JP2001134179A - Trust signature system and program storage medium to be used in the system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To shorten the length of a signature and also to reduce computational complexity needed for a verification. SOLUTION: An alternative terminal Si receives a letter of attorney (entrusting condition discribing list Wi=w1, ..., wi, trust verification information list Vi=v1,-..., vi, a trust signature key xi) from a terminal Si-1 and verifies whether Wi and Vi are correct with respect to a common public key Yo or not in a device 21 and when they are correct, in the case that the terminal Si entrusts a signature to a next terminal Si+1, the terminal produces a trust signature key xi+1, trust verification information vi+1 from Wi, Vi wi+1 in a device 31 and transmits a letter of attorney (Wi+1, Vi+1, xi+1) to a terminal Si+1 and in the case that the terminal Si performs an alternative signature, the terminal inputs Wi, Vi, xi, a document (m) to a device 41 to produce signatures (c), (s) with respect to (m) and it transits Wi, Vi, (c), (s), (m) to a verification terminal.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an efficient method for temporarily transferring the right to issue an electronic signature to another person for use in safely distributing documents digitized in a telecommunications system. The present invention relates to an implementation method and a program recording medium.

[0002]

2. Description of the Related Art First, a digital signature will be described using a Schnorr signature as an example. p and q are large prime numbers, and p is q
Is divisible. Let g be an element of order q in Z _p ^* . Zp ^* represents a set of integers from 1 to _p -1. The signer selects the signature key x from {1,..., Q−1} and calculates the verification key y as y = g ^x mod p. The signature key x is kept secret and the verification key y is made public. The signature (c, s) for the document m is performed in the following procedure. First, the signer of the random number r {0, ..., q- 1} select from, c = H (g ^r modp‖
m) is calculated. Here, H (•) is a one-way hash function, and the binary operator ‖ represents a bit combination of values at both ends. Next, the signer calculates s = r-cx modq. The validity of the signature (c, s) for the document m is determined by the verification equation c = H
(G ^s y ^c modp‖m) can be confirmed by examining whether the holds.

[0003] the terminal S ₀ for holding the Schnorr signature key (x _0, y _0), the terminal U ₁ for holding parameter g required to verify, p, and y _0, ..., assume a system of U _n . Consider the case where the terminal S ₀ to delegate the right of signature to a certain period of time only terminal S _1. First, the simplest way is to pass the signature key x ₀ to S _1. According to such a method, rather than any difference in the signature issued by the signature S ₁ issued by S _0, thereby verifying the signature by S ₁ without performing any changes with respect to data held in another computer Can be. Secondly, as a method for performing a delegation without revealing the signature key x _0, key S ₁ is on its own held (x _1,
For y ₁ ), there is a method in which S ₀ issues a signature. In this method, first, S ₀ creates a delegation condition description w ₁ , which is a document describing the period of delegation and other conditions, and signs (c ₀ , s ₀ ) for m ₀ = y ₁ ‖w ₁ Calculate and pass (w ₁ , c ₀ , s ₀ ) to S ₁ as a proxy. When S ₁ performs signature in place of S ₀ , S ₁ first calculates a signature (c ₁ , s ₁ ) for the document m to be signed using the key (x ₁ , y ₁ ) and sends the signature (c ₁ , s ₁ ) to the verifier. c ₀ , s ₀ , y
_{1, w 1, c 1,} s 1, m) to send. Verifier c
^{_{0 = H (g s0 y 0}} c0 mod p‖y 1 ‖w 1) and c ₁ = H
By both to verify that holds the ^{_{(g s1 y 1 c1 mod p‖m}} ), it is possible to verify the correctness of the signature for m.

Further, S₁Is S_TwoDelegate signing rights to
In that case, similarly, S₁Is S_TwoVerification key y_Twoand
Delegation condition description w_TwoFor m₁= Y_Two‖W_TwoAs m
₁(C₁, S₁) Is issued. S_TwoAgainst
The power of attorney is (y₁, W₁, C₀ , S₀, W_Two, C₁, S
₁). S_TwoIs the signature for document m (c_Two, S_Two)
And the verifier calculates (y₁, W₁, C₀, S₀, Y_Two, W
_Two, C₁, S₁, C_Two, S_Two). Verify this signature
Is c₀= H (g^s0y₀ ^c0 modp @ y₁‖W₁), C₁=
H (g^s1y₁ ^c1modp @ y_Two‖W_Two) And c_Two= H
(G^s2y_Two ^c2modp‖m).
According to this method, each conditional document has a fixed length | w |
, The length of the value of H (•) is | q | bits
And d-th commissioned S_dIssues for document m
The signature has a length d | p | +2 (d + 1) | q | + d | w |
It becomes a unit. Where | p | and | q | are p and q, respectively.
Bit length. In addition, it is necessary
The average of the number of necessary remainder multiplications can be estimated as 7 | q | / 4
Therefore, the amount of calculation at the time of verification can be converted to the number of remainder multiplications.
This gives 7 (d + 1) | q | / 4.

