JP2005184134A - Electronic signature method, program, and device thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an electronic signature method for confirming whether a message is electronically signed by an entity of at least a threshold in a group by the size of a relatively small public key. <P>SOLUTION: A center opens a set including J pieces of two sets of pairs to the public. The entity selects one of the two sets of pairs for J times, one of the pairs is set to an encryption key, the other is set to a decryption key, and the product of J encryption keys and that of J decryption keys are obtained. The center obtains the product of the encryption keys and the decryption keys over the entire entity and opens its reciprocal Γ<SP>-1</SP>to the public. When the message (m) is electronically signed, encryption is made by the encryption key for each entity and the Γ<SP>-1</SP>, the decryption key of the entity participating in the electronic signature is used, and the product of the encryption key and decryption key of the entity that does not participates in the electronic signature is estimated for decryption. When decryption is successful within the prescribed number of trials, it is considered that the entity of the threshold or higher has performed the electronic signature. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an electronic signature.

  Non-Patent Documents 1 and 2 disclose threshold encryption. This cipher is used, for example, to conceal a secret key, and a large secret key is decomposed into a number of distributed keys, and these are stored separately, for example. The original secret key cannot be reproduced with a number of distributed keys equal to or less than the threshold, the amount of information obtained with respect to the original secret key can be substantially reduced to zero, and the original secret key can be reproduced with a distributed key equal to or greater than the threshold. You can

A special form of modulus n by the inventors for the RSA cipher, ie, n = 10 ^a -b (a and b are positive integers)
A method of using is proposed (Non-Patent Documents 3 and 4). This realizes the following in the RSA encryption.
(1) High speed is possible.
(2) The public key size can be reduced.
(3) When using for signature, it is not necessary as a practical problem to consider the size relationship of the laws used mutually.
Here n, the size of a and b | n | ~ 1000 bits, a = 160, | b | assumed to 160 bits.
Y. Desmet, and Y. Frankel: "Theshold Cryptosystems", Crypto '89 (LNCS 435) 1988, pp.307-315. T.Pedersen: "A theshold cryptosystems without a trusted party", EuroCrypt'91, 1991, pp.522-526 Kenji Satake, Masao Kasahara; “A simple RSA cryptosystem using high-speed modular exponentiation”, IEICE Transactions 1996.3 Yuki Tsutsui and Masao Kasahara: "A Study on High-Speed Power Residue Operations in RSA Cryptography", Information Theory and Its Application Symposium, Dec. 1997, pp.529-532

  A basic object of the present invention is to provide a new electronic signature method, a program thereof, and an electronic signature device that can confirm that an entity having a threshold value or more has joined a signature.

The present invention provides an electronic signature method in which an electronic signature is encrypted by encrypting a message with a first secret key, and the electronic signature is confirmed by decrypting the message with a second key.
For the entity (number of entities N), the center discloses J-dimensional data with multiple options for each dimension as secret key candidates,
Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data,
The center obtains a function Γ of the secret key (number N of secret keys) of the entity, and transmits an inverse element Γ ⁻¹ of Γ related to a predetermined operation to the entity.
When K out of N entities sign a message m, the message m is digitally signed by encrypting the inverse element Γ ⁻¹ and a total of K private keys of each signing entity, and
In addition, for the encrypted message m, the secret keys of the NK entities remaining under a predetermined constraint are estimated, and the encrypted message is decrypted. It is characterized by confirming that the electronic signature is signed.

  Preferably, each of the J-dimensional options in the secret key candidate is composed of at least a pair of data, and one of the J pairs of data is selected for each pair to form a secret key for electronic signature. By constructing a key for electronic signature verification from the other of each pair of data and making the function Γ symmetric with respect to the exchange of the pair of data, the entity can change J without changing Γ. By changing the selection from the paired data, the private key for electronic signature and the key for confirmation can be changed freely, and both the private key and the confirmation key for entities that did not participate in the electronic signature at the time of decryption Is estimated.

Preferably, a plurality of centers A and B are provided, and the secret key candidates SA and SB and the inverse elements ΓA ⁻¹ and ΓB ⁻¹ are disclosed to entities for each center. The entity stores the key, and the entity performs a first-stage electronic signature on the message m with the inverse element ΓA ⁻¹ for the center A and the private key for the center A, and the inverse element ΓB ⁻ for the center B. ¹ and a second-stage electronic signature with a secret key for center A, and for a digitally signed message, a secret key for center A and a secret key for center B for an entity that did not perform the electronic signature Is estimated under a predetermined constraint, and the electronic signature is confirmed by decrypting the message m.

Preferably, a plurality of groups A and B each consisting of an entity and a center are provided, and public keys EA and EB on a group basis are disclosed, and the inverse element in each group is assigned to each entity in the group. In the group A, for the message m to be digitally signed, the private key of the entity participating in the signature, the inverse element in the group A, The private key of the entity that did not participate in the electronic signature is encrypted under a predetermined constraint and the public key in group B, and is sent to group B after being encrypted in a total of two stages. Using the secret key of the entity that participates in the decryption of the ciphertext, the secret key of the entity that did not participate in the decryption under a predetermined constraint is estimated, and one-stage decryption is performed. The message m, which is decrypted with the participation of entities greater than the threshold of the group B, joins the message m digitally signed by the entities greater than or equal to the threshold of the group B. Confirm. Here, for example, in the decryption in the group B, the secret key of the entity participating in the decryption of the received ciphertext and the inverse element in the group B may be used, or the public key of the group B in the group A may be used. When encryption is performed, the inverse element of the inverse element Γ ^{−1 in} the group B, that is, the function Γ in the group B may be used.

  Preferably, the set of the entire entity is divided into a plurality of small groups, and the original message m is converted into a plurality of partial messages by a secret sharing method, and each partial message reflects some information of the original message m, In addition, at least one partial message is transmitted to each small group so that the original message m can be reproduced by a predetermined number or more of partial messages, and the partial messages digitally signed by entities that are equal to or greater than the threshold in the small group are collected. Depending on whether or not the predetermined number of partial messages have been digitally signed, it is determined whether or not a predetermined percentage or more of the entities have been digitally signed. Note that the type of secret sharing method is arbitrary.

  Particularly preferably, the secret sharing method uses a Chinese remainder theorem, the original message m is a polynomial m (X) of the g term, and the polynomial m (X) is a value αi for each small group Gi as the partial message. Using the evaluated value m (αi), and when the electronically signed evaluation value m (αi) is g or more, the Chinese message is decrypted using the Chinese remainder theorem, and the entities exceeding the predetermined ratio Confirm that has been digitally signed.

