JPS637388B2 - - Google Patents

Description

[Detailed Description of the Invention] Description of the field to which the invention pertains This invention is a method for a receiver to confirm the identity of the sender and to check whether or not the communication has been tampered with in response to a plain text message of digital information sent from the sender. Concerning verification and authentication methods and digital signature methods.

Prior Art and its Problems Conventional signatures rely on an individual's unique handwriting written on paper to authenticate the authenticity of the document's content and authorship. However, if you try to apply this traditional signature to data communication as is,
It cannot perform the authentication function. Therefore, for example, when placing a shopping order using digital information,
It is possible for an author to easily assume that he or she has placed an order without placing an order, or for the contents of an order to be changed. It is desirable to be able to confirm that the author of the read content is correct when reading out the content. There is a need for digital information to be able to perform the same functions as conventional signatures, and this solution is called a digital signature.

In digital signatures, it is necessary to satisfy the following two conditions (A) and (B) from the viewpoint of security.

(A) A signed message cannot be forged by a third party.

(B) The signed message cannot be forged by the recipient.

Conventional digital signature methods are classified from the viewpoints of cryptographic methods used for digital signatures and methods for inspecting signed messages, and their characteristics are described below.

Classification by cryptography There are two types of cryptography used for digital signatures: (a) conventional cryptography and public key cryptography.

(a) Conventional cipher A conventional cipher is a cipher in which the encryption key and decryption key are the same and are kept secret. DES (Data Encryption) is currently the most commonly used cipher.
Standard). With digital signatures using conventional cryptography, a signed message is generated using a secret key shared only by the sender and receiver, the message is sent, and the receiver decrypts the received message using the secret key. Although condition (A) is satisfied, condition (B) is not satisfied.

(b) Public-key cryptography Public-key cryptography is a type of cryptography in which a pair of encryption keys and decryption keys are different, and the encryption key is made public while only the decryption key is kept secret. RSA method [RLRivest, A. Shamir and
A.Adleman“Amethod for obtaining digital
signatures and public-key cryptosystem“,
CACM, 21, No. 2, pp120-126, 1978] and R
Law〔MORabin “Digitalized signatures and
public-key functions as intractable as
factorization,”Tech.Rep.MIT/LCS/
TRMIT Lab. Comput. Sci., 1979]. Digital signatures using public key cryptography generate a signed message by performing cryptographic processing (decryption) using a key (decryption key) that is kept secret only by the sender, and the recipient can make the message public. The decryption (encryption) process is performed using a key, and the above condition (A) is met.
(B) is satisfied. A digital signature based on public key cryptography satisfies conditions (A) and (B) above even without an arbitrator (sometimes sending it through a trusted arbitrator to ensure high confidentiality). This is called a "true signature" or "direct signature."

A feature of the RSA method is that all messages can be signed, but the disadvantage is that the amount of calculation required for encryption and decryption is large. The R method is characterized by a small amount of encryption calculation, but its drawback is that it is not possible to sign all messages.

Classification by inspection method Digital signature inspection methods include (a) message recovery method and (b) authenticator method.

(a) Message recovery method In the message recovery method, the sender first performs cryptographic processing on a plain text message to convert it into an authenticated message, which is a type of signed message, and sends it to the recipient. Next, the recipient restores the original plaintext message by performing inverse cryptographic transformation on the received authentication message. If the restored plaintext message is meaningful (for example, if it makes sense in Japanese), the receiver authenticates that the sender and content of the message are correct.

This method uses cryptography and is realized through bidirectional operations through encryption and decryption. However, there is a drawback that it is not easy to mechanically (automatically) understand the meaning of the restored plaintext message because there is no human intervention.

(b) Authenticator method The authenticator method is also called verification. In the authenticator method, the sender first performs cryptographic processing (scramble) on a plaintext message to convert it into an authenticator, which is a type of signed message, and sends this authenticator along with the raw plaintext message to the recipient. . The recipient performs similar cryptographic processing (scrambling) on the plain text message sent to them, generates a new authentication code, and checks it against the sent authentication code. If there is a match, the recipient authenticates the sender and content of the message as correct.

This method is realized by performing one-way scrambling using a secret key, and does not necessarily require the use of a cipher that guarantees inverse transformation. This method requires the sender and receiver to hold a common secret key, so it has the drawbacks that key distribution is difficult and security condition (B) is not satisfied.

In addition, an efficient verification method has been proposed that generates a small-sized authenticator by compressing plaintext messages using the hashing method to the extent that security is not compromised. , DES is used to generate the authenticator using CBC (Cipher
The method for generating a 32-bit authenticator in Block Chaining mode is based on ANSI (American National Standards Institute).
Recommended by ISO (International Organization for Standardization). However, since this data compression method uses conventional encryption, key distribution is still difficult and security condition (B) is not satisfied. Furthermore, there is also the drawback that the amount of calculation required for data compression is large.

