JP2007325318A - Signature system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a public key encryption method and signature method with which public information (public key) to be converted from ID information of an entity can be easily determined by substituting the ID information of the entity into a polynomial. <P>SOLUTION: A center 1 selects a point on an elliptic curve that is capable of setting a primary or higher-order polynomial function and defining pairing and discloses the information as a public key. At a transmitting-side entity V, ciphertext C<SB>1</SB>, C<SB>2</SB>is created from plaintext (m) using a function value resulting from substituting ID information (u) of a receiving-side entity U into the polynomial function and the selected point on the elliptic curve. At the entity U, the ciphertext C<SB>1</SB>, C<SB>2</SB>is decrypted into plaintext (m) while using a private key K<SB>U</SB>based on its own ID information (u) and pairing on the elliptic curve. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a public key encryption method that performs encryption processing and decryption processing using specific information that identifies an entity (hereinafter referred to as ID (Identity) information), and signature data creation processing and verification using entity ID information. The present invention relates to a signature method for performing processing, a cryptographic communication system using this public key encryption method, and a computer program for causing a computer to execute these methods.

  In a modern society called an advanced information society, important business documents and image information are transmitted, communicated and processed in the form of electronic information based on a computer network. Such electronic information has the property that it can be easily copied, and it is difficult to distinguish between a copy and the original, and the problem of information maintenance is regarded as important. In particular, the realization of a computer network that satisfies the elements of "computer resource sharing", "multi-access", and "broadening" is essential for establishing an advanced information society. Contains conflicting elements. As an effective technique for resolving such contradiction, attention has been paid to cryptographic techniques that have been used mainly in the military and diplomatic aspects of human history.

  Cryptography is the exchange of information so that the meaning of the information cannot be understood by anyone other than the parties. In cryptography, encryption is the conversion of an original sentence (plain text) that anyone can understand into a sentence (cipher text) whose meaning is unknown to a third party, and decryption is to convert the cipher text back to plain text. The entire process of encryption and decryption is collectively called an encryption system. In the encryption process and the decryption process, secret information called an encryption key and a decryption key is used, respectively. Since a secret decryption key is required at the time of decryption, only a person who knows the decryption key can decrypt the ciphertext, and the confidentiality of information can be maintained by the encryption.

  The encryption key and the decryption key may be the same or different. An encryption system in which both keys are equal is called a common key encryption system, and DES (Data Encryption Standards) adopted by the US Bureau of Commerce Standards is a typical example. In addition, as an example of an encryption system in which both keys are different, an encryption system called a public key encryption system has been proposed. In this public key cryptosystem, each entity using the cryptosystem creates a pair of encryption key and decryption key, publishes the encryption key in the public key list, and keeps only the decryption key secretly. It is a system. In the public key cryptosystem, the pair of encryption key and decryption key are different, and the decryption key cannot be calculated from the encryption key by using a one-way function.

  The public key cryptosystem is an epoch-making cryptosystem that publishes an encryption key, and conforms to the above three elements necessary for establishing an advanced information society. In order to make use of the RSA cryptosystem, the research is actively conducted, and the RSA cryptosystem is proposed as a typical public key cryptosystem. This RSA cryptosystem is realized using the difficulty of prime factorization as a one-way function. Various methods have also been proposed for public key cryptosystems that utilize the difficulty of solving discrete logarithm problems (discrete logarithm problem).

  Also, an encryption system using ID information for identifying an individual such as the address, name, and e-mail address of each entity has been proposed. In this encryption system, a common encryption / decryption key is generated between transmitting and receiving entities based on ID information. In addition, the encryption technique based on the ID information includes (1) a method that requires preliminary communication between transmitting and receiving entities prior to ciphertext communication, and (2) standby between transmitting and receiving entities prior to ciphertext communication. There are methods that do not require communication. In particular, since the method (2) does not require preliminary communication, the convenience of the entity is high, and it is considered to be the center of the future encryption system.

  The encryption system based on the method (2) is called ID-NIKS (ID-based non-interactive key sharing scheme), and the encryption / decryption key is used without performing preliminary communication using the ID information of the communication partner. The method of sharing is adopted. ID-NIKS is a method that does not require the exchange of public and private keys between transmitting and receiving entities, and does not require a key list or a service provided by a third party, and enables secure communication between arbitrary entities.

  In the above-described public-key cryptosystem, for example, the length of the public key for RSA cryptosystem becomes ten times the current phone number is extremely complicated. On the other hand, in ID-NIKS, if each ID information is registered in the form of a name list, a common key can be generated with any entity by referring to the name list. Therefore, if the ID-NIKS system is realized safely, a convenient encryption system can be constructed on a computer network to which a large number of entities are subscribed. For these reasons, ID-NIKS is expected to become the center of future cryptographic systems.