In the electronic signature program for the center of the present invention, the center discloses to the entity (number of entities N) a secret key candidate that has a plurality of options for each dimension in the J dimension data, Each entity selects one of the options for each dimension from the candidates, and configures and stores a secret key with the selected J pieces of data, and the center stores the secret key of the entity (the number of secret keys). N), the function Γ of N) is obtained, and the inverse element Γ ⁻¹ of Γ related to a predetermined operation is transmitted to the entity. When the entity K in N signs the message m, the inverse element Γ ⁻¹ and the signature The message m is digitally signed by encrypting the message m with a total of K secret keys of each entity to be processed, and the encrypted message m is subjected to N−K entity remaining under a predetermined constraint. Estimate the secret key By decrypting the encrypted message, the number of entities than the threshold value is a program for the electronic signature method so as to confirm that the electronic signature to the message m,
A command for transmitting to the entity a secret key candidate having J-dimensional data having multiple options for each dimension;
Instructions for secretly receiving information regarding the selection of a secret key from each entity;
An instruction for obtaining a function Γ of the whole secret key of the entity from the received information on the secret key and transmitting an inverse element Γ ⁻¹ of Γ related to a predetermined operation to each entity; Features.

In the electronic signature program for an entity of the present invention, the center discloses to the entity (number of entities N) J-dimensional data as a secret key candidate that has a plurality of options for each dimension. , Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key from the selected J pieces of data, and the center stores a function Γ of the entity's secret key. Finding an inverse element Γ ⁻¹ of Γ related to a predetermined operation to an entity, and if K entities in N sign a message m, the sum of the inverse element Γ ⁻¹ and each entity to sign The message m is digitally signed by encrypting the message m with K secret keys, and the secret keys of the NK entities remaining under a predetermined constraint are estimated for the encrypted message m. Dark By decoding the phased messages, the number of entities than the threshold value is a program for the electronic signature method so as to confirm that the electronic signature to the message m,
A command for selecting one of the options for each dimension from the secret key candidates, and configuring and storing the secret key with the selected J pieces of data;
A command for secretly sending information related to the selection of a secret key to the center for the operation of Γ ⁻¹ ;
And a command for signing a message using the stored secret key.

In the electronic signature device for the center of the present invention, the center discloses to the entity (the number of entities N) a secret key candidate that has a plurality of options for each dimension in J dimension data, Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data, and the center obtains a function Γ of the entity's secret key. Then, when an inverse element Γ ⁻¹ of Γ related to a predetermined operation is transmitted to an entity and K entities in N sign the message m, the inverse element Γ ⁻¹ and the sum K of each entity to sign The message m is digitally signed by encrypting the message m with a plurality of secret keys, and the secret key of the NK entities remaining under a predetermined constraint is estimated for the encrypted message m, Encrypted message By decoding the di-, the number of entities than the threshold value is a device for electronic signature method so as to confirm that the electronic signature to the message m,
Means for sending to the entity a secret key candidate having J-dimensional data with multiple options for each dimension;
Instructions for secretly receiving information regarding the selection of a secret key from each entity;
Means for obtaining a function Γ of the entire secret key of the entity from the received information on the secret key, and transmitting an inverse element Γ ⁻¹ of Γ related to a predetermined operation to each entity; Features.

In the electronic signature device for an entity of the present invention, the center discloses to the entity (number of entities N) J-dimensional data having a plurality of options for each dimension as secret key candidates. , Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key from the selected J pieces of data, and the center stores a function Γ of the entity's secret key. Finding an inverse element Γ ⁻¹ of Γ related to a predetermined operation to an entity, and if K entities in N sign a message m, the sum of the inverse element Γ ⁻¹ and each entity to sign The message m is digitally signed by encrypting the message m with K secret keys, and the secret keys of the NK entities remaining under a predetermined constraint are estimated for the encrypted message m. , Encrypt By decoding the message, the number of entities than the threshold value is a device for electronic signature method so as to confirm that the electronic signature to the message m,
Means for selecting one of the options for each dimension from the secret key candidates published from the center, and configuring and storing the secret key with the selected J pieces of data;
A command for secretly sending information related to the selection of a secret key to the center for the operation of Γ ⁻¹ ;
And means for signing a message using the stored secret key.

  The entity and the center may be physically the same, and the entity is an information communication device corresponding to the member. The disclosure may be disclosed by a CD-ROM or the like, or may be disclosed by transmission via a network or the like.

In the present invention, each entity has at least 2 ^J or more key selection degrees of freedom. As J increases, it becomes more difficult to estimate the key of an entity that did not participate in the electronic signature, and at the same time, the threshold of the electronic signature is increased. Becomes sharper. On the other hand, if the number of members is large, increasing the value of J increases the number of trials required to decrypt the electronically signed message. Therefore, the value of J is selected so that the key estimation has a moderate difficulty and the threshold value has a desired sharpness. The public key Γ ⁻¹ is determined so that the original message is decrypted when the key of the entity that did not participate in the electronic signature is correctly estimated. In order to determine the public key Γ ⁻¹ , the center secretly receives information on the key selection of the entity, obtains a function Γ of the entire secret key of the entity, and calculates the inverse element Γ ⁻¹ of Γ related to the predetermined operation. Ask. For information processing, when an entity digitally signs with a private key and the private key of an entity that did not participate in the electronic signature can be estimated correctly, the whole of these keys and Γ ^-1 cancel each other. Thus, the message encrypted by the electronic signature is decrypted. For example, if the operation is a product between the secret keys, Γ ⁻¹ is the inverse of the appropriate modulo for Γ, and if the operation between the secret keys is an addition, Γ ⁻¹ is, for example, the addition of the secret key The sign is inverted.

  As described above, according to the present invention, it is confirmed whether or not an entity having a threshold value or more has participated in the electronic signature by checking whether the private key of the entity that has not participated in the electronic signature can be estimated under a predetermined constraint. it can. At this time, if the secret key of the entity that did not participate in the electronic signature can be correctly estimated, the original message is decrypted. As shown in the examples, the size of the public key required for this electronic signature is relatively small, and the electronic signature of the present invention is used for voting, questionnaires, signed communications in organizations such as companies and schools, etc. Can do.

A problem with the electronic signature of the present invention is that the center may estimate the private key of the entity and decrypt the electronically signed message. On the other hand, each of the J-dimensional options in the secret key selection candidate is composed of at least a pair of data, one of these data as a secret key for electronic signature and the other as a key for confirmation of electronic signature. If Γ ⁻¹ is configured as a symmetric function between the secret key and the confirmation key, the entity can change the secret key for electronic signature and the decryption key each time, for example. For example, the J = 20, degrees of freedom which constitutes the key for confirming the private key for signing the 20 kinds of pair up to 2 ^20, the center is difficult to estimate the key entity. If the entity can change the key in this way, decryption by the center can be prevented. As a problem related to the center, there is a possibility that the center creates an appropriate message, adds an appropriate electronic signature to the message, and decrypts the message by itself. On the other hand, if a plurality of centers are provided, decoding by the centers can be prevented.

  As a method of using an electronic signature, there is a method in which an entity having an electronic signature equal to or greater than a threshold in group A transmits an electronic signature to group B, and decryption is performed when an entity greater than or equal to the threshold in group B participates in decryption. In this case, the group A attempts to decrypt with the electronic signature as described above, and when the decryption is successful, the entity in the group A exceeding the threshold is electronically kept secret while keeping the secret who actually signed the electronic signature. You can confirm that you signed. Therefore, in group A, the private key of the entity that participated in the electronic signature, the estimated value of the private key of the entity that did not participate in the electronic signature, and the inverse element in group A are encrypted in one step, This is subjected to another level of encryption with the public key of group B, and encrypted to a total of two levels. Either the first-stage encryption or the second-stage encryption may be performed first. In Group B, since encryption is performed with its own public key, the private key of the entity that participates in the decryption is used, and the private key of the entity that did not participate in the decryption is estimated and decrypted. The original message is decrypted by decrypting with A's public key. If the decryption is successful under a predetermined constraint, in the group A, it is guaranteed that the entities having the threshold value or more are digitally signed, and in the group B, the entities having the threshold value or more are participating in the decryption.

