JP2010020189A - Batch verification device and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To achieve a batch verification which combines both high security and high efficiency even when there is much number of signatures to be verified. <P>SOLUTION: A plurality of signature data transmitted from a signature device 110 are collectively verified by a verification device 130. The verification device 130 performs batch verification of the plurality of signature data according to whether the value calculated by double scalar multiplication corresponds to the value calculated by multiplex scalar multiplication, performs Frobenius expansion to the scalar value of the multiplex scalar multiplication to calculate an expanded value, and performs calculation by binding common factors in the expanded value. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for verifying signature data collectively.

  In the digital signature technology, the signer generates signature data for the electronic data to be signed by using a signature key that is kept secret by the signer, and the signature verifier uses the public verification key. By decrypting the signature data and comparing it with the electronic data to be signed, it is possible to detect the authenticity of the signer and the presence / absence of alteration of the electronic data.

  In such a digital signature technique, heavy processing (mathematical calculation) must be repeatedly performed at the time of verification. For example, in the technique described in Non-Patent Document 1, a plurality of digital signatures are collectively processed. By verifying, the efficiency of digital signature verification processing is improved.

  For example, in normal signature verification, for digital signatures corresponding to each i (i is a natural number satisfying 1 ≦ i ≦ u (u: a natural number of 2 or more), i is an index indicating an order), the following ( 1) Verify separately whether each expression is satisfied.

However, for each i (i = 1,..., U), x _i and y _i satisfy the following expressions (2) and (3), respectively.

Here, G is a finite cyclic group whose order is n (n is a large prime number), and g is a generation source of the group G. Further, (x _i , y _i ) is a set (batch instance) for verifying whether or not the expression (1) is satisfied.

  In such a digital signature technique, heavy processing (mathematical calculation) must be repeatedly performed for verification. For example, in the Random Subset Test described in Non-Patent Document 1, the following equation (4) is used. And by verifying whether or not the expression (5) is satisfied, it is possible to verify the digital signature efficiently by verifying a plurality of digital signatures at once (by performing heavy processing only once). I can do it.

Here, as shown in the equation (5), 0 or 1 is randomly selected for s _i for each i (i = 1,..., U).

  In addition, in the Small Exponents Test described in Non-Patent Document 1, it is possible to efficiently verify a digital signature by verifying whether or not the following expressions (6) and (7) are satisfied. Yes.

Here, s _i is an integer randomly selected from 0 or 2m−1. Note that m (m is a positive integer selected arbitrarily) is a security level, and the security level is determined by this m.

  The efficiency in the batch verification described in Non-Patent Document 1 depends on the number n of batch instances and the security level m.

  In batch verification in a signature scheme based on an elliptic curve, a process of performing multiple scalar multiplication occupies most of the entire process. Therefore, Non-Patent Document 2 and Non-Patent Document 3 describe techniques for performing efficient collective verification using Frobenius expansion.

M. Bellare, J. Garay, and T. Rabin, "Fast Batch Verification for Modular Exponentiation and Digital Signatures", Advances in Cryptology-EUROCRYPT 1998, LNCS 1403, pp. 236-250, 1998. J. Cheon and D. Lee, "Use of Sparse and / or Complex Exponents in Batch Verification of Exponentiation", IEEE. T. on Computers, Vol.55, No.12, 2006. J. Cheon and J. Yi, "Fast Batch Verification of Multiple Signature", PKC'07, LNCS 4450, Springer-Verlag, pp. 442-457, 2007.

  As described above, the collective verification processing technique described in Non-Patent Document 1 can improve the efficiency as compared with the normal signature verification processing, but it is applied to a signature scheme based on an elliptic curve. Is not described, and it seems that the signature scheme based on the elliptic curve cannot exhibit sufficient efficiency.

  Further, in the batch verification methods described in Non-Patent Document 2 and Non-Patent Document 3, if the number of signatures to be verified increases, an intermediate value of multiple scalar multiplication frequently occurs. It is a bottleneck in processing performance and it is difficult to achieve sufficient processing performance. Furthermore, in order to avoid such an update of the intermediate value, there is a method of storing all the results of the intermediate value in the storage area. In this case, since a large storage area is required, there are various methods in the actual system. In an environment where an application is executed, the processing time of the application is greatly affected.

  Therefore, an object of the present invention is to realize collective verification that combines high security and high efficiency even when the number of signatures to be verified is large.

  In order to solve the above problems, the present invention reduces the number of multiplications by creating a common factor in a value obtained by expanding a scalar value into a Frobinius.

  For example, according to the present invention, a plurality of signature data generated by a signature scheme based on an elliptic curve corresponds to a value calculated by double scalar multiplication and a value calculated by multiple scalar multiplication. A batch verification apparatus that collectively verifies whether or not, and performing a Frobinius expansion on the scalar value of the multiple scalar multiplication to calculate the expansion value, the expansion value, the common factor as a coefficient A process of decomposing into a first addition value consisting of a first value of the value to be processed and a second value of the other values, and combining the first addition value with a common factor in the first value. However, it is characterized by comprising a control unit that performs a process of obtaining the second added value and a process of performing the multiple scalar multiplication using the second added value.

  As described above, according to the present invention, even when the number of signatures to be verified is large, collective verification having both high security and high efficiency can be realized.

  FIG. 1 is a schematic diagram of a signature batch verification system 100 according to the first embodiment of the present invention.

  As shown in the figure, the signature batch verification system 100 includes a signature device 110 and a verification device 130, and these signature device 110 and verification device 130 can transmit and receive information to and from each other via a network 150. It has been made possible.

  In the signature batch verification system 100 according to this embodiment, the signature device 110 generates a signature S for the message M, and the verification device 130 performs batch verification of the signature S.

  FIG. 2 is a schematic diagram of the signature device 110.

Here, the ECDSA signature or the ECDSA ^* signature is used as the signature method in the present embodiment, but the present invention is not limited to such a mode.