Accordingly, the present inventors have used a key sharing method that can easily share a common key between both entities without performing preliminary communication based on pairing on an elliptic curve using ID information of each entity. An encryption communication system using a key sharing method has been proposed (see, for example, Patent Document 1).
JP 2002-26892 A

  Even after proposing the key sharing method (ID-NIKS) as in Patent Document 1, the present inventors have disclosed a public key encryption method and a signature method based on ID information of each entity using pairing on an elliptic curve. I continue my research.

  The present invention has been made in view of such circumstances, and can assign public information (public key) converted from entity ID information by substituting entity ID information into a polynomial. It is an object to provide an encryption method and a signature method, an encryption communication system using the public key encryption method, and a computer program for causing a computer to execute these methods.

  Another object of the present invention is to use ciphertext or signature data for a group and ciphertext or signature for each of a plurality of entities belonging to the group by using the ID information of the group and the ID information of each of the entities belonging to the group. It is an object of the present invention to provide a public key encryption method or a signature method that can easily create data independently.

  The signature system according to claim 1 uses the second entity device to verify signature data created by the first entity device, using the private key and public key of the entity generated by the center device. The center device includes means for generating an elliptic curve capable of defining pairing, means for appropriately selecting two points on the generated elliptic curve, means for setting at least an arbitrary polynomial function, and Means for substituting the specific information of the first and second entities into the set polynomial function to obtain a function value, and means for generating a secret key by multiplying the selected one of the selected points by the inverse of the obtained function value And a means for generating a public key by multiplying the selected other point by a coefficient of a set polynomial function, and the first entity device generates the secret key of the generated first entity And creating means for creating signature data using the public key of the second entity, and the second entity device uses the generated public key of the first entity and the secret key of the second entity. And verifying means for verifying the signature data.

  The signature system according to claim 2 uses specific information for specifying a group to which a plurality of entities including the first entity belong and specific information for specifying the first entity, and the verification unit includes the verification unit Signature data created by the first entity device of the first entity belonging to a group is verified by the second entity device of the second entity belonging to or not belonging to the group. .

  In the public key encryption method of the present invention, a polynomial function is set and a point on an algebraic curve that can define pairing is selected, and ID information of an entity that receives the ciphertext is substituted into the polynomial function. A ciphertext is created using the resulting function value and the selected point on the algebraic curve. Therefore, a public key that is converted from an entity's ID information using an algebraic curve is more easily obtained.

  In the signature method of the present invention, a polynomial function is set and a point on an algebraic curve that can define pairing is selected, and ID information of an entity that creates signature data is substituted into the polynomial function. Signature data is created using the function values and the selected points on the algebraic curve. Therefore, a public key that is converted from an entity's ID information using an algebraic curve is more easily obtained.

  In the public key encryption method or signature method of the present invention, the ID information of the group and the ID information of each of the plurality of entities belonging to the group are used, and the ciphertext or signature data for the group and the plurality of entities belonging to the group The ciphertext or signature data for each is created independently. Therefore, these ciphertexts or signature data can be easily created.

  In the public key encryption method of the present invention, a function value obtained by setting a polynomial function, selecting a point on an algebraic curve that can define pairing, and substituting ID information of an entity that receives the ciphertext into the polynomial function Since the ciphertext is generated using the selected point on the algebraic curve, the public key converted using the algebraic curve can be more easily obtained from the ID information of the entity.

  In the signature method of the present invention, a function value obtained by setting a polynomial function and selecting a point on an algebraic curve that can define pairing, and substituting ID information of an entity that creates signature data into the polynomial function Since the signature data is generated using the selected point on the algebraic curve, the public key converted using the algebraic curve can be easily obtained from the ID information of the entity.

  Furthermore, in the public key encryption method or signature method of the present invention, the ciphertext or signature data for the group and the plurality of entities belonging to the group are respectively used using the group ID information and the ID information of each of the entities belonging to the group. Since the ciphertext or signature data is independently created, the ciphertext or signature data can be easily created.

The embodiment of the present invention will be specifically described.
First, the basic properties of elliptic curve Baye pairing used in the present invention will be described. It represents an elliptic curve defined on a finite field vector F _q with E / vector F _q, represents the group formed by rational points on the vector F _q of the elliptic curve E / vector F _q and E (vector F _q) . Here, it is assumed that the n-twisted subgroup E [n] is included in the subgroup of the elliptic curve group E (vector F _q ).

