JPS6026387A - Digital signature system - Google Patents

Abstract

(57) [Summary] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

[Detailed Description of the Invention] Description of the field to which the invention pertains This invention provides a method for a receiver to confirm the identity of the sender and to determine whether or not the communication has been tampered with in response to a clear text message of digital information sent from the sender. Concerning verification and authentication methods and digital signature methods.

PRIOR ART AND THEIR PROBLEMS With conventional signatures, the authenticity of the document's content and authorship has been authenticated by a signature unique to one person written on paper. However, if this conventional signature is applied to data communication in a distorted manner, it will not be able to perform the authentication function. Therefore, for example, when placing a shopping order using digital information, it is possible for the author to easily be mistaken as having placed an order when he or she has not placed an order, or for the contents of the order to be changed. It is desirable to file a text in a storage device as digital information, and when a reader reads the file, to be able to confirm that the author of the read content is correct. In digital signatures for digital information, the following two conditions (and (B)) must be satisfied from the viewpoint of security.

(4) A signed message cannot be forged by a third party.

(B) E-name messages cannot be forged by the recipient.

The conventional digital signature methods are classified from the viewpoints of (1) cryptography used for digital signatures and (2) inspection methods for signed messages, and their characteristics are described below.

■Classification by cryptography As a code used for digital signature, (
There are a) conventional cryptography and (b) public key cryptography.

(a) Conventional cipher A conventional cipher is a cipher in which the encryption key and decryption key are the same and are kept secret. DES (Data Encryption Stan) is currently a typical commonly used cipher.
dard). With digital signatures using conventional cryptography, a signed message is generated using a secret key shared only by the sender and receiver, the message is sent, and the receiver decrypts the received message using the secret key. can be,
Although the above-mentioned condition (A) is satisfied, there is a drawback that condition (B) is not satisfied.

(b) Public-key cryptography Public-key cryptography is a cryptography in which a pair of encryption keys and a reprint server 1 are different, the encryption key is made public, and only the decryption key 1 is kept secret. R8A as the current representative public key cryptosystem
Law CR, L., Rivest, A., Sbamir
and A, Adleman” Amethod
for obtaining digitalsign
atures and public-key cry
ptosystem”, CACM.

With digital signatures, a signed message is generated by performing cryptographic processing (reprinting) using a key (decryption key) that only the sender keeps secret (7, the recipient decrypts the message with the public key). (encryption) processing, and the above conditions (
g) and ω) i'! : It is filled. A digital signature based on public key cryptography satisfies conditions (4) and (B) above even without an arbitrator (which may be sent via a trusted arbitrator to ensure high confidentiality). This is called a “true signature” or “direct signature.”

RS Am IJ) The feature is that all messages can be signed, but the drawback is that the amount of calculation required for encryption and decryption is large. The feature of the R method is that the encryption division h1
However, the disadvantage is that not all messages can be signed.

■ Classification by inspection method There are two methods for inspecting digital signatures: (a) message recovery method and (b) authenticator method.

<) Message Restoration Method In the message restoration method, first, the sender performs cryptographic processing on a plain text message to convert it into an authenticated message, which is a type of signed message, and sends it to the recipient. Next, the recipient restores the original message of condolence by performing inverse cryptographic processing on the received authentication message. If the restored condolence message is meaningful (for example, if it makes sense in Japanese), the receiver authenticates that the sender and content of the message are correct.

This method uses cryptography and is realized through bidirectional operations through encryption and decryption. However, there is a drawback that it is not easy to mechanically (automatically) understand the meaning of the reconstructed condolence message without human intervention.

(b) Authenticator method The authenticator method is also called verification. In the authenticator method, the sender first encrypts (scrambles) the condolence message.
The message is then converted into an authenticator, which is a type of signed message, and the authenticator is sent to the recipient along with the raw condolence message. The recipient receives the raw information that was sent! , -1, is subjected to similar cryptographic processing (scrambling) to generate a new authentication code, and the generated authentication code is compared with the sent authentication code. If there is a match, the recipient authenticates the sender and content of the message as correct.

This method is realized by performing one-way scrambling with a secret nail, and does not necessarily require the use of a cipher that guarantees inverse conversion. Since it is necessary to maintain , it has the disadvantage that key distribution is difficult and security condition (B) is not satisfied.

An efficient verification method has also been proposed for the Kasuda authenticator method, in which a small-sized authenticator is generated by compressing the data of the condolence message using the hashing method without compromising security, and this method satisfies both efficiency and security. , D to generate the authenticator.
ES to CB C (C1pherBlock Chain
ing) mode to generate a 32-bit authenticator is recommended by ANSI (American National Standards Institute) and I5O (International Standards Organization). However, since this data compression method uses conventional cryptography, key distribution is still difficult and security conditions (2) are still not met. Furthermore, there is also the disadvantage that there are many calculations E required for data compression.

