JP2805493B2 - Authentication method and device used therefor - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION [Industrial Application Field] The present invention is an authentication method capable of implementing a communication protocol that can protect the privacy of consumers when performing electronic money transfer or the like in a telecommunications system.

[Background Art] Electronic fund transfer using a telecommunications system and settlement using an IC card have become widespread. In addition, research has been conducted on how to use a general-purpose prepaid card as an alternative to cash and how to use an electronic wallet. At this time, if the flow of funds is managed by a specific organization, personal information such as consumer consumption trends is accumulated in that organization, which poses a problem from the viewpoint of privacy protection.

As a solution to this problem, there is a secure fund transfer method that makes it impossible to track the transfer of funds using cryptography. For example, David Chaum: “Security without Identi ficati
on: Transaction systems to make Big Brother Obsolut
e ", Communication of the ACM, October 1985, Vol.28 N
o.10 The outline of the Chaum system is as follows.

The consumer (verified person: B) disturbs the document m containing the transaction contents such as the amount of money with random numbers to create a communication message z, and transmits z to the bank (certifier: A). After authenticating the validity of the consumer B, the bank A withdraws the amount from the consumer's account, applies a signature corresponding to the amount to z, and sends the signed message z 'back to the consumer B. Consumer B removes the influence of random numbers from z ', obtains m' as a signed value of m, and uses this as a means to replace cash with a store (verifier: C).
Pay to. Verifier C confirms that m 'is signed by Bank A and determines that m' is worth a certain amount. C later receives m 'by submitting m' to bank A. That is, m 'has a function as a cash voucher.

Here, since z is a random number added to m, banks and third parties cannot estimate m from z, and cannot know the correspondence between m 'and z even if a bank and a store collaborate. . Therefore, it is impossible to know who issued m '. From this, Chaum's method cannot estimate the issuer (consumer) of the voucher m '(ie, cannot be tracked),
It is possible to protect the privacy of consumers' consumption trends.

However, since this method is based on the RSA encryption having a large processing amount, there is a problem that the processing amount for obtaining z ′ from z is large (in this example, the processing amount of the bank A becomes large). Specifically, RSA encryption requires an average of 768 multiplications (including the remainder calculation) of 200-digit integers.

By the way, the amount of memory for holding secret information is small, communication efficiency is excellent, and extended Fi
There is the at-Shamir method (Ota, Okamoto: "Efficient authentication method using the difficulty of calculating k-Jone" (1988, Symposium on Cryptography and Information Security)).

In the extended Fiat-Shamir method, the processing amount is (5l +
2) / 2 multiplications (including remainder calculation in modulus N)
(The meaning of 1 will be described later). In particular, since it is recommended to select l = 20, in this case, the extended Fiat-Shamir
The number of multiplications by the method is 51 times, and the processing amount can be significantly reduced as compared with the signature method using the RSA encryption. Specifically, 51/768
Since it is 0.066, it can be realized with a processing amount of about 7% as compared with the RSA encryption.

 The outline of the extended Fiat-Shamir method is as follows.

A reliable center generates secret information s for a user who uses an ID as personal identification information in the following procedure. Here, N is public information, and N is calculated using secret prime numbers P and Q.
= P × Q. L is an integer and f is a one-way function, which is publicly available.

step1: Calculate x = f (ID) using the one-way function f.

Step 2: Calculate s satisfying s ^L = x (mod N) by using the prime factors P and Q of N for x (that is, s is L of x)
Square root).

step3: s is secretly issued to the user, and the one-way function f and the combined number N are disclosed.

The calculation of the Lth root in (mod N) can be performed only when the prime factors (P and Q) of N are known. For example, Rabin, MO: “Digitalized Signatures an
d Public−key Functions as Intractable as Factoriz
ation ", Tech.Rep.MIT/LCS/TR-212 MIT Lab.Comput.Sc
i.1979.

 The user authentication method is as follows.

The prover A proves to the verifier C that A is authentic by the following procedure.

step1: A sends ID to C.

step2: C calculates x = f (ID).

The following steps 3 to 6 are repeated t times. (T is a parameter that determines security and is a value of 1 or more).

step3: Generate a random number r, calculate x ′ = r ^L (mod N), and send it to C.

step4: C generates an integer e equal to or greater than 0 and less than L, and sends it to A.

step5: A generates a signature sentence z by z = r × s ^e (mod N) and sends it to C.

