JP3860396B2 - Electronic bidding method and recording medium - Google Patents

Description

【０１１２】
ここで、乱数ｘは使い捨ての秘密鍵であり、この秘密鍵ｘに対応するのが使い捨ての公開鍵ｈである。
【０１１３】
以上の計算結果のうち、入札者５ｊから
【０１１４】
【数２】

【０１１５】
がオークション主催者２に送付される。金額ｗ_k を送らないことに注意する。このときにメッセージである金額ｗ_kを送らないために、否認不可署名とほとんど同じ情報を送付しつつ、署名とはなっていないのである。つまり、この情報送付の仕方により事実上の暗号情報送付となっている。なお、このとき送付される情報は金額ｗ_kが添付されていないことを除けば否認不可署名となっているため、後に秘密鍵ｘが与えられることにより、この時点で送付された否認不可署名形態を通常のデジタル署名に変換させることができる。これにより、金額ｗ_kの検証はその後の時点で可能となる。金額ｗ_kの検証をどのように検証するかは後述する。
【０１１６】
ステップｕ３：次に、オークション主催者２により、証明書Ｃert_j の正当性が検証される。正当である場合、主催者２により、入札者５ｊについての
【０１１７】
【数３】

【０１１８】
が公開掲示板３の該当するグループの欄に記載される。
【０１１９】
ここまでの様子を図７によって模式的に示す。
【０１２０】
図７は入札段階の様子を模式的に示す図である。
【０１２１】
ステップｕ４：予め定めておいた時刻が来た段階で主催者２によって、入札要求が締め切られる。
【０１２２】
ステップｕ５：全ての入札者５により、自分の送信した入札情報が正しく掲示されているかが確認される。正しく掲示されている場合は、各入札者５により、同じグループのｎ個全ての入札情報に対し署名
【０１２３】
【数４】

【０１２４】
が施される。すなわち、入札者５ｊは（Ｐ_j ，ＧＩＤ，Ｃert_j ，σ_j ）を主催者３に送る。
【０１２５】
ステップｕ６：主催者２により、入札者５からの（Ｐ_j ，ＧＩＤ，Ｃert_j ，σ_j ）の正当性が検証される。正当な場合にのみ、主催者２により入札者５ｊの属すグループ欄に（Ｐ_j ，ＧＩＤ，Ｃert_j ，σ_j ）が記載される。
暗号情報としての入札情報が公開掲示板に公開され、さらに、その掲示情報に対する入札者５自身の確認がなされることになる。
【０１２６】
［開示・落札プロトコル］
入札プロトコルの処理は、図４のフロー図におけるステップｓ６，ｓ７と対応する。
【０１２７】
開示・落札プロトコルにおいては、オークション主催者２は一番の高値（底値）から始め、入札者５からの通知を受信するまで、金額のカウントダウン（アップ）をある時間周期で行う。ある時点で、自分の入札した額になった時、その入札者５は主催者２にσ（ｗ_k ）を暗号化して送る。主催者２は署名σ（ｗ_k ）の正当性と関数値Ｙとの関連性を検証する。正当である場合のみ、その入札者５を落札者としオークションを終了する。σ（ｗ_k ）は公開掲示板に記載されるため、全ての入札者５が落札者決定手続きの正当性を確認することができる。この手順を図８を用いて説明する。
【０１２８】
図８は本実施形態における開示・落札プロトコルの処理を示す図である。
ステップｖ１：まず、オークション主催者２により、公開掲示板３における落札処理用の部分に一番高い金額ｗ_m がセットされる。
【０１２９】
ステップｖ２：この金額で入札した入札者５ｊがいれば（ｖ２−１）、当該入札者５ｊからオークション主催者２にその旨通知され、該当者がいない場合は（ｖ２−１）、否認プロトコルによる確認が行われる（ｖ２−２）。例えば金額ｗ_k で入札した入札者５ｊは、金額ｗ_m による入札を否認するため、以下の（ｙ，ｚ，β′）で否認を行う。
【０１３０】
【数５】

【０１３１】
なお、否認プロトコルについては後に細述する。
【０１３２】
金額ｗ_m に対してすべての入札者５についての入札否認が確認された後、次により小さい金額（ｗ_m-1 ）が主催者２によって公開掲示板３にセットされる（ｖ２−３）。そして、その金額で入札した入札者５が現れるまで、このステップｖ２−１〜ｖ２−３の処理が繰り返される。
【０１３３】
ここまでの様子を図９によって模式的に示す。
【０１３４】
図９は落札までの様子を模式的に示す図である。
【０１３５】
ステップｖ３：ある金額ｗ_k において、入札者５ｊが通知を行った場合（ｖ２−１：ＹＥＳ）には、確証プロトコルにより入札の正当性が検証される（ｖ３−１）。なお、確認プロトコルについては後述する。そして、正当性が検証されたときには、当該入札者５ｊが落札候補者とされる。ここで落札候補者が一人である場合（ｖ３−２）、その入札者５ｊが落札者とされる。この場合には、入札者５ｊから使い捨ての秘密鍵ｘが開示用情報として主催者２に送信される（ｖ３−３）。主催者３においては、
【０１３６】
【数６】

【０１３７】
によりその署名の正当性が検証される。さらに主催者２により
【０１３８】
【数７】

【０１３９】
が公開掲示板３に記載され（ｖ３−４）、オークションが終了する。なお、このとき公開掲示板３に掲示された情報は、いわゆる通常のデジタル署名となっているので、他の入札者５や監視員７，その他の第３者はその内容を検証することができる。したがって、落札価格である金額ｗ_kを確認できることになる。
【０１４０】
ここまでの様子を図１０によって模式的に示す。
【０１４１】
図１０は落札及びその検証の様子を模式的に示す図である。
【０１４２】
ステップｖ４：ステップｖ３−２において落札候補者が複数いる場合には、以下のように取り扱われる。
【０１４３】
（ａ）まず、候補者の人数が少ない場合（ｖ４−１：ＮＯ）には、候補者５ｊはｘを送り、主催者２は
【０１４４】
【数８】

【０１４５】
を公開掲示板３に記載し、候補者間で同点決勝が行われる（ｖ４−２）。
【０１４６】
（ｂ）また、候補者の人数が多い場合（ｖ４−１：ＹＥＳ）には、ｗ_k ＜ｔ＜ｗ_k+1 の金額が主催者によって複数用意され、これらの金額を用いたオークションを再度行われる（ｖ４−３）。
【０１４７】
開示・落札プロトコルにおける処理は以上の通りであるが、上記否認プロトコル、確認プロトコル並びに否認不可署名から通常署名（デジタル署名）への変換について説明する。
【０１４８】
すなわち本実施形態の電子入札システムは、否認不可署名方式としてMichels−Stadler法を利用するものであるが、上記したようにその利用の仕方に特徴がある。また、本実施形態では、一方向性関数として離散対数問題に基づく暗号系を選択している。
【０１４９】
つまり、従来の否認不可署名方式では、署名の対象となるメッセージが明かされた上で署名の確証・否認を行う。これに対して、本実施形態ではメッセージは署名に添付せず、署名をメッセージ（入札価格）のビットコミットメントとみなす応用的手法を取っている。これは入札価格の秘密性と否認不可を同時に満たすためである。
【０１５０】
以下、Michels−Stadler法による否認プロトコル及び確認プロトコル、並びに否認不可署名から通常署名への変換について説明する。
【０１５１】
［離散対数の等価・非等価証明］
今、（ｐ，ｑ，α）が公開されており、ｐはｐ＝２ｑ＋１を満たす大きな素数である（ただし、ｑは素数とする）。αは乗法群Ｚ_p ^* での位数がｑとなるような生成器とする。Ｈを一方向性ハッシュ関数とする。
【０１５２】
以下、ｚ＝β^x (mod p)とｙ＝α^x を満たすｘ∈Ｚ_q ^* が存在する時、log_βｚ＝log_αyであることを証明するプロトコルを示す。これは、署名の確証プロトコルで用いられる。また逆に、否認プロトコルはlog_βｚ≠log_αyであることの証明である。以下に離散対数の等価性・非等価性を証明するプロトコルを示す。
【０１５３】
【数９】

【０１５４】
［署名生成と通常署名への変換］
署名者であるアリスが否認不可署名を生成する。アリスには検証者ボブに対し、その署名の正当性を確証プロトコルと不当な署名を否認する否認プロトコルがある。更に否認不可署名を誰もが検証可能な通常のディジタル署名に変換することができる。
【０１５５】
アリスは二つの秘密鍵ｘ₁ ，ｘ₂ ∈Ｚq を選び、ｙ₁ ＝α^x1（mod p)，ｙ₂ ＝α^x2（mod p)を公開鍵とする。メッセージｍ（上記金額ｗ_kに相当する）に対する署名を生成する時、アリスは乱数ｋ∈Ｚ_q を生成し、ｒ＝α^k （mod p）を計算する。それから以下を計算する。
【０１５６】
【数１０】

【０１５７】
ここで、
【０１５８】
【数１１】

【０１５９】
をメッセージｍへの署名とする。この署名の正当性を示す際には、上記のように
【０１６０】
【数１２】

【０１６１】
であることを証明する。不当な署名の否認は、log_βＺ≠log_αｙであることを証明する。
【０１６２】
この否認不可署名を誰もが検証可能な通常のディジタル署名を変換するには、アリスが秘密鍵ｘ₂ を公開する。これにより、
【０１６３】
【数１３】

【０１６４】
を入手した検証者は署名の正当性を次式にて検証することができる。
【０１６５】
【数１４】

【０１６６】
［請負入札］
次に請け負い入札の場合を説明する。
請負入札プロトコルにおいても、出品入札と同様な処理が行われる。ただし、出品請負入札では最高値をつけた入札者が落札するのに対し、請負入札では最も低い金額をつけた入札者が落札者となる。そこで、開示・落札プロトコルでは一番低い金額から始めてのカウントアップ方式に変更される。つまり、図８のステップｖ１とステップｖ２が以下のように修正される。
【０１６７】
ステップｖ１′：オークション主催者２は公開掲示板３を用いて、一番低い金額ｗ₁ をセットする。
【０１６８】
ステップｖ２′：この金額で入札した入札者５ｊからオークション主催者２に通知がなされる（ｖ２−１）。誰もいない場合は、ある時刻で次に小さい金額（ｗ₂ ）にセットされる（ｖ２−３′）。その金額で入札した入札者が現れるまで、この処理が繰り返される。その間の否認プロトコルは出品入札と同様に行われる（ｖ２−２）。
【０１６９】
上述したように、本発明の実施の形態に係る電子入札方法は、選択的な入札情報を予め暗号化して入札させ、その後に最高額（若しくは最低額）から順に入札有無を入札者に確認して落札を決定するようにしたので、匿名通信路といった仮定を必要とすることなく入札者のプライバシを保護し、かつ談合を防止して依頼者利益を保護することができる。
【０１７０】
また、落札値以外の入札額は一切露呈しないようにしつつ落札情報を公開掲示板に掲示するようにしたので、入札・落札の正当性を全ての入札者が検証することができる。
【０１７１】
このように、本発明では、入札者プライバシ保護、談合防止、公平性等が実現されるが、入札プロトコルにおいて、一方向性関数として単にハッシュ関数を選んだ場合には、入札の否認において不都合が生じる特殊なケースも考え得る。入札者が開示・落札段階で自分の入札を名乗りでないという行為によるものである。この行為を利用すると以下のような状況が生じ得る。
【０１７２】
今、請負入札においてＡ社、Ｂ社が結託している。この２社は最小限の金額で落札しようと考える。この時、Ｂ社は最低と見積もられる金額Ｐ_min で、Ａ社は実際に落札したい金額Ｐ_realで入札する。Ｐ_min とＰ_realとの間に名乗り出る応札者がいない場合には、Ｂ社は入札Ｐ_min が否認してＡ社がＰ_realで落札する。このように応札者が結託することで、落札金額を操作し最小限のコストで仕事を請け負うことができる。
【０１７３】
しかしながら、本実施形態では、否認不可署名技術を利用し、予めメッセージ（入札額）を明かさず、署名をメッセージのビットコミットメントとみなして主催者に送信するようにしたので、入札額を明かさずに入札確認を行い、否認プロトコルによる否認不可を行いつつ落札することができ、談合をより確実に防止できる。さらに、この否認不可署名技術を利用していることから、落札時にのみ額を明かして入札の正当性を証明するとともに、落札者としての容認後、誰もが検証可能な通常のディジタル署名に変換することができる。したがって、入札額（メッセージ）を秘匿し、同時に否認不可性の条件を同時に満足することができる。
【０１７４】
さらに、本実施形態では、機関の信頼性や匿名通信路といった仮定には依存せず、一般的な暗号技術のみでシステム構築するようにしているので、容易に実装することができ、システム構築を容易かつ低コストのものとすることができる。
【０１７５】
また、本実施形態の方法によれば、否認プロトコルを利用した確認を行うので、落札処理に応答しない場合には、主催者は誰が途中で降りようとしているかを特定することができる。また、否認不可署名という入札事実を示す絶対の証拠が残っているので、これを基に罰金請求や入札禁止等の種々の措置を取ることができる。したがって、談合を防止し、ひいては価格操作の不正を防止することができる。
【０１７６】
また、落札事実の公開は、すべての入札者についての購入意思や否認証明等の情報がすべて揃った段階で行うようにすれば、意思・証明の送付順序を悪用した落札価格操作を防止することができる。
【０１７７】
さらに、本実施形態のシステムは、上記のように構成され動作するので、以下のような特徴を備える。
【０１７８】
入札金額の秘匿性：敗者の入札金額はビットコミットメントにより暗号化されているため、本人以外には分からず、誰にも露呈しない。オークション主催者にも露呈しない。
【０１７９】
入札金額の健全性：入札当事者以外は正当な入札を行うための秘密鍵を知らないので、入札内容を改竄することはできない。また、開示・落札時における主催者による入札情報の改竄は、掲示板に記載されるグループの入札情報への署名にて防ぐことができる。すなわち第三者は、正規の登録を行った正式な秘密鍵所有者になりすまして入札することができず、正当な入札情報を作成することができない。
【０１８０】
落札金額の正当性：入札の否認不可性とカウントダウン（アップ）の性質から満足される。また全ての応札者は、落札額が自分の入札価格よりも高い（低い）ことを検証することができる。すなわち落札金額が全ての入札価格の中での最高（最低）金額であることが確保される。
【０１８１】
公平性：入札金額は本人しか知らないことと入札の否認不可性による落札額の操作防止により、他より有利な条件で入札できる応札者はいないことになる。
【０１８２】
（発明の第２の実施の形態）
第１の実施形態においては、落札者についても公開される情報に身元を明かす情報を添付する必要がないために、他の入札者や第三者に対する一応の匿名性はある。また、第１実施形態では、仮名の概念を導入することで公開される入札情報に匿名性が持たされている。しかし、入札プロトコルにおいて各入札者は、入札情報確認のために署名を行うことから、公開鍵と応札者の関係を知っている第三者は、誰が入札を行ったか、誰が落札したかを、公開情報より把握することが可能である。
【０１８３】
一方、前回の落札者が誰であるか、また、誰が入札を行っているかという情報がわかることを利用して、次のような談合を行うことが考えられる。すなわち談合グループは不当に低い値段で落札を続けていく。これを繰り返し根強く行ってゆくことで、他の参加希望者の応札意欲を失わせる。入札希望者は談合グループのメンバを見つけた時点で応札を諦めてしまう。このような状況を作った上で、徐々にグループ以外の参加人数を減らし、市場を独占することにより、対象物を自分たちの思うがままの値段で落札することができる。この談合方法は、入札時の入札者に関する情報公開をいわば印籠のように扱うことで、参加意欲を操作するものである。
【０１８４】
本実施形態では、入札者が誰であるかを匿名にするべき相手を、主催者以外の全てとして、競争原理を円滑に働かせる方法について説明する。具体的には、入札プロトコルにおける入札者による入札情報確認にあたり、個人の公開鍵でなく、主催者が与えるグループ鍵を用いて署名させるものである。
【０１８５】
図１１は本発明の第２の実施形態における電子入札方法を説明する概念図である。同図（ａ）は、第１の実施形態の方法において公開掲示板に掲示される情報であり、同図（ｂ）は、本実施形態の方法において公開掲示板に掲示される情報を示している。
【０１８６】
同図（ｂ）に示すように本実施形態では、入札プロトコル時の入札情報確認はグループ鍵によって行われ、個人情報を知るきっかけとなる公開鍵は開示されない。
【０１８７】
また、本実施形態の電子入札システムは、このようなグループ署名が行われ、これに応じて入札プロトコル及び落札プロトコルが修正される他、第１の実施形態と同様に構成される。但し、グループ分けは任意の箇所で行なえるので、ここでは第１の実施形態での登録機関４によるグループ分けに代えて、主催者２によるグループ分けが行われる場合について述べる。
【０１８８】
以下、修正される入札プロトコル及び落札プロトコルについて説明する。
【０１８９】
［入札プロトコル］
主催者の処理：
主催者２は入札者５をいくつかのグループに分け、各グループＪの署名用秘密鍵Ｓ_Gjを登録時に秘密吏に送付する。
【０１９０】
入札者の処理：
例えばあるグループｊに属す入札者５Ａが入札する場合を考える。このとき、入札者５Ａが属するグループの秘密鍵をＳ_G 、公開鍵をＰ_G ＝α^SG(mod p)とする。また入札者５Ａの常用の秘密鍵をＳ_A 、公開鍵をＰ_A ＝α^SA(mod p)とする。
【０１９１】
入札者５Ａは出品物に対し、入札金額ｗ_k （１＜ｋ＜ｍ）を選ぶ。次に、乱数ｘ，ｋ，μ∈Ｚ_q ^* を選び、以下を計算する。
【０１９２】
【数１５】