  As illustrated, the signature device 110 includes a storage unit 111, a control unit 114, an input unit 117, an output unit 118, and a communication unit 119.

  The storage unit 111 includes a signature key storage area 112 and a data storage area 113.

  In the signature key storage area 112, information for specifying a signature key, which is key information for performing a signature, is stored.

Here, the signature key d in the ECDSA signature (or ECDSA ^* signature) is an integer represented by the following equation (8).

  The data storage area 113 stores information for identifying a message that is data to be signed.

  The control unit 114 includes a signature generation processing unit 115 and a mathematical function calculation unit 116.

  The signature generation processing unit 115 controls processing for generating signature data for the message M that is data to be signed.

  For example, in this embodiment, the signature generation processing unit 115 generates input data by inputting a message M, which is data to be signed, into a predetermined hash function H.

  Then, the signature generation processing unit 115 acquires the signature key stored in the signature key storage area 112 and inputs it to the mathematical function calculation unit 116 together with the input data.

  The signature generation processing unit 115 acquires the signature S generated by the mathematical function calculation unit 116, and transmits the signature S and the message M as signature data to the verification device 130 via the communication unit 119.

  The mathematical function calculation unit 116 encrypts the input data input from the signature generation processing unit 115 with a predetermined algorithm using the signature key input from the signature generation processing unit 115, and signs the signature. Generate.

For example, in the ECDSA signature, the signature S _i for the message M _i (i = 1,..., U) using the signature key d is expressed by the following formulas (9), (10), and (11): And (12).

Here, H means a cryptographic hash function. X (R _i ) represents the x coordinate of the point R _i on the elliptic curve E (F _q ^e ).

K _i is a random number generated at the time of signature generation and satisfies the following expression (13).

The system parameters in the ECDSA signature (or ECDSA ^* signature) are as follows.

E / F _q : An elliptic curve defined on the finite field F _q .

#E (F _q ) = n × h (where h is a small integer and n is a large prime number).

q: prime bit size of n is more than 160 p powers of (q = ^{p r).}

P: A point on E (F _q ) such that the order is n.

  These system parameters are exposed on the network.

  Then, the mathematical function calculation unit 116 outputs the signature generated in this way to the signature generation processing unit 115.

  The input unit 117 receives information input.

  The output unit 118 outputs information.

  The communication unit 119 transmits and receives information via the network 150.

  The signature device 110 described above includes, for example, a CPU (Central Processing Unit) 901, a memory 902, and an external storage device 903 such as an HDD (Hard Disk Drive) as shown in FIG. 3 (schematic diagram of the computer 900). A reading device 905 for reading / writing information from / to a portable storage medium 904 such as a CD-ROM (Compact Disk Read Only Memory) or a DVD-ROM (Digital Versatile Disk Read Only Memory), a keyboard, a mouse, etc. This can be realized by a general computer 900 including an input device 906, an output device 907 such as a display, and a communication device 908 such as a NIC (Network Interface Card) for connecting to a communication network.

  For example, the storage unit 111 can be realized by the CPU 901 using the memory 902 or the external storage device 903, and the control unit 114 loads a predetermined program stored in the external storage device 903 into the memory 902. The input unit 117 can be realized by using the input device 906 by the CPU 901, and the output unit 118 can be realized by using the output device 907 by the CPU 901. The communication unit 119 can be realized by the CPU 901 using the communication device 908.

  The predetermined program is downloaded from the storage medium 904 via the reading device 905 or from the network via the communication device 908 to the external storage device 903, and then loaded onto the memory 902 and executed by the CPU 901. You may do it. Alternatively, the program may be directly loaded on the memory 902 from the storage medium 904 via the reading device 905 or from the network via the communication device 908 and executed by the CPU 901.

  FIG. 4 is a schematic diagram of the verification device 130.

  As illustrated, the verification device 130 includes a storage unit 131, a control unit 134, an input unit 137, an output unit 138, and a communication unit 139.

  The storage unit 131 includes a verification key storage area 132 and a signature data storage area 133.

  The verification key storage area 132 stores information for specifying a verification key, which is key information for decrypting and verifying the signature included in the signature data transmitted from the signature device 110.

  In the signature data storage area 133, information for identifying the signature data transmitted from the signature device 110 is stored.

  The control unit 134 includes a signature batch verification processing unit 135 and a mathematical function calculation unit 136.

  The signature batch verification processing unit 135 controls processing for collectively verifying signature data transmitted from the signature device 110.

  For example, in the present embodiment, the signature batch verification processing unit 135 acquires the verification key stored in the verification key storage region 132 and the signature data stored in the signature data storage region 133 from the storage unit 131, Input to the function calculation unit 136.

  The signature batch verification processing unit 135 acquires the result of the batch verification from the mathematical function calculation unit 136 and stores the result in the storage unit 131 or outputs the verification result via the output unit 138 or the communication unit 139. To do.

  The mathematical function calculation unit 136 uses a verification key input from the signature batch verification unit 135 for a signature included in the signature data input from the signature batch verification unit 135 to sign a signature based on a predetermined algorithm. To verify the validity of the signature.

  For example, in the present embodiment, the mathematical function calculation unit 136 includes a batch instance generation unit 136a and a multiple scalar multiplication calculation unit 136b.

  The batch instance generation unit 136a generates a batch instance from the signature included in the signature data input from the signature batch verification unit 135.

  Here, the batch instance generation method depends on the signature method used in the signature device 110 and the verification device 130. If the signature generated by the signature method used in the signature device 110 and the verification device 130 is a batch instance, the mathematical function calculation unit 136 does not need to include the batch instance generation unit 136a.

  For example, since the signature generated by the ECDSA signature method needs to be modified so that the batch verification method can be applied, the batch instance generation unit 136a of the mathematical function calculation unit 136 batches the signature acquired from the signature device 110. Transform into an instance.