Step 6: C checks that x ′ = z ^L × x ^−e (mod N) holds. (X ^-1 is mon N
X of the inverse element) z than how to make ^{z L × x -e = r L} × in ^{(s L × x -1) e} = r L = x '
(Mod N), so if you pass the inspection in step 6,
Verifier C confirms that A is genuine. In this case, the verifier C is, establishment of occurrence of errors that the fake certificate's become recognized as genuine A is 1 / L ^t.

In the extended Fiat-Shamir method, one piece of secret information s and step
Even if the number of repetitions of 3 to 6 is 1, security can be ensured by appropriately selecting the integer L.

Although the user recognition method has been described above, the message recognition method can be realized by modifying the above procedure as follows.

F obtained by applying the one-way function f to the messages m and x '
The first l bits of (m, x ') are regarded as the binary representation of the integer e, and (ID, m, e, z) is transmitted to the verifier as a signed message as a signed message.

As described above, the extended Fiat-Shamir method is a high-speed authentication method that can reduce the amount of memory for holding secret information and has excellent communication efficiency. But so far enhanced Fi
An untraceable authentication method using the at-Shamir method has not been proposed.

[Problem to be Solved by the Invention] An object of the present invention is to provide an untraceable authentication method based on the extended Fiat-Shamir method, which is faster than the conventional method.

[Means for Solving the Problems] In the present invention, in order to reduce the amount of memory of secret information, improve communication efficiency, and reduce the amount of processing, the extended Fiat-Shamir method using a query sentence and a response sentence Based on this, authentication processing is realized. In addition, a third party prover device 10
0-verified device 200 and verified device 200-verified device 3
In order to hide the correspondence of data communicated between 00 and make it impossible to track, the verified device 200 gives the correspondence of the inquiry sentence and the correspondence of the response sentence by random numbers, and keeps the random numbers secret. . As a result, the present invention implements an untraceable authentication process.

Embodiment FIG. 1 is a diagram illustrating the principle of the present invention. FIG. 1 shows the device of the prover A (hereinafter referred to as the prover device) (100) and the device of the verified person B (hereinafter referred to as the verified device (200) and the verifier C).
Device (hereinafter referred to as a verifier device) (300) is connected via a communication line or the like, and a user authentication method (FIG. (A))
And a communication example for realizing a message authentication method (FIG. (B)). In the following, first, the prover device 100
Verifier device 3 confirms that the
A method of authenticating a user to be proved is shown for 00, and thereafter, a method of authenticating a message in which the verified device 200 signs the message m with the help of the prover device 100 will be described.

In FIG. 1A, the prover apparatus 100-verified person apparatus 2
The user authentication method of the extended Fiat-Shamir method is adopted between 00 and between the device under test 200 and the device 300
By keeping the information associated with the Fiat-Shamir method secret in the device under test 200, authentication processing of a user that cannot be tracked is realized.

As in the case of the extended Fiat-Shamir method, a reliable center discloses the combined number N, the one-way function f, and the integer L, and furthermore, secret information s corresponding to the identification information ID of the prover apparatus 100.
And deliver s to the prover apparatus 100. here,
s s ^L mod N = f (ID).

FIG. 2 shows an outline of the prover apparatus 100, FIG. 3 shows an outline of the verified apparatus 200, and FIG. 4 shows an outline of the verifier apparatus 300.

The prover device 100 certifies the validity of the verified device 200 to the verifier device 300 in the following procedure.

step1: The prover apparatus 100 sends the ID to the verified apparatus 200 and the verifier apparatus 300. The message may not be sent directly to the verifier device 300, but may be sent indirectly via the verified device 200.

step2: The verified device 200 and the verified device 300 calculate x = f (ID) using the one-way function calculators 205 and 305, respectively.

Next, steps 3 to 6 are repeated t times. The case where t = 1 corresponds to claim (1) of the claims, and the case where t> 1 corresponds to claim (2).

step3: The prover apparatus 100 generates an initial response sentence x ′ using the initial response sentence generator 110 and sends it to the verified person apparatus 200.