Purpose of the Invention The present invention solves the problems of conventional digital signature methods, satisfies the conditions (A) and (B) above, and allows authentication in communication or storage to be performed mechanically.
Additionally, the purpose is to facilitate key management and speed up authentication processing.

Summary of the Invention In this invention, for example, a message is compressed using an encryption function of Rabin's public key cryptography (R method) to generate an authenticator, and this authenticator is used as a new message to send a message using the RSA method. Apply the restoration method. The procedure is shown below.

(a) The sender divides the plaintext message M into blocks of, for example, 512 bits.

M=<M1, M2, . . . , Mm> An authentication code T is generated by applying the R method encryption function in CBC mode to each block Mi (1≦i≦m).

T=f(M, b, n) However, b and n are public keys that are known not only to the sender and the receiver but also to third parties. Specifically, f is C1=M1(M1+b) (mod n) N2=M2C1 C2=N2(N2+b) (mod n) N3=M3C2 C3=N3(N3+b) (mod n) ...... Nm=MmCm-1 Cm=Nm (Nm+b) (mod n) T=Cm (1). However, the size of b and n is 512 bits, and represents exclusive OR.

(b) The sender performs a decryption process g on T (512 bits) using the RSA method using a private key d known only to him and a public key n known to everyone, and generates an authentication message V.

V=g(T, d, n)=T ^d (mod n) (2) However, n in equation (1) and equation (2) is the same value.

A plain text message M and an authentication message V are sent to the recipient.

(c) The recipient receives the sent plaintext message M by using the public keys b and n in the same way as in (b) to authenticate the authenticator T.
generate.

T=f(M, b, n) If the plaintext message M is tampered with M′ on the way, T′=f(M′, b, n) will be used as the authenticator by processing (c). can get.

(d) The recipient further performs RSA encryption processing g ^-1 on the sent authentication message V using public keys e and n, and restores the authentication code T.

T=g ⁻¹ (V, e, n)=V ^e (mod n) (3a) However, e and d are a pair of keys that satisfy V ^ed ≡ ^V (mod n). If authentication message V
is tampered with V′ during the process, or if a third party forges V′ from the beginning, then T″=g ^-1 (V′, e, n) = V as the authenticator through process (d). ′ ^e (mod n) (3b) is obtained. However, equation (1) and equations (3a) and (3b)
n has the same value.

(E) The recipient receives the authentication code T obtained in (C) or
Compare and judge T′ with the authenticator T or T″ obtained in (d), and if it is confirmed that they match, it means that the message M has not been tampered with and the identity of the sender is correct. authenticate.

That is, if M and V are not tampered with, (a)
The T obtained in (d) is equal to the T obtained in (d). If only M is tampered with, T' obtained in (a) and T obtained in (d) are not equal. if,
If only V is tampered with, T obtained in (a)
and T″ obtained in (d) are not equal. If both M and V are falsified, the T″ obtained in (b)
T′ and T″ obtained in (d) are not equal.

The flow of the above procedure is shown in FIG.

DESCRIPTION OF EMBODIMENTS FIG. 2 is a block diagram of an authentication message transmitting device 1 and an authentication message receiving device 2 that implement the digital signature system of the present invention. A case where the message is not tampered with by a third party during the communication as shown by line 3, and a case where the message is tampered with by a third party using the tampering device 5 during the communication as shown by line 4 will be explained.

The sender inputs a message M, a private key d, public keys b and n into the authenticated message transmitting device 1, generates V, and transmits M and V. If there is no tampering by a third party during the communication, the recipient will receive the received M.
, V, and public keys b, n, and e are inputted into the authentication message receiving device 2, and an output result indicating that no tampering has occurred is obtained. Suppose that a third party falsifies M and V into M' and V', respectively, during the communication. The recipient inputs the received M' and V' and the public keys b, n, and e into the authentication message receiving device 2, and obtains an output result indicating that the message has been tampered with. in this way,
Based on the output result of the authentication message receiving device 2,
The receiver authenticates whether the message sent by the real sender has been received correctly.The details of the authenticated message sending device 1 in FIG. 2 are shown in FIG. 3, and the details of the authenticated message receiving device 2 are shown in FIG. 4. show.

The detailed operation of the authentication message transmitting device shown in FIG. 3 will be explained. When a plaintext message M is input to the data reading circuit 11, it is divided into m blocks <M1, M2, . Further, public keys b, n and private key d are input to the data reading circuit 11 and stored in areas 14a, 14e. Based on the message <M1, M2,...Mm> read out and made into blocks and the public keys b, n, the function f of equation (1) is executed by the data compressor 12, and intermediate variables Ci, Nj (1<i<m, 2<j<m)
is obtained and stored in the area 14c of the memory 14, the final authentication code T is obtained, and the data storage memory 14
It is stored in the area 14d. Next, based on T in the area 14d obtained in this way and the input public key n and private key d in the area 14e, the function g of equation (2) is executed in the multiplier 13 for authentication. The message V is obtained and stored in the area 14f of the data storage memory 14. Finally, the plaintext message M in the area 14d and the authentication message V in the area 14f are read out and communicated to the recipient via the data transmission circuit 15.