Specifically, batch instantiation portion 136a of the mathematical function computing unit 136, the signature _{S i} calculated in the above-mentioned (9), the above equation (10), (11) and (12) The batch instance shown in the following equation (14) is calculated by using the calculation.

  The multiple scalar multiplication calculation unit 136b performs a multiple scalar multiplication calculation process.

  Then, the multiple scalar multiplication calculation unit 136b performs verification based on whether or not the following expression (15) is satisfied.

That is, if the expression (15) is satisfied, the signature S _i is accepted as “valid”, and if the expression (15) is not satisfied, the signature S _i is rejected as “invalid”.

Here, L _i (i = 1,..., U) is a number randomly selected from the set SET that satisfies the following equation (16). The set SET satisfies the following expression (16).

  Here, #S is the number of elements in the set SET.

  The outline of the multiple scalar multiplication performed by the multiple scalar multiplication calculation unit 136b is as follows.

First, the multiple scalar multiplication calculation unit 136b performs a Frobenius expansion with a scalar value as a coefficient (0, ± 1, ± λ) on the complex number λ that is the root of x ² + 1 = 0. About this Frobenius development, since a well-known thing should just be used, detailed description is abbreviate | omitted.

  Next, the multiple scalar multiplication calculation unit 136b decomposes the Frobenius expanded value into an addition value of a value having λ as a coefficient and another value.

  For example, when the Frobenius expanded value is (1, λ, 0, −1, −λ), this value is (1, 0, 0, −1, 0) + (0, λ, 0, 0, -Λ).

  The multiple scalar multiplication calculation unit 136b can reduce the number of multiplications by using λ as a common factor in a value having λ as a coefficient.

  For example, the addition value (1, 0, 0, −1, 0) + (0, λ, 0, 0, −λ) is changed to (1, 0, 0, −1, 0) + λ (0, 1, Multiple scalar multiplication is performed as 0,0, -1).

  Note that a specific calculation method in the multiple scalar multiplication will be described in detail with reference to FIG.

  The input unit 117 receives information input.

  The output unit 118 outputs information.

  The communication unit 119 transmits and receives information via the network 150.

  The signature device 130 described above can also be realized by a general computer 900 as shown in FIG.

  For example, the storage unit 131 can be realized by the CPU 901 using the memory 902 or the external storage device 903, and the control unit 134 loads a predetermined program stored in the external storage device 903 into the memory 902. The input unit 137 can be realized by using the input device 906 by the CPU 901, and the output unit 138 can be realized by using the output device 907 by the CPU 901. The communication unit 139 can be realized by the CPU 901 using the communication device 908.

  The predetermined program is downloaded from the storage medium 904 via the reading device 905 or from the network via the communication device 908 to the external storage device 903, and then loaded onto the memory 902 and executed by the CPU 901. You may do it. Alternatively, the program may be directly loaded on the memory 902 from the storage medium 904 via the reading device 905 or from the network via the communication device 908 and executed by the CPU 901.

  FIG. 5 is a sequence diagram showing a signature generation process in the signature device 110.

  First, the signature generation processing unit 115 of the signature device 110 obtains the message M input via the input unit 117 or stored in the data storage area 113 of the storage unit 111 (S10). Here, the message M may be any digitized data, and may be any type of text, image, video, sound, or the like.

  Next, the signature generation processing unit 115 generates input data H (M) from the acquired message M (S11). The input data H (M) is, for example, a hash value of the message M and depends on the message M and the signature method used.

  Next, the signature generation processing unit 115 reads the signature key sk stored in the signature key storage area 112 of the storage unit 111 (S12).

  Then, the signature generation processing unit 115 inputs the read signature key sk and the input data H (M) generated in step S11 to the mathematical function calculation unit 116 (S13).

  The mathematical function calculation unit 116 calculates a signature S from the input signature key sk and the input data H (M) (S14). Here, the signature S is a value calculated depending on the signature scheme to be adopted.

  Then, the mathematical function calculation unit 116 outputs the calculated signature S to the signature generation processing unit 115 (S15).

  The signature generation processing unit 115 generates signature data including at least the received signature S and the message M, and transmits the signature data to the verification device 130 via the communication unit 119 (S16).

  Note that the acquisition timing of the signature key sk from the storage unit 111 in step S12 may be before the signature key sk is output to the mathematical function calculation unit 116, for example, before the message M is acquired (S10). May be.

  FIG. 6 is a sequence diagram showing a signature verification process in the verification apparatus 130.

  First, the signature batch verification processing unit 135 of the verification device 130 receives an arbitrary number of signature data input via the input unit 137 or the communication unit 139 or stored in the signature data storage area 133 of the storage unit 131. Obtain (S20).

  The signature batch verification processing unit 135 reads the verification key pk stored in the verification key storage area 132 of the storage unit 131 (S21).

  Then, the signature batch verification processing unit 135 inputs the acquired plurality of signature data and the read verification key pk to the mathematical function calculation unit 136 (S22).

  The mathematical function calculation unit 136 generates a batch instance S ′ from the signatures S included in the plurality of input signature data (S23). When the signature S is already a batch instance, it is not necessary to generate a batch instance.

  Then, the mathematical function calculation unit 136 performs predetermined batch verification from the input verification key pk and the batch instance S ′ (S24), and outputs the result to the signature batch verification processing unit 135 as a verification result. (S25). The signature verification process in the mathematical function calculation unit 136 will be described in detail with reference to FIG.

  The signature batch verification processing unit 135 that has acquired the verification result stores the verification result in the storage unit 131 or outputs the verification result (whether the signature data is valid) via the output unit 138 and the communication unit 139. (S26).

  Note that the reading of the verification key pk from the storage unit 131 (S21) may be performed before the batch verification is performed by the mathematical function calculation unit 136, for example, before the signature data is received in step S20.

  FIG. 7 is a flowchart showing the batch verification process in the mathematical function calculation unit 136 in the present embodiment.