[0005]

In the [0006] first conventional method described above, even after the S ₀ has ended a period of delegation desired, that she can be S ₁ is to issue a valid signature There's a problem. In the second conventional method, the verification key _yi held by each terminal needs to be sent to the verifier terminal. Furthermore, the verifier must individually verify the signature at each delegation stage, which is computationally expensive.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a delegated signature system and a program recording medium which can reduce the number of bits of a signature and the amount of calculation required for signature verification.

[0007]

Means for Solving the Problems The terminal S _i performing the delegation is:
A signature key x _{i + 1} is issued to the terminal S _{i + 1} receiving the request. However, the signature using the signature key is the original verification key y ₀
To be able to verify. That is, the delegation condition description w ₁ and the signature key x ₀ are input to the signature generation terminal, and the delegation signature key x
₁ and delegation verify the information v ₁ to generate output, proxy terminal S _i to receive the i-th to the delegation and the delegation signing key x _i, all of delegation condition description w ₁ up to it, ..., delegation conditions consisting of w _i description List W _i and all the delegated verification information v ₁ ,
..., v and the delegation verification information list V _i and become more power of attorney, which consists of _i, W and enter a verification key Y ₀ in the delegation information verification device
_i , V _i are verified against Y ₀ to see if they are correct, and if so, if that terminal S _i delegates the signature to the next terminal,
Delegation condition description wi _{+ 1} for x _i , W _i , V _i and S _i is input to the delegation chain information generation device, and delegation signature key x _{i + 1} and delegation verification information v _{i + 1} are generated and delegation. The states W _{i + 1} , V _{i + 1} ,
x _{i + 1} is sent to the terminal S _{i + 1,} and when the terminal S _i performs a proxy signature, x _i , W _i , V _i and the document m are input to the delegation signature generation device to generate a signature Σ, Σ, W _i , V _i , and m are sent to the signature verification terminal.

[0008]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 An embodiment of the present invention will be described. As shown in FIG. 8, this system includes a plurality of terminals (signature terminal S ₀ , proxy terminals S ₁ , S ₂ ,...) That can communicate with each other via communication network 10.
S _i , a signature verification terminal V). Communication network 10
Has a function of providing a secure secret communication path for communication between any two terminals so that the communication contents do not leak to others. Such a function can be easily realized using, for example, secure encryption.

[0009] Let p and q be large prime numbers, and p is divisible by q
Shall be. g to Z_p ^*In the order q.
Number x randomly selected from {1, ..., q-1}
₀And y ₀= G^x0 By the number that satisfies modp, X₀: =
(X₀, G, p, q) as the signature key, Y ₀: = (Y₀, G,
p, q). Signing terminal S using FIG.₀The composition of
I will tell. The signature key X is stored in the storage device 16.₀Is remembered and
Delegation condition description w input by input means 17₁Remember
It is assumed that it is stored in the device 16. Signing terminal S₀To
A delegation information generation device 11 is provided.
Random number generator 12, exponentiation operator 13, hasher 14,
A remainder power adder 15 is provided. Signing terminal S₀Is the control unit 1
8, g, p, q, x₀And delegation condition description
w₁Is input to the delegation information generation device 11 to generate the delegation information.
The device 11 operates as follows.

[0010] 1. By driving the random number generator 12, {1,.
obtaining a random number r ₁ in the range of q-1}. 2. r ₁ , g, and p are input to the power calculator 13, and v ₁ :
= G ^r1 modp. 3. w ₁ and v ₁ are input to the hasher 14 and c ₁ : = H
(V ₁ ‖w ₁ ). 4. c ₁ , r ₁ , x ₀ , and q are input to the modular exponentiation adder 15 to obtain x ₁ : = c ₁ r ₁ + x ₀ mod q.

5. x ₁ and v ₁ are output. The signing terminal S ₀ is (W ₁ , x ₁ , V ₁ ) (W ₁ = w ₁ ,
V ₁ = v ₁ ) is synthesized as a proxy by the proxy synthesizing unit 19 and transmitted from the transmitting unit to the proxy terminal S ₁ to be delegated via the secret communication path of the communication network 10. Delegation condition description w _1, the description for limiting the document to be valid period and signed delegation, further description of the proxy terminal for receiving a delegation, for example, may include a public key or the like of the proxy terminal.

