JP2003076270A - Digital signing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable digital signing with high safety by preventing a sign from being forged. SOLUTION: A sign key (d) is divided into N (integer: N>=2) d1 , dN, etc.; and the signer keeps one of them as a personal key d1 by oneself and stores the remaining N-1 personal keys di (2<=i<=N) as registered keys di at key deposition institutions Pi (2<=i<=N) at N-1 places so that the signer oneself and the key deposition institutions Pi cooperate to digitally sign object data. This digital signing method has a step where the object data are partially signed on a computer of the signer oneself by using the personal key d1 and sent out to the key deposition institutions Pi and a step where the key deposition institutions Pi having received the partially signed object data further partially sign the received partial sign by using the registered keys di that the institutions store and send them out to the computer of the signer oneself or other key deposition institutions Pi.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a digital signature method in which a signer himself and a key depository cooperate to digitally sign target data.

[0002]

2. Description of the Prior Art Since digital signatures have the same effect as digital signatures on digital data, the storage of keys used for signatures is very important. For this reason, various means have been devised for storing and using the key, such as encrypting and storing the key, storing in a medium such as a smart card having a built-in arithmetic function, and also performing the signature itself in the card. Generating a digital signature requires complicated calculation, and conventionally, a signature is generated by a computer or a smart card. That is, the user trusts the computer he is using and believes that the computer has signed the signature target data such as the document intended by the user.

[0003]

However, the user cannot directly confirm whether or not the computer has signed the document intended by the user. For example, if a computer used by the user is infected with a virus, it is possible that a document different from the intended document or a document that the user does not know is signed without the user knowing it. This is true even with smart cards. That is,
Data sent to a smart card can be swapped in without your knowledge. As a result, the signature may be forged without the person's knowledge.

In the future, if contracts and the like exchanged between individuals, between individuals and organizations, or between organizations will also be digitized, the damage caused by forgery of signatures will be extremely large, and countermeasures against forgery will be extremely difficult. Becomes important to. In addition, the possibility that such a thing will occur will be a major obstacle to the spread of digital signatures.

The present invention has been made to solve such a problem, and an object thereof is to provide a digital signature method capable of preventing forgery of a signature and performing a highly secure digital signature. Especially.

[0006]

In order to achieve the above object, the digital signature method of the present invention uses a signature key d ₁ , d ₂ ,
..., d _N divided into N pieces (an integer of N ≧ 2), one of which is stored by the signer himself as a private key d ₁ , and the remaining N−1 private keys d _i
For (2 ≦ i ≦ N), there are N-1 key depositary institutions Pi (2
≤ i ≤ N) as a registration key d _i , which is a digital signature method in which the signer himself and the key depository Pi cooperate to digitally sign the target data. A step of partially signing the target data using the private key d ₁ and sending it to the key depository Pi, and the registration key d stored by the institution itself at the key depository Pi that has received the partially signed target data Pi use _i
The method further comprises the step of further performing a partial signature on the received partial signature and sending the partial signature to the signer's own computer or another key depository Pi.

Further, _N signature keys d ₁ , ..., D _N (N ≧
2), one is stored as the private key d _{1 by the} signer himself, and the remaining N−1 private keys d _i (2 ≦ i ≦ N) are N−1 key depository institutions. Registration key d for Pi (2 ≤ i ≤ N)
_This is a digital signature method in which the signer himself and the key depository Pi cooperate with each other to digitally sign the target data, and the target data is sent from the signer's own computer to the key depositary Pi. Steps to
At the key depositary institution Pi that has received the target data, a step of partially signing the target data using the registration key d _i stored by the institution itself and sending it to the signer's own computer or another key depositary institution Pi. It is characterized by being provided. Furthermore, in the key method of the RSA algorithm, the signature key d is set such that the sum of the private key d ₁ and the registration keys d ₂ , ..., D _N is equal to the signature key d modulo (p-1) (q-1). Is divided. In addition, in the key method of the RSA algorithm, the signature key d is set so that the product of the private key d ₁ and the registration keys d ₂ , ..., d _N is equal to the signature key d modulo (p-1) (q-1). Is divided. Further, the number N of divisions of the signature key is set to 2. Also, d ₁ · d ₁ '= ₁ mod (p-1) (q-1)
(However, p and q are large prime numbers) The confirmation key d ₁ ′ is stored in the key depository Pi.

