JP2003309556A - Signature creation method and signature verification method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a signature creating method and a signature verification method in which a discrete logarithm type public key and a unidirectional substitution type public key are mixed. <P>SOLUTION: These signature creation method and signature verification method allow to create a proper 1-out-of-n signature by discriminating whether it is a discrete logarithm type public key or a unidirectional substitution type public key via a public key discriminating means even if they are mixed, and applying the transaction corresponding to the discriminated classification to the public key in question without limiting the classification of public keys to discrete logarithm types or unidirectional substitution types. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to a signature generation method,
The present invention also relates to a signature verification method, and particularly to a signature generation method and a signature verification method in which both types are mixed without limiting the type of public key to either the discrete logarithmic type or the one-way permutation type.

[0002]

2. Description of the Related Art A conventional example will be described with reference to the drawings. First
As a conventional technique, 1-out-of-n discrete logarithm by Cramer et al.
Proofs of Partial Knowledge and S
implified Design of Witness Hiding Proofs "Cry
pto'94, LNCS839, pp.174-187, Springer-Verlag, 1994)
explain about. p_i, Q_iBe large prime numbers,
q_iIs p_iShall be divisible. g_i P_iOrder q_iof
The source of the subgroup. x_i∈ Z_qiThe secret key, y_i= G_i
^xi mod p_iG_i, Q_i, P_iTogether with the public key.

N public keys (y _j , g _j , q _j , p _j ), j
The signer who knows the corresponding private key x _i with respect to a certain y _i in = 0, ..., N−1 generates a signature for the document m by the following procedure. Let l (lowercase letter of L) represent the number of bits of the largest one of q _j of n, and let H be a hash function having an output range of 1 bit. We will write β ← α as the act of randomly selecting one element β from the set α. 1. Repeat the following for j ≠ i up to j = 0, ..., n-1. (A) s _j ← Z _qj (b) c _j ← {0,1} ^l (c) z _j : = g _j ^sj y _j ^cj mod p _j 2.r _i ← Z _qi 3.z _i : = g _i ^ri mod p _i 4.c _{k + 1} = H _{k + 1} (z ₀ ‖z ₂ ‖ ・ ・ ・ ‖z _n-1 ‖m) 5.c _i = c (XOR) c ₀ (XOR) ・ ・ ・ ( XOR) c _i-1 (XOR) c _{i + 1} (XO
_{R) ··· c n 6.s i:} = r i -c i · x i mod q i 7. (c 0, s 0, c 1, s 1, ···, c n-1, s n _-1 ) is output.

The signature (c ₀ , s ₀ , c ₁ , s ₁ , ...
···, C _n-1 , s _n-1 ) is recognized as a correct signature when the following formula is satisfied. c ₀ (XOR) ... (XOR) c _n-1 = H (g ₀ ^s0 y ₀ ^c0 mod p ₀ ‖ ・ ・ ・ ・ ・ ・ ‖g _n-1 ^sn-1 y
_n-1 ^cn-1 mod p _n-1 ) However, (XOR) represents an exclusive OR for each bit. According to the above conventional example, the signature receiver cannot distinguish which public key the signer holds the private key. Therefore, if a signature is generated by the above method based on the public key of another person and the public key of the signer himself, which is independently generated, the verifier cannot judge who generated the signature. The privacy of the group is protected and the signature is generated as a representative of the group.

As a second conventional technique having similar characteristics, a Ring type signature (How to L by Rivest, Shamir, Tauman is used.
eak a Secret.Asiacrypt 2001, LNCS 2248, pp552-565,
Springer-Verlag, 2001). One-way permutation function with trapdoor having an input / output area of {0,1} ^l is g ₀ , ..., g
_n-1 . l is a sufficiently large numerical value, for example, about 1024. Let H be a hash function, E and D be a common key encryption encryption function and a decryption function, respectively, and let (XOR) be an exclusive OR for each bit. Signer P _i holds a trapdoor information for g _i (secret key), which shall be able to calculate the g _i ^-1.

The signature for the document m is generated by the following procedure. 1. K: = H (m) 2. Generate a 2-bit random number z ₀ . 3. Repeat the following until j = 0, ..., i-1. (A) Generate an l-bit random number r _j . _{(B) y j: = g} j (r j) (c) z j ': = z j (XOR) y j (d) z j + 1: = E k (z j') 4.z 'n- ₁ = D _k (z ₀ ) 5. Repeat the following until j = n−1, ..., I + 1. (A) Generate an l-bit random number r _j . (B) y _j : = g _j (r _j ) (c) z _j : = z _j ′ (XOR) y _j (d) z ′ _j-1 = D _k (z _j ) 6.y _i : = z _i (XOR) z _i ′ 7.r _i : = g _i ^-1 (y _i ) 8. (z ₀ , r ₀ , r ₁ , ..., R _n-1 ) is output.