[0012] illustrating the configuration of the proxy terminal S _i which receives the i-th delegated with reference to FIG. The verification key Y ₀ is stored in the storage device 26.
= (G ₀ , g, p, q) is stored, and the delegation condition description w _{i + 1} input by the input means is stored, and further received from the preceding terminal S _i-1 via the receiving unit. Power of Attorney (W
_i , V _i , and x _i ) are stored, and a signature target document m is also stored when a proxy signature is performed. Received power of attorney _{(W i, V i, x} i) delegation information verification apparatus 21 for verifying the
And a delegation chain information generation device 31 that generates delegation chain information (v _{i + 1} , x _{i + 1} ) when delegating a proxy signature to the next proxy terminal S _{i + 1} , and a proxy (W _{i + 1} , V _{i + 1} , x _{i + 1} ) and the signatures c and s when performing proxy signature
Generating a signature generation device 41 and a signed document ( _Wi , V
_i , c, s, m), and a signed document synthesizing unit 28 for synthesizing _i , c, s, m), and the power of attorney ( _{Wi + 1} , Vi _{+ 1} , xi _{+ 1} ) is transmitted to the next proxy terminal _{Si + 1} . transmitted from parts, or signed document _{(W i, V i, c} , s, m) is transmitted to the signature verification terminal V from the transmitting unit. The overall control is performed by the control unit 29. Whether the proxy terminal S _i sends out a power of attorney or a document with a signature can be determined by inputting a command indicating which of them is to be output from the input means, for example.
Decrypts the instruction and executes it as such. Alternatively, the control unit 29 decodes specific bit position information in the input data received from the terminal S _{i-1 at the} preceding stage to create either proxy chain information or signature information. You may do so.

The processing at the proxy terminal S _i will be roughly described with reference to FIG. Proxy terminal S _i waits for reception of terminal S _i-1 (S ₀ signature terminal) than sent proxy _{(W i, V i, x} i) (Step1), the proxy is received, the The delegation information is verified (Step 2), and if the verification result is not OK (NG), the process is terminated (Step 3).
If OK proxy terminal S _i is determined whether it is required that the proxy signature (Step4), if it is not requested to the proxy signature, proxy _{(W i + 1, V i} + 1, x i + ₁ ) is created (Step 5), and the proxy is transmitted to the next proxy terminal S _{i + 1} (Step 6). When the terminal S _i is requested proxy signature, signed document _{(W i, V i, c} , s, m) generates (Step7), and sends the signed document to the signature verification terminal V (Step8 ).

Referring to FIG. 4, the delegation information verification device 2 shown in FIG.
1 will be described. The delegation information verification device 21 includes a control unit
22, hash unit 23, exponentiation unit 24, comparator 25
Is provided. The delegation information verification device 21 performs the following procedure.
The received power of attorney (W_i, V _i, X_iVerify).
In the following description, W_i, V_iDelegation condition description and delegation
List of verification information, w₁, ..., w_iand
v₁, ..., v_iShall be expressed. From storage device 26
(W_i, V_i, X_i) And Y₀Information verification device 21
Enter The commission information verification device 21 is controlled according to the following procedure.
It operates under the control of the unit 29.

1. The following procedure is repeated for each j of j = 1,..., I: w ₁ ,..., W _j , v ₁ ,..., V _j are input to the hasher 23 and c _j : = H (v _{1 1} . ‖V _j ‖
w ₁ ‖... ‖w _j ) are obtained. This processing is performed by the control unit 29. 2. _{c 1, ..., c i,} x i, g, p, v 1, ..., a v _i input to the power calculator ^{_{24, T i: = g xi}} v 1 -c1 ... v i
^{Get -ci} modp. 3. T _i , y ₀ is input to the comparator 25, and if T _i and y ₀ are equal, OK is output, and if they are not equal, NG is output.

[0016] If the output of the delegation information verification device 21 is OK, is underwriting the delegation proxy terminal S _i, if NG, reject the delegation. The configuration of the delegation chain information generation device 31 in FIG. 2 will be described with reference to FIG. Delegation chain information generation device 31
Is a random number generator 32, an exponentiation operator 33, a hasher 3
4. It has a modular exponentiation adder 35. The proxy terminal S _i determines the delegation condition description w _{i + 1} and inputs w _{i + 1} and x _i , Y ₀ , V _i , and W _i from the storage device 26 to the delegation chain information generation device 31. The following is an operation of the delegation chain information generation device 31, which is controlled by the control unit 29.

1. By driving the random number generator 32, {1,.
Obtain a random number ri _{+ 1} in the range of q-1. 2. r _{i + 1} , g, p are input to the power calculator 33,
_{i + 1} : = g ^{ri + 1} mod p is obtained. 3. _{w 1, ..., w i +} 1, v i, ..., v i + 1 and the input to the hash unit _{34, c i + 1: =} H (v 1 || ... ‖v _{i + 1} ‖w ₁
‖ ... ‖w _{i + 1} ).