Pairing on the elliptic curve is a mapping from two n twist points P, QεE [n] on the elliptic curve to a multiplicative group of order n on the vector F _q . Pairing has the following properties. Incidentally, e _n (,) denotes the pairing.

(Non-degenerate)
For a point PεE [n] and an arbitrary point QεE [n],
When e _n (P, Q) = 1 holds, P = 0.
(Anti-symmetric)
For any point P, QεE [n]
_{e n (P, Q) =} e n (Q, P) -1 is satisfied.
(Bilinear)
For any point P, Q, R∈E [n]
e _n (P + Q, R) = e _n (P, R) e _n (Q, R),
e _n (P, Q + R) = e _n (P, Q) e _n (P, R)
Is established.

When pairing on an elliptic curve is applied to an encryption scheme, it is necessary to select the elliptic curve to be used and its n-twisted subgroup so as to satisfy the following conditions in order to ensure sufficient security.
(1) n has a prime number of 160 bits or more as a factor.
(2) q is 2 ¹⁰²⁴ or more.
(3) The following condition is satisfied for the subfield of the vector F _q .

  In the following description, an elliptic curve that satisfies these conditions (1) to (3) is referred to as a safe elliptic curve that can be paired. In the following, n is a prime number for simplicity.

(First embodiment: public key encryption method based on ID information)
FIG. 1 is a schematic diagram showing a configuration of a cryptographic communication system according to the present invention. A center 1 that can trust the concealment of information is set, and the center 1 can correspond to, for example, a public organization of society. The center 1 and a plurality of entities A, B,..., Z as users who use this cryptographic communication system are connected by secret communication paths 2a, 2b,. Secret key information (secret keys K _A , K _B ,..., K _Z ) is distributed to each entity A, B,..., Z from the center 1 via 2a, 2b,. . Further, communication paths 3ab, 3az, 3bz,... Are provided between the two entities, and ciphertext obtained by encrypting communication information via the communication paths 3ab, 3az, 3bz,. It is supposed to be transmitted with.

Next, information communication between entities in the cryptographic communication system will be described. FIG. 2 is a schematic diagram showing a communication state of information between the two entities V and U. In the example of FIG. 2, the plaintext (message) m is encrypted by the entity V into the ciphertexts C ₁ and C ₂ and transmitted to the entity U. The entity U transmits the ciphertexts C ₁ and C ₂ to the original plaintext ( Message) m shows the case of decoding. Note that there are various entities such as humans, devices, machines, programs, and systems using these as components, and the present invention can be applied between any of these.

The center 1 generates a public key generation unit 1a that generates various public keys including the vector H that is public information, a secret key generation unit 1b that calculates the secret keys K _V and K _U of the entities V and U, A secret key distribution unit 1c that distributes the secret keys K _V and K _U to the entities V and U.

The encryption device 10 of the entity V on the transmission side includes a secret key receiving unit 11 that receives the secret key K _V from the center 1, a random number generating unit 12 that generates a random number r, and plaintext m as ciphertexts C ₁ and C _2. Are provided with an encryption unit 13 for encrypting, and a ciphertext sending unit 14 for sending the created ciphertexts C ₁ and C ₂ to the communication path 50.

Further, the decoding device 20 of the entity U which is the transmission side, from the center 1 and the secret key receiving portion 21 for receiving a secret key K _U, from the channel 50 with the ciphertext receiving unit 22 that receives the ciphertext C _1, C _2, The decryption unit 23 decrypts the ciphertexts C ₁ and C ₂ into the plaintext m, and the plaintext output unit 24 outputs the decrypted plaintext m.

  Next, the operation will be described. 3 is a flowchart showing the operation procedure of the process in the center 1, FIG. 4 is a flowchart showing the operation procedure of the encryption process in the entity V (transmission side), and FIG. 5 is the decryption process in the entity U (reception side). It is a flowchart which shows an operation | movement procedure.

First, in the center 1, a safe elliptic curve that can be calculated for pairing is generated (step S1), and n twist points P and Q are randomly selected (step S2). _{However, e n (P, Q)} ≠ 1 and becomes like a point P, Q are selected. Next, a d-order polynomial function f (x) as shown in the following formula (1) is generated (step S3). In equation (1), the highest order coefficient a _d may be 1, and d = 1, that is, a linear expression.
f (x) = a _d x ^d + a _d−1 x ^d−1 +... + a ₁ x + a ₀ (1)

In the center 1, a vector H as shown in the following formula (2) is calculated, and the vector H is disclosed as public information (step S4). Also, using the ID information v and u of the entities V and U, secret keys K _V and K _U are generated as shown in the following formulas (3) and (4) (step S5), and the entities V and U are generated. (Step S6).