First, the mathematical function calculator 136 sends a message M _i (i = 1,..., U), a batch instance S _i ′ = (R _i , σ _i ) (i = 1,. The input of the key Q, the elliptic curve auxiliary information ξ, and the security parameter m is accepted (S30). Here, the elliptic curve auxiliary information ξ is an automorphism map on the elliptic curve, as will be described later.

Next, the mathematical function calculator 136 determines whether or not the following equations (17) and (18) hold for all i (i = 1,..., U) (S31). . Here, _{r i} satisfies the above expression (11).

  If the equations (17) and (18) are satisfied for all i (Yes in step S31), the process proceeds to step S32. If not (No in step S31), the process proceeds to step S36.

Then, the mathematical function computing unit 136, for each i, and computes a message _{M i} of the hash value H _{(M i),} and substitutes the result to _{m i} (S32).

Then, the mathematical function calculation unit 136 randomly selects L _i (i = 1,..., U) from the set SET (S33).

  Then, the mathematical function calculation unit 136 determines whether or not the following equation (19) holds (S34).

  If equation (19) holds (Yes in step S34), the process proceeds to step S35, and if equation (19) does not hold (No in step S34), the process proceeds to step S36.

  In step S35, the mathematical function calculator 136 determines that the input signature is valid.

  In step S36, the mathematical function calculation unit 136 determines that the input signature is invalid.

  Next, an overview of even multiple multiplication in the present embodiment will be described.

Here, in the present embodiment, E _a is an elliptic curve defined on the finite field F _{5 as} shown in the following equation (20).

Λ is an automorphism map on an elliptic curve E _a as shown in the following equation (21).

However, α is an element of a finite field F ₅ having an order of 4. FIG. 8 is a flowchart showing a calculation process of multiple scalar multiplication in the above-described equation (19).

First, the multiple scalar multiplication calculation unit 136b of the mathematical function calculation unit 136 of the control unit 134 of the verification apparatus 130 performs points P and Q on the elliptic curve E _a (Q = dP, d: secret key), R _i (i = 1,..., U), scalar values w _i , z _i , random numbers t _i shown in the following equation (22), random numbers t _ij shown in the following equation (23), and elliptic curve E _a The input of the automorphism map λ is accepted (S40).

Here, the scalar values w _i and z _i are respectively the P coefficient L _i σ _i−1 m _{i on} the right side of the equation (19) and the Q coefficient L _i σ _i−1 r on the right side of the equation (19). _i is represented.

Further, the set S _G (e, k, q) is a Frobenius expansion of e digits or less with coefficients of the elements of the set D _G as shown in the following equation (24), and its Hamming Weight Represents a set of all elements with k or less.

Note that the set SET in step S33 in FIG. 7 represents S _G (e, k, q) here.

Further, as described above for D _G, a set of the entire original to be digits deployment is called digit set (digit set).

Here, the random number t _i above, describes a method of deformed as shown in (25) below.

First, a self-homogeneous map called Frobenius map φ can be applied to points on the elliptic curve E. Applying the Frobenius map φ to the point (x ₁ , y ₁ ) means calculating the following equation (26).

  Further, it is known that the following equation (27) holds, and due to the property of the following equation (28), φ can be considered as a complex number satisfying the equation (28).

  Here, t is an integer called a trace of the elliptic curve E. It is known that not only the above-described Frobenius map φ but also all self-homomorphic maps can be considered as a complex number.

In the present embodiment, the value of λ in the elliptic curve E _a in the equation (20) is as shown in the following equation (29).

In the elliptic curve E _a in the equation (20), when a = 1, t in the equation (28) is known to be t = 2, and the Frobenius map φ is a complex number represented by the equation (30). The relational expression of φ and λ is shown in the equation (31).

When this relational expression is used, when t _i = 12, the above-described random number ti can be modified by modifying it as shown in Expression (32).

  Even when the above-described conversion is performed on general a, Frobenius expansion may be performed using a relational expression of φ and λ similar to the expression (31). Details of the above conversion are described in Reference 4 below.

Reference 4: TJ Park, MK Lee, and K. Park, "New Frobenius Expansions for Elliptic Curves with Efficient Endomorphisms," International Conference on Information Security and Cryptology-ICISC 2002, LNCS 2587, Springer-Verlag, pp.264-282, 2003.
Returning to the flowchart of FIG. 8, the multiple scalar multiplication calculation unit 136b calculates the double scalar multiplication on the right side of the above equation (19), and substitutes the result into G (S41).

  Next, the multiple scalar multiplication calculation unit 136b substitutes 1 for i, e-1 for j, infinity point 0 for A, and infinity point 0 for B (S42).

  Next, the multiple scalar multiplication calculation unit 136b determines whether i ≦ u is satisfied (S43).

  If i ≦ u is satisfied (Yes in step S43), the process proceeds to step S44. If i ≦ u is not satisfied (No in step S43), the process proceeds to step S49.

  In step S44, the multiple scalar multiplication calculation unit 136b determines whether j ≧ 0.

  If j ≧ 0 is satisfied (Yes in step S44), the process proceeds to step S45. If j ≧ 0 is not satisfied (No in step S44), the process proceeds to step S48.

  In step S45, the multiple scalar multiplication calculation unit 136b substitutes φ (B) for B.

The multi-scalar multiplication calculation portion 136b may _If a _{t ij} = ± 1, substitutes the B ± _{R i} to B (S46). If t _ij = ± 1 is not satisfied, step S46 is skipped.

  Next, the multiple scalar multiplication calculation unit 136b substitutes j−1 for j (S47), and returns to step S44 to repeat the processing.

  On the other hand, if j ≧ 0 is not satisfied in step S44 (No in step S44), the multiple scalar multiplication calculation unit 136b sets i + 1 to i, e-1 to j, A + B to A, and B to B. The infinite point 0 is substituted (S48), and the process returns to step S43 to repeat the process.