4. c _{i + 1} , r _{i + 1} , x _i , and q are input to the modular exponentiation adder 35, and x _{i + 1} : = c _{i + 1} r _{i + 1} + x _i mod
Get q. 5. Output v _{i + 1} and x _{i + 1} . The proxy terminal _Si receives the (W _{i + 1} , V
_{i + 1} , x _{i + 1} ) are combined and output as a proxy, and sent to the proxy terminal to be delegated via the secret communication path of the communication network 10.

The configuration of the signature generation device 41 in FIG. 2 will be described with reference to FIG. The signature generation device 41 includes a random number generator 4
2. It has an exponentiation unit 43, a hash unit 44, and a modular exponentiation adder 45, and stores x _i , Y ₀ , V _i , W
_i and the document m are input, and the control unit 29 operates as follows. 1. The random number generator 42 is driven to obtain a random number t in the range of {1,..., Q−1}. 2. t, g, and p are input to the power calculator 43, and u: = g
^{Get t} mod p.

3. _{w 1, ..., w i,} v 1, ..., v i,
u, m are input to the hasher 44, and c: = H (v ₁ ‖.
‖V _i ‖u‖w ₁ ‖... ‖W _i ‖m). 4. c, t, x _i , and q are input to the modular exponentiation adder 45,
s: = get a ct + x _i mod q. 5. Output c and s. The proxy terminal S _i sends the signed document synthesizing unit 28 (W _i , V _i ,
c, s) is used as a signature for m, and these are combined and output.

FIG. 7 shows a signature verification terminal V. Proxy terminal S
_i , the signed document (W _i , V _i ,
c, s, m) are temporarily stored in the storage device 56. The verification key Y ₀ = (y ₀ , g, p, q) is also stored in the storage device 56 in advance. Signature verification terminal V of operation is performed signed document by the control unit _{52 (W i, V i,} c, s, m) is verified by the signature verifying apparatus 51 by. Signature verification device 51
The hash unit 53, a power calculator 54, comprises a comparator 55, the signature proxy terminal S _i which receives the i-th to the delegation issued and _{(W i, V i, c} , s) and target document m The verification key Y ₀ is input, and operates as follows.

1. The following procedure is repeated for each j of j = 1,..., I: w ₁ ,..., W _j , v ₁ ,..., V _j are input to the hasher 53, and c _j : = H (v ₁ ‖. ‖V _j ‖
w ₁ ‖... ‖w _j ) are obtained. 2. _{c 1, ..., c i,} g, p, v 1, ..., v i, c,
s, y ₀ is input to the exponentiation operator 54, and u ′: = (g ^s
v ₁ ^-c ₁ ... v _i ^-ci y ₀ ^-1 ) ^{1 / c} mod p is obtained. 3. _{w 1, ..., w i,} v 1, ' enter, m to the hash unit _{53, c' ..., v i,} u: = H (v 1 || ... ‖v _i ‖
u′‖w ₁ ‖... ‖w _i ‖m).

4. c ′ and c are input to the comparator 55, and c ′
OK is displayed if c and c are equal, and NG is displayed if they are not equal.
Output from an output device 57 such as a device. In this embodiment, the bit length of the H (•) value is | q |
Then, the terminal S_iIssued by (W_i, V_i, C,
s) is i | p | +2 | q | + i | W | bits. This
This is i | p | +2 (i + 1) | q | + i | W | bits
2i | q | bits compared to the required second conventional method
Savings. G^aThe amount of calculation required to calculate
On average, the number of "1" when expressed in binary is | a | /
2, it is estimated as | a | + | a | / 2. Follow
T required for verification in this embodiment_i= G ^xiv₁ ^-c1... v_i ^-ci
 The number of remainder multiplications required to calculate modp is | q | +
(| Q | / 2) (i + 1) = (i / 2 + 3/2) | q |
Only about times. Therefore, 7 (i + 1) | q | / 4 times are required
Calculation amount is reduced to about 1/3 compared to the second conventional method.
Be reduced.

Note that the order of the input variables to the hash function may be rearranged in any order. Second Embodiment In the first embodiment, the proxy terminal S _i uses the signature generation device 41
Alternatively, the delegation chain information generation device 31 shown in FIG. 5 may be used. That is, the document m is input to the delegation chain information generation device 31 as the delegation condition description w _{i + 1} , and the obtained output (W
_{i + 1} , V _{i + 1} , x _{i + 1} ) as the signature for the document w _{i + 1} = m.

In this case, the document m issued by the proxy terminal S _i-1
The signature verification device 51 of the signature verification terminal V that verifies the signature of the delegation information verification device 2 of Si shown in FIG.
1 at this time, input as w _i = m, and T _i and y ₀
Will be checked to see if they match. Proxy terminal S _i
In the above, the hashers 23, 34, and 53 can be shared by one hasher, and similarly, the power calculators 24,
33 and 54 can be shared by one unit, and the modular exponentiation adders 35 and 45 can be shared by one unit.