【０１９３】
［否認プロトコル］
【０１９４】
【数１６】

【０１９５】
と現在価格ｗ_i を用いて、第１の実施形態の場合と同様に応札者Ａと主催者は否認フェーズを実行する。ここで、
【０１９６】
【数１７】

【０１９７】
とし、主催者はβと否認プロトコルでの通信データを公開掲示板に記載する。なお、Michels−Stadler否認不可署名方式では、Ｐ_A を公開せずとも、離散対数の等価・非等価を検証できる。
【０１９８】
［落札プロトコル］
【０１９９】
【数１８】

【０２００】
主催者による個人署名の検証と否認フェーズの確認には、個人の公開鍵Ｐ_Aが使用され、落札時の署名にはグループの公開鍵Ｐ_G が使用されている。つまり、公開される情報に個人を所定する情報が含まれていないこととなる。すなわち主催者以外はグループ署名である落札情報を検証する。
【０２０１】
なお、図１２にオークション主催者に与えられる情報と、公開掲示板に掲示される情報とを示す。
【０２０２】
上述したように、本発明の実施の形態に係る電子入札方法は、入札プロトコルで入札者が入札情報を確認するときに、個人の公開鍵でなく、主催者に与えられたグループ鍵を用いて署名を行うようにしたので、各入札者個人に連結した情報が公開されることなく、入札者が誰であるかを利用した談合を防止することができる。すなわち、次回オークションへの影響をなくし市場独占を防止することができる。
【０２０３】
例えば、譲り合いで落札している複数業者からなるグループがあるときに、一社談合に加わらない業者が存在すると、この業者が加わる入札では競争原理が働き、落札価格が予想価格を大きく下回るが、参加しない入札ではほぼ予想価格で落札されるという事例がある。この場合、ある業者による寄合からの抜けがけが市場に競争原理を働かせている。
【０２０４】
したがって、本実施形態のように、公開情報から入札者を識別する情報がなくなれば、談合グループでの抜けがけが促進され、寄合、譲り合いによる入札形式が崩れる。これにより、自由競争による本来のオークション形態に導くことができる。つまり、本実施形態では、オークションにおける匿名性を強め、入札したことの証拠を残さないような方式としたので、談合により不正な価格操作を防止することができる。
【０２０５】
また、本実施形態においては、Mitchels−Stadlerの否認・確証証明プロトコルを利用することで、検証者に応じて与える情報量を段階的に制御することができる。本実施形態では、この手法とグループ署名を適用することで、主催者には落札者情報まで検証できるようにし、第三者は入札者情報や落札者情報を開示せずに落札価格の検証までを行えるようにしている。
【０２０６】
また、本実施形態は、次の条件（１）〜（３）を満足することができる。
（１）オークション主催者装置２及び他の入札者装置５は、落札した入札者装置５が落札時新規データを送らない限り、入札者がどの入札金額に署名を施したかを知ることができない。
（２）入札者装置５は、否認プロトコルにおいて、選択した入札金額に署名を施した旨を否認できない。
（３）オークション主催者装置２及び他の入札者装置５は、落札した入札者装置５の秘密鍵を知らないので、落札した入札者装置５の正当な署名及び否認付加署名を計算できない。
【０２０７】
（発明の第３の実施の形態）
第２の実施形態では、選択する入札金額の種類が少ない場合、応札者が開示情報を送付する前に、主催者は応札者がどの入札金額に署名をしたかを所定の攻撃アルゴリズムにより察知する可能性があると、本発明者は考えた。この攻撃アルゴリズムは、入札金額ｗ＝｛ｗ_１，ｗ_２，…，ｗ_ｎ｝の全ての要素を逐次、検証式に入れて一致／不一致を計算する方法である。すなわち、検証式を用いる攻撃アルゴリズムによれば、入札金額の種類が少ない場合、主催者が入札金額の署名の秘匿性を打破する可能性があると、本発明者は考えた。これは、第２の実施形態の効果に記載した条件（１）に反する可能性のあることを意味している。
【０２０８】
なお、応札価格の種類が多い場合には攻撃アルゴリズムの計算量的手間が増大し、攻撃アルゴリズムの効率が著しく低下するので、第２の実施形態でも充分な秘匿性を有する。しかしながら、応札価格の種類の多少によらず、署名作成や署名検証時の計算量が多少増えても、入札金額の署名の秘匿性が保たれる方式が望ましい状況もある。
【０２０９】
そこで、第３の実施形態は、入札金額の種類の多少に関わらず、上記攻撃アルゴリズムを阻止し、常に上記条件（１）〜（３）を満足させるものとなっている（以下、文字ｒ，λの上に波線“〜”を付した変数データ
【０２１０】
【数１９】

【０２１１】
を、数式領域［数ｎ］以外の文章領域では各々ｒ^〜，λ^〜のように表記しながら説明する）。
具体的には、第３の実施形態では、入札プロトコル及び落札プロトコルで用いられるデータｒ^〜，σ，ｔが次のように変更されている。
すなわち、第３の実施形態は、第２の実施形態におけるｒ^〜＝ｒ^ｘ（ｍｏｄ ｐ）、σ＝ｋ−ｃＳ_A（ｍｏｄ ｑ）、ｔの分母内のハッシュ関数Ｈ（Ｗ_k，ｒ^〜，λ）に代えて、攻撃アルゴリズムを阻止する観点から、それぞれｒ^〜＝（ｒ^ｒ）^ｘ（ｍｏｄ ｐ）、σ＝ｋｒ−ｃＳ_A（ｍｏｄ ｑ）、ｔの分母内にてハッシュ関数Ｈ（Ｗ_k，ｒ^〜，ｒ，λ）が使用されている。
【０２１２】
本実施形態の電子入札システムは、このような乱数ｒを自己を含む二変数ｒ，ｘにより秘匿する暗号化処理と、秘匿前後の乱数ｒ，ｒ^〜に基づくグループ署名とが行なわれ、これに応じて入札プロトコル、落札プロトコルが修正される他、第２の実施形態と同様に構成される。
【０２１３】
以下、修正される入札プロトコル及び落札プロトコルについて説明する。
［入札プロトコル］
登録時における主催者２のグループ分けの処理及び各グループＪの署名用秘密鍵のＳ_Gjの送付処理は前述した通りである。
次に、入札者５Ａは、前述同様に、出品物に対する入札金額Ｗ_k（１＜ｋ＜ｍ）を選択し、次に、乱数ｘ，ｋ，μ∈Ｚ_q ^* を選び、以下を計算する。なお、以下の計算中、ｒ^〜，σ，ｔのＨは、第２の実施形態とは異なり、乱数ｒを用いた暗号化が施されている。また、ｒはオークション主催者装置にとって未知のデータであり、ｒ^〜はその未知のデータｒを当該ｒ自身を用いて暗号化した暗号化未知データである。また、σは第１の暗号化入札金額情報であり、ｔ内のＨ（ｗk，ｒ^〜，ｒ，λ）は第２の暗号化入札金額情報である。
【０２１４】
【数２０】

【０２１５】
更に、グループ署名ｔを計算する。
【０２１６】
【数２１】

【０２１７】
以下、前述同様に、応札者５Ａは（Ｐ_A，Cert_A，ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）を主催者２に送る。主催者２は（ｈ，ｒ^〜，σ，ｔ）を公開掲示板３の該当するグループ欄に記載する。
【０２１８】
［否認プロトコル］
否認プロトコルは、第２の実施形態と同様に実行される。
［落札プロトコル］
全体の流れは第２の実施形態と同様であるが、ｒを用いた暗号化に伴い、各検証式がｒを含む内容に変更されている。以下、前述した文脈に沿って説明する。
【０２１９】
落札時、応札者５Ａは、ｘ，ｒを主催者２に送付する。主催者２は、（Ｐ_A，Cert_A，ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）とｘ，ｒを用いて以下の検証式により否認不可署名の正当性を検証する。
【０２２０】
【数２２】

【０２２１】
次に、λ^〜＝λ^ｘ（ｍｏｄ ｐ）の一致性を検証する。これら否認不可署名が正当である時のみ、次式によりグループ署名を検証する。
【０２２２】
【数２３】

【０２２３】
主催者２は、否認不可署名ｒ^〜，λ^〜と、グループ署名ｔとが正当である時のみ、（ｒ，λ）を公開掲示板３に掲載する。
【０２２４】
一般応札者は、前述同様に（ｒ，λ，ｒ^〜，ｔ，Ｗ_k，Ｐ_G）を用いてグループ署名の正当性（落札価格の正当性）を次式より検証する。
【０２２５】
【数２４】

【０２２６】
なお、図１３にオークション主催者２に与えられる情報と、公開掲示板３に掲示される情報とを示す。本実施形態では、前述した図１２とは異なり、確証時にオークション主催者２に与えられる情報にｒが追加されている。
【０２２７】
上述したように本実施形態によれば、入札プロトコル及び落札プロトコルで用いられるデータｒ^〜，σ，ｔを、乱数ｒを用いた暗号化処理により秘匿するので、第２の実施形態の効果に加え、主催者２が攻撃アルゴリズムを用いて総当たりで入札金額の署名の秘匿性を打破しようとしても、乱数ｒが未知のために打破することができない。すなわち、本実施形態によれば、入札金額の種類の多少に関わらず、攻撃アルゴリズムによる攻撃を阻止することができる。
【０２２８】
係る作用効果を詳しく述べる。すなわち、第３の実施形態では、第２の実施形態に対し、入札金額を秘匿する乱数ｒを自身で暗号化する第１の秘匿処理と、グループ署名ｔのハッシュ関数Ｈに乱数ｒを用いる第２の秘匿処理とが付加されている。
【０２２９】
ここで、第１の秘匿処理は、自身ｒを含めた２つの秘密変数ｒ，ｘで乱数ｒをべき乗して乱数ｒを秘匿するものであり、暗号理論の基盤を築いている離散対数問題の困難性に匹敵する段階まで乱数ｒの秘匿性を高めている。
【０２３０】
第２の秘匿処理は、グループ署名ｔの生成の際に、図１４に示すように、主催者２の未知の乱数ｒを一方向性ハッシュ関数Ｈに入力したハッシュ値Ｈ（ｗk，ｒ^〜，ｒ，λ）を用いることにより、主催者２がグループ署名ｔを計算することが不可能となる。なお、第２の実施形態では、図１５に示すように、グループ署名ｔにおけるハッシュ関数Ｈの入力値（ｗk，ｒ^〜，λ）が全て主催者２に既知であるので、悪意の主催者２により、既知の情報と入札金額の種類とから入札金額が限定される可能性がある。
【０２３１】
まとめると、第３の実施形態によれば、第１の秘匿処理でｒ算出の困難性を高め、第２の秘匿処理でｒの算出を必須要件としたことにより、総合的に攻撃アルゴリズムの適用を不可とすることができる。
【０２３２】
このような第３の実施形態は、入札金額の署名の完全な秘匿性が求められる環境に適している。一方、第２の実施形態は、第３の実施形態よりも計算の手間が小さいので、入札金額の種類が多い場合や入札金額の署名の秘匿性よりも処理の高速性が求められる場合に適している。このような第２及び第３の実施形態は、適用する環境に応じて、使い分けられることが望ましい。
【０２３３】
（発明の第４の実施の形態）
第１及び第２の実施形態では、暗号化されていないメッセージを添付しない否認不可署名（メッセージ無し否認不可署名という）を用いて、入札者の入札情報を開示することなく、ある情報を選択したか否かの検証を行うことができる。また、入札者から開放用の鍵を与えることでメッセージ無し否認不可署名を通常のデジタル署名（以下、単にデジタル署名）に変換することができる。この技術を用いることにより、情報選択者が選択情報を開示することなく選択情報を証明できる情報証明システムを構築することが可能となる。本実施形態では、第１の実施形態の方法を情報証明方法に適用する場合を説明する。
【０２３４】
図１６は本発明の第４の実施形態に係る情報証明方法を適用したインターネットゲームシステムの構成例を示す図である。
【０２３５】
同図に示すシステムは、情報証明方法をインターネットゲームシステムに適用する場合を示しており、インターネット網５１に出題者装置５２及び解答者装置５３が接続されて構成されている。
【０２３６】
出題者装置５２は、第１実施形態における登録機関装置４とオークション主催者装置２と公開掲示板装置３とを組み合わせたものであり、登録部６１、公開掲示板６２、ゲーム進行部６３、解答格納部６４及び問題格納部６５を備える。
【０２３７】
登録部６１は、第１実施形態の登録機関装置４と同様に構成され、ゲーム参加者の登録を受け付ける。また、公開掲示板６２は、第１実施形態の公開掲示板装置３と同様に構成され、ゲーム進行上必要でかつ公開してもよい情報が掲示される。
【０２３８】
ゲーム進行部６３は、第１実施形態におけるオークション主催者装置２と同様に構成され、署名検証や否認・確認プロトコルを実行するための機能を備え、また、解答者装置５３に対する出題や解答確認処理等を行う。
【０２３９】
解答格納部６４は、ゲーム参加者（解答者装置５３）からの解答を格納する。この解答は公開掲示板６２に掲示してもよい。また、問題格納部６５は、ゲームに用いる問題を格納する。
【０２４０】
一方、解答者装置５３は、第１実施形態における入札者装置５と同様に構成され、登録部７１、解答作成部７２及び応答処理部７３を備える。登録部７１は、出題者装置５２に対してゲーム参加登録を要求し、解答作成部７２は、メッセージ無し否認不可署名を作成して出題者装置に送信する。
【０２４１】
また、応答処理部７３は、署名検証や否認・確認プロトコルを実行するための機能を備え、また、出題者装置５２に対する解答や解答確認処理等を行う。
【０２４２】
このように構成を有するインターネットゲームシステムは以下のように動作する。
【０２４３】
まず、出題者装置５２がホームページ等を通じてゲーム参加者を募集し、ゲーム参加を希望する解答者装置５３はゲーム参加の登録を行う（ｗ１）。この登録処理は第１実施形態における登録プロトコルと同様である。
【０２４４】
ゲームが開始されると、出題者装置５２からは問題が各解答者装置５３に送付され（ｗ２）、又は公開掲示板６２に掲示される。ただし、問題に対する解答の候補は選択的に提示される。
【０２４５】
解答者装置５３からは、メッセージ無し否認不可署名の形式で解答が出題者装置５２に送付される（ｗ３）。このとき出題及び解答形式は、１問１答でもよく、まとめて問題を出してまとめて解答するようにしてもよい。
【０２４６】
次に、出題者装置５２からは、問題に対する正解が解答者装置５３に通知される（ｗ４）。
これに対して、解答者装置５３から出題者装置５２に対して正答したか否かが通知される（ｗ５）。このとき、通知方法として、解答者がどの選択肢を選んだかをあくまで伏せたい場合には、第１実施形態の確認プロトコル及び否認プロトコルを用いる。また、実際の解答内容そのものを公開したい場合には、解答者装置５３から解答開放キーを送付し、出題者装置５２においてはメッセージ無し否認不可署名をデジタル署名に変換して公開する。何れにするかはゲームの性質に応じて選択できる。
【０２４７】
上記処理を繰り返すことにより、リアルタイムでかつ、インターネットを介した不特定多数のゲーム参加希望者を解答者とし、ゲームを進行させていくことができる。
【０２４８】
上述したように、本発明の実施の形態に係る情報証明方法は、メッセージ無し否認不可署名を用いて選択的な情報に対して解答を行うようにしたので、解答内容を伏せたままで正解か否かだけを証明することができる。
【０２４９】
また、本実施形態はインターネットゲームに適用する場合を説明したが、この情報証明方法は種々の状況に適用することができる。
【０２５０】
（発明の第５の実施の形態）
第２の実施形態では、入札金額の署名を秘匿する電子入札方式を開示している。しかしながら、第２の実施形態は、入札金額ｗ_k（１＜ｋ＜ｍ）及びその種類（ｗ_１，ｗ_２，…，ｗ_ｍ）に代えて、一般的なメッセージｍ_k（１＜ｋ＜ｎ）及びその種類（ｍ_１，ｍ_２，…，ｍ_ｎ）を用いることにより、電子入札に限らず、その上位概念のデジタル署名方式に拡張可能であると考えられる（ここでいう入札金額ｗの個数ｍと、メッセージｍの個数ｎとは互いに等しい）。
【０２５１】
そこで、第５の実施形態では、第２の実施形態のプロトコルに基づくデジタル署名方式について説明する。なお、本実施形態では、第１及び第２の実施形態における名称を上位概念を表す名称に変更して用いる。例えば、前述した入札プロトコルは、内容が同じであるが、名称が受付プロトコルに変更され、且つ入札金額ｗは、名称がメッセージｍという名称に変更されている。同様に、開示・落札プロトコルは、内容が同じであるが、名称が公開プロトコルに変更される。さらに、依頼者６によるオークション出品依頼は、名称が依頼、要求、問合せ、懸賞応募、クイズ、択一式試験、選挙、アンケート調査、予約受付、人材派遣のような履歴の登録、のように何らかの選択的なメッセージ応答を伴うものの名称に変更される。
【０２５２】
図１７は本発明の第５の実施形態に係るデジタル署名方法を適用したデジタル署名システムの一例を示す構成図であり、図１と同種の部分には同一符号にアルファベットの添字を付してその詳しい説明を省略し、異なる部分について主に述べる。なお、以下の各実施形態も同様にして重複した説明を省略する。
【０２５３】
すなわち、本実施形態は、第２の実施形態を汎用性のあるデジタル署名方法に拡張した変形例であり、具体的には、ネットワーク１を介して複数の第一検証者装置２ｘ、グループ鍵生成機関装置２ｙ、複数の第二検証者装置３ｘ、鍵登録機関装置４ｘ及び署名者装置５ｘが互いに接続されている。
【０２５４】
ここで、各第一検証者装置２ｘは、前述した主催者装置２の機能において、グループ鍵生成機能が省略されており、且つ公開掲示板装置３に代えて、第二検証者装置３ｘにデータ（ｈ，ｒ^〜，σ，ｔ），（ｒ，λ）を順次与える機能をもっている。
【０２５５】
グループ鍵生成機関装置２ｙは、前述した主催者装置２におけるグループ鍵生成機能を有するものであり、具体的には図１８に示すように、鍵生成部２ｙ_ａを備えている。
鍵生成部２ｙ_ａは、受付プロトコルの実行中、署名者装置５ｘ及び図示しない複数の第三者装置（例、他の署名者装置５ｘ’等）をいくつかのグループに分ける機能と、各グループＪに対する秘密鍵Ｓ_Gj∈Ｚｑ^＊と公開鍵Ｐ_Gj＝α^{Ｓ Gj}（ｍｏｄ ｐ）を生成する機能と、各グループＪの署名用秘密鍵Ｓ_Gjを秘密裏に当該署名者装置５ｘ及び各第三者装置に送る機能をもっている。
【０２５６】
各第二検証者装置３ｘは、第一検証者装置２ｘよりも少ない情報を用いて可能な範囲（＝グループ署名）の検証を行なう低レベルの検証者装置であり、前述した公開掲示板３の情報登録機能（公開機能を除く）及び前述した入札者装置５におけるグループ署名検証機能を有するものである。
【０２５７】
鍵登録機関装置４ｘは、前述した登録機関装置４の機能をもつものであり、具体的には、署名者装置５ｘから送られた公開鍵Ｐ_Aを署名者の個人情報と関連付けてデータベース（図示せず）に登録する機能と、この登録後、公開鍵Ｐ_Aに対する鍵証明書Ｃert_Aを発行して署名者装置５ｘに送る機能をもっている。
【０２５８】
署名者装置５ｘは、前述した入札者装置５の機能を有するものであり、具体的には図１８に示すように、鍵生成部５ｘ_ａ、署名生成部５ｘ_ｂ、否認処理部５ｘ_ｃ及び確証処理部５ｘ_ｄを備えている。
【０２５９】
鍵生成部５ｘ_ａは、署名者の秘密鍵Ｓ_A∈Ｚｑ^＊と公開鍵Ｐ_A＝α^{Ｓ A}（ｍｏｄｐ）を生成する機能と、公開鍵Ｐ_Aを鍵登録機関装置４ｘに送る機能をもっている。
【０２６０】
署名生成部５ｘ_ｂは、署名者の操作により、メッセージ空間Ｍ＝｛ｍ_１，ｍ_２，…，ｍ_ｎ｝から１つのメッセージｍ_k（ｋ∈Ｍ）を選択する機能と、乱数ｘ，ｋ，μ∈Ｚｑ^＊を選択し、当該乱数ｘ，ｋ，μに基づいて、変数データｈ，ｒ，ｒ^〜，λ，λ^〜，ｃ，σ及びグループ署名ｔを算出する機能と、算出結果のうちのｒを除くデータ（ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）、公開鍵Ｐ_A及び鍵証明書Ｃert_Aを第一検証者装置２ｘに送る機能とをもっている。
【０２６１】
なお、署名生成部５ｘ_ｂは、第一検証者装置２ｘが第二検証者装置３ｘに一部のデータ（ｈ，ｒ^〜，σ，ｔ）を送出する機能の無い場合、算出結果のうちの当該データ（ｈ，ｒ^〜，σ，ｔ）を第二検証者装置３ｘに送る機能をもつものとなる。換言すると、データ（ｈ，ｒ^〜，σ，ｔ）は、署名者装置５ｘから第一検証者装置２ｘを経由して第二検証者装置３ｘに送られても良く、あるいは、署名者装置５ｘから直接に第二検証者装置３ｘに送られても良い。
【０２６２】
否認処理部５ｘ_ｃは、前述した否認プロトコルを実行する機能を有し、各第一検証者装置２ｘ、各第二検証者装置３ｘ又は各第三者装置のいずれかが選択したメッセージｍ_i∈Ｍ（i≠k）が、署名生成部５ｘ_ｂにて選択されたメッセージｍ_kでないこと（ｍ_i≠ｍ_k）を示す場合、前述同様に、離散対数の非等価性ｌｏｇ_βｚ≠ｌｏｇ_αｙを第一検証者装置２ｘに提示する機能をもっている。
【０２６３】
確証処理部５ｘ_ｄは、前述同様の公開プロトコル（例、開示・落札プロトコル）を実行する機能を有し、各第一検証者装置２ｘ、各第二検証者装置３ｘ又は各第三者装置のいずれかが選択したメッセージｍ_i∈Ｍ（i＝k）が、署名生成部５ｘ_ｂにて選択されたメッセージｍ_kであること（ｍ_i＝ｍ_k）を示す場合、データｘを第一検証者装置２ｘに送る機能をもっている。
【０２６４】
次に、以上のように構成されたメッセージ選択システムの動作を説明する。なお、各プロトコルは、第２の実施形態と同様であるが、各プロトコル内の各処理を分担する装置が若干異なっている。以下、前述した文脈に沿って各プロトコル毎に説明する。
【０２６５】
［初期設定］
初期設定は、第１及び第２の実施形態と同様である。
［登録プロトコル］
登録プロトコルは、署名者装置５ｘが署名者の公開鍵Ｐ_A に対し、鍵登録機関装置４ｘから鍵証明書Ｃert_A を発行してもらう処理である。
【０２６６】
署名者装置５ｘの鍵生成部５ｘ_ａでは、秘密鍵Ｓ_A ∈Ｚ_q ^* が生成され、公開鍵Ｐ_A ＝α^SA（mod p）が定められる。この公開鍵Ｐ_A は、身元を明かした署名者装置５ｘから鍵生成部５ｘ_ａにより、鍵登録機関装置４ｘに送られる。
【０２６７】
一方、鍵登録機関装置４ｘは、この公開鍵Ｐ_Aを署名者の個人情報と関連付けてデータベースに登録し、しかる後、公開鍵Ｐ_Aに対する鍵証明書Ｃert_Aを発行して署名者装置５ｘに送る。
【０２６８】
［受付プロトコル］
グループ鍵生成機関装置２ｙの鍵生成部２ｙ_ａは、受付プロトコルの実行中、署名者装置５ｘ及び図示しない複数の第三者装置をいくつかのグループに分け、各グループＪに対する秘密鍵Ｓ_Gj∈Ｚｑ^＊と公開鍵Ｐ_Gj＝α^{Ｓ Gj}（ｍｏｄ ｐ）を生成し、各グループＪの署名用秘密鍵Ｓ_Gjを秘密裏に当該署名者装置５ｘ及び同グループＪの各第三者装置（図示せず）に送る。
【０２６９】
次に、署名者装置５ｘは、、何らかの要求等に対し、前述同様に、メッセージ空間Ｍ＝｛ｍ_１，ｍ_２，…，ｍ_ｎ｝から１つのメッセージｍ_k（ｋ∈Ｍ）を選択し、次に、乱数ｘ，ｋ，μ∈Ｚ_q ^* を選び、以下を計算する。
【０２７０】
【数２５】

