption processing on each target part to generate disclosure restricted digital data in which one or more parts are encrypted,
An intermediate value used when the verification device encrypts an unencrypted unencrypted part among the parts of the disclosure restricted digital data among a plurality of intermediate values derived in the generation process of n keys. Is extracted as an intermediate value for encryption based on a calculation procedure in the signature device,
Outputting the disclosure-restricted digital data, the electronic signature, and the encryption intermediate value;
The verification device includes:
Input the disclosure restriction digital data output from the disclosure restriction processing device, the electronic signature, and the encryption intermediate value,
Based on the calculation procedure in the signature device, the intermediate value for encryption is used to derive the terminal value, and the encryption key used for encryption of each non-encrypted part is derived,
Perform encryption processing of each non-encrypted part using the derived encryption key, and make all n parts of the disclosure restricted digital data encrypted,
Extracting n parts and termination values encrypted using the verification key for the electronic signature;
A data processing system that compares n encrypted parts and terminal values extracted from the electronic signature with the encrypted n parts and derived terminal values in the disclosure-restricted digital data. . The disclosure restriction processing device includes:
After outputting the disclosure restriction digital data, an encrypted part whose disclosure restriction is released among encrypted parts included in the disclosure restriction digital data is designated as a restriction release part,
From among a plurality of intermediate values derived in the generation process of n keys, an intermediate value used when the verification device decrypts the restriction release part is used as a decryption intermediate value based on a calculation procedure in the signature device. Extract and
Output the extracted intermediate value for decoding,
The verification device includes:
Input the intermediate value for decryption output from the disclosure restriction processing device,
Based on the calculation procedure in the signature device, the decryption intermediate value is used to derive a decryption key used for decryption of each restriction release part,
The data processing system according to claim 16, wherein each restriction releasing part is decrypted using the derived decryption key. The signing device is:
Combining two commutative one-way functions to perform a one-way operation to generate n keys from the initial value,
The disclosure restriction processing device includes:
The input initial value is subjected to a one-way operation in which two one-way functions are combined in the same calculation procedure as that of the signature device to generate n keys. The data processing system according to 17. The disclosure restriction processing device includes:
Among a plurality of intermediate values derived in the generation process of n keys, an intermediate value other than the encryption intermediate value, which is necessary for the verification device to derive the terminal value, Extracted as an intermediate value for the end value based on the calculation procedure in the signature device,
Outputting the disclosure-restricted digital data, the electronic signature, the encryption intermediate value, and the terminal value intermediate value;
The verification device includes:
Input the disclosure restriction digital data output from the disclosure restriction processing device, the electronic signature, the encryption intermediate value, and the terminal value intermediate value,
The data according to any one of claims 16 to 18, wherein the terminal value is derived using the intermediate value for encryption and the intermediate value for the terminal value based on a calculation procedure in the signature device. Processing system. A computer that performs processing for restricting disclosure in digital data between a signature device that generates an electronic signature for digital data and a verification device that verifies the electronic signature for digital data and displays the digital data that has been successfully verified,
Digital data that can be divided into n (n ≧ 2) parts managed by the signature device, an initial value generated by the signature device, and a one-way calculation performed by the signature device according to a predetermined calculation procedure. The digital signature generated for the n parts of the digital data encrypted using the n keys generated from the initial value and the terminal value obtained after performing the unidirectional calculation a prescribed number of times are input. Data entry processing,
A key generation process for generating n keys in order by performing a one-way operation on the input initial value in the same operation procedure as the signature device;
The digital data is ordered and divided into n parts, one or more parts of the n parts are designated as target parts, and the corresponding order of the n keys generated by the key generation process is A disclosure-restricted digital data generation process that performs an encryption process or a decryption process on each target part using a key to generate disclosure-restricted digital data in which one or more parts are encrypted;
The verification apparatus encrypts unencrypted parts that are not encrypted among the parts of the disclosure-restricted digital data from among a plurality of intermediate values derived in the generation process of n keys by the key generation process. An intermediate value extraction process for extracting an intermediate value to be used as an intermediate value for encryption based on a calculation procedure in the signature device;
A program for executing a data output process for outputting the disclosure-restricted digital data, the electronic signature, and the encryption intermediate value.

Images