In the above description, each terminal can perform its function by decoding and executing a program by a computer.

[0027]

According to the present invention, it is possible to efficiently delegate authority by reducing the length of a signature on a document and the amount of calculation required for verification.

[Brief description of the drawings]

1 is a block diagram illustrating a functional configuration example of the signature terminal S _0.

2 is a block diagram illustrating a functional configuration example of a proxy terminal S _i.

FIG. 3 is a flowchart illustrating an example of a processing procedure of a proxy terminal.

FIG. 4 is a block diagram showing an example of a functional configuration of a delegation information verification device 21 in FIG. 2;

FIG. 5 is a block diagram showing a functional configuration example of a delegation chain information generation device 31 in FIG. 2;

FIG. 6 is a block diagram showing a functional configuration example of a signature generation device 41 in FIG. 2;

FIG. 7 is a block diagram showing a functional configuration example of a signature verification terminal V.

FIG. 8 is a block diagram illustrating a configuration example of a delegation signature system.

Claims (8)

[Claims] A signature generation terminal generates a digital signature.
Signing key X₀And the signature verification terminal stores the signature key X₀
Verification key Y for verifying the signature by₀And the proxy terminal
Signature generation terminal or other delegated end that has already been delegated
The signature is issued from the end and the signature verification terminal substitutes
Verification key Y for signature by terminal₀Delegated signature verified by
The signature generation terminal includes: a delegation condition description w which is a document in which delegation conditions and the like are described.₁
And signature key X₀And the delegation signing key x₁and
Delegation verification information v₁Delegation information generation device that generates and outputs
And the i-th delegated terminal S_iIs: Delegated signing key x_iAnd all the delegation condition descriptions w so far
₁, ..., w_iCondition description list W consisting of_iAnd it
All delegation verification information up to v₁, ..., v_iDelegation consisting of
Verification information list V_iPower of Attorney (W_i, V_i, X
_i) And verification key Y ₀, And W_i, V_iIs Y₀Shine
And a delegation information verification device that verifies whether or not it is correct._i, Delegation condition description list W_i, Delegated validation
Information list V_i, Delegation condition description w_{i + 1} Enter and delegate
Signing key x_{i + 1} And delegation verification information v_{i + 1}Generate and output
A delegation chain information generation device and a delegation signature key x_i, Delegation condition description list W_i, Delegated validation
Information list V_i, Input document m, generate signature 出力 and output
The signature verification terminal includes: a document m, a signature Σ, a delegation condition description list W_i, Delegated validation
Information list V_i, Verification key Y₀And the signature Σ is the document
Delegate to verify correct delegation signature for m
A delegated signature system comprising a signature verification device
Tem. 2. The delegated signature system according to claim 1, wherein p and q are large prime numbers, and g is Z_p ^* Of order q at
And x₀, Y₀To y₀= G^x0a number that satisfies modp
And signing key X₀To X₀: = (X₀, G, p, q),
Verification key Y₀Is Y₀: = (Y₀, G, p, q)
Y is stored in each storage device of all proxy terminals and signature verification terminals.₀But
The delegated information generation device of the signature generation terminal stores:
Random number r in the range of 1｝₁A random number generator that generates₁, G, p and v₁: = G^r1 calculate modp
Exponentiation unit, w₁, V₁And enter c₁: = H (v₁‖W₁) Is calculated
Hashing device, c₁, R₁, X₀, Q and x₁: = C₁r₁+ X
₀The signature generation terminal includes a modular exponentiation adder that calculates modq.₁= W₁, X₁, V₁) Power of Attorney