Purpose of the Invention The present invention solves the problems of the conventional digital signature method, and allows authentication in communication or storage to be performed under the above conditions (B
), can be performed mechanically, facilitates key management, and aims to speed up the authentication process.

Summary of the invention In this invention, for example, Rabin's public button dark + 3 method (R
An authentication code is generated by compressing the message using the encryption function of the R8A method, and the message 79 element method based on the R8A method is applied to this authentication code as an eyebrow-crossing message. The procedure is shown below.

(a) The sender divides the condolence message M into blocks of 512 bits each.

M-<Ml, N2, -=-, Mm> An authentication code T is generated by applying the R method encryption function in CBC mode to each block Mi (1≦1≦m).

T=f (M, b, n) However, b and n are public keys that are known not only to the sender and the receiver but also to third parties. Specifically, f is CI=M1(M1
+b) (mod n)N2=M2■CI C2=N2(N2+b) (mod n)N3=M
3■C2 C3=N3(N3+b') (mod n)Nm=Mm
■Cm-1 (:m=Nm(Nm+b) (mod n)T=Cm
(1) becomes. However, the size of b and n is 512 bits, and ■ represents exclusive OR.

(b) The sender performs a decryption process g on T (512 bits) using the R8A method using a secret nail d known only to him and a public key n known to everyone, and generates an authentication message V.

V=g(T, d, n)=Td(mod n) (2) Then, n in equation (1) and equation (2) is the same value.

A plain text message M and an authentication message V are sent to the recipient.

(c) The recipient responds to the sent condolence message M,
Same as in (a), use the public key in 17j< and use n to authenticate the authenticator
generate.

T=f (M, b, n) If the plaintext message M is tampered with M' on the way, T'=f is used as the authenticator by the process (c).
(M', bln) is obtained.

) The recipient further receives the authentication message V that was sent.
1111 encryption processing g71 of the R8A method is performed using the public keys e and n, and the authenticator T is quadrupled.

T=g” (V, e, n)=Ve (mod
n) (3a) However, e and d are yed'=V
(mod n) is a la fv- key pair. If the authentication message V is tampered with M' on the way, or if a third party forges M' from the beginning, then T""g-'(V' +e+n)= V'
. (mod n) (3b) is obtained. However, the formula (
]) and n in formulas (aa) and (3b) have the same valence.

(E) The recipient receives the authenticator T or T' obtained in (C).
The message M is compared with the authenticator T or "T" found in the previous page, and if it is confirmed that they match, it is verified that the message M has not been tampered with and that the sender's identity is correct. do.

That is, if M and ■ have not been tampered with, the T obtained in (a) is equal to the T obtained in ). If M has been tampered with, T' obtained in (a) is not equal to T obtained in (a). If only ■ has been tampered with, the T obtained in (a) is equal to the T'' obtained in ). If both M and V have been tampered with, then (a) The T' obtained in and T'' obtained in ) are not equal.

The flow of the above procedure is shown in FIG.

DESCRIPTION OF THE EMBODIMENTS FIG. 2 is a block diagram of an authentication message transmitting device 61 and an authentication message receiving device 2 that realize the digital signature system of the present invention. A case where the message is not tampered with by a third party during the communication as shown by line 3, and a case where the message is tampered with by a third party using the tampering device 5 during the communication as shown by line 4 will be explained.

The sender inputs the message M, the private key d, and the public key n into the edict message transmitting device 1, generates V, and transmits M and ■. If there is no tampering by a third party during the communication, the recipient receives (- also M and V and the public key)
n and e are input to the authentication message receiving device @2, and an output result indicating that there has been no falsification is obtained. Suppose that a third party falsifies M and ■ into M' and M', respectively, during the communication. The recipient receives the received M' and M' and the public keys, n, e.
is input into the authentication message receiving device 2, and an output result indicating that there has been falsification is obtained.In this way, the output result of the authentication message receiving device 2 allows the receiver to confirm that the message was sent by the real sender. The details of the authentication message transmitting device 1 shown in FIG.
The details of the authentication message receiving device 2 are shown in FIG.

The detailed operation of the authentication message transmitting device shown in FIG. 3 will be explained. When a plaintext message, ji M, is input to the data reading circuit 11, m blocks of every 512 pits <Ml,
M2, . . . Mm> and stored in the area 14bK of the data storage memory 14. Furthermore, the public keys n and secret #d are input to the data reading circuit 11 and stored in the areas 14a' and 14e. These are read out and blocked messages (Ml, ,
M2. .

...Mm) and the public key S, n, the formula (1
) is executed by the data inflator 12, and the intermediate variable c;
, Nj (1<i<m, 2<j<m,) and memory 1
4, store it in area 14c, and get the final authentication code T from Kotobuki.
Data storage memory] 4 is stored in area 14d. next,
Based on the thus obtained T in the area 14d and the input public key n and private key d in the area 14e, the function g of equation (2) is executed by the multiplier 13 to generate the authentication message V. eye,
The data is stored in the area 14f of the data storage memory 14. Finally, the condolence message M in the area 14d and the authentication message V in the area 14f are read out and communicated to the recipient via the data transmission circuit 15.