In this invention, the total number of keys of entities that have not participated in the electronic signature can be expressed as (F + 1) ^J, where F is the number of entities that have not participated in the signature, and J is used as described above. . This value increases sharply as J increases, and the threshold value becomes sharper. In practice, it is preferable to decrease F and increase J. However, this makes it difficult to sign a large group. Therefore, the threshold value can be kept sharp by dividing the group as a whole into a large number of small groups and performing the threshold electronic signature of the present invention within each small group. For example, when the secret sharing method is applied to a plurality of small groups so that the original message is decrypted as a whole when a digital signature is made in a small group of a predetermined ratio or more, the number of entities It is possible to solve the problem that the threshold value becomes gentler as the value increases.

  In particular, the Chinese remainder theorem is used as a secret sharing method, a message is expressed by a polynomial of g term, and an electronic signature in each small group is obtained for this polynomial evaluated by a value for each small group. As shown in the embodiment, when an electronic signature is made with a small group of g or more, the message m can be decrypted as a whole. Therefore, the electronic signature can be performed by participation of entities of a predetermined ratio or more by the ratio of the number of small groups to the number g of polynomial terms and the threshold necessary for the electronic signature in each small group. . Such a method can be applied to 1 million or 100 million entities, and can be used for elections and large-scale questionnaires.

  In the following, an optimum embodiment for carrying out the present invention will be shown.

FIG. 1 shows a threshold electronic signature system 2 of the embodiment. For example, a pair of centers 6 is provided in an appropriate network 4 such as the Internet, one of which is called center A and the other is called center B. Only one center may be provided, or three or more centers may be provided. Furthermore, physically, the center may be the same as the entity. Reference numeral 10 denotes a plurality of entities participating in the threshold electronic signature system 2, where the total number is N, and the entity 10 as a whole may be called a group G or the like. The electronic signature program 12 required for the center 6 and the entity 10 is supplied via the network 4, for example. Instead, the electronic signature program 12 may be supplied by a CD-ROM or the like. Similarly, the public key 14 is supplied via the network 4. The public key 14 includes, for example, a set S, a modulus n, an inverse element Γ ^{−1, and the} like which will be described later. The message 16 is also transmitted / received between the entities 10 and between the entity 10 and the center via the network 4, and a digital signature procedure and a decryption procedure (electronic signature confirmation procedure) will be described later.

When the configuration of the center 6 is shown, reference numeral 18 denotes an information communication processing device that uses a personal computer, a server, or the like to provide resources for the center 6, and an electronic signature program storage unit 20 stores an electronic signature program necessary for the center. A key storage unit 22 stores a public key S, n, Γ ⁻¹ and the like in addition to the secret key φ (n), Γ e and the like. The secret communication unit 24 is for receiving information related to the key selection of the entity 10 by secret communication in order to calculate the secret key Γe, the public key Γ- ¹ , and the like. Note that the secret communication means that the data being communicated is kept secret from a third party. The decryption authentication unit 26 confirms whether or not an entity that is equal to or greater than the threshold has participated in the signature for the message that the entity has digitally signed. The secret sharing processing unit 28 determines whether or not the electronic signature is effectively performed in a predetermined number or more of small groups by a secret sharing method using a Chinese remainder theorem described later.

The configuration of the entity 10 will be described. The information communication processing device 30 provides resources of the entity 10 and is configured by a personal computer, a portable information terminal, a mobile phone, or the like. The electronic signature program storage unit 32 stores an electronic signature program necessary for the entity, and the secret communication unit 34 secretly transmits information related to key selection to the center 6 or the like. The electronic signature unit 36 electronically signs the message using the private key for electronic signature, and the entity that performs the electronic signature first performs a power operation on the message using the public key Γ ⁻¹ . The decryption authentication unit 38 uses a key of an entity that has participated in the electronic signature and an estimated value of the key of the entity that has not participated in the electronic signature, for example, by cooperating between the plurality of entities 10. Under the restriction, for example, it is tried whether or not the encrypted message can be decrypted within a predetermined number of trials. The key storage unit 40 stores its own secret key and, if necessary, a public key.

The electronic signature program storage unit 20 in the center 6 only needs to store a program necessary for the center, and its main instruction is to transmit a public key to the entity, receive information on key selection from the entity, and The key Γe and the public key Γ ⁻¹ are calculated. In FIG. 1, the decryption authentication units 26 and 38 are provided in both the entity 10 and the center 6, but these may be provided in either the center or the entity, and the decryption of the encrypted message is performed on the center side. If so, an attempt is made to estimate and decrypt the product of the keys of entities that did not participate in the electronic signature within a predetermined number of attempts. When decryption is performed on the center side, an instruction for decryption is stored in the electronic signature program storage unit. When decrypting on the entity side, the decryption instruction is stored in the electronic signature program storage unit of the entity. The secret sharing processing unit 28 does not need to be provided in particular. Further, it is assumed that the threshold electronic signature system 3 having the same configuration exists separately from the threshold electronic signature system 2, and the message electronically signed by the threshold electronic signature system 2 is processed. The threshold electronic signature system 3 may receive and decrypt the data.

  The description in the embodiment can be applied as it is to an electronic signature method, a program therefor, and an electronic signature apparatus. The description of the embodiment relating to the electronic signature and the confirmation thereof is not limited to the electronic signature method, and it is assumed that an instruction corresponding to the electronic signature method exists also in the electronic signature program. Shall also exist. Further, in an embodiment, collusion between entities is assumed to be negligible.

Necessary keys are generated by performing interactive exchange between the group and the center (see FIG. 2). The center may be constituted by representatives of entities in the group, but here the group and the center are considered separately for simplicity. The group is composed of N entities M1, M2,. The center is a set S consisting of two pairs on the integer ring Z / nZ:
S = {(αh ⁽⁰⁾ , βh ⁽⁰⁾ ), (αh ⁽¹⁾ , βh ⁽¹⁾ )}: h = 1, 2,..., J (1)
Publish. However, n is a composite number n = pq of large prime numbers p and q. Note that two pairs (αh ⁽⁰⁾ , βh ⁽⁰⁾ ), (αh ⁽¹⁾ , βh ⁽¹⁾ ) in the set S are called h-th classes. If there is no particular problem regarding the class number h and the pair, the first component and the second component of the pair are referred to as the first component α and the second component β for simplicity. To.