And the proxy terminal S performing the ith delegation for i> 0_i
The delegated information verification device of w₁, ..., w_j, V₁, ..., v_jAnd enter c_j: = H
(V₁‖… ‖V_j‖W ₁‖… ‖W_j) Is j = 1, ..., i
The calculation is sequentially performed for each j of₁, ..., c
_iA hasher that obtains c₁, ..., c_i, X_i, G, p, v₁, ..., v_iEnter
Then T₁: = G^xiv₁ ^{- c1} ... v_i ^-ci modp should be calculated
Multiplication operator, T₁And y₀OK, if not equal, must be equal
And a comparator that outputs NG if the delegation chain information generation device has a random number r in the range of {1,..., Q−1}._{i + 1} Generate random numbers
Generator, r_{i + 1} , G, p and v_{i + 1} : = G^{ri + 1} play modp
Power operator to calculate, w₁, ..., w_{i + 1} , V₁, ..., v_{i + 1} And enter c
_{i + 1} : = H (v₁‖… ‖V_{i +1}‖W₁‖… ‖W_{i + 1} Play)
Hasher to calculate, c_{i + 1} , R_{i + 1} , X_i, Q and x_{i + 1} : = C_{i + 1} 
r_{i + 1} + X_iA modulo adder for calculating modq is provided._{i + 1}, V_{i + 1} , X_{i + 1} ) As a power of attorney
The delegation signature generation device generates a random number t for generating a random number t in the range of {1,..., Q-1}.
U, = g by inputting t, g, p^tmodp should be calculated
Multiplication unit, w₁, ..., w_i, V₁, ..., v_i, U and c: =
H (v₁‖… ‖V_i‖U‖w₁‖… ‖W_i‖M)
Hasher, c, t, x_i, Q and s: = ct + x_imodq
A surplus terminal adder for performing the operation;_i, V_i, C, s) to m
The signature verification device of the signature verification terminal outputs the signature (W_i,
V_i, C, s) and the target document m, and for each j of j = 1,.₁, ..., w_j,
v₁, ..., v_jAnd enter c_j: = H (v₁‖… ‖V
_j‖W₁‖… ‖W_j) To calculate
c₁, ..., c_jA hasher that obtains c₁, ..., c_i, G, p, y₀, V_i, ..., v_i, C,
Enter s and u ': = (g^sv₁ ^-c1... v_i ^-ciy₀ ^-1)
^{1 / c}power operator for calculating modp, w₁, ..., w_i, V₁, ..., v_i, U ', m
c ′: = H (v₁‖… ‖V_i‖U'‖w₁‖… ‖W_i‖
a hasher for calculating m), comparing c 'and c, if equal, OK, otherwise
Delegation comprising a comparator for outputting NG
Signature system. 3. The delegated signature system according to claim 1, wherein p and q are large prime numbers, and g is Z_p ^*Of order q at
And x₀, Y₀To y₀= G^x0 a number that satisfies modp
And signing key X₀To X₀: = (X₀, G, p, q),
Verification key Y₀Is Y₀: = (Y₀, G, p, q)
Y is stored in each storage device of all proxy terminals and signature verification terminals.₀But
The signature information generation device of the signature generation terminal stores a random number r in the range of {1,..., Q−1}.₁Generate random numbers
Generator, r₁, G, p and v₁: = G^r1 calculate modp
Exponentiation unit, w₁, V₁And enter c₁: = H (v₁‖W₁) Is calculated
Hashing device, c₁, R₁, X₀, Q and x₁: = C₁r₁+ X
₀a modulo q adder for calculating mod q;₁= W₁, X₁, V₁) Power of Attorney
And the proxy terminal S performing the ith delegation for i> 0_i
The delegation information verification device of the formula (1): For each j of j = 1,.₁, ..., w_j,
v₁, ..., v_iAnd enter c_j: = H (v₁‖… ‖V
_j‖W₁‖… ‖W_j) To calculate
c₁, ..., c_iA hasher that obtains c₁, ..., c_i, X_i, G, p, v₁, ..., v_iEnter
Then T₁: = G^xiv₁ ^{- c1}... v_i ^-cimodp should be calculated
Multiplication operator, T₁And y₀OK, if not equal, must be equal
And a comparator that outputs NG if the delegation chain information generation device has a random number r in the range of {1,..., Q−1}._{i + 1} Generate random numbers
Generator, r_{i + 1} , G, p and v_{i + 1} : = G^{ri + 1} play modp
Power operator to calculate, w₁, ..., w_{i + 1} , V₁, ..., v_{i + 1} And enter c
_{i + 1} : = H (v₁‖… ‖V _{i + 1} ‖W₁‖… ‖W_{i + 1} )
A hasher to operate on, c_{i + 1} , R_{i + 1} , X_i, Q and x_{i + 1} : = C_{i + 1} 
r_{i + 1} + X_ia modulo adder for calculating mod q
And the proxy terminal is (W_{i + 1}, V_{i + 1}, X_{i + 1}) As a power of attorney
The delegation signature generation device outputs a random number r in the range of {1,..., Q−1}._{i + 1}Generate random numbers
Generator, r_{i + 1} , G, p and r_{i + 1} : = G^{ri + 1} play modp
Power operator to calculate, w₁, ..., w_i, V₁, ..., v_{i + 1} , M and c
_{i + 1} : = H (v₁‖… ‖V_{i + 1}‖W₁‖… ‖W_i‖M)