【０２７１】
更に、グループ署名ｔを計算する。
【０２７２】
【数２６】

【０２７３】
以下、前述同様に、署名者装置５ｘは（Ｐ_A，Cert_A，ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）を第一検証者装置２ｘに送る。第一検証者装置２ｘは、（ｈ，ｒ^〜，σ，ｔ）を第二検証者装置３ｘに送る。
【０２７４】
［否認プロトコル］
否認プロトコルは、第２の実施形態と同様に実行される。
すなわち、否認時、署名者装置５ｘの否認処理部５ｘ_ｃは、各第一検証者装置２ｘ等が選択したメッセージｍ_i∈Ｍ（i≠k）が、署名生成部５ｘ_ｂにて選択されたメッセージｍ_kでないこと（ｍ_i≠ｍ_k）を示す場合、前述同様に、離散対数の非等価性ｌｏｇ_βｚ≠ｌｏｇ_αｙを第一検証者装置２ｘに提示する。
【０２７５】
［公開プロトコル］
公開時、署名者装置５ｘの確証処理部５ｘ_ｄは、各第一検証者装置２ｘ等が選択したメッセージｍ_i∈Ｍ（i＝k）が、署名生成部５ｘ_ｂにて選択されたメッセージｍ_kであること（ｍ_i＝ｍ_k）を示す場合、データｘを第一検証者装置２ｘに送る。
【０２７６】
第一検証者装置２ｘは、（Ｐ_A，Cert_A，ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）とｘを用いて以下の検証式により否認不可署名の正当性を検証する。
【０２７７】
【数２７】

【０２７８】
次に、λ^〜＝λ^ｘ（ｍｏｄ ｐ）の一致性を検証する。これら否認不可署名が正当である時のみ、
【０２７９】
【数２８】

【０２８０】
を計算し、次式によりグループ署名を検証する。
【０２８１】
【数２９】

【０２８２】
第一検証者装置２ｘは、否認不可署名ｒ^〜，λ^〜と、グループ署名ｔとが正当である時のみ、データ（ｒ，λ）を第二検証者装置３ｘに送る。
【０２８３】
第二検証者装置３ｘは、前述同様に（ｒ，λ，ｒ^〜，ｔ，ｍ_k，Ｐ_G）を用いてグループ署名の正当性を次式より検証する。
【０２８４】
【数３０】

【０２８５】
なお、図１９に第一検証者装置２ｘに与えられる情報と、第二検証者装置３ｘに与えられる情報とを示す。
【０２８６】
上述したように本実施形態によれば、電子入札方法に限らず、その上位概念のデジタル署名方法においても、第２の実施形態と同様の作用効果を得ることができる。
【０２８７】
すなわち、署名者のプライバシを保護し談合を防止して依頼者利益を保護することができ、第一検証者装置２ｘの信頼性や匿名通信路といった仮定には依存せずに、一般的な暗号技術のみでシステム構築可能として実装を容易にすることができる。
【０２８８】
また、暗号化メッセージ情報を、非暗号化状態のメッセージを非添付とした否認不可署名として送付するとともに、確認の際には、否認不可署名に含まれる離散対数の等価・非等価を証明することにより指定メッセージの選択有無を確認するので、署名者の発信する情報の秘匿性が強化され、この結果、プライバシ保護や談合防止が一層強化される。
【０２８９】
さらに、グループ署名を用いたことにより、指定メッセージを選択した旨が確定した後に、当該署名者装置５に関する公開鍵等の情報を漏らさずに、第二検証者装置３ｘにそのメッセージ情報を確認させることができる。
【０２９０】
また、本実施形態は、前述同様の条件（１ｘ）〜（３ｘ）を満足することができる。
（１ｘ）第一検証者装置２ｘ及び他の署名者装置は、署名者装置５ｘが確証時新規データを送らない限り、署名者がどのメッセージに署名を施したかを知ることができない。
（２ｘ）署名者装置５ｘは、否認プロトコルにおいて、選択したメッセージに署名を施した旨を否認できない。
（３ｘ）第一検証者装置２ｘ及び他の署名者装置は、指定メッセージを選択した署名者装置５ｘの秘密鍵を知らないので、当該選択した署名者装置５ｘの正当な署名及び否認付加署名を計算できない。
【０２９１】
（発明の第６の実施形態）
第６の実施形態は、第２の実施形態の電子入札システムを上位概念化した第５の実施形態において、主催者２（第一検証者装置２ｘ）の攻撃アルゴリズムを阻止する第３の実施形態を適用させたものである。
以下、前述した図１７及び図１８を用い、第５の実施形態に対する変更部分について第３の実施形態の文脈に沿って説明する。第６の実施形態は、メッセージの種類の多少に関わらず、上記攻撃アルゴリズムを阻止し、常に上記条件（１ｘ）〜（３ｘ）を満足させるものとなっている。
【０２９２】
具体的には、第６の実施形態では、受付プロトコル及び公開プロトコルで用いられるデータｒ^〜，σ，ｔが次のように変更されている。
すなわち、第６の実施形態は、第５の実施形態におけるｒ^〜＝ｒ^ｘ（ｍｏｄ ｐ）、σ＝ｋ−ｃＳ_A（ｍｏｄ ｑ）、ｔの分母内のハッシュ関数Ｈ（Ｗ_k，ｒ^〜，λ）に代えて、攻撃アルゴリズムを阻止する観点から、それぞれｒ^〜＝（ｒ^ｒ）^ｘ（ｍｏｄ ｐ）、σ＝ｋｒ−ｃＳ_A（ｍｏｄ ｑ）、ｔの分母内にてハッシュ関数Ｈ（Ｗ_k，ｒ^〜，ｒ，λ）が使用されている。
【０２９３】
本実施形態のデジタル署名システムは、このような乱数ｒを自己を含む二変数ｒ，ｘにより秘匿する暗号化処理と、秘匿前後の乱数ｒ，ｒ^〜に基づくグループ署名とが行なわれ、これに応じて受付プロトコル、公開プロトコルが修正される他、第５の実施形態と同様に構成される。
【０２９４】
以下、修正される受付プロトコル及び公開プロトコルについて説明する。
［受付プロトコル］
登録時におけるグループ鍵生成機関装置２ｙのグループ分けの処理及び各グループＪの署名用秘密鍵のＳ_Gjの送付処理は前述した通りである。
次に、署名者装置５ｘは、前述同様に、何らかの要求等に対し、メッセージ空間Ｍ＝｛ｍ_１，ｍ_２，…，ｍ_ｎ｝から１つのメッセージｍ_k（ｋ∈Ｍ）を選択し、次に、乱数ｘ，ｋ，μ∈Ｚ_q ^* を選び、以下を計算する。なお、以下の計算中、ｒ^〜，σ，ｔのＨは、第５の実施形態とは異なり、乱数ｒを用いた暗号化が施されている。また、ｒは第一検証者装置２ｘにとって未知のデータであり、ｒ^〜はその未知のデータｒを当該ｒ自身を用いて暗号化した暗号化未知データである。また、σは第１の暗号化メッセージ情報であり、ｔ内のＨ（ｗk，ｒ^〜，ｒ，λ）は第２の暗号化メッセージ情報である。
【０２９５】
【数３１】

【０２９６】
更に、グループ署名ｔを計算する。
【０２９７】
【数３２】

【０２９８】
以下、前述同様に、署名者装置５ｘは（Ｐ_A，Cert_A，ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）を第一検証者装置２ｘに送る。第一検証者装置２ｘは（ｈ，ｒ^〜，σ，ｔ）を第二検証者装置３ｘに送る。
【０２９９】
なお前述同様に、第一検証者装置２ｘが第二検証者装置３ｘにデータ（ｈ，ｒ^〜，σ，ｔ）を送出せず、署名生成部５ｘ_ｂが当該データ（ｈ，ｒ^〜，σ，ｔ）を第二検証者装置３ｘに送るようにしても良い。
【０３００】
［否認プロトコル］
否認プロトコルは、第５の実施形態と同様に実行される。
［公開プロトコル］
全体の流れは第５の実施形態と同様であるが、ｒを用いた暗号化に伴い、各検証式がｒを含む内容に変更されている。以下、前述した文脈に沿って説明する。
【０３０１】
落札時、署名者装置５ｘは、ｘ，ｒを第一検証者装置２ｘに送付する。第一検証者装置２ｘは、（Ｐ_A，Cert_A，ｈ，ｒ^〜，λ，λ^〜，σ，ｔ）とｘ，ｒを用いて以下の検証式により否認不可署名の正当性を検証する。
【０３０２】
【数３３】

【０３０３】
次に、λ^〜＝λ^ｘ（ｍｏｄ ｐ）の一致性を検証する。これら否認不可署名が正当である時のみ、次式によりグループ署名を検証する。
【０３０４】
【数３４】

【０３０５】
第一検証者装置２ｘは、否認不可署名ｒ^〜，λ^〜と、グループ署名ｔとが正当である時のみ、データ（ｒ，λ）を第二検証者装置３ｘに送る。
【０３０６】
第二検証者装置３ｘは、前述同様に（ｒ，λ，ｒ^〜，ｔ，ｍ_k，Ｐ_G）を用いてグループ署名の正当性を次式より検証する。
【０３０７】
【数３５】

