JPH09284271A - Blind signature method and system with limitation - Google Patents

Abstract

PROBLEM TO BE SOLVED: To classify signatures at verification by allowing a signature verifica tion station to use a specific public key so as to verify it that the signature is a signature of an object signature. SOLUTION: A signature generating station 100 generates a public key exponent part eD1 from public information D1, calculates a corresponding secret key exponent part dD1 and generates it. Upon the receipt of a blind signature object Z from a signature request station 200, the station 100 calculates a signature (tentative signature) Q with respect to the signature object Z and returns the signature Q to the signature request station 200. In the case of conducting verification, a signature verification station 300 receives a document (m), the signature 5 and public information D1 as verification data from the signature request station, generates the public key exponent part 2D1 from the public information D1 and obtains a signature object M=g(m) by using the document (m) and a unidirectional function (g) through hash arithmetic operation. Succeedingly, an equation of M'=S<e> D<1> modN is obtained by using the S, the eD1 and the public key N and when the M and M' are compared and they are equal to each other, the signature S is a correct signature based on the public information D1 of the document (m).

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a digital signature method and system for adding signature information to electronic information, and more specifically, a restricted blind signature method and system suitable for setting an expiration date for a signature. It is about.

[0002]

2. Description of the Related Art Blind signature is a technique in which a signature generation station signs a document while keeping the content of the document secret (blind). As a conventional technique of this, a method based on the RSA method is disclosed in Document D. Chaum, “Security wi
thout Identification: Transactions Systems to Ma
ke Big Brother Obsolete, “Comm. of the ACM
28, 10, pp. 1030-1044 (1985). The outline is shown below.

The signature requesting authority generates a blind message (x) by disturbing the document (m) with a random number (r) by blind signature preprocessing. The signature generation authority calculates a temporary signature (y) corresponding to x using the private key. At this time,
The signature generation authority cannot know the document (m) because m is disturbed by r. The signature requesting authority removes the influence of the random number (r) from y by the blind signature post-processing, obtains the true signature (y ′) for the original document (m), and verifies the pair m and y ′. Send to the station. The signature verification authority verifies that y ′ is the signature of m using the public key of the signature generation authority. Here, the signature verification authority cannot know the correspondence between y and y '.

Now, A is a signature generation authority, B is a signature request authority,
Let e _{A be} the public key of the signature generation authority A. Further, F is a blind signature pre-processing algorithm, D is a multiple blind signature algorithm, and G is a blind signature post-processing algorithm. Using these functions, the signature of the temporary created from F _eA and _{D eA Ω (= D eA (} F eA (m 1), ···, F eA (m
_k ))) is subjected to _GeA , and k messages m ₁ , ... M _k
To compute the true signature of A for S = D _eA (m ₁ , ... M _k ). The signature generation authority A and the signature request authority B create a multiple blind signature according to the following procedure.

Step 1: B performs k blind message preprocessing using F _eA to _generate k messages {m _i | i = 1, 1.
2, ..., k} k blind messages {F _eA
(M _i ) | i = 1, 2, ..., K} is generated and transmitted to A. Here, each F _eA (m _i ) is calculated independently, and the function F _eA uses a random number to hide m _i . Step 2: A is a temporary signature Ω = D _eA (F _eA (m ₁ ), ...,
F _eA (m _k ) is k blind messages F
_{It is} generated from _eA (m ₁ ), ... F _eA (m _k ) and is returned to B. Step 3: B is a true digital signature of A corresponding to m ₁ , ..., M _k by post blind processing using G _eA S = D _eA (m ₁ , ..., M _k ). To calculate.

When the RSA method is used for blind signature,

[0007]

[Equation 9]

[0008]

(Equation 10)

In addition,

[0010]

[Equation 11]

## EQU1 ## At this time, the verification formula V _e (m ₁ , ...
., M _k , S) is

[0012]

(Equation 12)

At the time of, a pass (OK) is output. here,
(E, n) is the RSA public key used by A,
The following formula is satisfied. n = p × q e × d≡1 (mod L) where L = LCM {(p−1), (q−1)} where L = LCM {a, b} is the least common multiple of a and b. And a≡b (mod n) indicates that (ab) is a multiple of n. In the embodiment of the present invention described later, k = 1
Is assumed.