For example, the initial response sentence generator 110 includes a random number generator 111 and a multiplier 112 with a remainder, generates a random number r using the random number generator 111, and uses the multiplier 112 with a remainder to obtain x ′ = r ^L X 'is calculated by (mod N).

An efficient calculation method for multiplication with remainder is described in, for example, Ikeno,
Koyama “Modern Cryptography Theory” IEICE, pp. 16-17, (198
6), is shown.

step4: Upon receiving x ′, the device under test 200 uses the random number generator 210 and the initial response sentence
The integer e generated from 0 to less than L, the random number u from 1 to less than N, x 'and the previously generated x are input to the initial response sentence disturber 215, and the disturbed initial response sentence x ″ is calculated. To the verifier device 300.

For example, the initial response sentence disturber 215 is configured as a multiplier with a remainder, and x ″ = x ″ × u ^L × x ^e (mod N) is calculated from the received initial response sentence x ″, x, e, and u. I do.

Step 5: Upon receiving x ″, the verifier apparatus 300 stores x ″ in the information storage 310, and then uses the random number generator 320 to
As described above, the integer β smaller than L is generated and sent to the device under test 200 as a query sentence.

step6: Upon receiving β, the verified device 200 inputs β and the previously generated e to the query sentence disturber 220, calculates the disturbed query sentence β ′, and sends it to the prover device 100.

For example, the query sentence disturber 220 is configured as an adder with a remainder to calculate β ′ = e + β (mod L).

step7: Upon receiving β ′, the prover apparatus 100 inputs the previously generated random number r and the received inquiry sentence β ′ to the proving device 120, calculates the response sentence z, and sends the response sentence z to the verifier apparatus 200.

For example, the certifier 120 is composed of a secret information storage unit 121 and a multiplier 122 with a remainder, reads out the secret information s from the secret information storage unit 121, and receives r and the β ′ received from the initial response sentence generator 110. The result is input to the multiplier 122 with a remainder to calculate z = r × s ^{β ′} (mod N) z.

step8: Upon receiving z, the verifier 200 inputs z and the previously generated x, e, and u to the random number component remover 230, calculates the response sentence z ', and sends it to the verifier 300.

For example, the random number component remover 230 is composed of a condition determiner 231 and a multiplier 232 with a remainder, and z ′ = u × z × ^c (mod N) where c = 1 (β ′ <e) c = 0 ( Other than the above).

step9: Upon receiving z ', the verifier apparatus 300 checks the validity of z' using the checker 330.

For example, the checker 330 is composed of a multiplier 331 with a remainder and a comparator 332.
In Configure took over from the information the pay unit 310 x "and x with respect to one-way function inherited from the calculator 305 taken over from x and the random number generator ^{320 β" = z 'L ×} x -β (mod N) Check if.

Here, an example in which the inquiry-response exchange is repeated t times and performed sequentially has been described, but the t components of the inquiry-response exchange may be arranged in parallel and simultaneously performed.

Next, a method of authenticating a message in which B signs the message m with the help of A will be described with reference to FIG.

Extended Fiat-Sh between the prover device 100 and the verified device 200
The user authentication method of the amir method is adopted, and the message authentication method of the extended Fiat-Shamir method is adopted between the verified device 200 and the verifier device 300. By making the information that associates the two authentication methods secret in the verified device 200, an authentication process for a message that cannot be tracked is realized.

Like the extended Fiat-Shamir method, a reliable center
The composite number N, the one-way function f, and the integer L are disclosed.
The secret information s corresponding to the identification information ID of the prover apparatus 100 is calculated, and s is delivered to the prover apparatus 100.

FIG. 2 shows an outline of the prover apparatus 100, FIG. 5 shows an outline of the verified apparatus 200, and FIG. 6 shows an outline of the verifier apparatus 300.

B, with the help of A, signs document m in the following procedure.

step1: The prover apparatus 100 sends the ID to the verified apparatus 200 and the verifier apparatus 300. In this case as well, the information may be sent to the verifier device 300 via the verified device 200.

step2: The verified device 200 and the verified device 300 calculate x = f (ID) using the one-way function calculators 205 and 305, respectively.

step3: The prover device 100 uses the initial response sentence generator 110 to
X ′ composed of the initial response sentences x ′ _i (i = 1, 2,..., T) is calculated and sent to the device under test 200.