【０３０８】
なお、図２０に第一検証者装置２ｘに与えられる情報と、第二検証者装置３ｘに掲示される情報とを示す。本実施形態では、前述した図１９とは異なり、第一検証者装置２ｘに与えられる情報にｒが追加されている。
上述したように本実施形態によれば、デジタル署名方法における第５の実施形態においても、第３の実施形態と同様の作用効果を付加することができる。
すなわち、第６の実施形態は、第５の実施形態の効果に加え、未知のデータによる第１及び第２の秘匿ステップを用いたことにより、悪意の第一検証者装置による総当り的な攻撃アルゴリズムの適用を阻止することができる。
【０３０９】
なお、本発明は、上記各実施の形態に限定されるものでなく、その要旨を逸脱しない範囲で種々に変形することが可能である。また、各実施形態は可能な限り適宜組み合わせて実施してもよく、その場合組み合わされた効果が得られる。
【０３１０】
例えば第１〜第３の実施形態においては、オークション主催者装置から選択的に入札金額が提示され、これを入札者が選択する場合を説明しているが、ここでいう選択的というのは非常に広い意味で用いている。すなわち一円単位での選択であっても選択的なのであって、このような場合にはオークション主催者装置は、最高金額又は最低金額（落札プロトコル開始金額）しか示さない場合もある。この場合は、一円単位で選択される結果となる。また、最高金額又は最低金額（落札プロトコル開始金額）すら提示不要の場合もある。この場合には、オークション主催者装置では、仮の最高金額（若しくは最低金額）を提示し、この金額以上（若しくは以下）で入札したかを否認プロトコルで確認すればよい。否認できない者がいる場合には、仮の最高金額を上げればよい。
【０３１１】
このように、選択的な入札金額というのは本明細書では、広い意味を有するが、オークション主催者装置にて具体的に提示された有限個の金額の中から選択させるようにすると、効率的な処理を行うには好ましい。
【０３１２】
また、実施形態に記載した手法は、計算機（コンピュータ）に実行させることができるプログラム（ソフトウエア手段）として、例えば磁気ディスク（フロッピーディスク、ハードディスク等）、光ディスク（ＣＤ−ＲＯＭ、ＤＶＤ等）、半導体メモリ等の記憶媒体に格納し、また通信媒体により伝送して頒布することもできる。なお、媒体側に格納されるプログラムには、計算機に実行させるソフトウエア手段（実行プログラムのみならずテーブルやデータ構造も含む）を計算機内に構成させる設定プログラムをも含むものである。本装置を実現する計算機は、記憶媒体に記録されたプログラムを読み込み、また場合により設定プログラムによりソフトウエア手段を構築し、このソフトウエア手段によって動作が制御されることにより上述した処理を実行する。
【０３１３】
なお、本願発明は、上記各実施形態に限定されるものでなく、実施段階ではその要旨を逸脱しない範囲で種々に変形することが可能である。また、各実施形態は可能な限り適宜組み合わせて実施してもよく、その場合、組み合わされた効果が得られる。さらに、上記各実施形態には種々の段階の発明が含まれており、開示される複数の構成用件における適宜な組み合わせにより種々の発明が抽出され得る。例えば実施形態に示される全構成要件から幾つかの構成要件が省略されることで発明が抽出された場合には、その抽出された発明を実施する場合には省略部分が周知慣用技術で適宜補われるものである。
【０３１４】
その他、本発明はその要旨を逸脱しない範囲で種々変形して実施できる。
【０３１５】
【発明の効果】
以上詳記したように本発明によれば、入札者や署名者のプライバシを保護し談合を防止して依頼者利益を保護することができる電子入札方法及び記録媒体を提供することができる。
【０３１６】
また、本発明によれば、プライバシ保護及び談合防止を図りつつ、入札機関並びに第一検証者装置の信頼性や匿名通信路といった仮定には依存せずに、一般的な暗号技術のみでシステム構築可能として実装を容易にすることができる電子入札方法及び記録媒体を提供することができる。
【図面の簡単な説明】
【図１】本発明の第１の実施の形態に係る電子入札方法を適用した電子入札システムの一例を示す構成図。
【図２】オークション主催者装置の構成例を示すブロック図。
【図３】入札者装置の構成例を示すブロック図。
【図４】実施形態の電子入札方法における処理手順を説明する流れ図。
【図５】実施形態における登録プロトコルの処理を示す図。
【図６】実施形態における入札プロトコルの処理を示す図。
【図７】入札段階の様子を模式的に示す図。
【図８】実施形態における開示・落札プロトコルの処理を示す図。
【図９】落札までの様子を模式的に示す図。
【図１０】落札及びその検証の様子を模式的に示す図。
【図１１】本発明の第２の実施形態における電子入札方法を説明する概念図。
【図１２】同実施形態におけるオークション主催者に与えられる情報と公開掲示板に掲示される情報とを示す図。
【図１３】同実施形態におけるオークション主催者に与えられる情報と公開掲示板に掲示される情報とを示す図。
【図１４】同実施形態におけるグループ署名の生成過程を説明するための模式図。
【図１５】第２の実施形態におけるグループ署名の生成過程を説明するための模式図。
【図１６】本発明の第４の実施形態に係る情報証明方法を適用したインターネットゲームシステムの構成例を示す図。
【図１７】本発明の第５の実施形態に係るデジタル署名方法を適用したデジタル署名システムの一例を示す構成図
【図１８】同実施形態におけるグループ鍵生成機関装置及び署名者装置の構成を示す模式図
【図１９】同実施形態におけるオークション主催者に与えられる情報と公開掲示板に掲示される情報とを示す図。
【図２０】本発明の第６の実施形態におけるオークション主催者に与えられる情報と公開掲示板に掲示される情報とを示す図。
【符号の説明】
１…ネットワーク
２…オークション主催者装置
２ｘ…第一検証者装置
２ｙ…グループ鍵生成機関装置
２ｙ_ａ，５ｘ_ａ…鍵生成部
３…公開掲示板装置
４…登録機関装置
４ｘ…鍵登録機関装置
５…入札者装置
５ｘ…署名者装置
５ｘ_ｂ…署名生成部
５ｘ_ｃ…否認処理部
５ｘ_ｄ…確証処理部
６…依頼人装置
７…監査員装置
１１…入札処理部
１２…開示落札処理部
２１…ネット情報検索部
２２…入札処理部
２３…落札処理部
２４…登録処理部
５１…インターネット網
５２…出題者装置
５３…解答者装置
６１…登録部
６２…公開掲示板
６３…ゲーム進行部
６４…解答格納部
６５…問題格納部
７１…登録部
７２…解答作成部
７３…応答処理部[0001]
BACKGROUND OF THE INVENTION
  This invention is an electronic bidding method.LawAnd a recording medium.
[0002]
[Prior art]
An auction sale is a way for buyers to get goods that are competing with each other in a public place, and is best suited to the principle of free competition, the economic principle of a capitalist society. With the recent development of computer communication technology, this auction / sale can be realized on a computer network.
[0003]
However, since the auction / sale is a mechanism led by the buyer, the target value can be determined and determined by the buyer, but has the problem of collusion to manipulate the winning bid.
[0004]
Even in a system for electronically auctioning and selling (hereinafter referred to as an electronic bidding system. The electronic bidding system is an example of a digital signature system), it is necessary to avoid the problem of collusion.
Therefore, Imamura et al. Have proposed a method that assumes an anonymous communication path and does not reveal participants (Yukihiro Imamura, Tsutomu Matsumoto, Hideki Imai, “Electronic Anonymous Bidding Method,” SCIS94-11B, 1994). This method can prevent the bidder from having an opportunity to form a collusion group from the participant list in an unspecified number of competitive bids. This makes it easier to work the principle of competition, protects the profits of the seller who requested the bidding (protection of the profits of the client), and the anonymity of the bid makes privacy information such as bidder strategies and bid limits It also satisfies the condition of not leaking (bidder's privacy protection).
[0005]
However, Nakanishi et al. Pointed out fraud in manipulating the winning bid by denying the bid that the highest bidder is not a rider in the method of Imamura et al. Therefore, Nakanishi et al. Proposed an electronic bidding method in which bid denial is impossible in order to technically prevent this fraud due to collusion (Toru Nakanishi, Hajime Watanabe, Jun Fujiwara, Tadao Takashi) Bidding protocol, “SCIS95-B1.4, 1995). They use non-repudiation signatures to prevent manipulation of winning bids by collusion. As a result, fair free competition is realized. However, both Imamura's method and Nakanishi's method are based on the assumption of an anonymous communication channel (anonymous broadcasting network).
[0006]
Kudo, on the other hand, has a time management organization (M. Kudo, “Secure electronic sealed-bid auction protocol with public key cryptography,” IEICE Trans, Fundamentals, Vol. E81-A (1), pp, 20-27. , January 1998). In this method, the auction organizer can only know the bid amount. However, the relationship between all bidders and bid amounts can be grasped by collaborating with the seller. In this way, the method of protecting the bidder's privacy by the anonymity of the bid is based on assumptions such as the reliability of the anonymous communication path and the organization.
[0007]
On the other hand, Kikuchi and Nakanishi use a secret sharing method to protect the privacy of bidders (bidders) (Hiroaki Kikuchi, Shohachiro Nakanishi, “Anonymous auction without user registration,” Computer Security Symposium '98, pp.243-248, 1998.). Their proposal is a bidding method that uses a number theoretic technique and does not expose any bid values other than the winning bidder. In this method, bidder identification information is distributed and distributed to a plurality of auction organizers by secret sharing. At the time of disclosure / successful bid, only the identification information of the bidder with the maximum amount is restored by a plurality of organizers. However, if it is easy to calculate a combination of identification information of bidders, there is a risk that the confidentiality of the bid amount is lost.
[0008]
[Problems to be solved by the invention]
  As described above, in the conventional electronic bidding method, it is not possible to prevent collusion and protect the bidder's privacy unless an anonymous communication path is used and the assumption that the bidding institution is reliable. Even when the secret sharing method is used, the protection of bidder privacy is not necessarily perfect. Furthermore, in an electronic bidding system that uses anonymous communication channels and secret sharing methods, the entire system is complicated and difficult to implement..
[0009]
  The present invention has been made in consideration of such circumstances, and a first object thereof is an electronic bidding capable of protecting the bidder and the signer's privacy, preventing collusion and protecting the client's profit. DirectionLawAnd providing a recording medium.
[0010]
  The second objective is to build a system using only common cryptographic techniques, while protecting privacy and preventing collusion, and not relying on the assumptions such as the reliability of the bidding institution and first verifier device and anonymous communication path. E-bidding method that can be easily implemented as possibleLawAnd providing a recording medium.
[0012]
[Means for Solving the Problems]
  In order to solve the above-mentioned problem, the first invention made to solve the above-mentioned problem is through an electronic communication path,Can refer to public bulletin board equipmentWith bidder equipmentThe electronic bulletin board device can be referred to and written onThis is an electronic bidding method for conducting an auction by transmitting and receiving information to and from an auction sponsor device.
[0013]
  In the present invention, first, in the bidding step,Posted on the electronic bulletin board deviceAny one of the selected bid amounts is selected, and the selected bid amount information is encrypted and transmitted from the bidder apparatus to the auction organizer apparatus.
[0014]
  Next, in the confirmation step, after all bidder devices have sent the encrypted bid amount information,Of the selective bid amountSpecify the amount from the highest or lowest bid amount, and from the auction sponsor device to the bidder deviceConcernedCheck whether or not the bid was made with the specified amount using the non-repudiation signature protocol. further,Of the selective bid amountThe designated amount is successively lowered or raised until any bidder device confirms that a bid has been placed at the designated amount.
[0015]
Then, in the successful bid determination step, when the bidder device that bids at the specified amount is confirmed in the confirmation step, it is determined to make a successful bid by bidding from the bidder device.
[0016]
Therefore, it is possible to protect the bidder's privacy by protecting the bidder's privacy and protect the client's profit, and without relying on the assumptions such as the reliability of the bidding institution and the anonymous communication path, the system is based only on general encryption technology. It can be constructed and can be easily implemented.
[0017]
UpElectronic bidding method of the first inventionIsIn the bidding step, the encrypted bid amount information is sent as a non-repudiation signature with the non-encrypted bid amount not attached, and in the confirmation step, the equivalent logarithm of the discrete logarithm included in the non-repudiation signature is sent. EquivalenceJudgmentBy confirming whether there is a bid at the specified amount.
[0018]
Therefore, the confidentiality of the information transmitted by the bidder is strengthened, and as a result, privacy protection and collusion prevention are further strengthened.
[0019]
  Next, the second invention for solving the problem is:Of the first inventionIn e-bidding method,in frontThe successful bid determination step is an electronic bidding method in which after the successful bid is determined, the encrypted bid price information for the successful bid is decrypted and confirmed. Therefore, the third party can confirm the successful bid amount after a successful bid.
[0020]
  Next, the third invention for solving the problem is:Of the first inventionIn e-bidding method,in frontThe bidding step encrypts the selected bidding price information to create different first and second encrypted bidding price information, and the first encrypted bidding price information is used as an auction organizer device. And a group signature transmission step of transmitting a group signature using the secret key of the group to which the bidder device belongs and the second encrypted bid amount information from the bidder device to the auction sponsor device. In the selection determining step, after the successful bid is determined, the private key used for the group signature is posted on the electronic bulletin board device, and the group signature is converted into a normal digital signature. The bid price information included in the encrypted bid price information of 2 is in a state where it can be confirmed from other bidder apparatuses.
[0021]
Therefore, by using the group signature, after a successful bid is determined, it is possible to allow other bidder apparatuses to confirm the successful bid price without leaking information such as a public key related to the bidder apparatus.
[0022]
  Next, the first step4The invention of the above3In the electronic bidding method of the invention, in the bidding step, the bidder device converts the data unknown to the auction organizer device into encrypted unknown data by encryption using the unknown data itself as a variable. A first concealment step of creating the first encrypted bid price information using encrypted unknown data; and the bidder device creates the second encrypted bid price information using the unknown data. A second concealment step, wherein in the confirmation step, the bidder device transmits the unknown data to the auction organizer device when confirming a bid at the designated amount; Using the data, the auction organizer device confirms the bid amount information included in the first encrypted bid amount information, and using the unknown data And a step of confirming the bid amount information the auctioneer device is included in the second encryption bid price information in the group signature.
[0023]
Therefore, by using the first and second concealment steps based on unknown data, it is possible to prevent the brute force attack algorithm from being applied by the malicious auction organizer apparatus.
[0024]
  Next, a fifth invention for solving the problem is:In the electronic bidding method of the first invention,Bid publishing step of posting the encrypted bid amount information transmitted by the bidder device on the electronic bulletin board deviceHaveTo do.
[0025]
Further, in the confirmation step, the designation of the designated amount is started after all the encrypted bid amount information from the bidder device is posted on the electronic bulletin board device.
[0026]
Further, in the successful bid determination step, after the successful bid is determined, the encrypted bid price information for the successful bid is decrypted and posted on the electronic bulletin board apparatus.
[0027]
  Next, the first step6The invention of the above5In the electronic bidding method of the invention, in the bidding step, the encrypted bid amount information is sent as a non-repudiation signature with the non-encrypted bid amount not attached, and the confirmation step is included in the non-repudiation signature. Discrete logarithm equivalent / non-equivalentJudgmentAs a result, the presence / absence of a bid at a specified amount is confirmed, and after a successful bid is determined, the encrypted bid amount information for the successful bid is converted from a non-repudiation signature to a digital signature and posted on the electronic bulletin board apparatus.
[0028]
  Next, the first step7The invention of the above6In the electronic bidding method of the present invention, before starting the confirmation step, each bidder device confirms whether or not its own encrypted bid price information posted on the electronic bulletin board device is correct. A bid information confirmation step for transmitting a digital signature of confirmation to the bidder apparatus;
[0029]
  Next, the first step8The invention of the above7In the electronic bidding method of the present invention, in the bid information confirmation step, the key used for the signature is a key that is given from the auction organizer apparatus and is used in common by a plurality of bidder apparatuses.
[0030]
  Next, the first step9The invention of the present invention via an electronic communication path,Can refer to public bulletin board equipmentWith bidder equipmentThe electronic bulletin board device can be referred to and written onThe present invention relates to a recording medium that stores a program for controlling an organizer apparatus in an electronic bidding system that performs an auction by transmitting and receiving information to and from an auction organizer apparatus. The program stored in the recording medium causes the computer to function as the following means.
[0031]
  That is, first, the selective bid amountIn the electronic bulletin board deviceIt is made to present, and it functions as a bid means which receives bid amount information selected and encrypted by the bidder apparatus.
[0032]
  In addition, after receiving all encrypted bid amount information,Of the selective bid amountLet the bidder device specify the amount from the highest or lowest bid amountConcernedWhether or not a bid has been made at a specified amount is confirmed using a non-repudiation signature protocol. further,Of the selective bid amountThe designated amount is sequentially lowered or raised until it is confirmed from any of the bidder devices that the bid has been made at the designated amount. Further, when a bidder apparatus that bids at the specified amount is confirmed, the computer functions as a successful bid means for making a successful bid by bidding from the bidder apparatus, and the bid means includes the encrypted bid price information as non- Received as a non-repudiation signature in which the encrypted bid amount is not attached, and the successful bid means determines whether or not to bid at the specified amount by determining the equivalent / non-equivalence of the discrete logarithm included in the non-repudiation signature Make your computer work to make sure.
[0034]
  Next, a tenth invention for solving the problem is:In the recording medium of the ninth invention,The bidding means receives the first encrypted bid price information out of the first and second encrypted bid price information selected by the bidder apparatus and encrypted respectively, and the second encryption After receiving the group signature including the bid amount information and determining the successful bid, the successful bid means posts the private key used for generating the group signature on the electronic bulletin board device and converts the group signature into a normal digital signature. By performing the conversion, the bid price information included in the second encrypted bid price information in the group signature can be confirmed from other bidder apparatuses.
[0035]
  Next, the first step11The invention of the above10In the recording medium of the invention, when the bidding means confirms the bidding at the designated amount, the bidding means receives unknown data used to create the first and second encrypted bid amount information from the bidder apparatus. Then, the unknown price is used to confirm the bid price information included in the first encrypted bid price information, and the unknown data is used to be included in the second encrypted bid price information in the group signature. Check bid amount information.
[0036]
  Next, the first step12The invention of the present invention via an electronic communication path,Can refer to public bulletin board equipmentWith bidder equipmentThe electronic bulletin board device can be referred to and written onThe present invention relates to a recording medium that stores a program for controlling a bidder apparatus in an electronic bidding system that performs an auction by transmitting and receiving information to and from an auction organizer apparatus. The program stored in the recording medium causes the computer to function as the following means.
[0037]
  First,In the electronic bulletin board deviceAny one of the presented selective bid amounts is selected, and the selected bid amount information is encrypted and functions as a bid means for transmitting to the auction organizer apparatus.
[0038]
  In addition, whether or not the auction organizer has bid for the specified amountBy non-repudiation signature protocolWhen a confirmation is requested, the computer functions as a confirmation means for sending information necessary for the confirmation to the organizer.The bidding means transmits encrypted bid price information as a non-repudiation signature with the non-encrypted bid price unattached, and the confirmation means includes a discrete logarithm included in the non-repudiation signature. Send information to determine whether it is equivalent or notThe
[0079]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be described.
[0080]
(First Embodiment of the Invention)
First, an outline of the electronic bidding method of this embodiment will be described. In the present invention, an assumption such as an anonymous communication path is not required, and a system is constructed only by a conventional encryption technique. In addition, a public bulletin board is used so that all bidders can verify the validity of bids and bids. At this time, no bid amount other than the winning bid value is revealed. Technically, Michels and Stadler, "Efficient convertible undeniable signature schemes," Proc. 4th Annual Workshop on Selected Areas in Cryptography, SAC '97, 1997.) is applied.
[0081]
That is, in the electronic bidding method of this embodiment, first, in the first stage, the bidder is submitted with the encrypted bid information, and this bid information is posted on the public bulletin board. In addition, the bid price is selected from a plurality of prices previously presented by the auction organizer. As described above, since any one of the selective amounts is submitted to the bidder in the first stage, the successful bidder is substantially determined at this point. In addition, the bid information is disclosed while being encrypted. Further, since the bid information is encrypted, at this point, no one including the auction organizer can know the true winning bidder or the winning bid amount. Therefore, fraud can be surely prevented as long as bid rejection can be prevented.
[0082]
In the second stage, bidding and successful bid information disclosure are performed while preventing bid denial. At this stage, as the so-called Dutch auction, the amount is gradually reduced (increased) while checking the presence / absence of bidders in order from the highest (minimum) amount. In this method, unlike the Dutch auction, the true winning bidder is already determined before entering the bidding process. The processing of this method is to confirm the determined successful bidder without causing the bid to be rejected. In this second stage, the application method of the Michels-Stadler method described above is used in the present embodiment.
[0083]
In the first place, the conventional non-repudiation signature method including the Michels-Stadler method is a method in which a message and a signature (a part of the signature) are previously paired and revealed to the verifier. In other words, the non-repudiation signature is a kind of electronic signature, and there is no viewpoint of keeping the message itself secret. The non-repudiation signature is an electronic signature in a format in which only a person who acquires specific information from the signer can check the signature on the message content.
[0084]
In contrast, in this embodiment, the message is not disclosed in advance, and the signature is regarded as a bit commitment of the message. That is, the encrypted bid information is submitted as a non-repudiation signature in this format. By using the non-repudiation signature technique, each bidder proves in the bidding process that he / she has not bid with that amount without revealing the bid amount. And the amount of money is revealed only at the time of a successful bid to prove the validity of the bid. After acceptance as a successful bidder, the bid information is converted into a normal digital signature that anyone can verify. By applying this non-repudiation signature technique, it is possible to conceal the bid amount (message) and simultaneously satisfy the non-repudiation condition.
[0085]
Therefore, in this electronic bidding system, the system can be constructed only by the conventional encryption technique without depending on the assumptions such as the reliability of the institution and the anonymous communication path.
[0086]
In this embodiment, two types of bidding models are considered. One is a bid for a certain product and the highest bidder is the winning bidder, and this is called an “exhibition bid”. This is known as a general auction model. The other is a bid for the highest bidder for work such as construction work, which is called “contract bidding”.
[0087]
In the above explanation, the electronic bidding has been described in two stages, but in order to realize this electronic bidding method, there are more specifically three stages, divided into registration protocol, bidding protocol, and disclosure / successful bidding protocol. Yes. In the bidding protocol, participating bidders bid with a secret amount (corresponding to the first stage). The bidding is terminated at a certain time, and the winning bidder who bids the highest (lowest) in the disclosure / successful biding protocol is determined (corresponding to the second stage).
[0088]
Hereinafter, a specific configuration and processing in the present embodiment will be described.
FIG. 1 is a configuration diagram showing an example of an electronic bidding system to which an electronic bidding method according to the first embodiment of the present invention is applied.
This electronic bidding system includes an auction organizer device 2, a public bulletin board device 3, a registration institution device 4, a plurality of bidder devices 5 (representing any one of a plurality of bidders) on a public network 1 such as the Internet. Device 5 or bidder device 5j), client device 6 and auditor device 7 are connected. Here, the network 1 is not limited to a public system, and may use a dedicated line. Each of the devices 2 to 7 is a computer system provided with communication means, and realizes functions described below by its control program. Furthermore, in the following description, the devices 2 to 7 are also simply referred to as auction organizer 2 or organizer 2, public bulletin board 3, registration organization 4, bidders 5 and 5 j, requester 6, and auditor 7.
[0089]
Each of these devices will be described.
FIG. 2 is a block diagram illustrating a configuration example of the auction organizer apparatus.
The auction organizer apparatus 2 collects the clients 6 and hosts the auction. For this purpose, a bidding processing unit 11 that realizes an organizer execution part in the bidding protocol and a disclosure successful bid processing unit 12 that realizes an organizer execution part in the disclosure / successful bidding protocol are provided. Also, the public bulletin board 3 is managed by these processing units 11 and 12.
[0090]
The bid processing unit 11 accepts the exhibition of the client 6 and writes bid information from the bidder 5 on the public bulletin board 3.
Further, the disclosure successful bid processing unit 12 updates the amount of money on the public bulletin board 3 at a certain cycle until the highest (low) value is determined. The correctness of the sending information of the bidder 5 who bids with the highest (low) value is verified to determine the winning bidder. All the verification information and the sending information are written on the public bulletin board 3, and the validity is disclosed to all participants.
[0091]
The registration organization device 4 performs a registration operation for the bidder 5. In practice, the bidder 5 is authenticated, and a certificate for the key sent from the bidder 5 is issued.
[0092]
The client is a seller who sells works of art and programs in an auction, and sells the exhibit to the highest bidder with the highest price. Or, in contract bidding, work such as construction and programs are auctioned and the highest bidder with the lowest amount of money is asked to do the job. The client apparatus 6 makes an exhibition request to the auction organizer apparatus 2 via the network 1.
[0093]
FIG. 3 is a block diagram illustrating a configuration example of the bidder apparatus.
The bidder apparatus 5 realizes a successful bid for purchase / contract for an exhibit or work that has been auctioned. For this purpose, a network information search unit 21, a bid processing unit 22, a successful bid processing unit 23, and a registration processing unit 24 are provided. In addition, the bidder 5 showing the highest price in the exhibition bid and the lowest price in the contract bid is the winning bidder.
[0094]
The network information search unit 21 accesses the public bulletin board 3 via the network 1 and acquires the posted information. The bid processing unit 22 and the successful bid processing unit 23 communicate with the organizer apparatus 2 and perform processing of a bidder execution part in the bidding protocol and the disclosure / successful bidding protocol, respectively.
[0095]
The registration processing unit 24 processes the bidder execution part in the registration protocol, generates a key when participating in the auction, and issues a key certificate to the registration organization.
[0096]
The public bulletin board device 3 posts data in a format that allows anyone to refer to the written data. However, data can be written / erased only by the auction organizer 2 as an administrator. The organizer 2 writes on the bulletin board 3 only the data of the participant (bidder 5) who has been registered correctly based on the signature of the registration organization 4. The public bulletin board device 3 is shown as a separate device from the auction organizer device 2 in the system shown in FIG. 1, but the bulletin board 3 may be incorporated in the auction organizer device 2, for example.
[0097]
The inspector apparatus 7 includes a processing unit similar to the net information search unit 21 shown in FIG. 3 and observes whether information described in the public bulletin board 3 has been altered or deleted by the auction organizer 2 in the middle. To do. Inspect and notify the auction organizer 2 of fraud and mistakes. Since anyone can read the data on the bulletin board 3, each bidder 5 may be responsible for the auditor 7.
[0098]
Next, the operation of the electronic bidding system in the present embodiment configured as described above will be described.
In the following description, first, processing in time series in the electronic bidding system will be described, and then processing of each protocol of registration, bidding, disclosure / successful bidding will be described in detail.
[0099]
FIG. 4 is a flowchart for explaining the processing procedure in the electronic bidding method of this embodiment.
First, an auction listing request is made by the client 6 to the auction organizer 2 (s1), and the organizer 2 that accepts the listing request posts information on the exhibits and a price option for bidding (s2). .
[0100]
This posting is performed for a certain period, and during that period, the exhibition information on the public bulletin board 3 is searched by the bid candidate device (device having the function of the bidder device 5 shown in FIG. 3) (s3). Here, a candidate who wishes to make a bid requests the registration organization 4 to register a bidder, and the registration is made. (S4)
Next, a non-repudiation signature in a format that does not publish a message is applied to the bid information including the bid amount and the like, that is, the bid information is virtually encrypted and sent from the registered bidder 5 to the auction organizer 2. This bid information is examined by the organizer 2 and further posted on the public bulletin board 3. The bid is accepted until the bidder is closed by the organizer 2 (s5).
[0101]
When the bid is closed, the successful bid processing by the auction organizer 2 is started (s6). This successful bid processing proceeds by checking whether or not there are bidders in order from the highest amount, and continues until the successful bidder is determined.
Finally, information such as the bid amount presented by the successful bidder is posted on the public bulletin board 3 in a verifiable state, and the electronic bidding ends.
[0102]
Next, processing of each protocol of registration, bidding, disclosure / successful bidding in the electronic bidding system will be described. Here, the exhibition bidding will be described first, and the contract bidding will be described later.
[0103]
[Initial setting]
First, (p, q, α) is disclosed as a system parameter. p and q are large prime numbers, and the relationship of p = 2q + 1 is established. α is the multiplicative group Z_p ^* The generator is such that the order at q is q. H_l: {0, 1}^* → {0,1}^lIs a one-way hash function.
[0104]
[Registration Protocol]
The registration protocol process corresponds to step s4 in the flowchart of FIG.
This is because each bidder 5j has created a key P_jIn response to the certificate Cert_jIs a process of issuing
[0105]
FIG. 5 is a diagram showing processing of the registration protocol in the present embodiment.
Step t1: For this purpose, in the registration processing unit 24 of each bidder 5j, the secret key S_j∈Z_q ^* Is generated and the public key P_j= Α^Sj(Mod p) is defined. Public key P_jIs sent to the registration agency 4 from the bidder 5j whose identity is revealed.
[0106]
Step t2: On the other hand, the registration organization 4 assigns a group number GID to the bidder 5j. One group is a set of n people. n is determined by estimating the number of bid participants. Then (P_j, GID)_jIs returned to bidder 5j. The reason for grouping is that the public bulletin board 3 is easy to see, and the evidence of the information posted on the public bulletin board by allowing each group member (bidder) to confirm the bulletin board contents in the bidding protocol. This is to increase ability.
[0107]
[Bid protocol]
The bid protocol processing corresponds to steps s1, s2, s3, and s5 in the flowchart of FIG.
[0108]
In the bidding protocol, bidder 5 selects one of a plurality of monetary values prepared by auction organizer 2 (w_kAnd). Signature σ (w_k). Then, the function value Y = f (w calculated using the one-way function f_k‖Σ (w_k)) To the organizer. The organizer writes Y on the public bulletin board. This procedure will be described with reference to FIG.
[0109]
FIG. 6 is a diagram showing a bidding protocol process in the present embodiment.
Step u1: First, the bid processing unit 11 of the auction organizer 2 prepares a plurality (m) of bid amounts. Here, (w₁, W₂, ..., w_m ). However, the magnitude relationship between the amounts shown is w₁<W₂<... <w_mIt has become.
[0110]
Step u2: On the other hand, the bid amount w_k(1<k<m) is selected, and a random number x, kεZ_q ^* Is selected and the following calculation is performed.
[0111]
[Expression 1]