It is assumed that the following relationship holds for any class pair (αh ⁽⁰⁾ , βh ⁽⁰⁾ ), (αh ⁽¹⁾ , βh ⁽¹⁾ ) in the set S.
αh ⁽⁰⁾ βh ⁽⁰⁾ ≡th ⁽⁰⁾ modφ (n) (2)
αh ⁽⁰⁾ βh ⁽¹⁾ ≡th ⁽¹⁾ modφ (n) (3)
h = 1, 2,..., J
However, φ (n) is a Euler function of n and is a secret of the center together with th ⁽⁰⁾ and th ⁽¹⁾ . As with α and β, the remainder components th ⁽⁰⁾ and th ⁽¹⁾ are simply referred to as the remainder component t when the class number is not a problem.

The entity M1 belonging to the key generation group G in the entity is one of two pairs (α1 ⁽⁰⁾ , β1 ⁽⁰⁾ ), (α1 ⁽¹⁾ , β1 ⁽¹⁾ ) belonging to the first class. Pick one at random. The entity M1 randomly selects either the first or second component pair for the remaining second to Jth classes. A pair selected by the entity Mi in the h-th class is generally expressed as (αhi, βhi).

Based on the above selection, the secret encryption key E1 of entity M1 is obtained as follows: Ei = Παhi (h = 1 to J) (4)
Give as. On the other hand, the secret decryption key corresponding to Ei is given as the product of the second component β of the pair as follows. The multiplication method for Ei and Di is the Euler function φ (n).
Di = Πβhi (h = 1 to J) (5)

  In the basic method satisfying the above equations (2) and (3), the encryption key is kept secret. However, when generalizing Equations (2) and (3) and giving a plurality of remainder components t to the same α component, the encryption key can be safely transmitted to other entities and centers constituting the group. It can be made public. This will be described later.

Each entity cooperates with, for example, the entity Pα (h), that is, Pα (h) = with the first component α of the pair belonging to the hth class selected by each entity kept secret. Παhi (i = 1 to N) (6)
Where the multiplication method is the Euler function φ (n). Pα (h) is secretly sent to the center according to the following sequential encryption method.

Here, a method is considered in which the entities of the group G are sequentially encrypted according to an appropriately determined order, and the products of the α components of all the entities are secretly transmitted to the center. Let αi be the secret key (α component) of entity Mi of group G. Here, the public key for sequential encryption of the center is a large prime number p, the generation source of the field Fp is g, and the entities of the group G are secret keys based on the sequential encryption method (algorithm I) described below. The product of α components, which are components, is constructed in the following order.
M1 → M2 →… → MN → M1 → M2 →… → MN → center (7)
The product α1α2... ΑN is of the form A1 ^a1 , A2 ^a2 ,..., AJ ^aJ with A1, A2,..., AJ and a1, a2,. . However, a1 + a2 + ... + aJ = N. Therefore, the secret αi of the entity Mi cannot be known sufficiently accurately.

Algorithm I
Step 1: Entity Mi generates a random number r1,
g ^r1α1 ≡G1modp (8)
Is sent to entity M2. M2 similarly generates a random number r2,
G1 ^r2α2 ≡G2 modp (9)
Lead. Hereinafter, encryption is performed in the order shown in Equation (7).
Step 2: The entity MN is derived from the cooperation of N entities as follows:
g ^{r1r2… rNα1α2… αN} ≡GN modp (10)
Is sent to M1 again.
Step 3: Entity M1 is GN ^-r1 ≡G1'modp (11)
Is sent to entity M2. M2 is G1 ' ^{-r2 ≡} G2'modp (12)
Lead. Encryption is performed in the order shown in the latter half of the following equation (7).
Step 4: The entity MN is derived from N entities by the following GN ': g ^{α1α2 ... αN} ≡GN' modp (13)
Is sent to the center. The center derives the value of α1, α2,... ΑN by a brute force method and keeps it secretly.

Only the center knows the actual value of Pα (h). The center cannot know the selection information of each entity sufficiently accurately unless the entities make a very biased selection, i.e., all accidentally choose the same first component. All the entities in group G execute the above for all classes h = 1, 2,..., J, and form Pα (1), Pα (2),. All of these are sent secretly to the center. Based on the received Pα (1), Pα (2),..., Pα (J), the center calculates the product Γe, that is, Γe = ПPα (h): h = 1 to J (14)
Lead. Here, the center derives the product Γ over all of the second components β determined in correspondence with the selected first component α at the same time as in the equation (7). Then Γ = ΓE · Γd and Γ ⁻¹ is disclosed. The multiplication method for obtaining Γe, Γd, and Γ is φ (n), and Γ ⁻¹ is the reciprocal of Γ with respect to the method φ (n).

Table 1
Basic symbol n Integer for constructing the integer ring Z / Zn: Public key: | n | = about 1000 bits p, q pq = n Secret prime number: Center secret φ (n) Euler function φ (n) = (p-1) (q-1)
m message

S A set of data used to generate encryption and decryption keys
S = {(α _h ⁽⁰⁾ , β _{h (} ⁰⁾ ), (α _h ⁽¹⁾ , β _h ⁽¹⁾ )}: h = 1 to J,
(α _h ⁽⁰⁾ , β _h ⁽⁰⁾ ) etc. as a pair,
Two pairs (α _h ⁽⁰⁾ , β _h ⁽⁰⁾ ), (α _h ⁽¹⁾ , β _h ⁽¹⁾ ) are called classes.
α _h ⁽⁰⁾ , β _h ^(0), etc. are about 1000 bits each.
The number of classes J corresponds to the degree of freedom of key selection for each entity,
Increasing J makes the threshold clear
Th ^{(0) or (1)} is the product of the first component α _h ⁰ etc. and the second component β _h ⁰ etc. of the pair
α _h ⁽⁰⁾ β _h ⁽⁰⁾ ≡ th ⁽⁰⁾ modφ (n)
α _h ⁽¹⁾ β _h ⁽¹⁾ ≡ th ⁽¹⁾ modφ (n)
Ei Ei = Παhi h = 1 to J Encryption (signature) key for entity i Di Di = Παhi h = 1 to J Decryption (authentication) key for entity i Γe Γe = ΠEi i = 1 to N
Γd Γd = ΠDi i = 1 to N
Γ Γ = Γe ・ Γd Γ ・ Γ ⁻¹ ≡1

Table 2
Entity relationship symbol N Number of entities K Number of entities that agreed with the signature F Number of entities that did not participate in the signature

Subscript Identification target Typical usage
i entity i = 1 to N
h class h = 1 to J

  The key information necessary for cryptography is summarized as follows.

Table 3
center
Secret key φ (n), Γe
Public key S, n, Γ ^-1

  The sizes of the first component α, the second component β, and the modulus n of the pair of the center public key S are expressed as | α |, | β |, | n |, respectively. It is conceivable that these values are about | α | = | β | = | n | = 1000 bits. Since the value of J is about 50, the public key size can be set to a relatively small value of about 200 Kbits at most. Even if the pair S is disclosed, the safety is not necessarily impaired. However, it is better to publish only within the entity.

An appropriate threshold value K is set for the total number of constituent entities N of the signature method group G. If more than K entities agree to encrypt the message m, the following algorithm 2 is executed. The agreed entities are written as M1, M2,..., MK without losing generality. Also, the order of encryption does not lose generality as well,
M1 → M2 →… → MK
It shall be performed in the order of. In the following algorithm I, encryption follows the sequential encryption method described above, but the sequential encryption process is omitted in order to avoid complicated description. The product Пαhβh k = 1 to J over J classes of the first component and the second component αhβh selected by the entity M1 is defined as Ti. Also, let Ti ′ be the estimated value of Ti.