A signature (z ₀ , r ₀ , r ₁ , ..., R on document m
_n-1 ) is verified by the following procedure. 1. K: = H (m) 2. The following is repeated until j = 0, ..., N-1. _{(A) y j: = g} j (r j) (b) z j ': = z j (XOR) y j (c) z j + 1: = E k (z j') 3.z n = z Pass if ₀ .

[0008]

Since each of the above-mentioned conventional examples is intended only for a set of discrete logarithm type keys such as Schnorr signature or a set of one-way permutation type keys such as RSA, In general, a signature cannot be constructed for a key set in which these different types of keys are mixed. The present invention provides a signature generation method capable of performing a 1-out-of n type signature on a general key set that can include keys of any form of the discrete logarithm problem and one-way permutation. Is provided.

[0009]

[Means for Solving the Problems] Let G _j be a commutative group and its order be q _j . G _j (x) has an index x ∈ Z _qj
Let G _j be an element such that Also, G _j (x)
Shall also represent the act of computing such an element from x. Let y _j = G _j (x _j ), let y _j and G _j be public keys, and x _j be private keys. For the commutative group G _j , the following x _j
A zero-knowledge proof of the knowledge of can be constructed. 1. The prover selects a random index w from Z _qj and sends z _j : = G _j (w) to the verifier. 2. The verifier selects a random challenge c _j from Z _qj and sends it to the prover. 3. The prover submits the answer s _{j according} to the answer calculation formula F _{j as} s _j = F _j
Calculate (w, c, x _j , G _j ) and send it to the verifier. 4. verifier for verification value calculation formula _{R j z j = R j (} s,
c, y _j , G _j ) is checked, and if it is satisfied, it is accepted, otherwise it is rejected.

Let f _{j be} a trapezoidal one-way permutation function, and its input / output area be G _j . Let f _j ^{-1 be} the inverse calculation of f _j . That is, for all x ∈ G _j , f _j ^-1 (f
_j (x)) = x holds. G _j is at least a ring, and the binary operations a (+) _j b and a (-) _j b are G _j respectively.
Let us denote the result of the addition and subtraction a + b and a−b above, and a
‖B represents a bit combination of a and b. Let f _j be the public key,
Let f _j ^-1 be the private key. Let L be a list of public keys containing a total of n public keys (y _j , G _j ) and (f _j , G _j ). How many each of them is included is arbitrary. In the list L, there are 0th to (n-1) th public keys.
The symbol L [j] represents the symbol D or T. When L [k] = D, the j-th public key in the list L is a discrete logarithm type y _j.
And L [k] = T indicates that the j-th public key in the list L is a one-way permutation type f _j . Let H _j be a one-way hash function and L
For j such that [k] = D, the output range is Z _qj , and L
For j such that [k] = T, the output range is G _j .

A signer who knows the secret key corresponding to a certain k-th public key among the n public keys included in L generates a signature for the document m by the following procedure. Where _u ∈ _U v
Means to randomly select an element from the set v and call the selected element u. Also, all subscripts are mo
Let dn be taken. That is, when j + 1 becomes n, it is regarded as 0. Step1 L [k] = time _{D: α∈ U Z qk, β} = G
_{When k} (α) L [k] = T: Let β ∈ _U G _k, and calculate c _{k + 1} = H _{k + 1} (L ∥m ∥β). Step2 The following is repeated until j = k + 1, ..., n-1,0, ..., k-1. L [j] = time _{D: s j ∈ U Z qj} , z j = R j (s j, c j,
y _j , G _j ) L [j] = T: s _j ∈ _U G _j , z _j = c _j (+) _j f _j (s
_j ) and calculate c _{j + 1} = H _{j + 1} (L / _{m /} z _z ). Step3 Calculate the following. When L [j] = D: s _k = F (α, c _k , x _k , G _k ) When L [j] = T: s _k = f _k ^-1 (β-c _k ) Step 4 Signature ( Output c ₀ , s ₀ , s ₁ , ..., s _n-1 ).