The detailed operation of the authentication message receiving device shown in FIG. 4 will be explained. In order to distinguish between cases in which there has been no tampering and cases in which there has been tampering, the symbol names in the case in which there has been tampering are shown below, surrounded by zeros, alongside the symbol names in the case in which there has been no tampering. A plaintext message M (M') is sent to the data receiving circuit 25.
When the authentication message v (v') is input and the public Wb and nle are input to the data reading circuit 21,
First, M (M') is m blocks of every 512 bits <
Ml, M2, """Mrn:>(<Ml'
.

M2', . . . Mm'>) and stored in the area 24b of the data storage memory 24, viI'lt,
The keys bn and en are stored in the area 24-f, respectively. a and 24e, respectively. next,
Blocked message < Ml + M2 + ・
------1'llJm) (<Ml' + M2'
+...-Mm') )) and the public key S, n,
The function f in equation (1) is executed by the theta compressor 22, and intermediate variables ci (C1'), Nj (Nj') (1(1(m
, 2 (j < m) in the area 24c of the data storage memory 24, the final authenticator T(T
' ) in the area 24. of the data storage memory 24. Store in d. Furthermore, the authentication message v(M′) and the public key n
Based on and e, the function g"-1 of equation (3) is
to generate the authenticator T (T") and store it in the area 24g. Finally, T (T') in the area 24d and
The comparator 26 compares T (T'') of g to authenticate it. If they match, it indicates that the sender's identity is correct and that the condolence message has not been tampered with, and the plaintext message M is 0 outputted via the data writing circuit 27. Note that in the above data compression, the encryption function of the R method is
This is not limited to the BC mode, and may be simple data compression. However, the public encryption method used to generate the authentication message is not limited to the R8A method, and other methods may be used. Furthermore, the present invention is applicable not only to digital signatures for digital transmission, but also to digital signatures for storing and reading digital information.

Description of Effects The digital signature system of the present invention described above has the following advantages.

■No need to send private keys.

Since all the methods of this invention are based on public key cryptography, the secret key (d in the above example) only needs to be held by the sender, making key management easy.

■Data compression can be achieved quickly and safely.

In the above example, the R method was used for data compression, but the encryption function of the R method is significantly smaller than the DBS algorithm.

In addition, since public key cryptography is used, it is impossible for the injured person or a third party to tamper with the message while leaving the authenticator intact. It is difficult to make, and safety is maintained.

■The message restoration method can be realized at high speed.

Since the message targeted by the message restoration method is a 1-block (512-bit) authenticator with data compression, the amount of calculation required by the R8A method is small in this example.

■No need for semantic processing in the message restoration method.

Since the authenticator restored by data compression and the authenticator restored by the message restoration method can be mechanically matched at the syntax level, semantic processing is no longer necessary, and the verification can be performed mechanically (automatically) without human intervention. ) can be authenticated.

■Good consistency between the authenticator method and the message recovery method.

In the embodiment described above, since the same key n is used for the R method and the R8A method, calculations are performed using the same modulus of n, so there is no need to convert the size, and key generation can also be made common.

[Brief explanation of drawings]

1(2) is a diagram showing the information flow of the digital signature method of the present invention, FIG. 2 is a block diagram showing the configuration of the digital layer name method of the present invention, and FIG. 3 is a detailed example of an authentication message transmitting device. FIG. 4 is a block diagram showing a detailed example of an authentication message receiving device. 1... Authentication message transmitting device, 2... Authentication message receiving device, 3... Communication line without tampering, 4...
Tampered communication line, 5. Tampering device, 11... Data reading circuit, 12... Data compressor, 13...
・Power calculation unit, 14...Data storage memory, 15.
Data transmission circuit, 21...Data reading circuit, 22
...Data compressor, 23...Power operator, 24
...data storage memory, 25...data reception circuit,
26... Comparator, 27... Data 1'' included circuit.

Claims (1)

[Claims] (1) In a system that communicates or stores digital information, the sender has a means for data-compressing a plaintext message to generate an authenticator, and cryptographically processing this authenticator using a private key in a public cryptographic method for authentication. The device includes means for generating a message, and means for transmitting or storing the plaintext message and the authentication message, and compresses the plaintext message sent to or read from the receiving side using the same method as the sending side, and generates an authentication code. means for generating an authentication message sent or read out using a public key in the public encryption method to restore the original authentication code by performing inverse cryptographic processing on the authentication message sent or read; 1. A digital signature method, comprising means for verifying a sender's identity and confirming the presence or absence of tampering during communication based on a plain text message and an authentication message from the sender.