Algorithm 2
Step 1: Entities M1, M2,..., MK that agree with K signatures of group G are m ^Γ-1 ≡C0 modn (15)
Lead.
Step 2: For message m, entity M1 has C0 ^E1 ≡ C1 modn (16)
Is sent to entity M2. M2 is C1 ^E2 ≡ C2 modn (17)
Lead. Thereafter, encryption is performed in the order of M1, M2,.
Step 3: Message group encrypted with K entities C0 ^{E1E2 ... EK} ≡ CK modn (18)
Lead. The electronic signature procedure is shown in FIG.
Step 4: The K entities in group G are used as decryption keys D1D2 ... DKTK + 1 '... TN' (19)
Is estimated. Here, D1D2... DK is information that can be obtained from the participant of the signature, and TK + 1 '... TN' is an estimated value of TK + 1 ... TN.

However, Ti≡Ei · Di modφ (n), and Ti ′ is the estimated value. Note that the fact that this estimation has been performed correctly can be known by decoding the message m when the right side of the equation (18) is rounded to the power of D1D2... DKTK + 1 '. That is, when the product TK + 1'TK + 2 '... TN' is correctly estimated
(m ^{E1E2 ... ENΓ-1} ) D1D2 ^{... DN} ≡m modn (20)
The relationship is established. Γ ⁻¹ TK + 1TK + 2... TN is set as Γ ′ ⁻¹ . The decoding algorithm is shown in FIG.

^Disclosed m ^{E1E2 ... EKΓ-1} derived by executing the above algorithm. This message can be decrypted by K entities that have joined the encryption of the message m, and the decryption key is given by the public key product D1D2... DK. The total number ND of decryption key products to be estimated when the number of classes is J is ND = (F + 1) ^J (21) where NK = F.
It is clear that For example, when ND <10 ¹⁵ , the decryption key can be estimated in terms of computational complexity in this example. Note that the difference between ND = 10 ¹⁵ and ND = 9 × 10 ¹⁴ is very small, and there is practically no difference in computational complexity. However, in order not to complicate the discussion, 10 ¹⁵ is set as a threshold value for determining whether or not estimation is possible.

Encryption method that does not fix the encryption key of the entity (variation)
In the basic method, the first component α is used for encryption and the second component β is used for decryption. However, it should be noted that once each entity chooses a pair, the pair must be fixed, but the first component α or second component β of the pair can be changed randomly for each signature. It is. That is, it is not necessary to fix the encryption key and the decryption key, and each entity can randomly select one of them. The problem that the center can decrypt the electronic signature of the group G can be solved by the feature that the encryption key can be freely selected.

  In this correction method, the selection of either the first component α or the second component β does not affect the i component. For this reason, the entity of the group G can change the encryption key / decryption key randomly each time, and can successfully prevent the problem that the center decrypts the electronically signed message.

Since the center that is directly involved in the design of the cryptographic system knows φ (n), let u and v be appropriate integers.
m ^u ≡C0 modn
uv≡1 modv (n)
It can be claimed that a message satisfying the above is a group electronic signature message and v is a decryption key. As long as the center knows v (n), it is difficult to prevent this. Although this problem can be solved by placing a plurality of centers, in the embodiment, since the public key S and the like can be shared regardless of the number of centers, the increase in the number of centers is not necessarily a big problem. The improvement of safety by using a plurality of centers will be described later.

Numerical example When number of group constituent entities N = 10, threshold K = 8, J = 31:
The total number ND of possible values of the product for decryption with NK = F = 2 to be estimated is ND = 3 ³¹ = 6.18 × 10 ¹⁴ , and the decryption key can be estimated. On the other hand, if the number of entities that agree with the signature is a value K ′ = 7 that does not satisfy K = 8, the total number ND of the remaining three entity decryption key products is ND = 4.62 × 10. ¹⁸ This indicates that in the case of an entity that does not satisfy the threshold, it is impossible to estimate the decryption key of the remaining entity, and the threshold electronic signature is not established.

  As is clear from this specific example, the difference between the number of group constituent entities N and the threshold value K becomes larger as the difference F = N−K becomes smaller, so that the difference from the calculation amount required when the number is less than the threshold value can be increased. Can be sharpened. However, when the difference F increases, the difference in calculation amount decreases and the threshold value becomes gentle. The threshold electronic proof that solves this problem is described below.

In the above embodiment, two pairs are considered for each class. Here, this is more generalized to consider powers of 2, that is, 2 ^a pairs. However, in order to avoid making the discussion complicated, it is assumed that there are four pairs (α, β) satisfying the following formula in each class as shown in FIG.
αh ⁽⁰⁾ βh ⁽⁰⁾ ≡th ⁽⁰⁾ modφ (n)
αh ⁽⁰⁾ βh ⁽¹⁾ ≡th ⁽¹⁾ modφ (n)
αh ⁽¹⁾ βh ⁽²⁾ ≡th ⁽²⁾ modφ (n)
αh ⁽¹⁾ βh ⁽³⁾ ≡ th ⁽³⁾ modφ (n) (30)

Considering four pairs as shown in the equation (30), even if it is known that an entity M1 has selected, for example, αh ⁽⁰⁾ in class h, the remainder component is either th ⁽⁰⁾ or th It is clear that which of ⁽¹⁾ can be determined only with probability 1/2. This means that even if all the products of the α components selected by any entity in the J classes (the amount of information is given in J bits) are disclosed, the J-bit ambiguity still remains for the decryption key. Means that The following theorem holds.

Theorem 1 Assume that K entities out of a group of entities N participate in the signature and estimate the product of the remaining F = N−K residue components t. If the value of the remainder component t is appropriately set and the number of classes is J, the total number NF of different products to be estimated is NF = (4HF) ^J = (3 + F C3) ^J (31)
Given in.

In this embodiment, a threshold electronic signature method using the above will be described. The configuration of the cryptographic system is shown in FIG. Here, in order to avoid complexity, it is assumed that the number of constituent entities in both groups is the same N without loss of generality. In FIG. 6, it is assumed that data with a threshold electronic signature is transmitted from group A to B. However, here, the problem due to the magnitude relationship between the laws nA and nB is not questioned. Note that ΓA ⁻¹ , nA, pA, qA, etc. used in each group are obtained by adding a group name as a subscript to Γ ⁻¹ , n, p, q defined in the first embodiment. The threshold digital signature algorithm between groups is given below.