A hash device for calculating c_{i + 1} , R_{i + 1} , X_i, Q and x_{i + 1} : = C_{i + 1} 
r_{i + 1} + X_ia modulo adder for calculating modq
And the proxy terminal is (W_{i + 1}, V_{i + 1} , X_{i + 1} ) For m
The signature is output as a signature, and the signature verification device of the signature verification terminal receives the delegation for the (i-1) th.
The signature (W_i, V_i, X_i) (W
_i= M) for each j of j = 1,..., I: w₁, ..., w_j,
v₁, ..., v_jAnd enter c_j: = H (v₁‖… ‖V
_j‖W₁‖… ‖W_j) To calculate
c₁, ..., c_iA hasher that obtains c₁, ..., c_i, X_i, G, p, v₁, ..., v_iEnter
Then T₁: = G^xiv ₁ ^-c1... v_i ^-ci modp should be calculated
Multiplication operator, T₁And y₀OK, if not equal, must be equal
A comparator that outputs NG
Delegation signature system. 4. p and q are large prime numbers, g is an element of the order q in Z _p ^* , and x ₀ and y ₀ are y ₀ = g ^x0 modp
And a number satisfying the signature key _{X 0 = (x 0, g} , p, q) and proxy terminal stores the delegate condition description w ₁ in the storage device for S _1, the output by creating a proxy for the proxy terminal S ₁ A computer-readable recording medium on which a program for operating a signature terminal to be executed is recorded, wherein the program generates a random number r _{1 in} the range of {1,..., Q−1}; Reading out g and p from, calculating v ₁ = g ^r1 modp using r ₁ , g and p, reading out x ₀ and q from the storage device, and x ₁ = c ₁ r ₁ + x _A recording medium, comprising: calculating ₀ modq; and transmitting W ₁ = w ₁ , V ₁ = v ₁ , x ₁ as a proxy to the proxy terminal S ₁ . 5. p and q are large prime numbers, and g is Z_p ^*To
X is the element of the order q₀, Y₀To y₀= G^x0modp
And a verification key Y₀= (Y₀, G, p, q) and
(I + 1) -th (i = 1, 2,...) Proxy terminal S_{i + 1} 
Delegation condition description w_{i + 1}And document m to be signed
And the proxy terminal S_{i + 1} Create a power of attorney for
Output or sign the document m and sign the signed document to the signature verification end
Program that operates the i-th proxy terminal that outputs
Computer-readable recording
Recording medium, wherein the program includes a delegation information verification program and a delegation chain
Information generation program and signature generation program
The delegation information verification program is based on the i-1st proxy terminal S_i-1(Terminal S with i = 1)₁Ha station
From the proxy (name terminal)_i=
w₁, ..., w_i, Delegation verification information list V_i= V₁,…,
v_i, Terminal S_iSigning key x_i), And a hash function operation c for each j of j = 1,._j=
H (v₁‖… ‖V_j‖W₁‖… ‖W_j) Is performed sequentially, and c
₁, ..., c_iC) reading g and p from a storage device; and c.₁, ..., c_i, X_i, G, p, v₁, ..., v_iUsing
T_i= G^xiv₁ ^-c1... v_i ^-ciStep of calculating modp
And y from the storage device₀Reading T;_iAnd y₀And OK, if they are equal,
And outputting an NG if the delegation chain information generation program has a range of {1,..., Q-1}.
The surrounding random number r_{i + 1} Generating g, p from a storage device, and r_{i + 1}, G, and p_{i + 1} = G^{ri + 1} calculate modp
Steps and w_{i + 1} Reading from a storage device; w₁, ..., w_{i + 1} , V₁, ..., v_{i + 1}Hash function
Arithmetic c_{i + 1}= H (v ₁‖… ‖V_{i + 1} ‖W₁‖… ‖W
_{i + 1} ), Reading q from the storage device, and c._{i + 1} , R_{i + 1} , X_i, Q_{i + 1} = C_{i + 1} r
_{i + 1} + X_icalculating mod q; W_{i + 1} , V_{i + 1} , X_{i + 1} Terminal S as a proxy_{i + 1} 
To the signature generating program.
Generating a random number t in the range {1,..., Q-1}
Reading g and p from the storage device, and u = g using t, g and p^tStep of calculating modp
Reading m from the storage device; w₁, ..., w_i, V₁, ..., v_i, U, m
Function function c = H (v₁‖… ‖V_i‖U‖w₁‖… ‖
w_i‖M), reading q from the storage device, c, t, x_i, Q using s = ct + x_iCalculate modq
And W_i, V_i, C, s, m as a signed document
Transmitting to the other end.
Medium. 6. Let p and q be large prime numbers and q be Z_p ^*To
X is the element of the order q₀, Y₀To y₀= G^x0modp
And a verification key Y₀= (Y₀, G, p, q)
Stored in the storage device, the proxy terminal S_iSigned text received from