In the entity V, a random number r is generated by the random number generation unit 12 (step S11), and using the ID information u of the entity U, the public information vector H of the center 1 and the random number r, the following equations (5) and (6 ), The ciphertexts C ₁ and C ₂ are created from the plaintext m by the encryption unit 13 (steps S12 and S13). In addition, the operation symbol in Formula (6) represents EXOR (exclusive OR) for every bit in public key encryption, for example.

The _en (P, Q) in the ciphertext C ₂ can be calculated as follows using the ID information v of the entity V, the secret key K _{V of the} entity V, and the public information vector H of the center 1. .

The created ciphertexts C ₁ and C ₂ are transmitted from the ciphertext sending unit 14 to the entity U via the communication path 50 (step S14).

The ciphertexts C ₁ and C ₂ transmitted through the communication path 50 are received by the ciphertext receiving unit 22 of the entity U (step S21). Entity U, the decoding unit 23, by using the secret key K _U itself, the ciphertext C _1, C ₂ is decrypted into the plaintext m as shown in the following formula (7) (step S22).

  As described above, information communication can be safely performed using ciphertext by a relatively simple algorithm.

In the first embodiment described above, the entity V (transmission side) is registered in the center 1, and e _n (P, Q) is obtained using its own secret key K _V. the e _n (P, Q) if is published as the public information from center 1, entity V (transmission side) can also not be registered in the center 1 to create the ciphertext.

Second Embodiment: Signature Method Based on ID Information
Next, a signature scheme based on ID information using the same method as the public key cryptosystem described in the first embodiment will be described.

  FIG. 6 is a schematic diagram showing a signature system between two entities U and V. The example of FIG. 6 shows a case where the entity U creates signature data and the entity V verifies the signature data.

  Center 1, the same public key generation unit 1a in the first embodiment, and a secret key generating unit 1b and a secret key distribution unit 1c.

Signature device 30 of the signature entity U from the center 1 and the secret key receiving portion 31 for receiving a secret key K _U, a random number generator 32 for generating random numbers, various public key and its own ID information u and its of and a signature data creation unit 33 for creating a signature data by using the secret key K _U. The verification device 40 of the entity V that is the verification side includes a secret key receiving unit 41 that receives the secret key K _V from the center 1 and a signature data verification unit 42 that verifies the signature data from the entity U.

  Next, the operation will be described. 7 is a flowchart showing an operation procedure of processing in the center 1, FIG. 8 is a flowchart showing an operation procedure of signature processing in an entity U (signing side) that creates signature data, and FIG. 9 is an entity V that verifies signature data. It is a flowchart which shows the operation | movement procedure of the verification process in (verification side).

First, in the center 1, as in the first embodiment, a safe elliptic curve capable of calculating pairing is generated (step S31), and n twist points P and Q are randomly selected (step S32). Next, a d-order polynomial function f (x) as shown in the above equation (1) is generated (step S33). Various public keys (which differ depending on each method described later) are disclosed as public information (step S34). Also, using the ID information u, v of the entities U, V, secret keys K _U , K _V are generated as shown in the equations (4), (3) (step S35), and the entities U, V are (Step S36).

Entity U, the random number k is generated by the random number generating unit 32 (step S41), using the the random number k ID information u and a secret key K _U and various public key of the entity U (public information), signature data Signature data is created by the creation unit 33 (step S42). The created signature data is sent to the entity V (step S43).

The created signature data is received by the entity V (step S51), and in the signature data verification unit 42, the ID information v and u of itself and the entity U, its own secret key K _V and various public keys (public information). Are used to verify the signature data (step S52).

  Next, specific examples (first to sixth examples) of the signature method of the present invention will be described. Representative types of signature scheme, are known and ElGamal type and Schnorr-type, the following description will be centered on these types.

[First example] (ElGamal type I)
PεE [n] is added to the public key in the center 1 in the first embodiment. From the center public key vector H and the ID information c of an arbitrary entity C, f (c) Q can be calculated as shown in the following equation (8). Furthermore, using its own secret key K _C , the entity C can calculate e _n (P, Q) as shown in the following equation (9). That is, any entity that has its own private key can calculate e _n (P, Q).

  The specific signature and verification are performed as follows. The center 1 discloses the hash function h (•), which is a one-way function, as a public key.

Signature: (signature data (R, S)) In the entity U, a random number kεZ _n is generated (S41), and signature data (R, S) is created as in the following equations (10) and (11). (S42). The created signature data (R, S) is sent to the entity V (S43). However, x represents the x coordinate of R.