Algorithm 3
Step 1: Assume that in group A, K out of N entities agree to digitally sign message m. K entities for message m
C0≡m ^ΓA-1 modnA (32)
And then
C0 ^{DA1 ... DAK D'AK + 1 ... D'AN} modnA (33)
And so on. D′ AK + 1 D′ AK + 2... D′ AN is an estimated value of the decryption key product DAK + 1 DAK + 2. The estimate is correct
C0 ^{(EA1 ... EAN DA1 ... DAK) D'AK + 1 ... D'AN} ≡ m modnA (34)
Can be confirmed.
Step 2: The electronic signature is performed as follows.
(C0 ^{DA1 ... DAK DAK + 1 DAN} modnA) ^{EB1 EB2 ... EBN} ≡C _{A → B} modnB
(35)

Step 3: If K entities in group B agree, estimate the product of the remaining NK decryption keys,
C ' _{A → B} ≡C _{A → B} ^ΓB-1 modnB (36)
C ' _{A → B} ^{DB1 DB2 DBN} modnB (37)
By multiplying the exponent part by the public key of Group A
(C'A _{→ B} ^{DB1 DB2 DBN} modnB) ^{EA1 EA2 EAN} ≡ m modnA (38)
Lead.

  As described above, K entities in N of group B can know that the signature is indeed the threshold electronic signature sentence of group A.

  In the method described in the second embodiment, the center involved in key generation can, of course, create a threshold digital signature sentence for the group. However, this problem can be prevented relatively easily and effectively by using a plurality of centers.

  In general, H ≧ 2 centers can be installed, but here, in order to avoid complicated explanation, it is assumed that H = 2, two groups are present in each group, and these centers are not collocated. To do. Here, the notation for the public key of the first center is n, Γ, etc., as described above, and the public key for the other center is denoted by n ′, Γ ′, etc. FIG. 7 shows an inter-group encryption system according to the third embodiment. Assume that two groups A and B each have two centers, and these four centers do not collide with each other. The outline of the threshold electronic signature method between groups having two centers will be described below.

Suppose that K entities of group A agree to threshold digital signature for message m. K entities in group A are
((m ^ΓA-1 ) ^{DA1 ... DAN} modnA) ^{ΓA-1DA1 '... DAN'} ≡CD modnA '(40)
Lead. And the threshold digital signature sentence
((CD ^{EB1 ... EBN} modnB) ^{EB1 '... EBN'} ≡C _{A → B} modnB '(41)
Create

The K entities in group B decrypt the electronically signed message C _{A → B} and confirm that it is a message from group A. In this system, unless a plurality of centers are involved in collusion, the electronically signed message of the group cannot be forged. That is, one of the centers of group A naturally knows pA and qA, so that the decryption key ПDAi: i = 1 to N can be easily calculated from the publicly available EA1,. it can. However, since the secret keys pA ′ and qA ′ relating to the public keys created by other centers are unknown, the decryption keys ПDAi ′: i = 1 to N cannot be calculated. As described above, it is extremely difficult to forge the threshold digitally signed message of group A unless there is collusion between centers. A specific example will be given below in the case of using four pairs given by equation (30).

Example 2
When the number of group constituent entities is N = 10, threshold value K = 8, and J = 14:
Since the public key selected by an arbitrary entity M1 is 1 bit in each class, the total public key size of the entity M1 is given by 28 bits. Therefore, the public key of the entity is 280 bits for the entire group. On the other hand, the sum of the sizes of the public keys Γ ⁻¹ , Γ ′ ⁻¹ , n, n ′ is given as 4K bits as 1K bits, respectively. Therefore, when the public keys of the two centers are combined, it becomes 8K bits. On the other hand, the size of the set S of classes consisting of four pairs is | S | = 112K bits.

Example 3
When the number of constituent entities of the group N = 100, threshold K = 90, J = 6:
The public keys of the entities that make up the class are very few at 1.2K bits in total. On the other hand, the size of the set S is given by | S | = 48K bits. It is worth noting that despite the total number of constituent entities being 100, the size of the public key is only 53.2K bits.

  As shown in the two specific examples, the size | S | of the set S indicates the main part of the total size of the public key, but this size is unchanged regardless of the number of centers. For this reason, the increase of the public key accompanying the increase of one center is only about 2K bits. Therefore, in an extreme case, an interesting scheme in which all the entities become the center and publish the public key becomes realistic.

In the electronic signature method using the Chinese remainder theorem , the value of F generally increases as the value of N increases, and the value of J must inevitably be reduced. For this reason, it has been difficult to give a large difference in the amount of calculation required for decryption key estimation to the number of entities below the threshold. Here, we attempt to modify the threshold digital signature method of Example 3 by using the Chinese remainder theorem to improve this.

A message m to be a group signature in g-dimensional vector m on extension field F2 ^mu expressed as follows.
m = (m1, m2,..., mg), mi ∈ F2 ^μ (50)
Furthermore, the polynomial expression of the message m is expressed as m (X) = m1 + m2X +... + MgX ^g−1 , mi∈F2 ^μ (51)
And

As N >> 1, the total number of entities N is divided into small groups G1, G2,. However,
ηS = N / nS (52)
It is. In addition, the small group shall be unified and use the set S and the law n etc. of the pair class given as the whole group, and the encryption and decryption keys for each entity shall also be configured through the center. To do. It is also considered to select the modulus n and the set S independently for each small group. In this case, it is possible to design a safer system on the assumption that fraudulent groups are included at a certain rate.

As shown in FIGS. 8 and 9, the threshold digital signature is executed between the two groups A and B. It is assumed that an arbitrary small group of group A sends a message divided into a predetermined transmission destination and a small group of B. Assume that a signature is sent from group A to group B. Here, it is assumed that the following conditions are satisfied.
(1) Among the ηS group of small groups belonging to group A, the ηSkA small group agrees with the signature.
(2) Among the ηSkA group of small groups of Group B that have received the signature text, the ηSkB group of small groups agrees to decrypt the electronic signature.
(3) In the above, ηSkB ≦ ηSkA, but ηSkB ≧ g holds.
The threshold digital signature method of the fourth embodiment is given as follows.

Algorithm 4
Step 1: The center gives m (αi) to a small group Ai consisting of ηS entities.
Step 2: When an entity equal to or greater than the threshold value of group Ai agrees with the signature, the divided message m (αi) is signed according to the threshold signature method of the embodiment.
Step 3: It is assumed that the ηSkB group of the small groups of the ηSkA group of the group B that has received (ηSkA) signature sentences from the group A agrees to decrypt the signature sentence. These small groups decrypt their signature texts according to the threshold signature method of the embodiment.
Step 4: Group B decrypts the message m using the Chinese remainder theorem for the decrypted η SkB signatures.

In the above, the following obvious theorem holds.
Theorem 2
The remainder of dividing m (X) by X-αi is given by m (αi). However, αi∈F2 ^μ .
Theorem 3
When arbitrarily selected η SkB polynomials {(X−αi)} are relatively prime, the message m can be uniquely decoded. However, it is assumed that η SkB ≧ g holds.

In the threshold value digital signature method described above, for example, if N = 10 ⁶ and n S = 10, the number of small blocks η S is 10 ⁵ . If it is desired to set a threshold value so that the signature can be decrypted when 65,000 pairs agree with the signature among the 10 ⁵ small groups, g = 65000 may be simply set. In this case, it is clear that the signature cannot be decrypted if the number of small groups that support the signature decryption is 64999 pairs or less.

Assume that a threshold electronic signature is considered on the field F2 ^m , and m (αi) is given to one small group (this is Gi). Assuming 2 ^m values for m (αi), one of them is correct. For this reason, the value of m must be relatively large, for example, | m | = about 80 bits. Thus, when the size of m is relatively large, the threshold value gives a threshold value in a practically strict sense as compared with the threshold value electronic signature method of the second embodiment.