A program that operates a signature verification terminal that verifies
On a recording medium that can be read by a computer
A signed document (Delegation condition description list W_i= W₁, ..., w
_i , Delegation verification information list V_i= V₁, ..., v_i,signature
c, s, document m);_i, V_iFor each j of j = 1,..., I
Function function c_j= H (v₁‖… ‖V_j‖W₁‖… ‖
w_j) Is performed sequentially, and c₁, ..., c_jAnd g, p, y from the storage device₀Reading c; and c.₁, ..., c_i, V₁, ..., v_i, C, s, g, p, y
₀And u ′ = (g ^sv₁ ^-c1... v_i ^-ciy₀ ^-1)^{1 / c} mod
 The step of calculating p is compared with c 'and c.
Outputting NG.
Recording medium. 7. p and q are large prime numbers, and g is Z_p ^*To
X is the element of the order q₀, Y₀To y₀= G^x0 modp
And a verification key Y₀= (Y₀, G, p, q) and
(I + 1) -th (i = 1, 2,...) Proxy terminal S_{i + 1} 
Delegation condition description w_{i + 1} And document m to be signed
And the proxy terminal S_{i + 1} Create a power of attorney for
Output or sign the document m and sign the signed document to the signature verification end
Program that operates the i-th proxy terminal that outputs
Computer-readable recording
Recording medium, wherein the program includes a delegation information verification program and a delegation chain
Information generation program and signature generation program
The delegation information verification program is the (i-1) th proxy terminal S
_{i + 1}(Terminal S with i = 1)₁From the signing terminal)
Terms and conditions description list W_i= W₁, ..., w_i, Delegation verification information
List V_i= V₁, ..., v_i, Terminal S_iSigning key x_i)
And a hash function operation c for each j of j = 1,..., I_j=
H (v₁‖… ‖V_j‖W₁‖… ‖W_j) Is performed sequentially, and c
₁, ..., c_iC) reading g and p from a storage device; and c.₁, ..., c_i, X_i, G, p, v₁, ..., v_iUsing
T_i= G^xiv₁ ^-c1... v_i ^-ci Step of calculating modp
And y from the storage device₀Reading T;_iAnd y₀And OK, if they are equal,
And outputting an NG if the delegation chain information generation program has a random number r in the range of {1,..., Q−1}._{i + 1}Generate
Reading g and p from the storage device; and r_{i + 1} , G, and p_{i + 1} = G^{ri + 1} calculate modp
Steps and w_{i + 1} Reading from a storage device; w₁, ..., w_{i + 1} , V₁, ..., v_{i + 1}Hash function
Arithmetic c_{i + 1} = H (v ₁‖… ‖V_{i + 1}‖W₁‖… ‖W
_{i + 1} ), Reading q from the storage device, and c._{i + 1}, R_{i + 1} , X_i, Q_{i + 1} = C_{i + 1} r
_{i + 1} + X_icalculating modq; W_{i + 1}, V_{i + 1} , X_{i + 1} Terminal S as a proxy_{i + 1} 
And the signature generating program generates a random number in the range {1,..., Q-1}.
r_{i + 1}Generating g, p from a storage device, and r_{i + 1} , G, and p_{i + 1} = G^{ri + 1} mod p
Reading n from the storage device; w₁, ..., w_i, V₁, ..., v_{i + 1}, M
Function c = H (v ₁‖… ‖V_{i + 1} ‖W₁‖… ‖W_i
‖M), reading q from the storage device, c, r_{i + 1} , X_i, Q_{i + 1} = C^{ri + 1}+ X_imo
calculating d q, W_{i + 1} , V_{i + 1}, X_{i + 1} , M as a signed document
Transmitting to a certificate terminal.
recoding media. 8. p and q are large prime numbers, q is an element of order q in Z _p ^* , and x ₀ and y ₀ are y ₀ = g ^x0 modp
The verification key Y ₀ = (y ₀ , g, p, q) is stored in the storage device, and the program for operating the signature verification terminal that verifies the signed document received from the proxy terminal _Si-1 A recording medium that can be read by a recording computer, and includes a signed document (delegation condition record list W _i-1 = w ₁ ,..., W
_i-1 , the delegated verification information list V _i = v ₁ ,..., v _i , Receiving signature x _i, a document m), and m = w _i, W _i, with _{V i, j = 1, ...} , hash function operation for each j in the i c _j = H (v ₁ || ... ‖v
_{j ‖w 1} || ... c _{1 ‖w j)} sequentially performed, ..., obtaining a c _j, a step of reading g, the p from the storage _{device, c 1, ..., c i} , v 1, ..., _{v i, x i, g,} u with ^{_{p '= g xi v 1 -c1}} , ..., v i a step of computing the ^-ci modp, reading out y ₀ from the storage device, u' and y ₀ And outputting OK if they are equal and NG if they are not equal.