[0014]

In the above-mentioned conventional blind signature method, the signature generation station cannot know or operate the signature target, so that the signature generation station cannot include any information in the signature. Therefore, when the signature verification authority wants to classify signatures, the above-mentioned conventional method embeds necessary information in the signature object M, but the signature object M is disturbed by the signature requesting authority. , The signature verification authority cannot detect even if the fake information is embedded, it cannot be correctly classified at the time of verification.

For example, when a signature has an expiration date, in the above-mentioned conventional method, the signature requesting authority embeds information regarding the expiration date in the signature object M. However, the signature verification authority cannot verify here whether the correct expiration date is embedded. Therefore, the signature requesting authority (signature requester) can easily set an invalid expiration date and obtain a signature for the expiration date, and thus can illegally operate the classification of signatures according to the expiration date.

An object of the present invention is that the signature verification result is correct only when the signature is created based on the classification information published by the signature generation authority, and the signature can be classified at the time of verification. It is an object of the present invention to provide a restricted blind signature method and system.

[0017]

SUMMARY OF THE INVENTION The present invention generally comprises:
The signature generation authority discloses the public information D and the procedure for generating the public key P from the public information D, that is, the function f (). The signature requesting authority obtains the public key P by P = f (D), and the signature target M
With the public key P, and sends the blind signature target Z to the signature generation station. The signature generation authority also uses the public key P
From P = f (D), a secret key d corresponding to the public key P is generated, a signature Q (temporary signature) for the blind signature target Z is generated using the secret key d, and the signature Q To the signature requesting authority. The signature requesting authority returns the perturbation component of the signature Q, and sets the resulting S as the signature for the signature target M before the perturbation. When verifying the signature, the signature requesting authority sends the signature S and the signature target M to the signature verifying authority. The signature verification authority obtains the public key P by P = f (D) and verifies that the signature S is a signature for the signature target M using the public key P.

In one embodiment, the invention provides that the signature generation authority
Holds the product N of two large prime numbers p, p and q, q, the least common multiple λ of p-1 and q-1, and the public information D1 and
The public key exponent part generation function f () is made public. N is also disclosed as a public key.

The signature requesting authority sets the public key exponent part e _D1 to e _D1 =
f (D1), the document m and the one-way function g
() Is used to calculate the signature target M = g (m). Then, from the random number R, the signature target M, the public key exponent part e _D1 , and the public key N,

[0020]

(Equation 13)

Then, the Z (blind signature target) is transmitted to the signature generation station in the search for. Signature generation station, after receiving the blind signature target Z, obtains the public key exponent e _D1 from the same public information D1 and signing request station by e _D1 = f (D1),
The secret key exponent part d _D1 corresponding to this e _D1 is d _D1 = 1 / e _D1
Calculate and obtain mod λ. Then, for the blind signature target Z

[0022]

[Equation 14]

The calculation of (3) is performed and the Q (temporary signature) is returned to the signature requesting authority. The signing authority requests the tentative signature Q returned.
For S = Q / R mod N,
Is the signature of the signature generation authority based on the public information D1 for the document m.

At the signature verification authority, m, S,
D1 is received, and the public key exponent part e _D1 is obtained from the public information D1 by e _D1 = f (D1). Subsequently, the signature object M = g (m) is calculated using the document m and the one-way function g (), and

[0025]

(Equation 15)

## EQU1 ## It is confirmed that M and M'are equal, and only when they are equal, the signature S is a correct signature based on the public information D1 of the document m.

[0027]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described below in detail with reference to the drawings. FIG. 1 shows an overall block diagram of the system configuration of an embodiment of the present invention. In FIG. 1, reference numeral 100 is a signature generation authority, 200 is a signature request authority, and 300 is a signature verification authority, and the processing procedures thereof are shown in FIGS. 2, 3 and 4, respectively. In this embodiment, the signature generation authority 100 uses two large prime numbers p, q and a product N, p−q and p of p, q.
It is assumed that the least common multiple λ of −q is held and the public information D1 and the public key exponent part generation function f () are made public. Also,
N is disclosed as a public key.