[0008]

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail based on illustrated embodiments. (First Embodiment) FIG. 1 is a system configuration diagram showing a first embodiment of a system to which the present invention is applied when a digital signature is made using an RSA algorithm. The system shown in FIG. 1 is composed of a user computer 100 and a key escrow computer 110. The key depository computer 110 is, in detail, a signature key for digital signature divided and deposited as a registration key in advance, and completed using the deposited registration key in cooperation with the user computer 100. A computer that digitally signs. Note that, in the present invention, the key escrow computer 110 may be two or more escrow computers, but here, in order to simplify the explanation, the case where there is one key escrow computer is shown.

The user computer 100 includes a document creation program 101 and a user partial signature generation program 10.
2. The private key 103 and the signature approval program 104 are stored in advance. The key depository computer 110 also has a user signature verification program 111 and a verification key 112.
(D ₁ '), signature acceptance confirmation program 113, registration key 1
14 (d ₂ ), the institutional signature generation program 115 is stored in advance. The document creation program 101 in the user computer 100 is for the user to create a document to be signed.

The user partial signature generation program 102 is
This is for generating a partial signature of a document using the private key d ₁ and sending the user partial signature-added document 121 to the key depository institution computer 110. The private key 103 is the private key d ₁ used by the user partial signature generation program 102 when generating the user partial signature. Only the user partial signature generation program 102 can access this private key d ₁ . This private key d ₁ is, in detail, the key depository computer 110.
It has a relationship with a registration key d ₂ that is registered in advance in the following equation (1). The signature approval program 104 cooperates with the signature acceptance confirmation program 113 of the key escrow computer 110 to confirm with the user that the user is really willing to sign the document 122.
Is to do.

On the other hand, the user signature confirmation program 111 in the key escrow computer 110 receives the document partially signed by the user computer 100, that is, the user partially signed document 121, and outputs the confirmation key 112 (d ₁ '). It is used to confirm whether the partial signature is correctly signed by the user. The confirmation key d ₁ ′ in this case has a relationship with the personal key 103 (d ₁ ) as shown in “Mathematical Expression 1” described later, and can be accessed only by the user signature confirmation program 111.

The signature acceptance confirmation program 113 cooperates with the signature approval program 104 of the user computer 100 to perform a procedure 122 for confirming to the user that he / she really wants to sign the document. The institutional signature generation program 115 uses the registration key d ₂ to generate a digital signature in the key depository, completes the final digital signature, and outputs the signed document 123 to the user computer 10.
It is for sending to 0. The registration key d _{2 in} this case can be accessed only by the institutional signature generation program 115.

The user-partial-signature-added document 121 is a partially-signed document (M) sent from the user-partial-signature generation program 102 to the user-signature confirmation program 111, and a partial digital signature alone is generally a formal digital signature. Can't confirm as. The confirmation procedure 122 is a procedure for confirming the digital signature of the user between the signature approval program 104 and the signature acceptance confirmation program 113.
The signed document 123 has a final digital signature attached to the document to be signed, and the digital signature can be confirmed by a method open to the public.