The signature (c ₀ , s ₀ , s ₁ , ..., S for document m
_n-1 ) is verified by the following procedure. Step1 The following is repeated until j = 0, ..., n-1. L [j] = time _{D: z j = R j (} s j, c j, y j, G j) When L [j] = T: z j = c j (+) j f j (s j ) C _{j + 1} : = H _{j + 1} (L / _{m /} z _z ) is calculated. Step2 If c _n = c _0, it is regarded as a valid signature. As described above, when the post-stage challenge c _{j + 1} is calculated from the pre-stage output value z _j , the post-stage challenge c _{j + 1} is calculated by a hash function having an appropriate output range as the post-stage challenge. Regardless of whether the key is discrete logarithmic or one-way function type, an appropriately sized challenge can be generated.

[0013]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the examples of the drawings. To explain the signature generation procedure of the present invention with reference to FIG. 1, public key type initialization means 1
1, a public key type chain processing unit 12, a public key type ring joining unit 13, a loop control unit 14 including a loop variable initialization unit 141, a loop variable updating unit 142, and a loop end determination unit 143. Perform signature generation. Referring to FIG. 2, the public key type initialization means 11
Public key discrimination means 111 and random number generation means 112, 11
2 ', group element calculation means 113, and hash means 114
With.

Referring to FIG. 3, the public key type chain processing means 12 is a public key discriminating means 121 and a random number generating means 12.
2, 122 ′, verification value calculation means 123, unidirectional replacement calculation means 124, addition / subtraction means 125, and hash means 126. Referring to FIG. 4, the public key type ring joining unit 13 includes a public key determination unit 131, a reply calculation unit 132, an addition / subtraction unit 133, and a one-way permutation back calculation unit 134. To explain the signature verification procedure of the present invention with reference to FIG. 5, the public key type chain processing means 12, the comparison means 15, and the loop variable initialization means 14 of FIG.
1, loop variable updating means 142, loop end judging means 1
And a loop control means 14 composed of 43 to perform signature verification.

(Explanation of Structure) As a group forming a discrete logarithm
, P_i A multiplicative group Z whose prime number is_piWith a trapdoor
Implementation when using RSA function as one-way permutation function
An example will be described. p_i, Q_iLet q be a large prime number and q
_iIs p_iShall be divisible. g_i P_iOrder q_iPart of
The source of the subgroup. x_i∈ Z_qiThe secret key, y_i= G_i ^xi
mod p_iG_i, Q_i, P_iTogether with the public key. (E_j,
N_j) Is the public key of RSA encryption, d_jIs the private key. Immediately
Then, all α ∈ Z^* _NjAgainst (α^ej)^dj mod
N_j= Α holds.

(Description of Operation) The operation of the signature generation procedure will be described with reference to FIG. FIG. 6 is a diagram corresponding to FIG. 1 described above, and FIGS. 7, 8, and 9 in FIG.
It is a figure corresponding to FIG. 3 and FIG. As an input, a list L including n public keys, a private key corresponding to a certain public key, and a document m to be signed are obtained. The types of public keys are represented by D and T, which represent the discrete logarithmic type and the one-way permutation type, respectively. Let the type of the j-th public key in list L be L [j]
Express. It is assumed that the public key corresponding to the input secret key is included in the kth list L. The secret key is x _k when L [k] = D, and d _k when L [k] = T
Is. For the input, first, the public key type initialization procedure shown in FIG. 7 is executed. Next, the loop variable initialization means 14
Sets the loop variable j to k + 1 (mod n). Next, the public key type chain processing procedure shown in FIG. 8 is executed, and j is replaced by j + 1 (mod
n) and the loop end determining means determines whether j is equal to k. If they are not equal, the procedure returns to the execution of the public key type chain processing procedure.
Execute the public key type ring joining procedure shown in, output the signature, and stop.