When requesting a signature from the signature generation station 10, the signature requesting station 200 generates a public key exponent part e _D1 from the public information _D1 by e _D1 = f (D1) (step 2
1) Further, the signature object M = g (m) is obtained by hash calculation using the document m and the one-way function g () (step 22). Subsequently, as blind signature preprocessing, a random number R, a signature target M, a public key exponent part e _D1 , and N
Blind signature target Z

[0029]

(Equation 16)

Obtained by (step 23), the blind signature target Z is transmitted to the signature generating station 100 (step 24). After that, the signature requesting authority 200 makes the signature generating authority 100
Wait for reception from.

The signature generation station 100 similarly releases the public information D1.
To generate a public key exponent part e _D1 by e _D1 = f (D1) (step 31), and generate a secret key exponent part d _D1 corresponding to this e _D1 by calculating d _D1 = 1 / e _D1 mod λ (Step 32). When the blind signature target Z is received from the signature requesting station 200 (step 33), the signature (temporary signature) Q is given to the signature target Z.

[0032]

[Equation 17]

(Step 34), the signature Q
Is sent back to the signature requesting authority 200 (step 35).

When the signature requesting authority 200 receives the signature Q from the signature generating authority 100 (step 25), it performs blind signature post-processing as follows.

[0035]

(Equation 18)

By calculating, the S is used as the signature by the signature generation station 100 based on the public information D1 for the document m (step 26).

When performing verification, the signature verification authority 300 receives the document m, the signature S, and the public information D1 as verification data from the signature request authority 200 (step 41). In the signature verification authority 300, from the public information D1 to the public key exponent e _D1
By e _D1 = f (D1) (step 42),
Furthermore, using the document m and the one-way function g (), the signature target M
= G (m) is calculated by hashing (step 4
3). Then, with S, e _D1 , and N,

[0038]

[Equation 19]

(Step 44), M and M'are compared (step 45), and if they are equal, it is assumed that the signature S is a proper signature based on the public information D1 of the document m.

Next, the signature generation station 100 and the signature requesting station 20
0 and the specific configuration and operation of the signature verification authority 300 will be described.

FIG. 5 shows a configuration example of the signature generation station 100 and the signature requesting station 200 related to the signature generation of this embodiment. The signature generation station 100 includes a storage device 101, a public key exponent part generator 102, a secret key exponent part generator 103, and a modular exponentiation calculator 104. The storage device 101 has a product of two large prime numbers p and q. N (public key), the least common multiple λ of p−1 and q−1, and today (signature generation date) as public information D1 are held.

In the signature generation station 100, the public information D1 is input to the public key exponent generator 102, and the public key exponent e _D1 is input.
Is output. Then, the output e _D1 and λ, N are input to the secret key exponent generator 103, the secret key exponent d _D1 is calculated by d _D1 = 1 / e _D1 mod λ, and the d _D1 is stored in the storage device 101. Hold to.

On the other hand, the signature requesting authority 100 stores the storage device 20.
1, a public key exponent generator 202, a random number generator 203, a hash calculator 204, a blind signature preprocessing 205, a blind signature postprocessing 206, and a storage device 201.
Holds a public key N, public information D1, and a document m to be signed.

First, the signature requesting authority 200 makes the public information D1.
The today's date is input to the public key exponent part generator 202, and the public key exponent part e _D1 is obtained as an output. Next, the random number generator 203 is driven to generate a random number R. Further, the document m is input to the hash calculator 204 to obtain the signature target M. Thereafter, e _D1 , R, M, N are assigned to the blind signature preprocessor 20.
Enter in 5

[0045]

(Equation 20)

Then, the Z (blind signature target) is transmitted to the signature generation station 100.

The signature generation station 100 confirms that the public information D1 is today's date. Then, the secret key exponents d _D1 and N corresponding to the D1 are read from the storage device 101, and d _D1 , N and Z are input to the modular exponentiation unit 104.

[0048]

(Equation 21)

Then, the Q (temporary signature) is obtained and the signature requesting station 2
Reply to 00.

The signature requesting authority 200 inputs Q, R, and N to the blind signature post-processor 206 and S = Q / R mod
N is calculated, and this S is stored in the storage device 201 as the signature of the signature generation station 100 based on the public information D1 for m.