Here, the private key 103, the registration key 114, and the confirmation key 112 have a relationship as shown in the following "Formula 1". n = pq ed = 1 mod (p-1) (q-1) d = (d ₁ d ₂ ) mod (p-1) (q-1) d ₁ d ₁ '= 1 mod (p-1) ( q-1) ... (Equation 1) Here, p and q are sufficiently large prime numbers, e is a public key, and d is a signature key (secret key). These signature key d, public key e, personal key d ₁ , registration key d ₂ and confirmation key d ₁ 'are expressed in detail as follows, but for the sake of clarity, , D, e, d ₁ , d ₂ , d ₁ '. Signature key = (d, n) Public key = (e, n) Private key = (d ₁ , n) Registration key = (d ₂ , n) Confirmation key = (d ₁ ', n) The digital signature of the document 121 is M ^d1
Mod n, and the digital signature of the signed document 123 is (M ^d1 mod n) ^d2 mod n = M ^d mod n. As will be described later with reference to FIG. 2, the user computer 100 further prestores a key generation program 201 and a key registration program 204, and the key depository institution computer 110 prestores an institution key registration program 211. .

In FIG. 2, a user is a key depository computer 1
10 is an explanatory view showing a procedure of registering a confirmation key d ₁ 'and registration key d _2. In FIG. 2, 201 is a key generation program that operates on the user computer 100 and is a signature key.
(Private key) d, public key e, private key d ₁ , confirmation key d ₁ 'and registration key d ₂ are generated. A signing key (secret key) d 202 is generated by the key generating program 201. This signature key d
Corresponds to what is generally called a secret key in a public key algorithm. Reference numeral 203 is a public key e, which is generated by the key generation program 201. The digital signature generated with the signature key (private key) d can be confirmed with this public key e.

Reference numeral 204 denotes a key registration program that operates on the user computer 100. The public key e is used as a certificate authority (certificate authority computer) 221, and the registration key 114 (d ₂ ) and the confirmation key 112 (d ₁ ') are used as keys. Registration is made with the registration application 231 attached to the depository institution computer 110. 211 is the key depositor computer 110, the registration key 114 (d ₂ ) and the confirmation key 11
A key registration program for registering 2 (d ₁ '),
The public key e, the registration key d ₂ , the confirmation key d ₁ 'and the registration application form 231 are combined to confirm whether the key registration application is correct, and the registration process of the registration key d ₂ and the confirmation key d ₁ ' is performed. Reference numeral 203 denotes a public key e necessary for confirming the signature generated by the signature key (secret key) d. The method required for confirmation is open to the public.

FIG. 3 is a flow chart showing a process when the registration key d ₂ and the confirmation key d ₁ ′ are generated in the user computer 100 and registered in the key depository institution computer 110, where the RSA algorithm is used. The process of the registration procedure in this case will be described. After performing the process according to this flowchart, the entire registration procedure is completed by performing the procedure shown in FIG. First, in step 301, the key generation program 201 generates large prime numbers p and q. In the following step 302, the key generation program 201 obtains the public key e, n = p × q and e. Generally, e is “10001” in hexadecimal notation, but it is not limited to this. Furthermore, e modulo (p-1) (q-1)
Then, the reciprocal d of is obtained and used as the signature key (secret key) d. Then, for any number M, modulo n to the power of d, and then to the power of e, it becomes M. That is, ((M ^d mod n) ^e mod n) = M ^d × ^e
mod n = M ¹ . In digital signatures using the RSA algorithm, a certain procedure is performed on the document to be signed using a certain procedure.
Find M and ^let M ^d mod n be the digital signature. By using the public key e to raise the digital signature e to the power of n modulo M, that is, ((M ^d mod n) ^e mod n) = M
It will be a signature confirmation. Here, M ^d mod n on the left side is a digital signature, and M on the right side is the number M directly calculated from the document to be signed. Since the details are not directly related to the present invention, the description thereof will be omitted.