  If i ≦ u is not satisfied in step S43 (No in step S43), the multiple scalar multiplication calculation unit 136b substitutes 1 for i (S49).

  Then, the multiple scalar multiplication calculation unit 136b determines whether i ≦ u is satisfied (S50).

  If i ≦ u is satisfied (Yes in step S50), the process proceeds to step S51. If i ≦ u is not satisfied (No in step S50), the process proceeds to step S56.

  In step S51, the multiple scalar multiplication calculation unit 136b determines whether j ≧ 0.

  If j ≧ 0 is satisfied (Yes in step S51), the process proceeds to step S52. If j ≧ 0 is not satisfied (No in step S51), the process proceeds to step S55.

  In step S52, the multiple scalar multiplication calculation unit 136b substitutes φ (B) for B.

Then, the multiple scalar multiplication calculation unit 136b substitutes B ± R _i for B if t _ij = ± λ (S53). _In the case _{where t ij} = ± lambda is not satisfied, step S53 is skipped.

  Next, the multiple scalar multiplication calculation unit 136b substitutes j−1 for j (S54), and returns to Step S51 to repeat the processing.

  On the other hand, if j ≧ 0 is not satisfied in step S51 (No in step S51), the multiple scalar multiplication calculation unit 136b substitutes i + 1 for i and e-1 for j (S55), respectively. The process returns to step S50 and is repeated.

  If i ≦ u is not satisfied in step S50 (No in step S50), the multiple scalar multiplication calculation unit 136b substitutes λ (B) for B and A + B for A (S56). Exit.

  The calculation method of the above-described multiple scalar multiplication (the left side of equation (19)) may be the above-described multiple scalar multiplication method of FIG. 8, or may be calculated by other methods.

  The reason why the multiple scalar multiplication calculation method described above is more efficient than Non-Patent Document 1, Non-Patent Document 2, and Non-Patent Document 3 (the number of updates of intermediate values can be greatly reduced) is as follows. It is as follows.

  In the signature collective verification described in Non-Patent Document 1, Non-Patent Document 2, and Non-Patent Document 3, since the digit set of signed binary expansion or Frobenius expansion is large, (number of elements in the digit set) × The intermediate value needs to be updated as many times as the number of signatures to be verified. For this reason, when the number of signatures to be verified is large, the number of intermediate value updates increases, resulting in a bottleneck in processing performance.

On the other hand, in the present embodiment, when the elliptic curve E _{a of the} equation (20) and the Frobenius expansion of the equation (24) are used, the digit set is small, and the above-mentioned automorphism map λ is the equation (21). As described in (1), it can be implemented by one multiplication (α × y) and one code conversion (x → −x).

  Since the processing time for one code conversion is negligibly small as compared with one multiplication, the above-mentioned automorphism map λ can actually be calculated with the processing time for one multiplication.

  Furthermore, since the automorphism map satisfies the homomorphism of the group, as shown in the following equation (33), the sum of the points obtained by mapping λ to each point on the elliptic curve and each point on the elliptic curve The point where the map λ is given to the sum of is equal.

For example, when u = 2, L ₁ = λ−Φ + λΦ ² , and L ₁ = 1 + λΦ ² , the following equation (34) is obtained.

Thus, when the multiple scalar multiplication method shown in FIG. 8 is used, it is not necessary to update the intermediate values λR ₁ and λR ₂ , and all points where the coefficients are ± λ are added, and finally the automorphism is obtained. What is necessary is just to give map (lambda).

  In addition, integer multiplication on the elliptic curve also satisfies the above-mentioned group homomorphism. For example, 4P + 4Q = 4 (P + Q) may be calculated by calculating P + Q and finally performing quadruple calculation.

  However, unlike the above-mentioned automorphic map λ, it cannot be performed by a single multiplication, and a plurality of multiplications are required. Therefore, in the case of signature verification described in Non-Patent Document 1, Non-Patent Document 2, and Non-Patent Document 3, the intermediate value is updated by the number of times of (number of elements in digit set) × (number of signatures to be verified). There is a need to. On the other hand, when the multiple scalar multiplication method shown in FIG. 8 is used, the number of updates of the intermediate value is greatly reduced as compared with Non-Patent Document 1, Non-Patent Document 2, and Non-Patent Document 3. it can.

  Further, when the above-described method for calculating the intermediate value in advance is used, a large amount of storage area is required to hold a pre-calculation table (scalar multiple point with the element of the digit set as a scalar value), whereas FIG. When the multiple scalar multiplication calculation method described in (1) is used, a storage area for holding the pre-calculation result is unnecessary, and the amount of memory to be used can be reduced.

  The reason why the signature batch verification described in the first embodiment has high security is as follows.

  As described above, it is known that the number of elements #S of the set S must satisfy the equation (16) in order to set the security level of collective verification to m.

In general, the Frobenius expansion can be easily understood that the same value exists even if the expression method is different (for example, two Frobenius expansions φ ² + q, tφ from the equation (28) called an elliptic curve characteristic polynomial). Is the same value, although the representation is different). That is, when using a Frobenius expansion (related to a certain digit set) as a set SET, it is necessary to accurately obtain the original number of the Frobenius expansion (or to obtain an upper limit and a lower limit of the original number of the Frobenius expansion). If not, the security level m for batch verification cannot be set accurately. Therefore, when Frobenius expansion is used as the set SET, it is desirable to use a digit set that can accurately determine the original number (or determine the upper and lower limits of the original number of Frobenius expansion). The set S _G (e, k, q) described in this embodiment can prove that the Frobenius expansion is unique.

Since the Frobenius expansion is unique, the representation method is different and the values are not the same. _Furthermore, it is possible to S G (e, k, q) number of elements _#S G of (e, k, q) is ascertained also satisfy the equation (35) below.