FIG. 6 shows a configuration example of the signature requesting authority 200 and the signature verifying authority 300 in the signature verification of this embodiment.
At the time of verification, the signature requesting authority 200 reads the document m, the signature S, the public key N, and the date D1 of the public information from the storage device 201 and sends them to the signature verifying authority 300.

The signature verification authority 300 has a storage device 301, a date comparator 302, a public key exponent generator 303, a modular exponentiation calculator 304, a hash calculator 305, and a comparator 306.
Is provided. Here, it is assumed that the storage device 301 holds the public key N, the number of valid days t, and the date D2.

In the signature verification authority 300, the signature request authority 200
When m, S, D1 is received from the
Then, the valid date t and D1 are input to the date comparator 302 to verify whether D1 has expired. If it has expired, NG is output and the operation is stopped. If not expired,
The D1 is input to the public key exponent generator 303 and the public key exponent e _D1 is output. At the same time, m is the hash calculator 305
To output the signature target M. Further, by inputting S, e _D1 and N to the modular exponentiation operator 304,

[0054]

(Equation 22)

Calculate The output M ′ of the modular exponentiation calculator 304 and the output M of the hash calculator 305 are input to the comparator 306, and the signature S is correct based on the public information D1 of the document m only when the comparison results of the two match. OK is output as the signature, and NG is output if the signatures do not match.

Here, in the above embodiment, e _D1 must be coprime to λ as a condition for the existence of the secret key corresponding to the output e _D1 of the public key exponent generator. To satisfy this condition, the output e _D1 of the public key exponent generator
The bit width of is set to y bits, and p and q such that p-1 and q-1 have only prime factors of x bits or more may be used. At the same time, the output e _D1 must always be odd.

Depending on the configuration of the public key exponent generator, the following signature forgery may be possible. For example, when the signature requester can obtain a set of D1, D2 and D3 such that e _D1 = e _D2 · e _D3 mod λ, d _D1 = d _D2
・ D _D3 mod λ holds. To forge a signature using this, first, the signature S2 of the date D2 for the document m is obtained. Next, the signature S3 of the date D3 for S2 is obtained with S2 as the signature target. here,

[0058]

(Equation 23)

Therefore, S3 is equivalent to the signature S1 of the date D1 and the forgery has been completed.

In order to prevent such forgery, e _D1 is changed to e _Dj
It is necessary not to represent the multiplication on mod λ of. However, since only the signature generator knows λ, e
_{If D1} cannot be represented by multiplication of e _Dj ,
It is possible to secure the same level of security as RSA by placing a safety base on the difficulty of obtaining λ.

In order to satisfy this condition, the output of the public key exponent generator should always be a constant bit. Under such a configuration, e _D1 > e _Dj · e _Dk holds for all i,
Since it holds for j and k, it is possible to prevent forgery.

Considering the above conditions, p-1, q-1
When p and q are used such that both have only prime factors of x bits or more, the public key exponent generator generates the most significant bit MS.
B and the least significant bit LSB can be configured to be 1 by using a bit combiner that outputs y (x> y) bits. For example, when the input value D is y-2 bits or more,
As described above, it is configured by using the hash calculator 401 having the output of y−2 bits where x> y−2 and the bit combiner 402 of the y bit output in which both MSB and LSB are 1.
Alternatively, as shown in FIG. 8, a subtracter 403 for subtracting some reference value, for example, a date as a starting point from the input value, and a MS
It is configured by using a bit combiner 404 which outputs y bits in which both B and LSB are set to 1.

[0063]

According to the present invention, since the signature generation authority can issue a signature based on the public information for classifying the signature, the signature verification authority uses the public information included in the signature information. , Signatures can be classified. For example,
When setting the expiration date for a signature, if the public information is the expiration date and time, the created signature will be based on that expiration date, and at the time of verification, the signature that is within the expiration date and the signature that has expired will be classified. It becomes possible to do. Further, by using the date as the public information for classifying the signature, the signature requesting authority can easily verify that the public information cannot be used for personally specified purposes.

[Brief description of drawings]

FIG. 1 is an overall block diagram of a system of one embodiment of the present invention.

FIG. 2 is a flowchart showing a procedure of a signature requesting authority.