In the following step 303, the key generation program 201 causes d _{1 to} be d ₁ = d ₁ × d ₂ modulo (p-1) (q-1).
And d ₂ are obtained. Then, for any number M, ((M ^d1 mod
n) ^d2 mod n) = M ^d1 × ^d2 mod n = M ^d . Here, using d ₁ as the private key d ₁ and d ₂ as the registration key d ₂ , the number M is obtained from the document, M ^d1 mod n is calculated using the private key d ₁ , and this is the partial signature. Then, by using the registration key d ₂ to raise the partial signature to the power of d ₂ , ((M ^d1 modn) ^d2 mod n) = M ^d1 × ^d2 mod n = M ^d
It becomes mod n, and the same signature as the signature M ^d using the normal d can be obtained.

In the next step 304, the key generation program 201 causes the reciprocal of the private key d ₁ modulo (p-1) (q-1).
d ₁ 'is obtained and used as the confirmation key d ₁ '. Then, for any number M, ((M ^d1 mod n) ^{d1 '} mod n) = M ^d1 × ^d1' mod n = M, and it is possible to confirm whether M is correctly d ₁ -powered. In the following step 305, the key registration program 204
The public keys e and n are registered in the certificate authority 221. This registration method is outside the scope of the present invention and will not be described in detail.

In the following step 306, the key registration program 204 sends the registration application 231 signed by the confirmation key d ₁ 'and the registration keys d ₂ and d ₁ to the key depository institution computer 110. As a signature method, there is a method of using M ′ ^d1 mod n as a signature for the number M ′ calculated from the registration application 231, but the signature is not limited to this. In the registration application 231, in addition to the user name, the public key e, the registration key d ₂ , and the confirmation key d ₁ '
Certificate 221 and certificate authority 22 that have registered information and public key e
Includes information on the public key certificate issued by 1. The information is not limited to the key itself, but may be information such as the hash value of the key. Also, when sending the registration key d ₂ or confirmation key d ₁ ',
It is desirable to encrypt it so that it will not be leaked to a third party during transmission. Further, when the registration application 231 includes the key itself, it is desirable to encrypt the registration application 231 itself.

In the following step 307, the key registration program 204 causes the signature key (secret key) d, the registration key d ₂ and the confirmation key d.
To remove a ₁ 'from the user computer 100. Furthermore, the private key d ₁ is stored securely so that it cannot be used by others.
There are methods of storage such as storage in a smart card and encryption, but the details are omitted because they are outside the scope of the present invention.

FIG. 4 is a flow chart showing the registration process of the confirmation key and the registration key in the key depository institution computer 110. First, in step 401, the institution key registration program 211 receives the registration application 231 signed by the confirmation key d ₁ ′, the registration key d ₂ and the private key d ₁ transmitted by the key registration program 204. In the following step 402, the institution key registration program 211 extracts the public key e of the application user in the registration application 231 from the certificate authority 221.

In subsequent step 403, the institution key registration program 211 confirms the registration application form 231 received in step 401. As for the contents of confirmation,
_First , the signature M ′ ^d1 mod n of the application form 231 is confirmed with the confirmation key d ₁ ′. The confirmation method is ((M ' ^d1 mod n)
To confirm ^{d1 '} mod n) = M'. ^M'd1 mo on the left side
dn is the signature of the registration application 231, and M ′ on the right side is M ′ calculated from the received registration application 231. The second confirmation is (((M ' ^d1 mod n) ^d2 mod n)) ^e mod n) = M'. ^M'd1 mod n on the left side is the signature of registration application 231 and d
₂ is the registration key d ₂ , e is the public key e obtained in step 402, and M ′ on the right side is M ′ calculated from the received registration application 231. If either of the two verifications fails, the registration is cancelled. In subsequent step 404, the institution key registration program 211 securely stores the confirmation key d ₁ ′ and the registration key d ₂ , the confirmation key d ₁ ′ is only from the user signature confirmation program 111, and the registration key d ₂ is the institution signature. It is stored so that it can be accessed only by the generation program 115.