For example, the initial response sentence generator 110 is composed of a random number generator 111 and a multiplier 112 with a remainder, and t random number generators
generating a r _i, using the remainder with multiplier ^{_{112 x 'i = r i L}} (mod N) (i = 1,2, ..., t) in, t pieces of _x' to compute the _i.

step4: Upon receiving x ′, the verified device 200 generates a pair of t pairs of e _i equal to or greater than 0 and less than L and random numbers u _i equal to or greater than 1 and less than N using the random number generator 210 and receives the value. T's x '
_The initial response sentence disturber 215 is input to the initial response sentence disturber 215 together with _i and the previously generated x, and is transferred to the sentence generator 250 for calculating and inquiring t disturbed initial response sentences x ″ _i .

For example, the initial response sentence disturber 215 is composed of a multiplication base with a remainder, and the t sets of e _i and u _i generated by the random number generator 210 and the received initial response sentence x ′ _i and x are disturbed by the initial response sentence disturbance. Is input to the unit 215, and t x ″ _i are calculated by x ″ _i = u _i ^L × x ^ei × x ′ _i (mod N) (i = 1, 2,..., T).

step5: The device under test 200 transmits the message m and t x ″ s.
_i is input to the query sentence generator 250, query sentences β and β ′ are created, and β ′ is transmitted to the prover apparatus 100,
β ′ is passed to the random number component remover 260. For example, the query statement generator 250 is composed of a one-way function calculator 251 and an adder 252 with a remainder, and (β ₁ ,..., Β _t ) = f (m, x ″ _i ,..., X ″ _t ) β ′ _I = e _i + β _i (mod L) (i = 1, 2,..., T), and β ′ = (β ′ ₁ ,..., Β ′ _t ) and β = ｛β ₁ ,.
β _t ).

Here, β ′ _i and β _i are integers of 0 or more and less than L.

step6: prover device 100 'receives the using prover 120, the query statement and the received random number r _i generated earlier beta' beta sent from the calculates the response sentence z to the verification device 200 .

For example, the certifier 120 is composed of a secret information storage 121 and a multiplier 122 with a remainder, reads secret information s from the secret information storage 121, receives r _i inherited from the initial response sentence generator 110, and receives β ′ = (Β ′ ₁ ,..., Β ′ _t )
Input to 2 and calculate z _i using z _i = r _i × s ^β′i (mod N) (i = 1, 2,..., T), and obtain z = (z ₁ ,..., Z _t ) .

step7: Upon receiving z, the device under test 200 inputs z and the previously generated set of x and t (e _i , u _i ) to the random number component remover 260, calculates the response sentence z ′, Verifier device 300 with β, m
Send to

For example, the random number component remover 260 is composed of a condition determiner 261 and a multiplier with a remainder 262, and z ′ _i = u _i × z _i × x ^ci (mod N) where c ⁱ = 1 (β ′ _i <e _i ) z ′ _i is calculated with c ⁱ = 0 (other than the above) to obtain z ′ = (z ′ _i ,..., z ′ _t ).

step8: When the verifier apparatus 300 receives m, β, z ′, the verifier 3
The validity of m, β, z 'is checked using 40.

For example the checker 340, constituted by a comparator 343 with the remainder with multiplier 341 and the one-way function calculator 342, ^x in _{^{x * i = z 'i L}} × x -βi (mod N) * = (x * ₁ ,..., X ^* _t ), and checks whether β = f (m, x ^* ) holds.

The non-trackable authentication method based on the extended Fiat-Shamir method has been described above. The extended Fiat-Shamir method is based on the difficulty of calculating the Lth root in (mod N) when it is difficult to factor N. A similar argument holds based on an authentication method that utilizes difficulties such as the discrete logarithm problem. Regarding the authentication method based on the discrete logarithm problem, for example, M. Tompa & H. Woll, “Random Self-Reducib
ility and Zero Knowledge Interactive Proofs of Pos
session of Information, "FOCS, pp 472-482 (1987)" and Okamoto and Ota, "Illegal Use of Zero Knowledge Proof Problem and Its Countermeasures and Applications" (Cryptography and Information Security Symposium 1988) .

[Effects of the Invention] Since the present invention is based on the extended Fiat-Shamir method, the amount of memory for storing secret information can be reduced, communication efficiency can be improved, and high-speed authentication processing can be realized.