FIG. 3 is a flowchart showing a procedure of a signature generation authority.

FIG. 4 is a flowchart showing a procedure of a signature verification authority.

FIG. 5 is a block diagram of a system that executes a signature generation operation according to an embodiment of the present invention.

FIG. 6 is a block diagram of a system that executes a signature verification operation according to an embodiment of the present invention.

FIG. 7 is a diagram illustrating a first configuration example of a public key exponent generator.

FIG. 8 is a diagram showing a second configuration example of a public key exponent generator.

[Explanation of symbols]

 100 signature generation authority 101 storage device 102 public key exponent part generator 103 secret key exponent part generator 104 exponentiation modular operator 200 signature requesting authority 201 storage device 202 public key exponent part generator 203 random number generator 204 hash calculator 205 blind Signature preprocessor 206 Blind signature postprocessor 300 Signature verification authority 301 Storage device 302 Date comparator 303 Public key exponent generator 304 Exponentiation residue operator 305 Hash operator 306 Comparator

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁶ Identification number Office reference number FI Technical display location H04L 9/30 H04L 9/00 663B

Claims (9)

[Claims] 1. The signature generation authority publishes the public key P, the signature request authority disturbs the signature object M by a disturbance function based on the public key P, and sends the disturbed signature object Z to the signature generation authority,
The signature generation station generates the signature Q for the disturbed signature object Z using the secret key d corresponding to the public key P, and returns the generated signature Q to the signature requesting agency, and the signature requesting agency disturbs In the blind signature method, in which the signature Q is input to the function that returns, the disturbance component is removed, and as a result, S is the signature for the signature target M before the disturbance, the signature generation authority publishes the public information D, and The procedure for generating the public key P from the public information D is published, and the signature requesting authority uses the public information D to publish the public information D.
To generate a public key P, disturb the signature target M using the generated public key P, and send the disturbed signature target Z to the signature generation station, and the signature generation station uses the above procedure to publish the public information. Generate a public key P from D, generate a secret key d corresponding to the public key P,
A restricted blind signature method, wherein a signature Q for a signature target Z sent from the signature requesting authority is generated using the secret key d. 2. The signature generation authority publishes the public information D, and discloses the procedure for generating the public key P from the public information D, and the signature request authority uses the public information D by using the published procedure.
To generate a public key P, disturb the signature target M using the generated public key P, and send the disturbed signature target Z to the signature generation station, and the signature generation station uses the above procedure to publish the public information. Generate a public key P from D, generate a secret key d corresponding to the public key P,
The private key d is used to generate a signature Q for the signature target Z sent from the signature requesting authority, and the signature Q is returned to the signature requesting authority. The signature Q returned from is input and the disturbing component is removed. As a result, S
Is a blind signature method for the signature target M before disturbance, and when verifying the signature, the signature requesting authority sends the signature S and the signature target M to the signature verification authority, and Public information D using the procedure
A blind signature method, comprising: generating a public key P from the signature key and verifying that the signature S sent from the signature requesting authority is a signature for the signature target M using the public key P. 3. The signature generation station has a product N of two large prime numbers p and q, a least common multiple λ of p-1 and q-1, an integer e relatively prime to λ, and d = 1 / e mod λ. The integer d that satisfies the relationship is held, the values N and e are made public, and the signature requesting authority makes a random number R, a signature target M, and a public key e,
Let Z be the signature object that is disturbed from N Then, the signature target Z is sent to the signature generation authority, and the signature generation authority assigns the signature Q to the signature object Z by And the signature Q is returned to the signature requesting authority, and the signature requesting authority is a blind signature method in which S = Q / R mod N is determined and the S is the signature of the signature generating authority for the signature target M. Then, the signature generation authority publishes the public information D1 and the public key exponent part generation function f (), and the public key exponent part e _D1 is e _D1 = f (D1)
And the secret key exponent part d _D1 is _calculated as d _D1 = 1 / e _D1 mod
The signature requesting authority calculates the public key exponent e _D1 by e _D1 = f (D1), and uses the document m and the one-way function g () to obtain the signature target M = g (m ) Is calculated, and from the random number R, the signature target M, the public key exponent e _D1 , and the value N, the disturbed signature target Z