The procedure will be specifically described below with reference to FIGS. 7 to 9. In the public key type initialization procedure of FIG. 7, L, m, and k are input, and first, the public key determination means 111 determines whether the public key corresponding to the input private key is D or T. In the case of D, the random number generation means 112 randomly selects w from Z _qk , and the group element calculation means 11
Z _k = g _k ^w Calculate mod p _k . If T, then by the random number generation unit 112 ', choose z _k at random from Z ^* _Nk. The obtained z _k is hashed together with L and m by the hash means 114, and the result is set as c _{k + 1} .
In the public key type chain processing procedure of FIG. 8, L, m, j, and c _j are input, and first, the public key discrimination means 121
It is determined whether the j-th public key in the list L to be processed is D or T. In the case of D randomly selects s _j from Z _qj by the random number generation unit 122, the verification value calculation unit ^{_{123 z j = g j sj y}} j c j mod p _j
To calculate. In the case of T, the random number generating means 122 ′ randomly selects s _j from Z ^* _Nj , inputs this to the one-way permutation calculating means 124, and y _j = s _j ^ej mod N _j is calculated, and y _j , c _j , and N _j are input to the addition / subtraction means 125 to calculate z _j = y _j + c _j mod N _j . Obtained z
Hash _j with L and m by the hash means 126, and let the result be c _{j + 1} .

In the public key type ring joining means of FIG. 9,
L, c _k , k are input, and w and secret key x _k are input when the public key corresponding to the input secret key is D, and z _k and secret key d _k are input when T is T. To do. First, the public key determination means 131 determines whether the public key corresponding to the input private key is D or T. In the case of D computes _{s k = w-c k x} k mod p k by Answer calculating means 132. In the case of T, y _k = z _k − by the addition / subtraction means 133.
One-way permutation back calculation means 1 for calculating c _k mod N _k
Input y _k , d _k , and N _k to 34 and input s _k = y _k ^dk mod N _k
To calculate. By the above means, the 1-out-of-n signature by the public key in the list L for the document m can be obtained.

Next, the operation of the signature verification procedure will be described with reference to FIG. FIG. 10 is a diagram corresponding to FIG. Document m, public key list L, signature (c ₀ , s ₀ , s ₁ , ...,
s _n-1 ) as an input. First, the loop variable initialization means 1
41 to set j = 0. Next, according to the public key type chain processing procedure of FIG. 8, c ₁ , ... Are calculated in sequence. The last c _{j + 1} is output as c _n , and is input to the comparing means 15 together with c ₀ . If c _n and c ₀ match, the signature is passed, otherwise it is rejected.

[0020]

As described above, according to the present invention, the type of public key that can be used for the 1-out-of-n signature is limited to the discrete logarithmic type or the one-way permutation type. Even if both are mixed, it is determined through the public key determination means whether they are a discrete logarithmic type public key or a one-way permutation type public key, and they correspond to the determined type. The public key can be processed to generate an appropriate 1-out-of-n signature and the signature of the signature made can be verified. When the post-stage challenge c _{j + 1} is calculated from the pre-stage output value z _j , the public key used in the post-stage is discretely calculated by compressing the hash value having an appropriate output range as the post-stage challenge. An appropriately sized challenge can be generated regardless of whether it is logarithmic or one-way function type.

[Brief description of drawings]

FIG. 1 is a diagram showing an embodiment of a signature means.

FIG. 2 is a diagram showing public key type initialization means.

FIG. 3 is a diagram showing public key type chain processing means.

FIG. 4 is a diagram showing public key type ring joining means.

FIG. 5 is a diagram showing an example of a signature verification procedure.

FIG. 6 is a flowchart of a signature procedure according to the embodiment.

FIG. 7 is a flowchart of a public key type initialization procedure in the signature procedure of the embodiment.

FIG. 8 is a flowchart of a public key type chain processing procedure in the signature procedure of the embodiment.

FIG. 9 is a flowchart of a public key type ring joining procedure in the signature procedure of the embodiment.

FIG. 10 is a flowchart of a signature verification procedure according to the embodiment.

[Explanation of symbols]

11 public key type initialization means 111 public key discrimination means 112, 112 'random number generation means 113 group element calculation means 114 hash means 12 public key type chain processing means 121 public key discrimination means 122, 122' random number generation means 123 verification value calculation Means 124 One-way permutation calculation means 125 Addition / subtraction means 126 Hashing means 13 Public key type ring joining means 131 Public key discrimination means 132 Answer calculation means 133 Addition / subtraction means 134 One-way permutation inverse calculation means 14 Loop control means 141 Loop variable initialization Means 142 loop variable updating means 143 loop end judging means 15 comparing means

Claims (2)