  Although it has been described above that the threshold value for each group is strictly given, it is still difficult to set a precise threshold value for the number of constituent entities of the group. However, the threshold value is much steeper than in the second embodiment. This will be considered below with a specific example.

Example 4
In order to ensure that the signature text can be decrypted with a sufficiently high probability when 80% of 1 million entities, or 800,000 agree with the signature, the details are omitted because it is relatively obvious. What is necessary is just to set g = 65000. On the other hand, when 780,000, which is less than 800,000, agrees with the signature, the details are similarly omitted, but the probability that the signature is decrypted with 65,000 or more small blocks becomes very small. Thus, in Example 4, it is possible to give a large difference between the case where the signature approver is 800,000 and 780,000.

  For this reason, it is easy to expect that the number of entities that produce a sufficient difference will be relatively smaller than when the number of entities is about 100 million, which is comparable to the total population of Japan.

  The methods described up to the previous section are not always easy to achieve high speed by parallel processing or the like because sequential encryption processing or the like is performed by a power-residue operation. Here, we describe a method that is based on an addition operation that facilitates parallel processing, but the basic principle is almost the same as the method up to the previous chapter. The center public key is n, and the secret key is a large prime number p and q and φ (n). In the following, a threshold digital signature method that allows easy parallel processing is given in the form of an algorithm.

Algorithm 5
Step 1: The entities of group G follow the same principle as the method shown in the above-mentioned sequential encryption method, and the original sum of a set {SEi} of secret keys generated at random:
SEI + SE2 + ... + SEN = SE (60)
Is sent to the center. However, {SEi} is a random number generated by the entity Mi. Of course, EPOC encryption or the like may be used, but in practice, sufficient security can be realized by a technique based on the above-described sequential encryption method. It is generally considered that the entity Mi divides and sends the SEi so that the center can be calculated by brute force.
Step 2: The entity is the first component or the second component for all pairs belonging to a set of random pairs {(Ah, Bh)}, h = 1, 2,. Select either (randomly for each pair). The sum of the selected J components of the entity Mi is set as SDi, and a secret key set {SDi} is derived.
Step 3: All entities in Group G work together in exactly the same way as in Step 1. SD1 + SD2 + ... + SDN = SD (61)
Secretly sent to the center Step 4: The center is SE ・ SD≡Γs modφ (n) (62)
And the inverse element ΓS ⁻¹ of ΓS is disclosed.

The threshold digital signature algorithm configured based on the above algorithm is given below. However, in the following, the two groups are A and B, respectively, n, SE, SD, and ΓS ^-1 are nA, SE (A), SD (A), and ΓS ^-1 (A) for group A, and group B Are expressed as nB, SE (B), SD (B), and ΓS ^-1 (B).

Algorithm 6
Step 1: Assume that in group A, K out of N entities agree to digitally sign message m. K entities for message m
C0 ^{SD1 (A) + ... + SDK (A) + S'DK + 1 (A) + ... + S'DN (A)} modnA (63)
And so on. However, C0≡m ^{Γs-1 (A)} , and S′DK + 1 (A) +... + S′DN (A) is a product SDK + 1 (A) + of decryption keys of entities not participating in the signature. This is an estimated value of SDN (A). The estimate is correct
C0 ^{(SD1 (A) + ... + SDK (A) + S'DK + 1 (A) + ... + S'DN (A)) SE (A)} ≡m modn (64)
Can be confirmed.
Step 2: The electronic signature sentence is constructed as follows.
C _{A → B} ≡ (m ^{SD (A)} 'modnA) ^{SE (B)} ≡C _{A → B} modnB (65)

Step 3: If the K entities of group B agree to decrypt the signature sentence C _{A → B} , estimate the remaining NK decrypting keys,
C ' _{A → B} ^{SD (B)} modnB (66)
Lead. However, C ′ _{A → B} ≡C _{A → B} ^Γs−1 mod nB.
Step 4: Using group A's public key SE (A)
(C'A _{→ B} ^{SD (B)} modnB) ^{SE (A)} ≡ m modnA (67)
Lead.

  As described above, K entities in N of group B can know that the electronically signed message is indeed a message of group B. In this method, it is clear that parallel processing becomes easy because addition in the exponent part is used as a basic operation.

Conclusion In the embodiment, when K out of N entities constituting a certain group agree with the signature, a method is provided in which an electronically signed message as a group can be configured. The embodiment has the following features.
(1) The ciphertext composed of K entities in the group is decrypted by the center deeply involved in the design of the cryptographic system (even if K identities are revealed). It is difficult.
(2) A method for executing threshold digital signatures between two groups was given. In this method, it was shown that security could be improved effectively by using multiple centers, and one center was added. The accompanying increase in public key can be pushed very low. For example, when the threshold is about 90 in a group of 100 entities, the increase in the public key size as a result of the increase of one center can be suppressed to a very small value of about 2 Kbits. By indicating a public key of about 2 Kbits, a collusion-free threshold electronic signature can be realized.

(3) The threshold can be sharpened by applying the Chinese remainder theorem.
(4) By speeding up the parallel processing of encryption and decryption, the operations necessary to create the threshold digital signature are centered on the addition of the exponent part. As a result, when the number of group constituent entities is very large, it is easy to realize the threshold electronic signature.

The figure which shows the structure of the threshold value electronic signature system of an Example. The figure which shows the production | generation mechanisms, such as an encryption key and a decryption key, in the Example of FIG. The figure which shows the threshold value electronic signature procedure in the Example of FIG. The figure which shows the decoding procedure in the Example of FIG. Diagram showing class configuration in the modified example The figure which shows the threshold value electronic signature procedure in 2nd Example, and an authentication procedure The figure which shows the threshold value electronic signature procedure and authentication procedure in 3rd Example The figure which shows the characteristic of a 4th Example The figure which shows the threshold value electronic signature and decryption procedure in a 4th Example

Explanation of symbols

2, 3 threshold electronic signature system 4 network 6 center 10 entity 12 electronic signature program 14 public key 16 signed message 18 information communication processing device 20 electronic signature program storage unit 22 key storage unit 24 secret communication unit 26 decryption authentication unit 28 secret Distributed processing unit 30 Information communication processing device 32 Electronic signature program storage unit 34 Secret communication unit 36 Electronic signature unit 38 Decryption authentication unit 40 Key storage unit

Claims (10)