ここで、_ｅＣ_ｉは組合せの個数を表す記号であり、異なるｅ個からｉ個を選択する場合の組合せの総数を表す。

Here, _e C _i is a symbol representing the number of combinations, and represents the total number of combinations when i is selected from different e.

Therefore, (e, k, q) may be determined so that the value of the expression (35) becomes 2 ^m . Specifically, in the first embodiment, q = 5, and e is a bit length (160-bit, 192-bit, 256-bit, etc.) indicating the safety of the elliptic curve to be used is 5 ^e . What is necessary is just to set so that it may become comparable. Then, the determined e and q are substituted into the equation (35), and k may be determined so as to be approximately equal to 2 ^m .

  In this embodiment, a case has been described in which a plurality of signatures (or batch instances) signed by a signer are collectively verified. However, a plurality of signatures (or batch instances) each signed by a plurality of signers are collectively recorded. It is also possible to verify.

For example, at least one or more users A _i (1) having a set (sk _i = d _i , pk _i = Q _i ) (where Q _i = d _i P) of a signature generation key sk _i and a signature verification key pk _i ≦ i ≦ r) respectively generated batch instances (R _i ^(j) , σ _i ^(j) ) {1 ≦ i ≦ r, 1 ≦ j ≦ n (i)} are collectively verified by the following (36) Verification is performed based on whether the expression is satisfied.

Further, although the ECDSA signature method is used in the batch verification method described above, an ECDSA ^* signature can be used instead of the ECDSA signature.

In the ECDSA ^* signature, since the batch instance calculated by the above equation (14) is a signature (since it is calculated by the signature device 110), it is not necessary to generate a batch instance in the verification device 130.

The ECDSA ^* signature is described in Reference 5 below, and its security is equivalent to the ECDSA signature.

Reference 5: A. Antipa, D. Brown, R. Gallant, R. Lambert, R. Struik, and S. Vanstone, "Accelerated Verification of ECDSA Signatures", Selected Areas in Cryptography-SAC 2005, LNCS 3897, pp.307 -318, 2006.
In this embodiment, the ECDSA signature and the batch verification method for the ECDSA ^* signature have been described. The elliptic Schnorr signature obtained by extending the Schnorr signature described in Document 6 below to a signature scheme based on the discrete logarithm problem on an elliptic curve. It is also known that application to the above is possible.

Reference 6: CP Schnorr, "Efficient Signature Generation by Smart Cards", Journal of Cryptology 4 (3), pp.161-174, 1991.
Next, signature verification using an elliptic curve different from the first embodiment will be described as a second embodiment.

  Similarly to the first embodiment, the signature batch verification system according to the second embodiment of the present invention includes a signature device 110 and a verification device 130. These signature device 110 and verification device 130 are connected to a network 150. It is possible to send and receive information to and from each other.

  The signature device 110 is configured in the same manner as in the first embodiment.

  The verification device 130 is also configured in the same manner as in the first embodiment, but since the signature verification processing in the mathematical function calculation unit 136 of the control unit 134 is different, items related to this different point will be described below. Will be described.

  The outline of the multiple scalar multiplication of this embodiment is as follows.

In the second embodiment, a curve different from the elliptic curve used in the first embodiment is used. Hereinafter, in the present embodiment, E _b is an elliptic curve defined on the finite field F ₇ as expressed by the following equation (37).

Here, ω is an automorphism map on the elliptic curve _Eb expressed by the following equation (38).

However, β is an element of a finite field F ₇ having an order of 3.

Then, the multiple scalar multiplication calculation unit 136b performs a Frobenius expansion with the scalar value as a coefficient for (0, ± 1, ± ω, ± ω ² ) for the complex number ω that is the root of x ² + x + 1 = 0. . About this Frobenius development, since a well-known thing should just be used, detailed description is abbreviate | omitted.

Next, the multiple scalar multiplication calculation unit 136b decomposes the Frobenius expanded value into an addition value of a value having ω as a coefficient, a value having ω ² as a coefficient, and another value.

For example, if the Frobenius expanded value is (1, ω, 0, −1, −ω ² ), this value is (1, 0, 0, −1, 0) + (0, ω, 0, 0). , 0) + (0, 0, 0, 0, −ω ² ).

The multiple scalar multiplication calculation unit 136b can reduce the number of multiplications by using ω or ω ² as a common factor in a value having ω or ω ² as a coefficient.

For example, the added value (1, 0, 0, −1, 0) + (0, ω, 0, 0, 0) + (0, 0, 0, 0, −ω ² ) is changed to (1, 0, Multiple scalar multiplication is performed as 0, -1,0) + ω (0,1,0,0,0) + ω ² (0,0,0,0, -1).

  FIG. 9 and FIG. 10 are flowcharts showing the calculation processing of multiple scalar multiplication in the above-described equation (19).

First, the multiple scalar multiplication calculation unit 136b of the mathematical function calculation unit 136 of the control unit 134 of the verification apparatus 130 performs points P and Q on the elliptic curve _Eb (Q = dP, d: secret key), R _i (i = 1,..., U), scalar values w _i , z _i , random number t _i shown in the following equation (39), random number t _ij shown in the following equation (40), and elliptic curve E _b The input of the automorphism map ω is accepted (S60).

Here, the scalar values w _i and z _i are respectively the P coefficient L _i σ _i−1 m _{i on} the right side of the equation (19) and the Q coefficient L _i σ _i−1 r on the right side of the equation (19). _i is represented.

Further, the set S _E (e, k, q) is a Frobenius expansion of e digits or less with the element of the set D _E as a coefficient, as shown in the following equation (41), and its Hamming Weight Represents a set of all elements with k or less.

Note that the set SET in step S33 in FIG. 7 represents S _E (e, k, q) here.

Here, the random number t _i described above, the method of deformed as shown in (42) below will be described.

In the present embodiment, the value of ω in the elliptic curve _Eb of the equation (37) is as shown in the following equation (43).