By the processes of FIGS. 3 and 4, the confirmation key d ₁ 'and the registration key d ₂ are transferred to the key depository computer 110.
The process of registering with is completed. FIG. 5 is a flowchart showing the overall processing procedure when a digital signature is applied to a document to be signed. First, in step 501, the document creation program 101 creates a signature target document according to a user's instruction. In the following step 502, the user partial signature generation program 102 partially signs the signature target document using the private key d ₁ . The method of partial signature is the same as the method described in step 306 of FIG. That is, the number M is calculated from the document and M ^d1 mod n is used as the partial signature.

In the following step 503, the user partial signature generation program 102 sends the user partial signature signed document 121 to the key depository computer 110. In this case, when sending, it may be encrypted. In the following step 504, the user signature confirmation program 111
Receives the partially signed document 121 of the user and confirms it with the confirmation key d ₁ '
Verify the signature using. That is, ((M ^d1 mod n) ^{d1 '} mo
Check dn) = M. Here, M ^d1 mod n on the left side is a partial signature attached to the user partial signed document 121,
d ₁ ′ is the confirmation key d ₁ ′, and M is the number calculated from the document 121.

In the following step 505, the signature acceptance confirmation program 113 cooperates with the signature approval program 104 and confirms whether the user desires a signature 122.
I do. The confirmation method will be described later. Continued Step 5
At 06, the institutional signature generation program 115 of the key depository institution computer 110 generates a signature using the registration key d ₂ . That is, the partial signature M ^d1 mod n is raised to the power d ₂ modulo n to obtain (M ^d1 mod n) ^d2 mod n, which is the document signature.
In the following step 507, the institution signature generation program 115 of the key depository institution computer 110 causes the signed document 1
23 is transmitted to the user computer 100.

Here, as the signature confirmation procedure 122 to the user in step 505, any one of the following methods can be adopted. (1) Call the registered user number from the key depository and confirm the content and signature. Phone number is registration application form 2
31 to the user partial signature-added document 121. Calling this number can be considered as confirmation of the person himself. The contents to be confirmed vary depending on the document. For example, in the case of a loan book, the lender and the amount of money will be included. There is also a method in which the content to be confirmed is attached to the user partial signed document 12 and the content is confirmed according to the attached content. (2) The signature acceptance confirmation program 113 is the key depositor We
b Post the document on the server and send the URL to the user computer 100 by e-mail. The user accesses and confirms the sent URL. At this time, it is important that the user confirms himself, but the following method may be used, for example. (2-1) Make the URL complicated so that it cannot be guessed by others, and send it by e-mail. It is desirable to additionally encrypt when sending. The identity is confirmed by receiving the email. (2-2) Use a password to restrict access to the pages containing documents to only the person himself / herself. This password may be applied by the user in the registration application form 231, or may be attached to the user partially signed document 121. In any case, it is desirable to encrypt the password so that it cannot be intercepted on the network. (3) Send a document or an outline or important part of the document from the key depository to the user's mobile phone, and when the user can confirm, call the designated number to confirm. There is a method of using the summary creating function of the word processing program for creating the outline. Further, there is a method of sending a keyword that specifies an important part sent together with the user partial signed document 121 and making a sentence including this keyword an important part. When the user confirms, call the specified number to confirm. For the confirmation, there is a method of confirming with a secret word described in the registration application 231 or a method of confirming with a personal identification number sent together with the document summary and important parts. The secret word may be confirmed by the operator of the key escrow agency, or it may be confirmed without the operator using voice recognition technology. The personal identification number can be confirmed without an operator by dialing the number. (4) The key depositor computer 110 sends a document and a random number to the user computer 100 by electronic mail, and the mail program used by the user sends back the random number for confirmation. This email should be encrypted.