[Claims] 1. G_jThe order q_jX is a commutative group of_qj 
Against G_j(X) is a G whose index is x_j
Of the secret key x_jAgainst y_j= G
_j(X_j) Become y_jAnd G_jLet f be a discrete logarithmic public key_j
A certain ring G_jThe one-way permutation function with trapdoor above
And f_j ^-1F_jF is the reverse calculation of_jBe a public key, and f_j ^-1
Be a one-way permutation type secret key, Let L be the public key (y_j, G_j) Or (f_j, G_j) Total n
The list of public keys to include, and one of the
Signature on document m using private key corresponding to public key
In the signature generation method that generates Each G in the discrete logarithmic public key_jIs y_jAgainst 1. The prover sets a random index w to Z_qj Choose from
And z_j: = G_jSend (w) to the verifier, 2. The verifier is a random challenge c_jZ_qjChoose from
Then, send it to the prover, 3. The prover answers s_jAnswer calculation formula s_j= F (w, x_j, c_j,
q_j ) And send it to the verifier, 4. The verifier is the verification value calculation formula R_j Against z_j= R
_j(Y_j, s_j, c_j, G_j) Holds, and holds
If three, then accept, otherwise refuse.
Assuming that there is a zero knowledge proof, Binary operation a (+)_jb and a (-)_jb is G_j Adjustment
Let us denote the result of the calculation a + b and a−b, and a‖b is a
b bit combination operation of b, H_j Let be a one-way hash function, and publish the j-th in L
If the key is a discrete logarithmic type, the output range is Z_qj And on the other hand
In the case of the directional substitution type, the output range is G_jAnd Included in signature target document m, public key list L, and l
K public key out of n public keys
The open key corresponds to the 0th to (n-1) th public keys.
Enter the corresponding private key, Determine whether the public key in the list is a discrete logarithmic type or a one-way permutation type
Separate public key discrimination means, random number generation means, group element calculation
Means, one-way permutation calculation means, and one-way permutation inverse calculator
Dan, addition / subtraction means, verification value calculation means, response calculation means
And hashing means, Loop variable initialization means, loop variable updating means, loop end
A loop control means including a completion determination means, Step1 ・ Lth k (However, the public key in the list is the th
0 to n-1) public keys of the discrete logarithm type
When the random number generation means Z_qkSelect α from and calculate group element
Β = G by means_k(Α) is calculated, G when the k-th public key of L is a one-way permutation type_kOut of order
Choose the number β and use c_{k + 1}= H_{k + 1}(L | m
‖Β) calculation step, Step2 For j = k + 1, ..., n-1,0, ...., k-1
hand,· Random number generation means when the j-th public key of L is a discrete logarithm type
By s_j∈ Z _qjIs generated and z is generated by the verification value calculation means._j=
R_j(S_j, c_j, y_j, G_j) Is calculated, Random number generation when the j-th public key of L is a one-way permutation type
By means of s_j∈ G_j Is generated, and z is added by the addition / subtraction means._j=
c_j(+)_jf_j(S_j) Is calculated and c is obtained by hash means.
_{j + 1 mod n}: = H_{j + 1 mod n}(L‖m‖z_j ) Is calculated
Steps, Step3 ・ Answer when the kth public key of L is a discrete logarithm type
S by calculation means_k= F_k(Α, c_k, x_k, G_k) Is calculated, One-way if the k-th public key of L is a one-way permutation type
S by substitution back calculation means_k= F_k ^-1(Β (-)_kc_k) Is calculated
Step, Step4 ・ Signature (c₀, s₀, s₁, ......, s_n-1) Is output
A signature generation method comprising the steps of: 2. The signature generation method according to claim 1.
Generated document m, public key list L signature (c
₀, s₀, s₁, ......, s_n-1) To the signature verification method
And Public key discrimination means, one-way permutation calculation means, addition and subtraction
Stage, verification value calculation means, hash means, Loop variable initialization means, loop variable updating means, loop end
A loop control means including a completion determination means, Step1 Set j = 0 by the loop variable initialization means, and
By the variable updating means and the loop end judging means, j =
For 0, ....., n-1, When the jth public key of L is a discrete logarithm type, a verification value calculator
Z depending on the step_j= R _j(S_j, c_j, y_j, G_j) Is calculated, One-way if the j-th public key of L is a one-way permutation type
F by the function calculation means_j(S_j) Is calculated and added / subtracted
More z_j= C_j(+)_jf_j(S_j) Is calculated and hashed
More c_{j + 1}= H_{j + 1 mod n}(L‖m‖z_j ) Is calculated sequentially
The steps to repeat the procedure Step2 c_n, And c₀Are compared by a comparison means, and these are
If equal, pass signature, otherwise fail
The signature verification method characterized by comprising
Law.