In the elliptic curve _Eb of the equation (37), when b = 1, t in the equation (43) is known to be t = 5, and the Frobenius map φ is a complex number represented by the equation (44). The relational expression of φ and λ is shown in the equation (45).

When this relational expression is used, when t _i = 16φ−10, the above-described random number t _i can be modified by modifying it as shown in the equation (46).

  Even when the above-described conversion is performed on general b, Frobenius expansion may be performed using a relational expression of φ and ω similar to the expression (45). Details of the conversion are described in Document 4 above.

  Returning to the flowchart of FIG. 9, the multiple scalar multiplication calculation unit 136b calculates the double scalar multiplication on the right side of the above equation (19), and substitutes the result for G (S61).

  Next, the multiple scalar multiplication calculation unit 136b substitutes 1 for i, e-1 for j, infinity point 0 for A, and infinity point 0 for B (S62).

  Next, the multiple scalar multiplication calculation unit 136b determines whether i ≦ u is satisfied (S63).

  If i ≦ u is satisfied (Yes in step S63), the process proceeds to step S64. If i ≦ u is not satisfied (No in step S63), the process proceeds to step S69.

  In step S64, the multiple scalar multiplication calculation unit 136b determines whether j ≧ 0.

  If j ≧ 0 is satisfied (Yes in step S64), the process proceeds to step S65. If j ≧ 0 is not satisfied (No in step S64), the process proceeds to step S68.

  In step S65, the multiple scalar multiplication calculation unit 136b substitutes φ (B) for B.

Then, the multiple scalar multiplication calculation unit 136b substitutes B ± R _i for B if t _ij = ± 1 (S66). If t _ij = ± 1 is not satisfied, step S66 is skipped.

  Next, the multiple scalar multiplication calculation unit 136b substitutes j−1 for j (S67), and returns to step S64 to repeat the processing.

  On the other hand, if j ≧ 0 is not satisfied in step S64 (No in step S64), the multiple scalar multiplication calculation unit 136b sets i + 1 to i, e-1 to j, A + B to A, and B to B. The infinity point 0 is substituted (S68), and the process returns to step S63 to repeat the process.

  If i ≦ u is not satisfied in step S63 (No in step S63), the multiple scalar multiplication calculation unit 136b substitutes 1 for i (S69).

  Then, the multiple scalar multiplication calculation unit 136b determines whether i ≦ u is satisfied (S70).

  If i ≦ u is satisfied (Yes in step S70), the process proceeds to step S71. If i ≦ u is not satisfied (No in step S70), the process proceeds to step S76.

  In step S71, the multiple scalar multiplication calculation unit 136b determines whether j ≧ 0.

  If j ≧ 0 is satisfied (Yes in step S71), the process proceeds to step S72. If j ≧ 0 is not satisfied (No in step S71), the process proceeds to step S75.

  In step S72, the multiple scalar multiplication calculation unit 136b substitutes φ (B) for B.

The multi-scalar multiplication calculation portion 136b may _If a _{t ij} = ± _ω, substituting B ± _{R i} to B (S73). If t _ij = ± ω is not satisfied, step S73 is skipped.

  Next, the multiple scalar multiplication calculation unit 136b substitutes j−1 for j (S74), and returns to Step S71 to repeat the processing.

  On the other hand, if j ≧ 0 is not satisfied in step S71 (No in step S71), the multiple scalar multiplication calculation unit 136b substitutes i + 1 for i and e-1 for j (S75). The process returns to step S70 and is repeated.

  If i ≦ u is not satisfied in step S70 (No in step S70), the multiple scalar multiplication calculation unit 136b sets ω (B) to B, A + B to A, 1 to i, B 0 is substituted into (S76), and the process proceeds to step S77 in FIG.

  In step S77, the multiple scalar multiplication calculation unit 136b determines whether i ≦ u.

  If i ≦ u is satisfied (Yes in step S77), the process proceeds to step S78. If i ≦ u is not satisfied (No in step S77), the process proceeds to step S83.

  In step S78, the multiple scalar multiplication calculation unit 136b determines whether j ≧ 0.

  If j ≧ 0 is satisfied (Yes in step S78), the process proceeds to step S79. If j ≧ 0 is not satisfied (No in step S78), the process proceeds to step S82.

  In step S79, the multiple scalar multiplication calculation unit 136b substitutes φ (B) for B.

Then, the multiple scalar multiplication calculation unit 136b substitutes B ± R _i for B if t _ij = ± ω ² (S80). If t _ij = ± ω is not satisfied, step S80 is skipped.

  Next, the multiple scalar multiplication calculation unit 136b substitutes j−1 for j (S81), and returns to Step S78 to repeat the processing.

  On the other hand, if j ≧ 0 is not satisfied in step S78 (No in step S78), the multiple scalar multiplication calculation unit 136b substitutes i + 1 for i and e-1 for j (S82), respectively. The process returns to step S77 and is repeated.

If i ≦ u is not satisfied in step S77 (No in step S77), the multiple scalar multiplication calculation unit 136b substitutes ω ² (B) for B and A + B for A (S83). The process is terminated.

In addition, the calculation method of the above-mentioned multiple scalar multiplication may be the above-described multiple scalar multiplication calculation method of FIGS. 9 and 10, or may be calculated by other methods. For example, it is possible to avoid multiplication of ω ² by factoring a portion having ω and ω ² as coefficients with ω.

  The reason why the multiple scalar multiplication calculation method in the second embodiment can significantly reduce the number of times of updating the intermediate value compared with Non-Patent Document 1, Non-Patent Document 2, and Non-Patent Document 3 is the same as in the first embodiment. It is the same.

  In addition, when using the method of calculating the intermediate value in advance, the second implementation requires a large amount of storage area to hold the pre-calculation table (scalar multiple with the element of the digit set as a scalar value). When the multiple scalar multiplication method in the embodiment is used, a storage area for holding the pre-calculation result is unnecessary, and the amount of memory to be used can be reduced as in the first embodiment.