(Second Embodiment) In the above-described embodiment, public keys e and n = p × q are determined for large prime numbers p and q, and the signature key (secret key) d is d = 1. / e mod (p-1) (q-1), and private key d ₁ , registration key d ₂ and confirmation key d ₁ 'are d ₁ × d ₂ mod
(p-1) (q-1) = d, d ₁ '= 1 / d ₁ mod (p-1) (q-1) is determined, but the following is also possible. That is, for large prime numbers p and q, the public key e and n = p × q are determined, the signature key (secret key) d is defined as d = 1 / e mod (p-1) (q-1),
In addition, the private key d ₁ , the registration key d _2, and the confirmation key d ₁ 'are d ₁ + d ₂ mod (p
1) (q-1) = d, d ₁ '= 1 / d ₁ mod (p-1) (q-1). Then, for any number M, M ^d1 × M ^d2 mod n = M
^{d1 + d2} mod n = M ^d , and (M ^d1
mod n) ^d2 mod n = M ^d1 × ^d2 mod n = M ^d can be similarly implemented by replacing the above part.

(Third Embodiment) In the above-described first embodiment, the confirmation key d ₁ 'is used to confirm the registration application 231 and the partial user name document 121. key
Even if d ₁ 'is not present, confirmation can be performed using the registration key d ₂ and the public key e. That is, in the first embodiment, it is confirmed by using the fact that (M ^d1 mod n) ^{d1 ′} mod n = M holds for an arbitrary number M, but ((M ^d1 mod n) ^d2 mod n) ^e mo
This is confirmed using dn = M ^d1 × ^d2 × ^e mod n = M. Then, the same operation can be performed without generating or registering the confirmation key d ₁ '. This is the same in the second embodiment.

(Fourth Embodiment) In the above-described first to third embodiments, a procedure is adopted in which the user computer 100 first makes a partial signature and then the key escrow computer 110 makes a signature. However, by reversing this order, the user computer 100 first generates a document to be signed, and then sends the document to the key escrow computer 110, and the key escrow computer 110 confirms the user's intention to sign. Then, a partial signature is made with the registration key d ₂ , the partial signed document is sent to the user computer 100, the user confirms the contents, and then the signature is made with the personal key d ₁ . This is technically possible because (M ^d2 mod n) ^d1 mod n = M ^d2 × ^d1 m
a od n = M ^d, also ^{M d2 × M d1 modn = M} d2 + d1 mod n =
It is clear from M ^d .

(Fifth Embodiment) In the embodiments described above, the digital signature using the RSA algorithm has been described, but an algorithm based on the discrete logarithm problem such as the DSA signature is also applied to the present application. The same is possible by applying the open-loop signature method described in Japanese Patent Application No. 2000-297373 filed by a person.

(Sixth Embodiment) In the above embodiments, the number of registration keys d ₂ is one, but the number of registration keys d ₂ is
The number may be N-1 (N-1 ≧ 2). That is, d in the above embodiment is d = (Π
d _i ) mod (p-1) (q-1) (where 1 ≦ i ≦ N), or d =
Divide d into N so that (Σd _i ) mod (p-1) (q-1) (where 1 ≦ i ≦ N). In this way, ((… ((M ^d1 mo
dn) ^d2 mod n)…) ^dN mod n) = MΠ ^di modn = M ^d , and
Since M ^d1 mod n × ... × M ^dN mod n = M Σ ^di mod n = M ^d , the signature can be completed by the following method. The user computer 100 stores d ₁ as a private key d ₁ , and the key depository computer Pi (2 ≦ i ≦ N) stores one different d _i (2 ≦ i ≦ N) as a registration key d _i. To do. After doing this, first, the user computer 1
After partial signing with the private key d ₁ at 00, each key depositing authority Pi completes the signature by adding additional partial signatures with the registration key d _i stored by itself. As can be seen from the above formula, the order of partial signatures performed by each key escrow authority Pi may be different each time, or may be the same. The point is that it is clear that all parties (users and N-1 key escrow institutions) need to make partial signatures.