[0112]
Here, the random number x is a disposable private key, and a disposable public key h corresponds to the secret key x.
[0113]
Of the above calculation results, from bidder 5j
[0114]
[Expression 2]

[0115]
Is sent to the auction organizer 2. Amount w_kNote that do not send The amount w which is a message at this time_kIn order not to send the message, almost the same information as the non-repudiation signature is sent, but the signature is not obtained. In other words, the encryption information is effectively sent by this information sending method. The information sent at this time is the amount w_kSince it is a non-repudiation signature except that is not attached, the non-repudiation signature form sent at this time can be converted into a normal digital signature by being given a secret key x later. As a result, the amount w_kVerification of this will be possible at a later time. Amount w_kHow to verify this will be described later.
[0116]
Step u3: Next, the certificate Cert is given by the auction organizer 2._jIs validated. If it is valid, the organizer 2 will inform the bidder 5j about
[0117]
[Equation 3]

[0118]
Is described in the corresponding group column of the public bulletin board 3.
[0119]
The situation up to this point is schematically shown in FIG.
[0120]
FIG. 7 is a diagram schematically showing the state of the bidding stage.
[0121]
Step u4: The bid request is closed by the organizer 2 when the predetermined time has come.
[0122]
Step u5: It is confirmed by all bidders 5 whether or not the bid information transmitted by himself / herself is correctly posted. If posted correctly, each bidder 5 signs all n bid information in the same group.
[0123]
[Expression 4]

[0124]
Is given. That is, bidder 5j has (P_j, GID, Cert_j, Σ_j) Is sent to the organizer 3.
[0125]
Step u6: The organizer 2 sends (P_j, GID, Cert_j, Σ_j) Is verified. Only when it is legitimate, organizer 2 adds (P_j, GID, Cert_j, Σ_j) Is described.
Bid information as encryption information is released on the public bulletin board, and further, the bidder 5 himself confirms the posted information.
[0126]
[Disclosure / Successful bid protocol]
The bid protocol processing corresponds to steps s6 and s7 in the flowchart of FIG.
[0127]
In the disclosure / successful bid protocol, the auction organizer 2 starts from the highest price (bottom price) and counts down (ups) the money amount in a certain time period until receiving a notification from the bidder 5. At a certain point, when the bid amount is reached, the bidder 5 sends the organizer 2 σ (w_k) Is sent encrypted. Organizer 2 has signature σ (w_k) And the relevance between the function value Y and the validity. Only when it is valid, the auction is terminated with the bidder 5 as the winning bidder. σ (w_k) Is described on the public bulletin board, all the bidders 5 can confirm the validity of the successful bidder determination procedure. This procedure will be described with reference to FIG.
[0128]
FIG. 8 is a diagram showing processing of the disclosure / successful bid protocol in the present embodiment.
Step v1: First, by the auction organizer 2, the highest amount w is given to the portion for successful bid processing in the public bulletin board 3._mIs set.
[0129]
Step v2: If there is a bidder 5j who bids at this amount (v2-1), the bidder 5j notifies the auction organizer 2 and if there is no relevant person (v2-1), the denial protocol is used. Confirmation is performed (v2-2). For example, the amount w_kThe bidder 5j who made a bid at_mIn order to reject the bid by, the following (y, z, β ′) is rejected.
[0130]
[Equation 5]

[0131]
The denial protocol will be described later.
[0132]
Amount w_mAfter confirming bid rejection for all bidders 5, the next smaller amount (w_m-1) Is set on the public bulletin board 3 by the organizer 2 (v2-3). And the process of this step v2-1-v2-3 is repeated until the bidder 5 who bid by the amount appears.
[0133]
The situation up to this point is schematically shown in FIG.
[0134]
FIG. 9 is a diagram schematically showing a state until a successful bid.
[0135]
Step v3: A certain amount w_kWhen the bidder 5j gives notification (v2-1: YES), the validity of the bid is verified by the confirmation protocol (v3-1). The confirmation protocol will be described later. When the validity is verified, the bidder 5j is determined as a successful bidder candidate. Here, when there is only one successful bid candidate (v3-2), the bidder 5j is determined as the successful bidder. In this case, a disposable private key x is transmitted from the bidder 5j to the organizer 2 as disclosure information (v3-3). In organizer 3,
[0136]
[Formula 6]