In the electronic signature method of encrypting a message with a first private key and confirming the electronic signature by decrypting the message with a second key,
For the entity (number of entities N), the center discloses J-dimensional data with multiple options for each dimension as secret key candidates,
Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data,
The center obtains a function Γ of the secret key (number N of secret keys) of the entity, and transmits an inverse element Γ ⁻¹ of Γ related to a predetermined operation to the entity.
When K out of N entities sign a message m, the message m is digitally signed by encrypting the inverse element Γ ⁻¹ and a total of K private keys of each signing entity, and
In addition, for the encrypted message m, the secret keys of the NK entities remaining under a predetermined constraint are estimated, and the encrypted message is decrypted. An electronic signature method characterized by confirming that an electronic signature has been signed. Each of the J-dimensional options in the secret key candidate is composed of at least a pair of data, and one of the J pairs of data is selected for each pair to constitute a secret key for electronic signature, and the J pairs of data Configure a key for electronic signature verification from the other of each pair of
And by making the function Γ symmetrical about the exchange of the pair of data,
Without changing Γ, the entity changes the selection from the data of the J pair so that the private key for electronic signature and the key for confirmation can be changed freely, and the entity that did not participate in the electronic signature at the time of decryption. 2. The electronic signature method according to claim 1, wherein both a tee secret key and a confirmation key are estimated. A plurality of centers A and B are provided, and the secret key candidates SA and SB and the inverse elements ΓA ⁻¹ and ΓB ⁻¹ are disclosed to entities for each center, and the entity stores a secret key for each center. ,
And entity for messages m, the inverse .gamma.a ^-1 for center A, while the digital signature of the first stage with a secret key for center A, the inverse .gamma.B ^-1 for center B, center A Second-stage digital signature with private key for
An electronic signature is obtained by estimating a secret key related to the center A and a secret key related to the center B with respect to an entity that has not performed an electronic signature, under a predetermined restriction, and decrypting the message m. The electronic signature method according to claim 1 or 2, wherein the electronic signature method is confirmed. A plurality of groups A and B each consisting of an entity and a center are provided,
Public keys EA and EB in group units are made public, and the inverse element in each group is an inverse element of the function of the private key of each entity in the group and the public key in group units,
In the group A, for the message m to be digitally signed, the private key of the entity participating in the signature, the reverse element in the group A, and the private key of the entity that did not participate in the electronic signature are subject to predetermined restrictions. The value estimated in step 1 and the public key in group B are encrypted in a total of two stages and transmitted to group B.
In the group B, the private key of the entity participating in the decryption of the received ciphertext is estimated, and the private key of the entity that did not participate in the decryption under a predetermined constraint is estimated and one stage of decryption is performed. , The remaining one-stage decryption is performed using the public key of group A, and the message m, which has been digitally signed by the entity having the threshold value of group A or higher, is decrypted by the participation of the entity having the threshold value of group B or higher. The electronic signature method according to claim 1, wherein the electronic signature method is confirmed to be present. Divide the entire set of entities into small groups,
The original message m is converted into a plurality of partial messages by the secret sharing method so that each partial message reflects a part of the information of the original message m and the original message m can be reproduced by a predetermined number of partial messages. Send at least one partial message to each small group,
Collecting partial messages that have been digitally signed by entities above a threshold in a small group, and checking whether or not a predetermined percentage or more of the entities have been digitally signed according to whether or not the predetermined number of partial messages have been digitally signed. The electronic signature method according to claim 1, wherein the electronic signature method is a digital signature method. The secret sharing method uses a Chinese remainder theorem, the original message m is the polynomial m (X) of the g term, and the polynomial m (X) is evaluated as the partial message by the value αi for each small group Gi m (αi)
When the digitally signed evaluation value m (αi) is greater than or equal to g, the original message m is decrypted using the Chinese remainder theorem, and it is confirmed that more than a predetermined percentage of entities have been digitally signed. The electronic signature method according to claim 5, For the entity (number of entities N), the center discloses J-dimensional data with multiple options for each dimension as secret key candidates,
Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data,
The center obtains a function Γ of the secret key (number N of secret keys) of the entity, and transmits an inverse element Γ ⁻¹ of Γ related to a predetermined operation to the entity.
When K out of N entities sign a message m, the message m is digitally signed by encrypting the inverse element Γ ⁻¹ and a total of K private keys of each signing entity, and
In addition, for the encrypted message m, the secret keys of the NK entities remaining under a predetermined constraint are estimated, and the encrypted message is decrypted. A program for an electronic signature method for confirming that an electronic signature has been signed,
A command for transmitting to the entity a secret key candidate having J-dimensional data having multiple options for each dimension;
Instructions for secretly receiving information regarding the selection of a secret key from each entity;
An instruction for obtaining a function Γ of the whole secret key of the entity from the received information on the secret key and transmitting an inverse element Γ ⁻¹ of Γ related to a predetermined operation to each entity; An electronic signature program for the center. For the entity (number of entities N), the center discloses J-dimensional data with multiple options for each dimension as secret key candidates,
Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data,
The center obtains a function Γ of the entity's secret key and sends an inverse element Γ ⁻¹ of Γ related to a predetermined operation to the entity.
When K out of N entities sign a message m, the message m is digitally signed by encrypting the inverse element Γ ⁻¹ and a total of K private keys of each signing entity, and
In addition, for the encrypted message m, the secret keys of the NK entities remaining under a predetermined constraint are estimated, and the encrypted message is decrypted. A program for an electronic signature method for confirming that an electronic signature has been signed,
A command for selecting one of the options for each dimension from the secret key candidates, and configuring and storing the secret key with the selected J pieces of data;
A command for secretly sending information related to the selection of a secret key to the center for the operation of Γ ⁻¹ ;
An electronic signature program for an entity, comprising: an instruction for signing a message using a stored secret key. For the entity (number of entities N), the center discloses J-dimensional data with multiple options for each dimension as secret key candidates,
Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data,
The center obtains a function Γ of the entity's secret key and sends an inverse element Γ ⁻¹ of Γ related to a predetermined operation to the entity.
When K out of N entities sign a message m, the message m is digitally signed by encrypting the inverse element Γ ⁻¹ and a total of K private keys of each signing entity, and
In addition, for the encrypted message m, the secret keys of the NK entities remaining under a predetermined constraint are estimated, and the encrypted message is decrypted. An apparatus for an electronic signature method for confirming that an electronic signature has been signed.
Means for sending to the entity a secret key candidate having J-dimensional data with multiple options for each dimension;
Instructions for secretly receiving information regarding the selection of a secret key from each entity;
Means for obtaining a function Γ of the entire secret key of the entity from the received information on the secret key, and transmitting an inverse element Γ ⁻¹ of Γ related to a predetermined operation to each entity; An electronic signature device for a center, which is characterized. For the entity (number of entities N), the center discloses J-dimensional data with multiple options for each dimension as secret key candidates,
Each entity selects one of the options for each dimension from the candidates, composes and stores a secret key with the selected J pieces of data,
The center obtains a function Γ of the entity's secret key and sends an inverse element Γ ⁻¹ of Γ related to a predetermined operation to the entity.
When K out of N entities sign a message m, the message m is digitally signed by encrypting the inverse element Γ ⁻¹ and a total of K private keys of each signing entity, and
In addition, for the encrypted message m, the secret keys of the NK entities remaining under a predetermined constraint are estimated, and the encrypted message is decrypted. An apparatus for an electronic signature method for confirming that an electronic signature has been signed.
Means for selecting one of the options for each dimension from the secret key candidates published from the center, and configuring and storing the secret key with the selected J pieces of data;
A command for secretly sending information related to the selection of a secret key to the center for the operation of Γ ⁻¹ ;
An electronic signature device for an entity, comprising: means for signing a message using a stored secret key.

Images