The detailed operation of the authentication message receiving device shown in FIG. 4 will be explained. In order to distinguish between cases where no tampering has occurred and cases where there has been tampering, the symbol names for cases where tampering has occurred will be enclosed in parentheses below along with the symbol names for cases where there has been no tampering. When a plaintext message M (M') and an authentication message V (V') are input to the data receiving circuit 25, and public keys b, n, and e are input to the data reading circuit 21, first, M
(M′) is m blocks of every 512 bits <M1,
M2, . 24a and 24e, respectively. Next, the blocked message <M1, M2, ...Mm>(<M1′, M2′, ...
Mm′>) and the public keys b, n, the data compressor 22 executes the function f in equation (1), and the intermediate variable Ci
(Ci'), Nj (Nj') (1<i<m, 2<j<m) while storing it in the area 24c of the data storage memory 24, and obtain the final authentication code T(T'). The data is stored in the area 24d of the data storage memory 24. Furthermore, based on the authentication message V (V') and the public keys n and e, the function g ^-1 of equation (3) is executed by the multiplier 23,
Generate an authentication code T (T'') and store it in the area 24g.Finally, T (T') in the area 24d and the area 24g
The comparator 26 compares and authenticates the message M with T (T''). If they match, it indicates that the sender's identity is correct and that the plaintext message has not been tampered with. It is output via the write circuit 27.

Note that data compression in the above is not limited to the case where the encryption function of the R method is performed in the CBC mode, but may be simple data compression. Further, the public encryption method used to generate the authentication message is not limited to the RSA method, and other methods may be used. Furthermore, the present invention can be applied not only to digital signatures for digital transmission, but also to digital signatures for storing and reading digital information.

Description of Effects The digital signature system of the present invention described above has the following advantages.

No need for private key delivery.

Since all the methods of this invention are based on public key cryptography, the secret key (d in the above example) only needs to be held by the sender, making key management easy.

Data compression can be achieved quickly and safely.

In the above example, R method was used for data compression, but R
The method's encryption function requires less calculation than the DES algorithm. Furthermore, since public key cryptography is used, it is difficult for the recipient and a third party to tamper with the message while leaving the authenticator intact.
In other words, it is difficult to create a forged authentication message that corresponds to a forged plaintext message.
Safety is maintained.

A message restoration method can be realized at high speed.

Since the message that is the target of the message restoration method is a one-block (512-bit) authenticator that has been compressed, the amount of calculation required for the RSA method is small in this example.

No need for semantic processing in the message recovery method.

Since the authenticator restored by data compression and the authenticator restored by the message recovery method can be mechanically matched at the syntactic level, semantic processing is not necessary, and there is no need for human intervention.
Authentication can be performed mechanically (automatically).

There is good consistency between the authenticator method and the message recovery method.

In the above embodiment, since the same key n is used for the R method and the RSA method, calculations are performed using the same modulus of n, so there is no need to convert the size, and key generation can also be made common.

[Brief explanation of the drawing]

FIG. 1 is a diagram showing the information flow of the digital signature system of this invention, FIG. 2 is a block diagram showing the configuration of the digital signature system of this invention, and FIG. 3 is a block diagram showing a detailed example of an authentication message transmitting device. ,
FIG. 4 is a block diagram showing a detailed example of an authentication message receiving device. 1... Authentication message transmitting device, 2... Authentication message receiving device, 3... Tamper-proof communication line, 4...
Tampered communication line, 5... Tampering device, 11...
Data reading circuit, 12...Data compressor, 13
...Power calculator, 14...Data storage memory, 15
...data transmitting circuit, 21...data reading circuit,
22...Data compressor, 23...Power calculator, 24
...Data storage memory, 25...Data receiving circuit, 2
6... Comparator, 27... Data writing circuit.

Claims (1)

[Claims] 1. In a system that communicates or stores digital information, the sender has a means for data-compressing a plaintext message to generate an authentication code, and a means for generating an authentication message by cryptographically processing this authentication code using a private key in a public cryptographic method. and a means for transmitting or storing the plaintext message and the authentication message, and generates an authentication code by compressing the plaintext message sent to or read from the receiving side using the same method as the sending side. means for inversely converting the sent or read authentication message using the public key in the public encryption method to restore the original authenticator, and collating these authenticators. A digital signature system characterized in that the digital signature method is characterized in that the sender's identity is confirmed and the presence or absence of tampering during communication is confirmed and authenticated from the plain text message and authentication message from the sender side.