[0137]
Verifies the validity of the signature. By organizer 2
[0138]
[Expression 7]

[0139]
Is described in the public bulletin board 3 (v3-4), and the auction is ended. At this time, since the information posted on the public bulletin board 3 is a so-called normal digital signature, the other bidders 5, the supervisor 7, and other third parties can verify the contents. Therefore, the amount w that is the winning bid_kCan be confirmed.
[0140]
The state up to here is schematically shown in FIG.
[0141]
FIG. 10 is a diagram schematically showing a successful bid and its verification.
[0142]
Step v4: When there are a plurality of successful bid candidates in Step v3-2, they are handled as follows.
[0143]
(A) First, when the number of candidates is small (v4-1: NO), the candidate 5j sends x and the organizer 2
[0144]
[Equation 8]

[0145]
Is put on the public bulletin board 3 and a tie is made between candidates (v4-2).
[0146]
(B) If the number of candidates is large (v4-1: YES), w_k <t<w_{k + 1} A plurality of amounts are prepared by the organizer, and the auction using these amounts is performed again (v4-3).
[0147]
The processing in the disclosure / successful bid protocol is as described above. The non-repudiation protocol, the confirmation protocol, and the conversion from the non-repudiation signature to the normal signature (digital signature) will be described.
[0148]
That is, the electronic bidding system of the present embodiment uses the Michels-Stadler method as a non-repudiation signature method, but has a feature in its use as described above. In the present embodiment, an encryption system based on the discrete logarithm problem is selected as the one-way function.
[0149]
In other words, in the conventional non-repudiation signature scheme, the message to be signed is revealed and the signature is verified / rejected. On the other hand, in this embodiment, the message is not attached to the signature, but an applied method is used in which the signature is regarded as a bit commitment of the message (bid price). This is to satisfy the confidentiality of the bid price and the non-repudiation at the same time.
[0150]
Hereinafter, a non-repudiation protocol and a confirmation protocol by the Michels-Stadler method, and conversion from a non-repudiation signature to a normal signature will be described.
[0151]
[Equivalent / non-equivalent proof of discrete logarithm]
Now, (p, q, α) is open to the public, and p is a large prime number that satisfies p = 2q + 1 (where q is a prime number). α is the multiplicative group Z_p ^* The generator is such that the order at is q. Let H be a one-way hash function.
[0152]
Hereinafter, z = β^x(mod p) and y = α^xX∈Z that satisfies_q ^* When there is a log_βz = log_αIndicates the protocol that proves y. This is used in the signature verification protocol. Conversely, the denial protocol is log_βz ≠ log_αThis is a proof of y. The following is a protocol that proves the equivalence / non-equivalence of discrete logarithms.
[0153]
[Equation 9]

[0154]
[Signature generation and conversion to normal signature]
Alice, the signer, generates a non-repudiation signature. Alice has a verifier protocol that verifies the verifier Bob's validity of the signature and a denial protocol that denies the illegal signature. Furthermore, a non-repudiation signature can be converted into a normal digital signature that anyone can verify.
[0155]
Alice has two secret keys x₁, X₂Choose ∈Zq, y₁= Α^x1(Mod p), y₂= Α^x2Let (mod p) be the public key. Message m (above amount w_kAlice generates a random number k∈Z_qAnd r = α^k(Mod p) is calculated. Then calculate:
[0156]
[Expression 10]

[0157]
here,
[0158]
## EQU11 ##

[0159]
Is a signature for the message m. When showing the legitimacy of this signature,
[0160]
[Expression 12]

[0161]
Prove that Denial of illegal signature is log_βZ ≠ log_αProve that y.
[0162]
To convert a normal digital signature that anyone can verify this non-repudiation signature into, Alice uses the private key x₂Publish. This
[0163]
[Formula 13]

[0164]
The verifier who obtained the signature can verify the validity of the signature by the following equation.
[0165]
[Expression 14]

[0166]
[Contract bid]
Next, the case of contracted bidding will be described.
In the contract bidding protocol, the same processing as that of the exhibition bidding is performed. However, the bidder with the highest price wins the bid in the contracted exhibition bid, while the bidder with the lowest price in the contract bid becomes the winning bidder. Therefore, the disclosure / successful bid protocol is changed to the count-up method starting from the lowest amount. That is, step v1 and step v2 in FIG. 8 are corrected as follows.
[0167]
Step v1 ′: The auction organizer 2 uses the public bulletin board 3 and uses the lowest amount w.₁Set.
[0168]
Step v2 ': The bidder 5j who bids at this amount notifies the auction organizer 2 (v2-1). If there is no one, the next smaller amount (w₂(V2-3 '). This process is repeated until a bidder who bids for that amount appears. The denial protocol during that time is performed in the same way as for the exhibition bidding (v2-2).
[0169]
As described above, in the electronic bidding method according to the embodiment of the present invention, selective bid information is pre-encrypted to bid, and then the bidder is confirmed in order from the highest amount (or lowest amount). Since the successful bid is determined, the privacy of the bidder can be protected without requiring an assumption such as an anonymous communication channel, and the client profit can be protected by preventing collusion.
[0170]
In addition, since bid information other than the winning bid value is not exposed at all and the winning bid information is posted on the public bulletin board, all bidders can verify the validity of the bid / successful bid.
[0171]
As described above, in the present invention, bidder privacy protection, collusion prevention, fairness, and the like are realized. However, in the bidding protocol, when a hash function is simply selected as a one-way function, there is inconvenience in denial of bidding. The special cases that occur are also conceivable. This is due to the act of the bidder not taking his bid at the disclosure / successful bid stage. When this action is used, the following situations can occur.
[0172]
Now, Company A and Company B are colluding in the contract tender. The two companies will try to make a successful bid with the least amount of money. At this time, Company B is estimated to be the lowest amount P_minSo, Company A wants to make a successful bid_realBid on. P_minAnd P_realIf there are no bidders in the middle of_minDenied and Company A P_realMake a successful bid. In this way, bidders can consign work at a minimum cost by manipulating the winning bid amount.
[0173]
However, in the present embodiment, the non-repudiation signature technology is used and the message (bid price) is not disclosed in advance, and the signature is regarded as a bit commitment of the message and transmitted to the organizer. Therefore, the bid price is not disclosed. A bid can be confirmed and a successful bid can be made while refusal is prohibited by a refusal protocol, and rigging can be prevented more reliably. Furthermore, because this non-repudiation signature technology is used, the amount of money is disclosed only at the time of a successful bid to prove the validity of the bid, and after acceptance as a successful bidder, it is converted into a normal digital signature that anyone can verify can do. Therefore, it is possible to conceal the bid amount (message) and simultaneously satisfy the non-repudiation condition.
[0174]
Furthermore, in this embodiment, since the system is constructed only with general encryption technology without depending on assumptions such as the reliability of the institution and the anonymous communication path, it can be easily implemented, and the system construction can be performed. It can be easy and low cost.
[0175]
Further, according to the method of the present embodiment, since confirmation is performed using a denial protocol, the organizer can specify who is going to get off halfway when not responding to the successful bid process. In addition, since there is still absolute evidence indicating the fact of bidding of non-repudiation signatures, various measures such as requesting a fine and prohibiting bidding can be taken based on this evidence. Therefore, it is possible to prevent rigging and, in turn, prevent price manipulation fraud.
[0176]
In addition, if successful bid facts are disclosed at the stage where all the information on purchase intentions and refusals of all bidders is available, it will be possible to prevent successful bid price manipulation by misusing the order of intention and proof. Can do.
[0177]
Furthermore, since the system of the present embodiment is configured and operates as described above, it has the following features.
[0178]
Confidentiality of bid amount: Since the bid amount of the loser is encrypted by bit commitment, it is unknown to anyone other than the person himself and is not exposed to anyone. It is not exposed to auction organizers.
[0179]
Soundness of the bid amount: Since the parties other than the tenderer do not know the secret key for performing a legitimate bid, the contents of the bid cannot be falsified. In addition, falsification of bid information by the organizer at the time of disclosure / successful bid can be prevented by signing the bid information of the group described on the bulletin board. In other words, a third party cannot pretend to be a formal private key owner who has performed regular registration, and cannot create valid bid information.
[0180]
Validity of the highest bid: Satisfied by the non-repudiation of bids and the nature of countdown (up). All bidders can verify that the winning bid is higher (lower) than their bid price. That is, it is ensured that the winning bid amount is the highest (minimum) amount of all bid prices.
[0181]
Fairness: No bidders can bid on more favorable conditions than others because they know only the bid amount and prevent manipulation of the winning bid due to non-repudiation of bidding.
[0182]
(Second Embodiment of the Invention)
In the first embodiment, since there is no need to attach information that identifies the successful bidder to the information that is disclosed, there is some anonymity to other bidders and third parties. Moreover, in 1st Embodiment, the anonymity is given to the bid information disclosed by introducing the concept of kana. However, since each bidder signs in the bid protocol to confirm bid information, a third party who knows the relationship between the public key and the bidder can determine who made the bid and who made the successful bid. It is possible to grasp from public information.
[0183]
On the other hand, it is conceivable that the following collusion is performed by using information indicating who is the previous successful bidder and who is bidding. In other words, the rigging group continues to make a successful bid at an unreasonably low price. By repeating this process repeatedly, other applicants will lose their willingness to bid. The bidder gives up the bid when he finds a member of the collusion group. After creating such a situation, by gradually reducing the number of participants outside the group and monopolizing the market, it is possible to make a successful bid for the target object at the price they want. In this rigging method, the information disclosure regarding the bidder at the time of bidding is treated like a seal, so that the willingness to participate is manipulated.
[0184]
In the present embodiment, a method for smoothly operating the competition principle will be described in which all the parties other than the organizer are who should be anonymous about who the bidder is. Specifically, when the bid information is confirmed by the bidder in the bid protocol, the signature is signed using a group key given by the organizer instead of an individual public key.
[0185]
FIG. 11 is a conceptual diagram illustrating an electronic bidding method according to the second embodiment of the present invention. FIG. 5A shows information posted on the public bulletin board in the method of the first embodiment, and FIG. 5B shows information posted on the public bulletin board in the method of the present embodiment.
[0186]
As shown in FIG. 5B, in the present embodiment, the bid information confirmation at the time of the bid protocol is performed by the group key, and the public key that triggers the personal information is not disclosed.
[0187]
The electronic bidding system of this embodiment is configured in the same manner as in the first embodiment except that such a group signature is performed and the bidding protocol and the bidding protocol are modified accordingly. However, since grouping can be performed at an arbitrary location, here, a case where grouping by the organizer 2 is performed instead of grouping by the registration organization 4 in the first embodiment will be described.
[0188]
Hereinafter, the modified bidding protocol and bidding protocol will be described.
[0189]
[Bid protocol]
Organizer processing:
Organizer 2 divides bidder 5 into several groups, and each group J's private key S for signature_GjWill be sent to the secret box upon registration.
[0190]
Bidding process:
For example, consider a case where a bidder 5A belonging to a certain group j bids. At this time, the secret key of the group to which the bidder 5A belongs is set to S_G, P is the public key_G= Α^SG(mod p). Also, bidder 5A's common secret key is S_A, P is the public key_A= Α^SA(mod p).
[0191]
Bidder 5A will bid for the item_k(1<k<m). Next, random numbers x, k, μ∈Z_q ^*And calculate the following:
[0192]
[Expression 15]

[0193]
[Rejection Protocol]
[0194]
[Expression 16]

[0195]
And current price w_iAs in the first embodiment, the bidder A and the organizer execute the denial phase. here,
[0196]
[Expression 17]

[0197]
The organizer writes the communication data in β and the denial protocol on the public bulletin board. In the Michels-Stadler non-repudiation signature method, P_AYou can verify the equivalence / non-equivalence of discrete logarithm without publishing.
[0198]
[Successful bid protocol]
[0199]
[Formula 18]

[0200]
For the verification of the personal signature and confirmation of the denial phase by the organizer, the personal public key P_AIs used, and the public key P of the group is used to sign the successful bid._GIs used. That is, the information to be disclosed does not include information for specifying an individual. That is, other than the organizer verifies successful bid information which is a group signature.
[0201]
FIG. 12 shows information given to the auction organizer and information posted on the public bulletin board.
[0202]
As described above, the electronic bidding method according to the embodiment of the present invention uses the group key given to the organizer instead of the individual public key when the bidder confirms the bid information by the bidding protocol. Since the signature is made, it is possible to prevent rigging using who the bidder is without releasing information linked to each individual bidder. That is, the influence on the next auction can be eliminated and the market monopoly can be prevented.
[0203]
For example, if there is a group consisting of multiple vendors who are making a successful bid in concession, and there is a vendor that does not participate in one company collusion, the competitive principle works in the bid that this vendor joins, and the winning bid price is far below the expected price, There are cases where bids that do not participate are awarded at an expected price. In this case, an injured person from a tie-up by a certain company uses the principle of competition in the market.
[0204]
Therefore, if there is no information for identifying the bidder from the public information as in the present embodiment, the rigging group is promoted and the form of bidding by collaborating and transferring is lost. Thereby, it can lead to the original auction form by free competition. That is, in this embodiment, since the anonymity in the auction is strengthened and no proof of bidding is left, an illegal price operation can be prevented by collusion.
[0205]
Further, in the present embodiment, the amount of information given according to the verifier can be controlled in stages by using the Mitchels-Stadler denial / verification proof protocol. In this embodiment, by applying this method and the group signature, the organizer can verify the winning bidder information, and the third party can verify the winning bid price without disclosing the bidder information or the winning bidder information. Can be done.
[0206]
In addition, the present embodiment can satisfy the following conditions (1) to (3).
(1) The auction sponsor device 2 and other bidder devices 5 cannot know which bid amount the bidder has signed unless the bidder device 5 that has made a successful bid sends new data at the time of a successful bid.
(2) The bidder apparatus 5 cannot deny that the selected bid amount has been signed in the denial protocol.
(3) Since the auction organizer apparatus 2 and the other bidder apparatuses 5 do not know the secret key of the bidder apparatus 5 that has made a successful bid, the legitimate signature and the denial addition signature of the bidder apparatus 5 that has made a successful bid cannot be calculated.
[0207]
(Third embodiment of the invention)
In the second embodiment, when the number of bid amounts to be selected is small, the organizer detects which bid amount the bidder has signed by a predetermined attack algorithm before the bidder sends the disclosure information. The inventor thought that there was a possibility. This attack algorithm uses the bid amount w = {w₁, W₂, ..., w_n}, All the elements of} are sequentially put into a verification formula to calculate match / mismatch. That is, according to the attack algorithm using the verification formula, the present inventor considered that the organizer may break the confidentiality of the bid price signature when the types of bid prices are small. This means that the condition (1) described in the effect of the second embodiment may be violated.
[0208]
If there are many types of bid prices, the computational effort of the attack algorithm increases, and the efficiency of the attack algorithm is significantly reduced. Therefore, the second embodiment also has sufficient confidentiality. However, there is a situation where it is desirable to have a scheme in which the confidentiality of the bid price signature is maintained even if the amount of calculation at the time of signature creation and signature verification increases slightly, regardless of the type of bid price.
[0209]
Therefore, the third embodiment prevents the attack algorithm regardless of the kind of bid amount, and always satisfies the above conditions (1) to (3) (hereinafter referred to as characters r, Variable data with wavy line “~” on λ
[0210]
[Equation 19]

[0211]
In the text area other than the mathematical expression area [number n].^~, Λ^~I will explain it with the notation).
Specifically, in the third embodiment, data r used in the bidding protocol and the bidding protocol.^~, Σ, t are changed as follows.
That is, the third embodiment is the same as the r in the second embodiment.^~= R^x(Mod p), σ = k−cS_A(Mod q), a hash function H (W in the denominator of t_k, R^~, Λ) instead of r^~= (R^r)^x(Mod p), σ = kr−cS_A(Mod q), a hash function H (W in the denominator of t_k, R^~, R, λ) are used.
[0212]
The electronic bidding system of the present embodiment includes an encryption process for concealing such a random number r using two variables r and x including itself, and random numbers r and r before and after concealment.^~A group signature based on the above is performed, and the bidding protocol and the bidding protocol are modified accordingly, and the configuration is the same as in the second embodiment.
[0213]
Hereinafter, the modified bidding protocol and bidding protocol will be described.
[Bid protocol]
Processing of grouping by organizer 2 at the time of registration and S of signature private key for each group J_GjThe sending process is as described above.
Next, the bidder 5A makes a bid amount W for the exhibit as described above._k(1<k<m) and then random numbers x, k, μεZ_q ^*And calculate the following: In the following calculation, r^~, Σ, and t are encrypted using a random number r, unlike the second embodiment. Also, r is data unknown to the auction organizer device, and r^~Is encrypted unknown data obtained by encrypting the unknown data r using the r itself. Σ is the first encrypted bid price information, and H (wk, r in t^~, R, λ) is second encrypted bid amount information.
[0214]
[Expression 20]

[0215]
Further, a group signature t is calculated.
[0216]
[Expression 21]

