JP5931797B2 - Signature system and method, signature generation apparatus, and signature verification apparatus - Google Patents


Publication number: JP5931797B2
Authority: JP (Japan)
Prior art keywords: signature, secret key, key, random number, message
Legal status: Active
Application number: JP2013111050A
Other languages: Japanese (ja)
Other versions: JP2014230254A (en)
Inventor: 陵 西巻, 英一郎 藤崎
Current Assignee: Nippon Telegraph and Telephone Corp
Original Assignee: Nippon Telegraph and Telephone Corp

Description

The present invention relates to information security technology, and in particular to electronic signature technology.

Conventional public-key security did not assume that information about the secret key could be partially leaked. In recent years, however, with the development of side-channel attacks, it has come to be considered necessary to take into account security in the case where the secret key is leaked (see, for example, Non-Patent Document 1).

The first signature scheme that remains secure even if the secret key is leaked was constructed by Katz and Vaikuntanathan (see, for example, Non-Patent Document 2).

Dodis, Haralambiev, Lopez-Alt, and Wichs proposed a scheme that is key-leakage resilient and whose secret key can be updated (see, for example, Non-Patent Document 3).

Malkin, Teranishi, Vahlis, and Yung proposed a scheme that, in addition to secret-key leakage resilience, remains secure even if the random numbers used at signature generation are leaked (see, for example, Non-Patent Document 4).

Boyle, Segev, and Wichs, like Malkin et al., proposed a scheme that, in addition to secret-key leakage resilience, remains secure even if the random numbers used at signature generation are leaked (see, for example, Non-Patent Document 5).

Furthermore, Lewko, Rouselakis, and Waters constructed an ID-based encryption scheme with master-secret-key leakage resilience, and a signature scheme with secret-key leakage resilience can be obtained from that scheme (see, for example, Non-Patent Document 6).

Non-Patent Document 1: J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten, “Lest we remember: cold-boot attacks on encryption keys”, Commun. ACM, 52(5), 2009.
Non-Patent Document 2: J. Katz and V. Vaikuntanathan, “Signature Schemes with Bounded Leakage Resilience”, In ASIACRYPT, volume 5912 of Lecture Notes in Computer Science, pages 703-720. Springer, 2009.
Non-Patent Document 3: Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, “Efficient Public-Key Cryptography in the Presence of Key Leakage”, In ASIACRYPT, volume 6477 of Lecture Notes in Computer Science, pages 613-631. Springer, 2010.
Non-Patent Document 4: T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung, “Signatures Resilient to Continual Leakage on Memory and Computation”, In TCC, volume 6597 of Lecture Notes in Computer Science, pages 89-106. Springer, 2011.
Non-Patent Document 5: E. Boyle, G. Segev, and D. Wichs, “Fully Leakage-Resilient Signatures”, In EUROCRYPT, volume 6632 of Lecture Notes in Computer Science, pages 89-108. Springer, 2011.
Non-Patent Document 6: A. B. Lewko, Y. Rouselakis, and B. Waters, “Achieving Leakage Resilience through Dual System Encryption”, In TCC, volume 6597 of Lecture Notes in Computer Science, pages 70-88. Springer, 2011.

However, all signature schemes with secret-key leakage resilience proposed so far were constructed using either non-interactive zero-knowledge proofs or ID-based encryption with master-secret-key leakage resilience, and were therefore inefficient.

FIG. 3 shows whether the signature scheme described in each of Non-Patent Documents 2 to 6 uses non-interactive zero-knowledge proofs and whether it uses ID-based encryption. FIG. 3 also shows whether each of these signature schemes performs key update and whether it has random number leakage resilience.

An object of the present invention is to provide a signature system and method, a signature generation device, and a signature verification device that are more efficient than before.

A signature system according to one aspect of the present invention includes a key generation device, a signature generation device, and a signature verification device, where $p_1, p_2, p_3$ are primes, $G$ and $G_T$ are groups of order $N = p_1 p_2 p_3$, and $e: G \times G \to G_T$ is a bilinear map.

The key generation device includes: a first random number generation unit that generates random numbers $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3, R_{3,1}, \ldots, R_{3,n+4} \in G_{p_3}$ and random numbers $x, y, x_e, y_e, \hat{r}, \hat{r}', z_1, \ldots, z_n, w_1, \ldots, w_n \in Z_N$; a secret key generation unit that generates the secret key $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$, where

$$K_{z,1} = g^{z_1} R_{3,1},\ \ldots,\ K_{z,n} = g^{z_n} R_{3,n},$$
$$K_r = g^{\hat{r}} g_2^{\hat{r}'} R_{3,n+1},\quad K_x = g^{\hat{r}x} g_2^{\hat{r}'x_e} R_{3,n+2},\quad K_y = g^{\hat{r}y} g_2^{\hat{r}'y_e} R_{3,n+3},$$
$$K_{xy} = g^{\hat{r}xy} g_2^{\hat{r}'x_e y_e} R_{3,n+4} \prod_{i=1}^{n} g^{-z_i w_i};$$

and a public key generation unit that generates the public key $VK = (N, G, g, X = g^x, Y = g^y, g_3, g^{w_1}, \ldots, g^{w_n})$.

The signature generation device includes: a second random number generation unit that generates random numbers $\tilde{r}, z_1', \ldots, z_n' \in Z_N$; and a signature generation unit that, with $m$ the message to be signed, uses the secret key $SK$ to generate the signature $\sigma = (\sigma_1, \ldots, \sigma_{n+3})$ for the message $m$, where

$$\sigma_1 = (K_{z,1})^{\tilde{r}} (g^{\tilde{r} z_1'}),\ \ldots,\ \sigma_n = (K_{z,n})^{\tilde{r}} (g^{\tilde{r} z_n'}),$$
$$\sigma_{n+1} = (K_r)^{\tilde{r}},\quad \sigma_{n+2} = (K_y)^{\tilde{r}},\quad \sigma_{n+3} = (K_x)^{\tilde{r}} (K_{xy})^{\tilde{r} m} \Bigl(\prod_{i=1}^{n} (g^{w_i})^{\tilde{r} m z_i}\Bigr).$$

The signature verification device includes a determination unit that determines whether $m \neq 0$ and the two equations

$$e(Y, \sigma_{n+1}) = e(g, \sigma_{n+2}),\qquad e(X, \sigma_{n+1})\, e(X, \sigma_{n+2})^{m} \prod_{i=1}^{n} e(g^{w_i}, \sigma_i)^{m} = e(g, \sigma_{n+3})$$

hold, and accepts the signature $\sigma$ if $m \neq 0$ and both equations hold.

A signature scheme with secret-key leakage resilience can be realized more efficiently than before.

A block diagram for explaining an example of the signature system.
A flowchart for explaining an example of the signature method.
A diagram for explaining the background art.

Hereinafter, embodiments of a signature system and method, a signature generation device, and a signature verification device will be described with reference to the drawings.

As shown in FIG. 1, the signature system includes, for example, a key generation device 1, a signature generation device 2, and a signature verification device 3. In the example of FIG. 1, the key generation device 1 is provided inside the signature generation device 2.

<Step S1, FIG. 2>
The first random number generation unit 11 of the key generation device 1 generates random numbers $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3, R_{3,1}, \ldots, R_{3,n+4} \in G_{p_3}$ and random numbers $x, y, x_e, y_e, \hat{r}, \hat{r}', z_1, \ldots, z_n, w_1, \ldots, w_n \in Z_N$ (step S1). Here, $p_1, p_2, p_3$ are predetermined primes, and $G$ and $G_T$ are groups of order $N = p_1 p_2 p_3$. $G_{p_1}, G_{p_2}, G_{p_3}$ are groups of order $p_1, p_2, p_3$, respectively. $Z_N$ is the residue class group modulo $N$.

Here, letting $\lambda_1 = \log p_1$, $\lambda_2 = \log p_2$, and $\lambda_3 = \log p_3$, we have $\log N = \lambda_1 + \lambda_2 + \lambda_3$. Let $\lambda_2 = \lambda$, $\lambda_1 = c_1 \lambda$, and $\lambda_3 = c_3 \lambda$. $\lambda$ is the security parameter and is an arbitrary positive natural number. $c_1$ and $c_3$ are constants and are arbitrary positive natural numbers. In other words, $c_1$ and $c_3$ may be any positive natural numbers.

Thus, the security parameter $\lambda$ is the bit length of the order $p_2$ of the group $G_{p_2}$, and the bit lengths of the orders $p_1$ and $p_3$ of the other groups are constant multiples of the bit length of $p_2$.

<Step S2>
The secret key generation unit 12 of the key generation device 1 uses the random numbers generated by the first random number generation unit 11 to generate the secret key $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$ (step S2), where

$$K_{z,1} = g^{z_1} R_{3,1},\ \ldots,\ K_{z,n} = g^{z_n} R_{3,n},$$
$$K_r = g^{\hat{r}} g_2^{\hat{r}'} R_{3,n+1},\quad K_x = g^{\hat{r}x} g_2^{\hat{r}'x_e} R_{3,n+2},\quad K_y = g^{\hat{r}y} g_2^{\hat{r}'y_e} R_{3,n+3},$$
$$K_{xy} = g^{\hat{r}xy} g_2^{\hat{r}'x_e y_e} R_{3,n+4} \prod_{i=1}^{n} g^{-z_i w_i}.$$

The generated secret key $SK$ is stored in the storage unit 23 of the signature generation device 2.

In these expressions, the superscript of $g$ in $K_{z,1}$ is $z_1$, and the superscript of $g$ in $K_{z,n}$ is $z_n$. The superscript of $g_2$ in $K_x$ is $\hat{r}' x_e$. The superscript of $g_2$ in $K_y$ is $\hat{r}' y_e$. In $K_{xy}$, the superscript of $g_2$ is $\hat{r}' x_e y_e$, and the superscript of $g$ inside the product is $-z_i w_i$.

<Step S3>
The public key generation unit 13 of the key generation device 1 uses the random numbers generated by the first random number generation unit 11 to generate the public key $VK = (N, G, g, X = g^x, Y = g^y, g_3, g^{w_1}, \ldots, g^{w_n})$ (step S3). The generated public key $VK$ is published outside the key generation device 1. In this example, the generated public key $VK$ is stored in the storage unit 23 of the signature generation device 2, and is also transmitted to the signature verification device 3 and stored in the storage unit 32.

Here, the superscripts of $g$ in the last components of $VK$ are $w_1, \ldots, w_n$.

<Step S4>
The second random number generation unit 21 of the signature generation device 2 generates random numbers $\tilde{r}, z_1', \ldots, z_n' \in Z_N$ (step S4). The generated random numbers $\tilde{r}, z_1', \ldots, z_n'$ are sent to the signature generation unit 22.

<Step S5>
With $m$ the message to be signed, the signature generation unit 22 of the signature generation device 2 uses the secret key $SK$ to generate the signature $\sigma = (\sigma_1, \ldots, \sigma_{n+3})$ for the message $m$ (step S5), where

$$\sigma_1 = (K_{z,1})^{\tilde{r}} (g^{\tilde{r} z_1'}),\ \ldots,\ \sigma_n = (K_{z,n})^{\tilde{r}} (g^{\tilde{r} z_n'}),$$
$$\sigma_{n+1} = (K_r)^{\tilde{r}},\quad \sigma_{n+2} = (K_y)^{\tilde{r}},\quad \sigma_{n+3} = (K_x)^{\tilde{r}} (K_{xy})^{\tilde{r} m} \Bigl(\prod_{i=1}^{n} (g^{w_i})^{\tilde{r} m z_i}\Bigr).$$

The generated signature $\sigma$ is transmitted to the signature verification device 3 together with the message $m$.

In these expressions, the superscript of $g$ in $\sigma_1$ is $\tilde{r} z_1'$, and the superscript of $g$ in $\sigma_n$ is $\tilde{r} z_n'$. In $\sigma_{n+3}$, the superscript of $g$ is $w_i$, and the superscript of $(g^{w_i})$ is $\tilde{r} m z_i$.

<Step S6>
The determination unit 31 of the signature verification device 3 uses the signature $\sigma$ and the message $m$ received from the signature generation device 2 and the public key $VK$ read from the storage unit 32 to determine whether $m \neq 0$ and the two equations

$$e(Y, \sigma_{n+1}) = e(g, \sigma_{n+2}),\qquad e(X, \sigma_{n+1})\, e(X, \sigma_{n+2})^{m} \prod_{i=1}^{n} e(g^{w_i}, \sigma_i)^{m} = e(g, \sigma_{n+3})$$

hold, and accepts the signature $\sigma$ if $m \neq 0$ and both equations hold (step S6). The superscript of $g$ in the second equation is $w_i$. If $m = 0$ or either of the two equations does not hold, the signature $\sigma$ is not accepted.

Here, $G$ and $G_T$ are groups of order $N = p_1 p_2 p_3$, and $e: G \times G \to G_T$ is a bilinear map.

When the signature verification device 3 accepts the signature $\sigma$, it may output information indicating that the signature has been accepted, for example "1". When it does not accept the signature $\sigma$, it may output information indicating that the signature has not been accepted, for example "0".
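The following added example (not part of the patent text) models the composite-order group "in the exponent" to show why the first check of step S6, $e(Y, \sigma_{n+1}) = e(g, \sigma_{n+2})$, holds even though $K_r$ and $K_y$ carry $G_{p_2}$ and $G_{p_3}$ components: pairing against an element of $G_{p_1}$ cancels them. The toy primes, the exponent representation and all function names are assumptions of this sketch, and only the first of the two equations is covered.

```python
"""Toy model of the check e(Y, sigma_{n+1}) = e(g, sigma_{n+2}).

A cyclic group G = <gamma> of order N = p1*p2*p3 is modelled in the exponent:
gamma^a is stored as the integer a mod N, so the group operation is addition,
exponentiation is scalar multiplication, and e(gamma^a, gamma^b) =
e(gamma, gamma)^(a*b) is stored as a*b mod N. Discrete logs are visible in
this model, so it checks the algebra only and provides no security.
"""
import secrets

# Constructed toy primes (assumption of this example, far too small for use).
P1, P2, P3 = 1009, 1013, 1019
N = P1 * P2 * P3


def sample_subgroup(prime: int) -> int:
    """Random non-identity element of the order-`prime` subgroup of G."""
    cofactor = N // prime  # gamma^cofactor generates that subgroup
    return (1 + secrets.randbelow(prime - 1)) * cofactor % N


def mul(*elems: int) -> int:
    """Group operation: product of elements = sum of exponents."""
    return sum(elems) % N


def power(elem: int, k: int) -> int:
    """elem^k in G."""
    return elem * k % N


def pair(a: int, b: int) -> int:
    """Bilinear map e: G x G -> G_T, result stored as an exponent mod N."""
    return a * b % N


def keygen_part():
    """Only the key material the first check touches: g, Y, K_r, K_y."""
    g, g2 = sample_subgroup(P1), sample_subgroup(P2)
    r3_r, r3_y = sample_subgroup(P3), sample_subgroup(P3)  # R_{3,n+1}, R_{3,n+3}
    y, y_e, r_hat, r_hat_p = (secrets.randbelow(N) for _ in range(4))
    k_r = mul(power(g, r_hat), power(g2, r_hat_p), r3_r)
    k_y = mul(power(g, r_hat * y), power(g2, r_hat_p * y_e), r3_y)
    return {"g": g, "Y": power(g, y)}, {"K_r": k_r, "K_y": k_y}


def sign_part(sk):
    """sigma_{n+1} = K_r^r~ and sigma_{n+2} = K_y^r~ with fresh r~."""
    r_tilde = secrets.randbelow(N)
    return power(sk["K_r"], r_tilde), power(sk["K_y"], r_tilde)


def first_check(vk, s_n1: int, s_n2: int) -> bool:
    """e(Y, sigma_{n+1}) == e(g, sigma_{n+2})."""
    return pair(vk["Y"], s_n1) == pair(vk["g"], s_n2)


if __name__ == "__main__":
    vk, sk = keygen_part()
    s_n1, s_n2 = sign_part(sk)
    # Subgroups of different prime order pair to the identity of G_T.
    print("e(G_p1, G_p2) trivial:", pair(sample_subgroup(P1), sample_subgroup(P2)) == 0)
    print("honest components accepted:", first_check(vk, s_n1, s_n2))
    # Changing the G_p1 part of sigma_{n+2} breaks the equation.
    print("altered sigma_{n+2} accepted:", first_check(vk, s_n1, mul(s_n2, vk["g"])))
```
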

The signature system and method described above use neither non-interactive zero-knowledge proofs nor ID-based encryption.

Moreover, this signature system and method is a secure signature scheme with secret-key leakage resilience, provided that the so-called subgroup decision assumption on composite-order groups holds. This is because, in this signature system and method, the secret key $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$ consists of many values $K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy}$, and these values are elements of the groups $G_{p_1}, G_{p_2}, G_{p_3}$ rather than of a residue class group such as $Z_N$. For details of the proof that this signature system and method is a secure signature scheme with secret-key leakage resilience if the subgroup decision assumption on composite-order groups holds, see Reference 1.
[Reference 1] Yoshihiro Koseki, Ryo Nishimaki, Eiichiro Fujisaki, Keisuke Tanaka, “Dual Form Signature Secure against Secret Key Leakage”, SCIS2013

[Modification]
In the example of FIG. 1, the key generation device 1 is provided inside the signature generation device 2, but the key generation device 1 may instead be provided outside the signature generation device 2. In this case, the key generation device 1 generates the secret key $SK$ and the public key $VK$ in the same manner as described above, transmits the secret key $SK$ secretly to the signature generation device 2, and transmits the public key $VK$ to the signature generation device 2 and the signature verification device 3.

The processes described for the above devices and method need not be executed in time series in the order described; they may also be executed in parallel or individually, depending on the processing capability of the device executing them or as needed.

When each process in each device of the signature system is realized by a computer, the processing content of the functions that each device should have is described by a program. Executing this program on a computer realizes each process on the computer.

The program describing this processing content can be recorded on a computer-readable recording medium. The computer-readable recording medium may be of any kind, for example a magnetic recording device, an optical disc, a magneto-optical recording medium, or a semiconductor memory.

Each processing means may be configured by executing a predetermined program on a computer, or at least part of the processing content may be realized in hardware.

Needless to say, other modifications may be made as appropriate without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS
1 Key generation device
11 First random number generation unit
12 Secret key generation unit
13 Public key generation unit
2 Signature generation device
21 Second random number generation unit
22 Signature generation unit
23 Storage unit
3 Signature verification device
31 Determination unit
32 Storage unit

Claims (4)

1. A signature system comprising:
a key generation device including: a first random number generation unit that, with $p_1, p_2, p_3$ primes, $G$ and $G_T$ groups of order $N = p_1 p_2 p_3$, and $e: G \times G \to G_T$ a bilinear map, generates random numbers $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3, R_{3,1}, \ldots, R_{3,n+4} \in G_{p_3}$ and random numbers $x, y, x_e, y_e, \hat{r}, \hat{r}', z_1, \ldots, z_n, w_1, \ldots, w_n \in Z_N$; a secret key generation unit that generates a secret key $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$ with $K_{z,1} = g^{z_1} R_{3,1}, \ldots, K_{z,n} = g^{z_n} R_{3,n}$, $K_r = g^{\hat{r}} g_2^{\hat{r}'} R_{3,n+1}$, $K_x = g^{\hat{r}x} g_2^{\hat{r}'x_e} R_{3,n+2}$, $K_y = g^{\hat{r}y} g_2^{\hat{r}'y_e} R_{3,n+3}$, $K_{xy} = g^{\hat{r}xy} g_2^{\hat{r}'x_e y_e} R_{3,n+4} \prod_{i=1}^{n} g^{-z_i w_i}$; and a public key generation unit that generates a public key $VK = (N, G, g, X = g^x, Y = g^y, g_3, g^{w_1}, \ldots, g^{w_n})$;
a signature generation device including: a second random number generation unit that generates random numbers $\tilde{r}, z_1', \ldots, z_n' \in Z_N$; and a signature generation unit that, with $m$ the message to be signed and $\sigma_1 = (K_{z,1})^{\tilde{r}} (g^{\tilde{r} z_1'}), \ldots, \sigma_n = (K_{z,n})^{\tilde{r}} (g^{\tilde{r} z_n'})$, $\sigma_{n+1} = (K_r)^{\tilde{r}}$, $\sigma_{n+2} = (K_y)^{\tilde{r}}$, $\sigma_{n+3} = (K_x)^{\tilde{r}} (K_{xy})^{\tilde{r} m} (\prod_{i=1}^{n} (g^{w_i})^{\tilde{r} m z_i})$, generates a signature $\sigma = (\sigma_1, \ldots, \sigma_{n+3})$ for the message $m$ using the secret key $SK$; and
a signature verification device including a determination unit that determines whether $m \neq 0$ and the two equations $e(Y, \sigma_{n+1}) = e(g, \sigma_{n+2})$ and $e(X, \sigma_{n+1})\, e(X, \sigma_{n+2})^{m} \prod_{i=1}^{n} e(g^{w_i}, \sigma_i)^{m} = e(g, \sigma_{n+3})$ hold, and accepts the signature $\sigma$ if $m \neq 0$ and the two equations hold.

2. A signature method comprising:
a first random number generation step in which a first random number generation unit of a key generation device, with $p_1, p_2, p_3$ primes, $G$ and $G_T$ groups of order $N = p_1 p_2 p_3$, and $e: G \times G \to G_T$ a bilinear map, generates random numbers $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3, R_{3,1}, \ldots, R_{3,n+4} \in G_{p_3}$ and random numbers $x, y, x_e, y_e, \hat{r}, \hat{r}', z_1, \ldots, z_n, w_1, \ldots, w_n \in Z_N$;
a secret key generation step in which a secret key generation unit of the key generation device generates a secret key $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$ with $K_{z,1} = g^{z_1} R_{3,1}, \ldots, K_{z,n} = g^{z_n} R_{3,n}$, $K_r = g^{\hat{r}} g_2^{\hat{r}'} R_{3,n+1}$, $K_x = g^{\hat{r}x} g_2^{\hat{r}'x_e} R_{3,n+2}$, $K_y = g^{\hat{r}y} g_2^{\hat{r}'y_e} R_{3,n+3}$, $K_{xy} = g^{\hat{r}xy} g_2^{\hat{r}'x_e y_e} R_{3,n+4} \prod_{i=1}^{n} g^{-z_i w_i}$;
a public key generation step in which a public key generation unit of the key generation device generates a public key $VK = (N, G, g, X = g^x, Y = g^y, g_3, g^{w_1}, \ldots, g^{w_n})$;
a second random number generation step in which a second random number generation unit of a signature generation device generates random numbers $\tilde{r}, z_1', \ldots, z_n' \in Z_N$;
a signature generation step in which a signature generation unit of the signature generation device, with $m$ the message to be signed and $\sigma_1 = (K_{z,1})^{\tilde{r}} (g^{\tilde{r} z_1'}), \ldots, \sigma_n = (K_{z,n})^{\tilde{r}} (g^{\tilde{r} z_n'})$, $\sigma_{n+1} = (K_r)^{\tilde{r}}$, $\sigma_{n+2} = (K_y)^{\tilde{r}}$, $\sigma_{n+3} = (K_x)^{\tilde{r}} (K_{xy})^{\tilde{r} m} (\prod_{i=1}^{n} (g^{w_i})^{\tilde{r} m z_i})$, generates a signature $\sigma = (\sigma_1, \ldots, \sigma_{n+3})$ for the message $m$ using the secret key $SK$; and
a determination step in which a determination unit of a signature verification device determines whether $m \neq 0$ and the two equations $e(Y, \sigma_{n+1}) = e(g, \sigma_{n+2})$ and $e(X, \sigma_{n+1})\, e(X, \sigma_{n+2})^{m} \prod_{i=1}^{n} e(g^{w_i}, \sigma_i)^{m} = e(g, \sigma_{n+3})$ hold, and accepts the signature $\sigma$ if $m \neq 0$ and the two equations hold.

3. A signature generation device, where $p_1, p_2, p_3$ are primes, $G$ and $G_T$ are groups of order $N = p_1 p_2 p_3$, $e: G \times G \to G_T$ is a bilinear map, $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3, R_{3,1}, \ldots, R_{3,n+4} \in G_{p_3}$ and $x, y, x_e, y_e, \hat{r}, \hat{r}', z_1, \ldots, z_n, w_1, \ldots, w_n \in Z_N$ are random numbers, $K_{z,1} = g^{z_1} R_{3,1}, \ldots, K_{z,n} = g^{z_n} R_{3,n}$, $K_r = g^{\hat{r}} g_2^{\hat{r}'} R_{3,n+1}$, $K_x = g^{\hat{r}x} g_2^{\hat{r}'x_e} R_{3,n+2}$, $K_y = g^{\hat{r}y} g_2^{\hat{r}'y_e} R_{3,n+3}$, $K_{xy} = g^{\hat{r}xy} g_2^{\hat{r}'x_e y_e} R_{3,n+4} \prod_{i=1}^{n} g^{-z_i w_i}$, $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$ is a secret key, and $VK = (N, G, g, X = g^x, Y = g^y, g_3, g^{w_1}, \ldots, g^{w_n})$ is a public key, the signature generation device comprising:
a second random number generation unit that generates random numbers $\tilde{r}, z_1', \ldots, z_n' \in Z_N$; and
a signature generation unit that, with $m$ the message to be signed and $\sigma_1 = (K_{z,1})^{\tilde{r}} (g^{\tilde{r} z_1'}), \ldots, \sigma_n = (K_{z,n})^{\tilde{r}} (g^{\tilde{r} z_n'})$, $\sigma_{n+1} = (K_r)^{\tilde{r}}$, $\sigma_{n+2} = (K_y)^{\tilde{r}}$, $\sigma_{n+3} = (K_x)^{\tilde{r}} (K_{xy})^{\tilde{r} m} (\prod_{i=1}^{n} (g^{w_i})^{\tilde{r} m z_i})$, generates a signature $\sigma = (\sigma_1, \ldots, \sigma_{n+3})$ for the message $m$ using the secret key $SK$.

4. A signature verification device, where $p_1, p_2, p_3$ are primes, $G$ and $G_T$ are groups of order $N = p_1 p_2 p_3$, $e: G \times G \to G_T$ is a bilinear map, $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3, R_{3,1}, \ldots, R_{3,n+4} \in G_{p_3}$ and $x, y, x_e, y_e, \hat{r}, \hat{r}', z_1, \ldots, z_n, w_1, \ldots, w_n \in Z_N$ are random numbers, $K_{z,1} = g^{z_1} R_{3,1}, \ldots, K_{z,n} = g^{z_n} R_{3,n}$, $K_r = g^{\hat{r}} g_2^{\hat{r}'} R_{3,n+1}$, $K_x = g^{\hat{r}x} g_2^{\hat{r}'x_e} R_{3,n+2}$, $K_y = g^{\hat{r}y} g_2^{\hat{r}'y_e} R_{3,n+3}$, $K_{xy} = g^{\hat{r}xy} g_2^{\hat{r}'x_e y_e} R_{3,n+4} \prod_{i=1}^{n} g^{-z_i w_i}$, $SK = (K_{z,1}, \ldots, K_{z,n}, K_r, K_x, K_y, K_{xy})$ is a secret key, $VK = (N, G, g, X = g^x, Y = g^y, g_3, g^{w_1}, \ldots, g^{w_n})$ is a public key, $\tilde{r}, z_1', \ldots, z_n' \in Z_N$ are random numbers, $m$ is the message to be signed, $\sigma_1 = (K_{z,1})^{\tilde{r}} (g^{\tilde{r} z_1'}), \ldots, \sigma_n = (K_{z,n})^{\tilde{r}} (g^{\tilde{r} z_n'})$, $\sigma_{n+1} = (K_r)^{\tilde{r}}$, $\sigma_{n+2} = (K_y)^{\tilde{r}}$, $\sigma_{n+3} = (K_x)^{\tilde{r}} (K_{xy})^{\tilde{r} m} (\prod_{i=1}^{n} (g^{w_i})^{\tilde{r} m z_i})$, and $\sigma = (\sigma_1, \ldots, \sigma_{n+3})$ is a signature for the message $m$, the signature verification device comprising:
a determination unit that determines whether $m \neq 0$ and the two equations $e(Y, \sigma_{n+1}) = e(g, \sigma_{n+2})$ and $e(X, \sigma_{n+1})\, e(X, \sigma_{n+2})^{m} \prod_{i=1}^{n} e(g^{w_i}, \sigma_i)^{m} = e(g, \sigma_{n+3})$ hold, and accepts the signature $\sigma$ if $m \neq 0$ and the two equations hold.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
JP2013111050A | 2013-05-27 | 2013-05-27 | Signature system and method, signature generation apparatus, and signature verification apparatus

Publications (2)

Publication Number | Publication Date
JP2014230254A | 2014-12-08
JP5931797B2 | 2016-06-08

Family ID: 52129686

Family Cites Families (3)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
WO2011068996A1 * | 2009-12-04 | 2011-06-09 | Cryptography Research, Inc. | Verifiable, leak-resistant encryption and decryption
US8527766B2 * | 2009-12-30 | 2013-09-03 | Microsoft Corporation | Reducing leakage of information from cryptographic systems
US8861716B2 * | 2010-03-30 | 2014-10-14 | International Business Machines Corporation | Efficient homomorphic encryption scheme for bilinear forms

Cited By (2)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN105049451A * | 2015-08-25 | 2015-11-11 | 清华大学 | Method for generating digital signature and method for verifying digital signature
CN105049451B | 2015-08-25 | 2018-10-30 | 清华大学 | The method for generating the method and verification digital signature of digital signature

Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20150714

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20160419

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20160426

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20160427

R150 Certificate of patent or registration of utility model

Ref document number: 5931797

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150