Also, when the verifier 200 provides the correspondence between the inquiry sentence and the correspondence between the response sentence with a secret random number and keeps its value secret, the verifier device 100-the verifier device 200 and the verifier device It is possible to hide the correspondence of data communicated between 200 and the verifier device 300. That is, in the user authentication process, it can be proved to the verifier device 300 that the prover device 100 guarantees the identity of the verified device 200 without revealing the identity of the verified device 200. In the message authentication process, the verified device 200 can cause the prover device 100 to sign the content of the message m without being known. As a result, even if the prover device 100 and the verifier device 300 are colluded, the identity of the verified device 200 is not clarified, and it cannot be detected that the verified device 200 has transmitted m. That is, an authentication process that cannot be traced can be realized.

Even if the prover device 100 and the verifier device 300 collude, it is impossible to determine who is the authenticated person or who is the sender of the message m. The zero-knowledge interactive proof system, which is a theoretical research result of computation theory, can be guaranteed by satisfying non-transferability.

For zero-knowledge interactive proof system property and non-transition property, Feige, U., Fiat, A. and Shamir, A. “Zero know
ledge Proofs of Identity "Proceedings of the 19th A
nnual ACM Symposium on Theory of Computing, 1987, p
See pages 210-217.

[Brief description of the drawings]

FIG. 1 is a diagram showing a communication example of an embodiment of the present invention, FIG. 2 is a block diagram of a prover device 100, FIG. 3 is a block diagram of a verified person device 200 in a user authentication method, and FIG. Is a block diagram of the verifier device 300 in the user authentication method,
FIG. 5 shows the verification target device 20 in the message authentication method.
FIG. 6 is a block diagram of the verifier device 300 in the message authentication method.

Claims (8)