[Equation 3] Then, the signature target Z is sent to the signature generation station, and the signature generation station outputs the signature Q to the signature target Z as follows: The signature requesting authority returns the signature Q to the signature requesting authority, and the signature requesting authority obtains S = Q / R mod N so that the S is the signature of the signature generating authority based on the public information D1 for the document m. , A blind blind signature method with restrictions. 4. In the restricted blind signature method according to claim 3, when verifying a signature, the signature requesting authority sends the signature S, the document m, and the public information D1 to the signature verifying authority, and the signature verifying authority publishes. The key exponent part e _D1 is obtained by e _D1 = f (D1), the signature object M = g (m) is calculated using the document m and the one-way function g (), and And the signature S if and only if M'is equal to M
Is a correct signature based on the public information D1 of the document m. 5. The restricted blind signature method according to claim 3, wherein the public information D1 is the date of signature generation. 6. A blind signature system comprising a signature requesting authority for secretly requesting a signature with the content of a document kept secret, and a signature generating authority for adding a signature to a signature target from the signature requesting authority and returning it to the signature requesting authority. In, the signature generation authority is equipped with a storage device, a public key exponent part generator, a secret key exponent part generator, and a modular exponentiation unit, and the signature request authority is a storage device, a public key exponent part generator, a random number generator, and a hash. The signature generation station is provided with an arithmetic unit, a blind signature preprocessor, and a blind signature postprocessor. In the signature generation station, the product N (public key) of two large prime numbers p and q, and the minimum of p-1 and q-1. The public multiple λ and the public information D1 are held, and further, the public key exponent part generation unit outputs the public key exponent part e _D1 with the public information D1 as input, and the secret key exponent part generation unit inputs e _D1 and λ, N. And the secret key exponent part d _D1 is d _D1 = 1 / e _D1 mod λ and d
_D1 is held in the storage device, and the signature requesting authority stores the public key N, public information D1,
When the signature target m is held and the signature request is made, first, the signature requesting authority determines the public information D1.
To the public key exponent generator to obtain the public key exponent e _D1 , drive the random number generator to generate the random number R, input the document m to the hash calculator to obtain the signature target M, and e _D1 , R,
Input M and N to the blind signature preprocessor, and , Z and D1 are transmitted to the signature generator, and the signature generation authority confirms that D1 from the signature request authority is public information, and then the secret key exponent part d _D1 corresponding to the _D1.
From the storage device, d _D1 , N and Z from the signature requesting authority are input to the modular exponentiation operator, And returns the Q (signature) to the signature requesting authority, and the signature requesting authority inputs Q, R and N to the blind signature post-processor, calculates S = Q / R mod N, and calculates the S A blind blind signature system with restrictions, wherein a signature of a signature generation authority based on public information D1 for document m is used. 7. The restricted blind signature system according to claim 6, further comprising a signature verification authority in addition to the signature generation authority and the signature request authority, the signature verification authority being a storage device, a public key exponent generator, and a power. When the signature requesting authority is provided with a remainder arithmetic unit, a hash arithmetic unit, and a comparator, holds the public key N in the storage device, and verifies the signature, the signature requesting authority S, the document m,
The public information D1 is sent to the signature verification authority, and the signature verification authority inputs the public information D1 to the public key exponent generator to obtain the public key exponent e _D1 and inputs the document m to the hash calculator and outputs it. Be M, and input S, e _D1 , and N to the modular exponentiation operator, and And the calculation result M ′ of the power calculation unit and the output M of the hash calculation unit are input to the comparator, and the signature S is the correct signature based on the public information D1 of the document m only when the comparison results match. A blind signature system with restrictions, characterized in that it outputs an affirmative signal. 8. The restricted blind signature system according to claim 6 or 7, wherein the public information D1 is the date of signature generation. 9. The restricted blind signature system according to claim 6, 7 or 8, wherein in the public key exponent generator, p-1 and q-1 are prime numbers p and q having only prime factors of x bits or more. , The most significant bit MSB and the least significant bit LSB of the output are always 1, and the part other than the MSB and LSB is a value corresponding to the input value [x> y] y
A restricted blind signature system that outputs the value of a bit.