[0217]
Hereinafter, as described above, the bidder 5A (P_A, Cert_A, H, r^~, Λ, λ^~, Σ, t) is sent to the organizer 2. Organizer 2 is (h, r^~, Σ, t) are entered in the corresponding group column of the public bulletin board 3.
[0218]
[Rejection Protocol]
The denial protocol is executed as in the second embodiment.
[Successful bid protocol]
The overall flow is the same as that of the second embodiment, but with the encryption using r, each verification expression is changed to a content including r. Hereinafter, the description will be made in accordance with the above-described context.
[0219]
When making a successful bid, the bidder 5A sends x, r to the organizer 2. Organizer 2 (P_A, Cert_A, H, r^~, Λ, λ^~, Σ, t) and x, r are used to verify the validity of the non-repudiation signature by the following verification expression.
[0220]
[Expression 22]

[0221]
Next, λ^~= Λ^xVerify the consistency of (mod p). Only when these non-repudiation signatures are valid, the group signature is verified by the following formula.
[0222]
[Expression 23]

[0223]
Organizer 2 has non-repudiation signature r^~, Λ^~And (r, λ) is posted on the public bulletin board 3 only when the group signature t is valid.
[0224]
General bidders can use (r, λ, r^~, T, W_k, P_G) To verify the validity of the group signature (the validity of the winning bid) using the following formula.
[0225]
[Expression 24]

[0226]
FIG. 13 shows information given to the auction organizer 2 and information posted on the public bulletin board 3. In the present embodiment, unlike FIG. 12 described above, r is added to the information given to the auction organizer 2 at the time of confirmation.
[0227]
As described above, according to the present embodiment, data r used in the bidding protocol and the bidding protocol is used.^~, Σ, t are concealed by an encryption process using a random number r. In addition to the effect of the second embodiment, the organizer 2 breaks the confidentiality of the signature of the bid amount with a brute force using an attack algorithm. Even if it tries to do so, it cannot be broken because the random number r is unknown. That is, according to the present embodiment, an attack by an attack algorithm can be prevented regardless of the kind of bid amount.
[0228]
This function and effect will be described in detail. That is, in the third embodiment, compared to the second embodiment, the first concealment process for encrypting the random number r for concealing the bid amount by itself and the random function r for the hash function H of the group signature t are used. 2 concealment processing is added.
[0229]
Here, the first concealment process is to conceal the random number r by raising the random number r to the power of the two secret variables r and x including the self r, and is a discrete logarithm problem that lays the foundation of the cryptographic theory. The confidentiality of the random number r is increased to a level comparable to the difficulty.
[0230]
In the second concealment process, the hash value H (wk, r) obtained by inputting the unknown random number r of the organizer 2 to the one-way hash function H as shown in FIG.^~, R, λ) makes it impossible for the organizer 2 to calculate the group signature t. In the second embodiment, as shown in FIG. 15, the input value (wk, r) of the hash function H in the group signature t^~, Λ) are all known to the organizer 2, the malicious organizer 2 may limit the bid amount from the known information and the type of bid amount.
[0231]
In summary, according to the third embodiment, the difficulty of r calculation is increased in the first concealment process, and the calculation of r is an essential requirement in the second concealment process, so that the attack algorithm can be applied comprehensively. Can be disabled.
[0232]
Such a third embodiment is suitable for an environment in which complete secrecy of the bid price signature is required. On the other hand, the second embodiment is less time consuming to calculate than the third embodiment, so it is suitable for cases where there are many types of bid amounts or when higher processing speed is required than the confidentiality of the bid amount signature. ing. It is desirable that the second and third embodiments are properly used according to the environment to which they are applied.
[0233]
(Fourth embodiment of the invention)
In the first and second embodiments, a non-repudiation signature that does not attach an unencrypted message (called a non-repudiation signature without a message) is used to select certain information without disclosing the bidder's bid information. It can be verified whether or not. In addition, a messageless non-repudiation signature can be converted into a normal digital signature (hereinafter simply referred to as a digital signature) by giving a release key from the bidder. By using this technique, it is possible to construct an information certification system that enables the information selector to prove the selection information without disclosing the selection information. In the present embodiment, a case where the method of the first embodiment is applied to an information certification method will be described.
[0234]
FIG. 16 is a diagram showing a configuration example of an Internet game system to which the information proving method according to the fourth embodiment of the present invention is applied.
[0235]
The system shown in the figure shows a case where the information certification method is applied to an Internet game system, and is configured by connecting a questioner apparatus 52 and an answerer apparatus 53 to an Internet network 51.
[0236]
The questioner apparatus 52 is a combination of the registration institution apparatus 4, the auction organizer apparatus 2, and the public bulletin board apparatus 3 in the first embodiment, and includes a registration unit 61, a public bulletin board 62, a game progression unit 63, and an answer storage unit. 64 and a problem storage unit 65.
[0237]
The registration part 61 is comprised similarly to the registration organization apparatus 4 of 1st Embodiment, and receives registration of a game participant. The public bulletin board 62 is configured in the same manner as the public bulletin board apparatus 3 of the first embodiment, and displays information necessary for the progress of the game and may be disclosed.
[0238]
The game progression unit 63 is configured in the same manner as the auction organizer apparatus 2 in the first embodiment, and has a function for executing a signature verification and a denial / confirmation protocol. Etc.
[0239]
The answer storage unit 64 stores the answer from the game participant (the answerer device 53). This answer may be posted on the public bulletin board 62. The problem storage unit 65 stores problems used in the game.
[0240]
On the other hand, the answerer apparatus 53 is configured similarly to the bidder apparatus 5 in the first embodiment, and includes a registration unit 71, an answer creation unit 72, and a response processing unit 73. The registration unit 71 requests game participation registration from the questioner device 52, and the answer creation unit 72 creates a message non-repudiation signature and transmits it to the questioner device.
[0241]
In addition, the response processing unit 73 has a function for executing a signature verification and a denial / confirmation protocol, and performs an answer to the questioner apparatus 52, an answer confirmation process, and the like.
[0242]
The Internet game system having such a configuration operates as follows.
[0243]
First, the questioner device 52 recruits game participants through a homepage or the like, and the answerer device 53 who wishes to participate in the game registers to participate in the game (w1). This registration process is the same as the registration protocol in the first embodiment.
[0244]
When the game is started, a question is sent from each questioner device 52 to each answerer device 53 (w2) or posted on the public bulletin board 62. However, answer candidates for the question are selectively presented.
[0245]
From the answerer apparatus 53, the answer is sent to the questioner apparatus 52 in the form of a message non-repudiation signature (w3). At this time, the question and answer format may be one question and one answer, or the problem may be collectively answered and answered.
[0246]
Next, the answerer device 53 is notified of the correct answer to the question from the questioner device 52 (w4).
In response to this, the answerer device 53 notifies the questioner device 52 whether or not the answer is correct (w5). At this time, as a notification method, when it is desired to conceal which option the answerer has selected, the confirmation protocol and the denial protocol of the first embodiment are used. Also, when the actual answer content itself is desired to be disclosed, an answer release key is sent from the answerer apparatus 53, and the questioner apparatus 52 converts the messageless refusal signature into a digital signature and publishes it. It can be selected according to the nature of the game.
[0247]
By repeating the above process, the game can be progressed in real time with an unspecified number of game participants wishing to participate through the Internet as answerers.
[0248]
As described above, since the information proving method according to the embodiment of the present invention answers the selective information using the message non-repudiation non-repudiation signature, whether the answer is correct or not is correct Can only prove.
[0249]
Moreover, although this embodiment demonstrated the case where it applied to an internet game, this information certification method can be applied to various situations.
[0250]
(Fifth embodiment of the invention)
In the second embodiment, an electronic bidding method that conceals the signature of the bid amount is disclosed. However, in the second embodiment, the bid amount w_k(1<k<m) and its type (w₁, W₂, ..., w_m) Instead of general message m_k(1<k<n) and its type (m₁, M₂, ..., m_n) Is not limited to electronic bidding, but can be extended to a digital signature scheme of a higher concept (the number m of bid amounts w and the number n of messages m are equal to each other).
[0251]
Therefore, in the fifth embodiment, a digital signature scheme based on the protocol of the second embodiment will be described. In the present embodiment, the name in the first and second embodiments is changed to a name representing a superordinate concept. For example, the bid protocol described above has the same content, but the name has been changed to the acceptance protocol, and the bid amount w has been changed to the name message m. Similarly, the disclosure / successful bid protocol has the same content, but the name is changed to the public protocol. In addition, the auction listing request by the client 6 can be selected by name, request, request, inquiry, sweepstakes application, quiz, alternative test, election, questionnaire survey, reservation reception, registration of history such as temporary staffing, etc. To the name of the one with a typical message response.
[0252]
FIG. 17 is a block diagram showing an example of a digital signature system to which a digital signature method according to the fifth embodiment of the present invention is applied. The same kind of parts as in FIG. Detailed explanation is omitted, and different parts are mainly described. In the following embodiments, the same description is omitted.
[0253]
That is, the present embodiment is a modification example in which the second embodiment is extended to a versatile digital signature method. Specifically, a plurality of first verifier devices 2x and group key generation via the network 1 An institution apparatus 2y, a plurality of second verifier apparatuses 3x, a key registration institution apparatus 4x, and a signer apparatus 5x are connected to each other.
[0254]
Here, each first verifier device 2x has the group key generation function omitted in the function of the organizer device 2 described above, and instead of the public bulletin board device 3, data ( h, r^~, Σ, t), (r, λ) are sequentially provided.
[0255]
The group key generation institution apparatus 2y has a group key generation function in the organizer apparatus 2 described above. Specifically, as shown in FIG. 18, the key generation unit 2y_aIt has.
Key generator 2y_aIs a function for dividing the signer device 5x and a plurality of third-party devices (not shown) (for example, other signer devices 5x ', etc.) into several groups during execution of the reception protocol, and a secret key S for each group J._Gj∈Zq^*And public key P_Gj= Α^{S Gj}A function for generating (mod p) and a private key S for signature of each group J_GjIs secretly transmitted to the signer device 5x and each third party device.
[0256]
Each second verifier device 3x is a low-level verifier device that verifies a possible range (= group signature) using less information than the first verifier device 2x. It has a registration function (excluding a public function) and a group signature verification function in the bidder apparatus 5 described above.
[0257]
The key registration institution apparatus 4x has the function of the registration institution apparatus 4 described above. Specifically, the public key P sent from the signer apparatus 5x is used._AIs registered in a database (not shown) in association with the personal information of the signer, and after this registration, the public key P_AKey certificate Cert for_AIs issued and sent to the signer apparatus 5x.
[0258]
The signer apparatus 5x has the function of the bidder apparatus 5 described above. Specifically, as shown in FIG. 18, the key generation unit 5x_a, Signature generation unit 5x_b, Denial processing part 5x_cAnd confirmation processing unit 5x_dIt has.
[0259]
Key generator 5x_aSigner's private key S_A∈Zq^*And public key P_A= Α^{S A}(Modp) generating function and public key P_AIs sent to the key registration institution apparatus 4x.
[0260]
Signature generator 5x_bIs a message space M = {m₁, M₂, ..., m_n} To one message m_kA function for selecting (k∈M) and a random number x, k, μ∈Zq^*And variable data h, r, r based on the random numbers x, k, μ^~, Λ, λ^~, C, σ and a group signature t, and data excluding r in the calculation results (h, r^~, Λ, λ^~, Σ, t), public key P_AAnd key certificate Cert_ATo the first verifier device 2x.
[0261]
The signature generation unit 5x_bThe first verifier device 2x sends some data (h, r) to the second verifier device 3x.^~, Σ, t), when there is no function to send out the data (h, r)^~, Σ, t) has a function of sending the second verifier apparatus 3x. In other words, the data (h, r^~, Σ, t) may be sent from the signer device 5x via the first verifier device 2x to the second verifier device 3x, or directly from the signer device 5x. May be sent to.
[0262]
Denial processing part 5x_cHas a function of executing the above-described denial protocol, and the message m selected by each first verifier device 2x, each second verifier device 3x, or each third party device._iΕM (i ≠ k) is the signature generation unit 5x_bMessage m selected in_kNot (m_i≠ m_k), As described above, discrete logarithm non-equivalence log_βz ≠ log_αIt has a function of presenting y to the first verifier device 2x.
[0263]
Confirmation processing unit 5x_dHas a function of executing the same public protocol (eg, disclosure / successful bid protocol) as described above, and is selected by each first verifier device 2x, each second verifier device 3x, or each third party device. Message m_iΕM (i = k) is the signature generation unit 5x_bMessage m selected in_k(M_i= M_k), The data x is sent to the first verifier device 2x.
[0264]
Next, the operation of the message selection system configured as described above will be described. Each protocol is the same as that in the second embodiment, but the devices that share the processes in each protocol are slightly different. Hereinafter, each protocol will be described in accordance with the above-described context.
[0265]
[Initial setting]
The initial setting is the same as in the first and second embodiments.
[Registration Protocol]
The registration protocol is that the signer device 5x uses the signer's public key P_AIn response to the key certificate Cert from the key registration authority device 4x_AIs a process of issuing
[0266]
Key generation unit 5x of signer apparatus 5x_aThe secret key S_A∈Z_q ^* Is generated and the public key P_A= Α^SA(Mod p) is defined. This public key P_AIs the key generation unit 5x from the signer device 5x whose identity is revealed._aIs sent to the key registration institution apparatus 4x.
[0267]
On the other hand, the key registration authority device 4x is configured to use the public key_AIs registered in the database in association with the personal information of the signer, and then the public key P_AKey certificate Cert for_AIs sent to the signer apparatus 5x.
[0268]
[Reception protocol]
Key generation unit 2y of group key generation organization apparatus 2y_aDuring execution of the acceptance protocol, the signer device 5x and a plurality of third-party devices (not shown) are divided into several groups, and the secret key S for each group J is assigned._Gj∈Zq^*And public key P_Gj= Α^{S Gj}(Mod p) and a signature private key S for each group J_GjIs secretly sent to the signer device 5x and each third party device (not shown) of the group J.
[0269]
Next, the signer apparatus 5x responds to any request or the like in the same manner as described above by using the message space M = {m₁, M₂, ..., m_n} To one message m_k(K∈M) is selected, then random numbers x, k, μ∈Z_q ^*And calculate the following:
[0270]
[Expression 25]

[0271]
Further, a group signature t is calculated.
[0272]
[Equation 26]

[0273]
Hereinafter, as described above, the signer apparatus 5x is (P_A, Cert_A, H, r^~, Λ, λ^~, Σ, t) are sent to the first verifier apparatus 2x. The first verifier device 2x is (h, r^~, Σ, t) are sent to the second verifier apparatus 3x.
[0274]
[Rejection Protocol]
The denial protocol is executed as in the second embodiment.
That is, at the time of denial, the denial processing unit 5x of the signer apparatus 5x_cIs the message m selected by each first verifier device 2x etc._iΕM (i ≠ k) is the signature generation unit 5x_bMessage m selected in_kNot (m_i≠ m_k), As described above, discrete logarithm non-equivalence log_βz ≠ log_αy is presented to the first verifier device 2x.
[0275]
[Public protocol]
Confirmation processing unit 5x of signer apparatus 5x at the time of publication_dIs the message m selected by each first verifier device 2x etc._iΕM (i = k) is the signature generation unit 5x_bMessage m selected in_k(M_i= M_k), The data x is sent to the first verifier device 2x.
[0276]
The first verifier device 2x (P_A, Cert_A, H, r^~, Λ, λ^~, Σ, t) and x are used to verify the validity of the non-repudiation signature by the following verification formula.
[0277]
[Expression 27]

[0278]
Next, λ^~= Λ^xVerify the consistency of (mod p). Only when these non-repudiation signatures are valid
[0279]
[Expression 28]

[0280]
And the group signature is verified by the following formula.
[0281]
[Expression 29]

[0282]
The first verifier device 2x uses a non-repudiation signature r^~, Λ^~The data (r, λ) is sent to the second verifier device 3x only when the group signature t is valid.
[0283]
The second verifier device 3x is similar to the (r, λ, r^~, T, m_k, P_G) To verify the validity of the group signature using the following formula.
[0284]
[30]