(57) [Claims] An apparatus of a prover A (hereinafter referred to as a prover apparatus).
And the device of the verified person B (hereinafter referred to as the verified device) can communicate with each other, and the device of the verified person and the device of the verifier C (hereinafter referred to as the verifier device) can communicate with each other. In a user authentication method in which a system is configured to confirm the identity of a communication partner, the prover device includes an initial response sentence generator and a prover, and the verified device has a random number generator, an initial response sentence disturber, and an inquiry. The verifier device includes a sentence disturber and a random number component remover, and the verifier device includes a checker. The prover device verifies the initial response sentence x ′ generated using the initial response sentence generator together with the personal identification information ID. And the personal identification information ID is transmitted to the verifier device, and the verified device transmits the initial response sentence x ′ received from the prover device and the random number component generated by using the random number generator to the initial response sentence. The initial response sentence x ″ is created by inputting it to the The verifier device sends the query sentence β to the verifier device, and the verifier device inputs the query sentence β received from the verifier device and the previously generated random number component to the query sentence disturber. And sends the query sentence β ′ to the prover device. The prover device converts the initial response sentence x ′ and the response sentence z corresponding to the query sentence β ′ into a relational expression s ^L mod N corresponding to the ID. = F (I
D) is generated using a proving device that operates using the secret information s that satisfies D), and is sent back to the verified device (where the integer N,
The verified device inputs the response sentence z, ID, the previously generated random number component and the query sentence β to the random number component remover, removes the influence of the random number component, and returns the response sentence z. ', And transmits the value to the verifier. The verifier inputs the response sentence z' and the ID to the checker, and z 'receives the initial response sentence x ". The verifier B verifies that the response is correct, and verifies that the random number component is kept secret so that x ′, β ′, z communicated between the verifier and the prover can be verified. A user authentication method characterized in that the correspondence between x ″, β, z ′ communicated between a user device and a device under test can be kept secret. 2. The procedure according to claim 1 is repeated,
A user authentication method that improves security. 3. The device of the prover A (hereinafter referred to as the prover device).
And a device of the verified person B (hereinafter referred to as a verified device) can communicate with each other, and a device of the verified person and a device of the verifier C (hereinafter referred to as a verifier device) can communicate with each other. In a method for authenticating a message for confirming the validity of a message, a prover device is provided with an initial response sentence generator and a prover, and a device to be verified is a random number generator, an initial response sentence disturber, and a query sentence. The verifier device includes a generator and a random number component remover, and the verifier device includes a checker. The prover device sends the initial response sentence x ′ generated using the initial response sentence generator together with the personal identification information ID to the verifier device. The verifier transmits the personal identification information ID to the verifier device, and the verifier verifies the initial response sentence x ′ received from the prover device, the ID, and the random number component generated using the random number generator. The initial response sentence x ″ is created by inputting it into the sentence The initial response sentence x ″ and the message m to be signed are input to the query sentence generator, and the query sentence β and β ′ are created and β ′ is transmitted to the prover device. A response sentence z 'corresponding to the response sentence x' and the received query sentence β 'is generated using a proving device which operates using secret information s satisfying a relational expression s ^L mod N = f (ID) for ID. Then, the verified device sends the response z, the ID, the previously generated random number component, and the inquiry β ′ to the verified device (the integer N, the integer L, and the function f are public information). The value is input to the remover to remove the influence of the random number component to obtain a value z 'corresponding to the message m, and z' is transmitted to the verifier along with m and β. β and ID
Is input to the checker to check that β and z ′ are correct signatures for m. The verified person B keeps the random number component secret, so that the verified device and the prover device A message authentication method characterized in that the correspondence between x ', β', z to be communicated and m, β, z 'communicated between a verifier device and a verified device can be kept secret. 4. A certifier apparatus used for authenticating the identity of a communication partner or a message, storing means for storing integers N and L of public information and personal identification information ID, and generating an initial response sentence x '. Initial response sentence generation means and secret information satisfying s ^L mod N = f (ID) (f: public function)
A certifying means for generating a response sentence z using the initial response sentence x 'and the query sentence β' received from the verified person device; and verifying the initial response sentence x 'and the personal identification information ID with the verified A prover device comprising: a transmitting unit that transmits the personal identification information ID to the verifier device; and a receiving unit that receives the inquiry sentence β ′ from the verified device. 5. A device of a verifier for user authentication for confirming the identity of a communication partner, comprising: random number generating means for generating a random number; an initial response sentence x 'received from the prover device; Initial response sentence disturbing means for creating an initial response sentence x ″ using the query sentence β received from the verifier device, query sentence disturbing means for creating a query sentence β ′ using the random number, and the prover device A random number component removing unit that receives the response sentence z and the personal identification information ID, the random number, and the inquiry sentence β to generate a response sentence z ′ in which the influence of the random number component is removed, and the initial response sentence x ″ Transmitting means for transmitting the response sentence z 'to the verifier apparatus and transmitting the query sentence β' to the prover apparatus; and transmitting the initial response sentence x ', the ID, and the response sentence z to the prover. Received from the device and The verifier device was sentence β comprising a receiving means for receiving from the verifier apparatus. 6. A device of a verifier of user authentication for confirming the identity of a communication partner, comprising: a query sentence generating means for generating a query sentence β; a response to an initial response sentence x ″ received from the device to be verified; Sentence z '
And the personal identification information ID received from the prover device, and a check means for checking whether or not z ′ is a correct response to the inquiry sentence β, and sends the inquiry sentence β to the verified device. Transmitting means for transmitting; receiving the ID from the prover device;
Receiving means for receiving the response sentence z 'from the verified device. 7. A device to be verified in message authentication for confirming the validity of a message, a random number generating means for generating a random number, an initial response message x 'received from the prover device, and personal identification of the prover. An initial response sentence disturbing means for inputting the information ID and the random number to generate an initial response sentence x "; inputting the initial response sentence x" and the authentication target message m to generate inquiry sentences β and β '; The query sentence generating means, the response sentence z from the prover device, the ID, the random number, and the query sentence β are input, and a value z ′ corresponding to the message m from which the influence of the random number component has been removed is generated. Transmitting means for transmitting the inquiry sentence β 'to the prover device, and transmitting the values z', m, β to the verifier device, and an initial response sentence x 'from the prover device. ID above, response sentence z
And a receiving means for receiving the information. 8. A device of a verifier in message authentication for confirming the validity of a message, comprising: a message m received from a device to be verified; a value z 'corresponding thereto; Checking means for inputting the personal identification information ID received from the apparatus and checking that β and z 'are correct signatures for m; and receiving the m, z', and β from the apparatus to be verified. , Above ID
And a receiving means for receiving the certificate from the prover device.