[0033]

As described above, according to the present invention, the signature key (secret key) d is at least the private key d ₁ stored and used by the user and the registration key d ₂ stored by the key depository institution. The formal signature cannot be generated unless it is divided into two and all the divided keys are used. Therefore, even if the user's computer is invaded by a computer virus or is illegally accessed and the private key d ₁ is stolen, the formal signature cannot be completed, the forgery of the digital signature is prevented, and the security is improved. You can Further, even if there is something that acts fraudulently inside the key escrow organization, it is impossible to generate a formal signature if the user does not partially sign the private key d ₁ . Therefore, the security of the digital signature can be improved.

[Brief description of drawings]

FIG. 1 is a system configuration diagram showing a first embodiment of the present invention.

[Fig. 2] User confirms key d ₁ 'on the key depository computer
FIG. 6 is an explanatory diagram showing a procedure for registering a registration key d ₂ and a registration key d ₂ .

[Fig. 3] Registration key d ₂ and confirmation key on the user computer
11 is a flowchart showing a process for generating d ₁ 'and registering it in the key escrow computer.

FIG. 4 is a flowchart showing registration processing of a confirmation key and a registration key in the key depository computer.

FIG. 5 is a flowchart showing an entire processing procedure when a document to be signed is digitally signed.

[Explanation of symbols]

100 ... User computer, 101 ... Document creation program, 102 ... User partial signature generation program, 103
... personal key, 104 ... signature approval program, 110 ... key depository computer, 111 ... user signature confirmation program, 112 ... confirmation key, 113 ... signature acceptance confirmation program, 114 ... registration key, 115 ... institutional signature generation program, 201 ... key generation program, 204 ... key registration program, 211 ... institution key registration program.

Claims (6)

[Claims] 1. A signature key d is divided into N pieces (n is an integer of N ≧ 2) of d ₁ , ..., D _N , and one is stored as a private key d _{1 by the} signer himself, and the remaining N−1 pieces. The private key d _i (2 ≤ i ≤ N) is stored as a registered key d _{i in} N-1 key depository institutions Pi (2 ≤ i ≤ N), and the signer and the key A method for digitally signing a digital signature in cooperation with a depository institution Pi, which comprises a step of partially signing target data using the personal key d ₁ in a computer of the signer himself and sending it to the key depositary institution Pi. , At the key depository institution Pi that has received the partially signed target data, further uses the registered key d _i stored by the institution to further partially sign the received partial signature, and then the signer's own computer or another A step of sending to the key depository Pi. Digital signature method. 2. The signature key d is divided into N pieces (n is an integer of N ≧ 2) of d ₁ , ..., D _N , and one is stored by the signer himself as a private key d ₁ and the rest is N−1 pieces. The private key d _i (2 ≤ i ≤ N) is stored as a registered key d _{i in} N-1 key depository institutions Pi (2 ≤ i ≤ N), and the signer and the key A digital signature method in which a digital signature is made in cooperation with a depository institution Pi, the step of sending target data from a computer of the signer to the key depositary institution Pi and the key depositary institution Pi receiving the target data. A digital signature method, comprising the step of partially signing the target data using the registration key d _i stored by the institution and sending it to the signer's own computer or another key depository institution Pi. 3. In the key method of the RSA algorithm,
Claiming that the signature key d is divided so that the sum of the private key d ₁ and the registration keys d ₂ , ..., D _N is equal to the signature key d modulo (p-1) (q-1) The digital signature method according to Item 1 or 2. 4. The key method of the RSA algorithm,
Claiming that the signature key d is divided so that the product of the private key d ₁ and the registration keys d ₂ , ..., d _N is modulo (p-1) (q-1) equal to the signature key d. The digital signature method according to Item 1 or 2. 5. The digital signature method according to claim 1, wherein the number of divisions N of the signature key is 2. 6. d ₁ · d ₁ '= ₁ mod (p-1) (q-1) (where p, q
The digital signature method according to any one of claims 1 to 5, characterized in that the confirmation key d ₁ 'which is a large prime number) is stored in the key escrow authority Pi.