[0285]
FIG. 19 shows information given to the first verifier device 2x and information given to the second verifier device 3x.
[0286]
As described above, according to the present embodiment, not only the electronic bidding method but also the higher-level concept digital signature method can obtain the same operational effects as those of the second embodiment.
[0287]
That is, the privacy of the signer can be protected and the client profit can be protected by preventing the collusion, and the general encryption can be performed without depending on the reliability of the first verifier device 2x or the anonymous communication path. Implementation can be facilitated as a system can be constructed only by technology.
[0288]
Also, send encrypted message information as a non-repudiation signature with the unencrypted message unattached, and at the time of confirmation, prove the equivalence / non-equivalence of the discrete logarithm included in the non-repudiation signature Therefore, the confidentiality of the information transmitted by the signer is enhanced, and as a result, privacy protection and collusion prevention are further enhanced.
[0289]
Further, after confirming that the designated message has been selected by using the group signature, the second verifier device 3x confirms the message information without leaking information such as the public key related to the signer device 5. be able to.
[0290]
In addition, the present embodiment can satisfy the same conditions (1x) to (3x) as described above.
(1x) The first verifier device 2x and other signer devices cannot know which message the signer has signed unless the signer device 5x sends new data at the time of verification.
(2x) The signer apparatus 5x cannot deny that the selected message has been signed in the denial protocol.
(3x) Since the first verifier device 2x and the other signer devices do not know the private key of the signer device 5x that has selected the designated message, the legitimate signature and the denial-added signature of the selected signer device 5x are used. It cannot be calculated.
[0291]
(Sixth embodiment of the invention)
The sixth embodiment is the fifth embodiment in which the e-bidding system of the second embodiment is conceptualized, and the third embodiment for blocking the attack algorithm of the organizer 2 (first verifier device 2x). It has been applied.
Hereinafter, the modified part of the fifth embodiment will be described in the context of the third embodiment with reference to FIGS. 17 and 18 described above. In the sixth embodiment, regardless of the type of message, the attack algorithm is blocked and the conditions (1x) to (3x) are always satisfied.
[0292]
Specifically, in the sixth embodiment, data r used in the reception protocol and the public protocol.^~, Σ, t are changed as follows.
That is, the sixth embodiment is the same as the r in the fifth embodiment.^~= R^x(Mod p), σ = k−cS_A(Mod q), a hash function H (W in the denominator of t_k, R^~, Λ) instead of r^~= (R^r)^x(Mod p), σ = kr−cS_A(Mod q), a hash function H (W in the denominator of t_k, R^~, R, λ) are used.
[0293]
The digital signature system according to the present embodiment includes an encryption process for concealing such a random number r with two variables r and x including itself, and random numbers r and r before and after concealment.^~A group signature based on the above is performed, and the reception protocol and the public protocol are modified accordingly, and the configuration is the same as in the fifth embodiment.
[0294]
Hereinafter, the modified reception protocol and public protocol will be described.
[Reception protocol]
Processing of grouping of the group key generating institution apparatus 2y at the time of registration and S of the secret key for signature of each group J_GjThe sending process is as described above.
Next, in the same way as described above, the signer apparatus 5x responds to a request or the like with a message space M = {m₁, M₂, ..., m_n} To one message m_k(K∈M) is selected, then random numbers x, k, μ∈Z_q ^*And calculate the following: In the following calculation, r^~, Σ, and t are encrypted using a random number r, unlike the fifth embodiment. R is data unknown to the first verifier apparatus 2x, and r^~Is encrypted unknown data obtained by encrypting the unknown data r using the r itself. Σ is the first encrypted message information, and H (wk, r in t^~, R, λ) is the second encrypted message information.
[0295]
[31]

[0296]
Further, a group signature t is calculated.
[0297]
[Expression 32]

[0298]
Hereinafter, as described above, the signer apparatus 5x is (P_A, Cert_A, H, r^~, Λ, λ^~, Σ, t) are sent to the first verifier apparatus 2x. The first verifier device 2x is (h, r^~, Σ, t) are sent to the second verifier apparatus 3x.
[0299]
As described above, the first verifier device 2x sends data (h, r) to the second verifier device 3x.^~, Σ, t) is not transmitted, and the signature generation unit 5x_bIs the data (h, r^~, Σ, t) may be sent to the second verifier apparatus 3x.
[0300]
[Rejection Protocol]
The denial protocol is executed as in the fifth embodiment.
[Public protocol]
The overall flow is the same as that of the fifth embodiment, but with the encryption using r, each verification expression is changed to a content including r. Hereinafter, the description will be made in accordance with the above-described context.
[0301]
At the time of a successful bid, the signer device 5x sends x and r to the first verifier device 2x. The first verifier device 2x (P_A, Cert_A, H, r^~, Λ, λ^~, Σ, t) and x, r are used to verify the validity of the non-repudiation signature by the following verification expression.
[0302]
[Expression 33]

[0303]
Next, λ^~= Λ^xVerify the consistency of (mod p). Only when these non-repudiation signatures are valid, the group signature is verified by the following formula.
[0304]
[Expression 34]

[0305]
The first verifier device 2x uses a non-repudiation signature r^~, Λ^~The data (r, λ) is sent to the second verifier device 3x only when the group signature t is valid.
[0306]
The second verifier device 3x is similar to the (r, λ, r^~, T, m_k, P_G) To verify the validity of the group signature using the following formula.
[0307]
[Expression 35]

[0308]
FIG. 20 shows information given to the first verifier device 2x and information posted on the second verifier device 3x. In the present embodiment, unlike FIG. 19 described above, r is added to the information given to the first verifier device 2x.
As described above, according to the present embodiment, the same effects as those of the third embodiment can be added also in the fifth embodiment of the digital signature method.
That is, in the sixth embodiment, in addition to the effects of the fifth embodiment, the first and second concealment steps using unknown data are used, so that the brute force attack by the malicious first verifier device is performed. Application of the algorithm can be prevented.
[0309]
In addition, this invention is not limited to said each embodiment, It can change variously in the range which does not deviate from the summary. In addition, the embodiments may be appropriately combined as much as possible, and in that case, the combined effect is obtained.
[0310]
For example, in the first to third embodiments, the case where the bid amount is selectively presented from the auction organizer device and the bidder selects this is described. In a broad sense. That is, even selection in units of one yen is selective, and in such a case, the auction organizer apparatus may indicate only the maximum amount or the minimum amount (successful bid protocol start amount). In this case, the result is selected in units of one yen. In some cases, it is not necessary to present even the highest amount or the lowest amount (starting bid protocol starting amount). In this case, the auction organizer device may present a provisional maximum amount (or minimum amount) and confirm whether or not the bid is made at or above (or below) this amount by a denial protocol. If there is a person who cannot be denied, the provisional maximum amount may be increased.
[0311]
As described above, the selective bid amount has a wide meaning in this specification, but it is efficient to select from a finite amount of money specifically presented by the auction organizer device. It is preferable to perform a simple process.
[0312]
The method described in the embodiment is a program (software means) that can be executed by a computer (computer), for example, a magnetic disk (floppy disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a semiconductor, etc. It can be stored in a storage medium such as a memory, or transmitted and distributed via a communication medium. The program stored on the medium side includes a setting program for configuring software means (including not only the execution program but also a table and data structure) to be executed in the computer. A computer that implements the present apparatus reads the program recorded in the storage medium, constructs software means by a setting program in some cases, and executes the processing described above by controlling the operation by the software means.
[0313]
Note that the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention at the stage of implementation. In addition, the embodiments may be appropriately combined as much as possible, and in that case, combined effects can be obtained. Furthermore, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriate combinations of a plurality of disclosed configuration requirements. For example, when an invention is extracted by omitting some constituent elements from all the constituent elements shown in the embodiment, when the extracted invention is implemented, the omitted part is appropriately supplemented by a well-known common technique. It is what is said.
[0314]
In addition, the present invention can be implemented with various modifications without departing from the gist thereof.
[0315]
【The invention's effect】
  As described above in detail, according to the present invention, an electronic bidding method that protects the privacy of the bidder and the signer, prevents rigging, and protects the client's profit.LawAnd a recording medium can be provided.
[0316]
  In addition, according to the present invention, while protecting privacy and preventing collusion, the system is constructed with only a general encryption technology without depending on the assumptions such as the reliability of the bidding institution and the first verifier device and the anonymous communication path. E-bidding method that can be easily implemented as possibleLawAnd a recording medium can be provided.
[Brief description of the drawings]
FIG. 1 is a configuration diagram showing an example of an electronic bidding system to which an electronic bidding method according to a first embodiment of the present invention is applied.
FIG. 2 is a block diagram illustrating a configuration example of an auction organizer apparatus.
FIG. 3 is a block diagram illustrating a configuration example of a bidder apparatus.
FIG. 4 is a flowchart illustrating a processing procedure in the electronic bidding method according to the embodiment.
FIG. 5 is a view showing processing of a registration protocol in the embodiment.
FIG. 6 is a diagram showing processing of a bidding protocol in the embodiment.
FIG. 7 is a diagram schematically showing a state of a bidding stage.
FIG. 8 is a diagram showing processing of a disclosure / successful bid protocol in the embodiment.
FIG. 9 is a diagram schematically showing a state until a successful bid.
FIG. 10 is a diagram schematically showing a successful bid and its verification.
FIG. 11 is a conceptual diagram illustrating an electronic bidding method according to a second embodiment of the present invention.
FIG. 12 is a view showing information given to the auction organizer and information posted on the public bulletin board in the embodiment.
FIG. 13 is a diagram showing information given to the auction organizer and information posted on the public bulletin board in the embodiment.
FIG. 14 is a schematic diagram for explaining a group signature generation process in the embodiment;
FIG. 15 is a schematic diagram for explaining a group signature generation process according to the second embodiment;
FIG. 16 is a diagram showing a configuration example of an Internet game system to which an information certification method according to a fourth embodiment of the present invention is applied.
FIG. 17 is a block diagram showing an example of a digital signature system to which a digital signature method according to a fifth embodiment of the present invention is applied.
FIG. 18 is a schematic diagram showing a configuration of a group key generating institution device and a signer device in the embodiment;
FIG. 19 is a view showing information given to the auction organizer and information posted on a public bulletin board according to the embodiment;
FIG. 20 is a diagram showing information given to an auction organizer and information posted on a public bulletin board according to the sixth embodiment of the present invention.
[Explanation of symbols]
1 ... Network
2 ... Auction organizer device
2x ... First verifier device
2y ... Group key generator organization device
2y_a, 5x_a... Key generator
3 ... Public bulletin board system
4 ... Registration organization equipment
4x ... Key registration authority device
5 ... Bidder device
5x ... Signer device
5x_b... Signature generator
5x_c... Denial processing section
5x_d… Confirmation processing department
6 ... Client device
7 ... Auditor device
11 ... Bid processing department
12 ... Disclosure successful bid processing section
21 ... Net information search section
22 ... Bid processing part
23 ... Successful bid processing part
24. Registration processing section
51 ... Internet network
52. Questioner device
53. Solver device
61 ... Registration Department
62 ... Public notice board
63 ... Game progression part
64 ... answer storage
65. Problem storage unit
71 ... Registration Department
72. Answer creation section
73 ... Response processing unit

Claims (14)

Through an electronic communication path, an auction is performed by transmitting and receiving information between a bidder apparatus that can refer to an open electronic bulletin board apparatus and an auction organizer apparatus that can refer to and write to the electronic bulletin board apparatus. In the e-bidding method,
A bid step of selecting any of the selective bid amounts posted on the electronic bulletin board device, encrypting the selected bid amount information and transmitting the selected bid amount information from the bidder device to the auction organizer device;
After bidder device transmits a bid price information encrypted by specifying the amount of money from the highest or lowest bid amount of said selective bid amount, in the amount specified to the bidder device from auctioneer device whether the bid with confirmed using undeniable signature protocol, successively lowering the authorized amount to be ascertained from any one of the bidders device that has bid on a specified amount of the selective bid Or a confirmation step that goes up,
In the confirmation step, when a bidder device that bids at a specified amount is confirmed, a successful bid determination step of determining to make a successful bid by bidding from the bidder device;
In the bidding step, the encrypted bid amount information is sent as a non-repudiation signature with the unencrypted bid amount not attached,
An electronic bidding method characterized in that, in the confirmation step, whether or not a bid is made at a specified amount is confirmed by determining whether the discrete logarithm included in the non-repudiation signature is equivalent or not. 2. The electronic bidding method according to claim 1 , wherein, in the successful bid determination step, after the successful bid is determined, the encrypted bid price information for the successful bid is decrypted and confirmed. In the bidding step, the selected bidding price information is encrypted to create first and second encrypted bidding price information different from each other, and the first encrypted bidding price information is used as an auction organizer device. And a group signature transmission step of transmitting a group signature using the secret key of the group to which the bidder device belongs and the second encrypted bid amount information from the bidder device to the auction sponsor device. ,
In the selection determining step, after the successful bid is determined, the private key used for the group signature is posted on the electronic bulletin board apparatus, and the group signature is converted into a normal digital signature, whereby the second in the group signature 2. The electronic bidding method according to claim 1 , wherein the bid price information included in the encrypted bid price information is in a state that can be confirmed from another bidder apparatus. In the bidding step, the bidder device converts data unknown to the auction organizer device into encrypted unknown data by encryption using the unknown data itself as a variable, and uses the encrypted unknown data to A first concealing step for creating first encrypted bid amount information; and a second concealing step for the bidder device to create the second encrypted bid amount information using the unknown data. ,
In the confirmation step, when confirming a bid at the specified amount, the bidder device transmits the unknown data to the auction organizer device, and the auction organizer device using the unknown data. Confirming the bid price information included in the first encrypted bid price information, and using the unknown data, the auction organizer device uses the unknown data to bid the second encrypted bid price information included in the second encrypted bid price information. The electronic bidding method according to claim 3, further comprising a step of confirming monetary amount information. A bid publishing step of posting the encrypted bid amount information transmitted by the bidder device on the electronic bulletin board device ;
In the confirmation step, after the encrypted bid price information from the bidder apparatus is all posted on the electronic bulletin board apparatus, designation of the designated price is started,
2. The electronic bidding method according to claim 1 , wherein, in the successful bid determination step, after the successful bid is determined, the encrypted bid price information for the successful bid is decrypted and posted on the electronic bulletin board apparatus. In the bidding step, the encrypted bid amount information is sent as a non-repudiation signature with the unencrypted bid amount not attached,
In the confirmation step, whether or not to bid at a specified amount is determined by determining whether the discrete logarithm included in the non-repudiation signature is equivalent or not, and after making a successful bid decision, 6. The electronic bidding method according to claim 5, wherein a non-repudiation signature is converted into a digital signature and posted on the electronic bulletin board apparatus.   Before starting the confirmation step, each bidder apparatus confirms whether or not its own encrypted bid amount information posted on the electronic bulletin board apparatus is correct, and if the information is correct, the digital signature of the confirmation is The electronic bidding method according to claim 6, further comprising a bid information confirmation step that is transmitted to a bidder apparatus.   8. The bid information confirmation step, wherein a key used for the signature is a key that is given from the auction organizer device and is used in common by a plurality of bidder devices. E-bidding method. Through an electronic communication path, an auction is performed by transmitting and receiving information between a bidder apparatus that can refer to an open electronic bulletin board apparatus and an auction organizer apparatus that can refer to and write to the electronic bulletin board apparatus. A program for controlling an organizer device in an electronic bidding system,
Bid means for presenting a selective bid amount to the electronic bulletin board device and receiving bid amount information selected and encrypted by the bidder device;
All encrypted bid information after receiving, the allowed to specify the amount from the highest or lowest bid amount of selective bid amount, undeniable signature whether the bid in the amount specified to the bidder device The designated amount is sequentially decreased or increased until it is confirmed by any bidder apparatus that the bid has been made with the designated amount of the selective bid amount, and the designated amount is selected. If the bidder device that bids on the amount is confirmed, the computer functions as a successful bid means for making a successful bid by bidding from the bidder device,
As the bidding means, the encrypted bid amount information is received as a non-repudiation signature with the unencrypted bid amount not attached,
As the successful bid means, a computer-readable program having recorded thereon a program for causing a computer to confirm whether or not a bid at a specified amount is confirmed by determining whether the discrete logarithm included in the non-repudiation signature is equivalent or not. recoding media. The bidding means receives the first encrypted bid price information out of the first and second encrypted bid price information selected by the bidder apparatus and encrypted respectively, and the second encryption Receive a group signature that includes bid amount information,
As the successful bid means, after the successful bid is determined, the secret key used for generating the group signature is posted on the electronic bulletin board device, and the group signature is converted into a normal digital signature. The recording medium according to claim 9, wherein the bid price information included in the encrypted bid price information of 2 is in a state in which it can be confirmed from another bidder apparatus.   When the bidding means receives the unknown data used to create the first and second encrypted bid price information from the bidder device when confirming the bid at the specified price, And confirming the bid amount information included in the first encrypted bid amount information, and confirming the bid amount information included in the second encrypted bid amount information in the group signature using the unknown data. The recording medium according to claim 10. Through an electronic communication path, an auction is performed by transmitting and receiving information between a bidder apparatus that can refer to an open electronic bulletin board apparatus and an auction organizer apparatus that can refer to and write to the electronic bulletin board apparatus. A program for controlling a bidder apparatus in an electronic bidding system,
Bidding means for selecting any one of the selective bid amounts presented on the electronic bulletin board device, causing the selected bid amount information to be encrypted and transmitted to the auction organizer device;
When requested by the non-repudiation signature protocol whether or not the auction organizer device bids at the specified amount, the computer functions as a confirmation means for transmitting information necessary for the confirmation to the organizer device,
As the bidding means, the encrypted bid amount information is transmitted as a non-repudiation signature with the unencrypted bid amount not attached,
As the confirmation means, a computer-readable recording medium recording a program for transmitting information for determining whether the discrete logarithm included in the non-repudiation signature is equivalent or not. The bidding means encrypts the selected bid amount information to create different first and second encrypted bid amount information, and transmits the first encrypted bid amount information to the auction organizer apparatus. together is, claims, characterized in that it includes a function to transmit a group signature using the private key of the group of the self bidders device and the second encryption bid price information auctioneer device 12. The recording medium according to 12 . The bidding means converts data unknown to the auction organizer device into encrypted unknown data by encryption using the unknown data itself as a variable, and uses the encrypted unknown data to perform the first encryption. A first concealment function that creates bid amount information; and a second concealment function that creates the second encrypted bid amount information using the unknown data;
14. The recording medium according to claim 13, wherein the confirmation means includes a function of transmitting the unknown data to the auction organizer device when confirming that a bid has been made at the specified amount.

Images