The reason why the signature batch verification described in the second embodiment has high security is the same as that in the first embodiment. That is, the set S _E (e, k, q) can prove that its Frobenius expansion is unique.

Furthermore, it can be confirmed that the number of elements #SE (e, k, q) of S _E (e, k, q) satisfies the following expression (47).

Therefore, (e, k, q) may be determined so that the value of Formula 47 is 2 ^m . Specifically, in the second embodiment, a q = 7, e-bit length indicating the safety of the elliptic curve to be used (160-bit, 192-bit , 256-bit , etc.) ^{7 e} same What is necessary is just to set so that it may become. Then, the determined e and q are substituted into Equation 47, and k may be determined so as to be approximately equal to 2 ^m .

  In each of the above embodiments, the signature generation processing unit 115 and the signature batch verification processing unit 135 are described as being realized by software, but may be realized by using dedicated hardware. Further, the mathematical function calculation units 116 and 136 may be realized by dedicated hardware.

Schematic diagram of signature batch verification system. Schematic diagram of a signature device. Schematic diagram of a computer. Schematic of a verification apparatus. The sequence diagram which shows the signature production | generation process in a signature apparatus. The sequence diagram which shows the collective verification process of the signature in a verification apparatus. The flowchart which shows the batch verification process in a mathematical function calculation part. The flowchart which shows the calculation process of multiple scalar multiplication. The flowchart which shows the calculation process of multiple scalar multiplication. The flowchart which shows the calculation process of multiple scalar multiplication.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Signature batch verification system 111 Storage part 112 Signature key storage area 113 Data storage area 114 Control part 115 Signature generation process part 116 Mathematical function calculation part 117 Input part 118 Output part 119 Communication part 130 Verification apparatus 131 Storage part 132 Verification key storage area 133 Signature data storage area 134 Control unit 135 Signature batch verification processing unit 136 Mathematical function calculation unit 137 Input unit 138 Output unit 139 Communication unit

Claims (10)

Multiple signature data generated by a signature method based on an elliptic curve are collectively determined by whether or not the value calculated by double scalar multiplication and the value calculated by multiple scalar multiplication are compatible. A collective verification device for verification,
A process of performing Frobenius expansion on the scalar value of the multiple scalar multiplication and calculating the expansion value;
A process of decomposing the expanded value into a first addition value consisting of a first value having a common factor as a coefficient and a second value of the other values;
The first addition value is a process in which a common factor is repeated in the first value to obtain a second addition value;
A control unit for performing the multiple scalar multiplication by the second addition value,
A batch verification device characterized by The collective verification device according to claim 1,
The Frobenius expansion is a Frobenius expansion using (0, ± 1, ± λ) as a coefficient for a complex number λ that is the root of x ² + 1 = 0.
The control unit performs the process of setting the first addition value as λ as a common factor in the first value and making the second addition value,
A batch verification device characterized by The collective verification device according to claim 1,
The Frobenius expansion is a Frobenius expansion in which (0, ± 1, ± ω, ± ω ² ) is a coefficient with respect to a complex number ω that is a root of x ² + x + 1 = 0.
Wherein the control unit, the first additional value, out tying the ² omega and omega in said first value as a common factor, performing the processing of said second addition value,
A batch verification device characterized by The collective verification device according to claim 2,
The elliptic curve is E _a {y ² = x ³ + ax (a ≠ 0 is an element of the finite field F ₅ )}
The λ is an automorphism map λ (E _a {(x, y) → (−x, α y)}) in the elliptic curve E _a , where α is an element of a finite field F ₅ having an order of 4) Being
A batch verification device characterized by The collective verification device according to claim 3,
The elliptic curve is E _b {y ² = x ³ + b (b ≠ 0 is an element of the finite field F ₇ )},
The ω is an automorphism map ω (E _b {(x, y) → (βx, y)} in the elliptic curve E _b , where β is an element of a finite field F ₇ having order 3). There is,
A batch verification device characterized by The computer determines whether a plurality of signature data generated by a signature method based on an elliptic curve corresponds to a value calculated by double scalar multiplication and a value calculated by multiple scalar multiplication. It is a program that functions as a batch verification device that performs batch verification,
The computer,
A process of performing Frobenius expansion with a coefficient of (0, ± 1, ± α) on the scalar value of the multiple scalar multiplication, and calculating the expansion value;
A process of decomposing the expansion value into a first addition value composed of a first value having a coefficient of α and a second value of the other values;
The first addition value is processed with α as a common factor in the first value, and the second addition value,
Functioning as a control means for performing the multiple scalar multiplication by the second addition value,
A program characterized by The program according to claim 6,
The Frobenius expansion is a Frobenius expansion using (0, ± 1, ± λ) as a coefficient for a complex number λ that is the root of x ² + 1 = 0.
Causing the control means to process the first addition value as λ in the first value as a common factor and to make the second addition value;
A program characterized by The program according to claim 6,
The Frobenius expansion is a Frobenius expansion in which (0, ± 1, ± ω, ± ω ² ) is a coefficient with respect to a complex number ω that is a root of x ² + x + 1 = 0.
Wherein the control means, the first sum value, out tying the ² omega and omega in said first value as a common factor, to carry out the process according to the second sum value,
A program characterized by The program according to claim 7,
The elliptic curve is E _a {y ² = x ³ + ax (a ≠ 0 is an element of the finite field F ₅ )}
The λ is an automorphism map λ (E _a {(x, y) → (−x, α y)}) in the elliptic curve E _a , where α is an element of a finite field F ₅ having an order of 4) Being
A program characterized by The program according to claim 8, wherein
The elliptic curve is E _b {y ² = x ³ + b (b ≠ 0 is an element of the finite field F ₇ )},
The ω is an automorphism map ω (E _b {(x, y) → (βx, y)} in the elliptic curve E _b , where β is an element of a finite field F ₇ having order 3). There is,
A program characterized by

Images