Verification: In entity V, signature data (R, S) is received (S51), it has been ascertained v ₂ are equal as shown in v ₁ and the following formula represented by the following formula (12) (13), the signature data Is verified (S52).

[Second example] (Schnorr type I)
PεE [n] is added to the public key in the center 1 in the first embodiment. The specific signature and verification are performed as follows. The center 1 publishes the hash function h (•) as a public key.

Signature: (signature data (e, S)) In the entity U, a random number kεZ _n is generated (S41), and intermediate data r as shown in the following equation (14) is calculated. Signature data (e, S) is created as shown in (16) (S42). The signature data e is obtained as a hash value that is a concatenation of the plaintext m and the intermediate data r, as shown in equation (15). The created signature data (e, S) is sent to the entity V (S43).

  Verification: In the entity V, the signature data (e, S) is received (S51), the following equations (17) and (18) are confirmed, and the signature data is verified (S52).

[Third example] (ElGamal type II)
In the third example method, P is not used, so that P can be used as the secret information of the center 1. The specific signature and verification are performed as follows. The center 1 publishes the hash function h (•) as a public key.

Signature: (signature data (vector R, S)) In entity U, random number kεZ _n is generated (S41), and signature data (vector R, S) is created as in the following equations (19), (20). (S42). The created signature data (vector R, S) is sent to the entity V (S43). However, x represents the x-coordinate of the kH _0.

Verification: In the entity V, the signature data (vector R, S) is received (S51), the following relationship is confirmed, and the signature data is verified (S52). First, kf (v) Q is obtained from the vector R as in the following equation (21), and then w ₁ , w ₂ , and w ₃ are obtained as in the following equations (22), (23), and (24). can get. Then, the validity of the signature data (vector R, S) is verified by the following expression (25).

[Fourth example] (Schnorr type II)
In the method of the fourth example, as in the third example, P is not used, so that P can be used as the secret information of the center 1. The specific signature and verification are performed as follows. The center 1 publishes the hash function h (•) as a public key.

Signature: (Signature data (e, S)) In the entity U, a random number kεZ _n is generated (S41), and intermediate data r such as the following equation (26) is calculated, then the following equation (27), Signature data (e, S) is created as shown in (28) (S42). The created signature data (e, S) is sent to the entity V (S43).

  Verification: In the entity V, the signature data (e, S) is received (S51), and the signature data is verified as follows (S52). First, w is obtained according to the following equation (29), and then the following equation (30) is established, whereby the validity of the signature data (e, S) and the plaintext m is verified.

[Fifth example] (ElGamal type III)
In the fifth example method, P is the public key of the center 1. The feature of this method is that it always requires its own secret key when verifying signature data. The specific signature and verification are performed as follows. The center 1 publishes the hash function h (•) as a public key.

Signature: (signature data (vector R, S)) In entity U, random number kεZ _n is generated (S41), and signature data (vector R, S) is created as in the following equations (31), (32). (S42). The created signature data (vector R, S) is sent to the entity V (S43). However, x represents the x-coordinate of the kH _0.

Verification: In the entity V, the signature data (vector R, S) is received (S51), the following relationship is confirmed, and the signature data is verified (S52). After w ₁ , w ₂ , and w ₃ are calculated as in the following formulas (33), (34), and (35), the validity of the signature data (vectors R and S) is satisfied by the following formula (36). Is verified.

[Sixth example] (Other types)
The specific signature and verification in the method of the sixth example is performed as follows. The center 1 publishes the hash function h (•) as a public key.

Signature: In entity U, random numbers k, rεZ _n are generated (S41), and n twist points M = h (m) on the elliptic curve corresponding to plaintext m are calculated using hash function h (·). The Then, the signature data (S ₁ , S ₂ , vector S ₃ ) for the plaintext m is the secret key P _{U of the} entity U (the ID information u of the entity U mapped to the n twist point P on the elliptic curve), Using the public information h (•) of the center and the vector H, it is created as in the following formulas (37), (38), (39) (S42). The created signature data (S ₁ , S ₂ , vector S ₃ ) is sent to the entity V (S 43).

Verification: At the entity V, signature data (S ₁ , S ₂ , vector S ₃ ) is received (S 51), M = h (m) is obtained from the plaintext m, and then the private key P _V of the entity _V is used. Thus, it is confirmed that the following formula (40) is established, and the signature data is verified (S52).

In the second embodiment described above, the entity V (verification side) is registered in the center 1 and the private key K _V is used to obtain e _n (P, Q). the e _n (P, Q) if is published as the public information from center 1, entity V (verifier) can be not registered in the center 1 can verify the signature data.

(Third embodiment)
Next, the signature method of the third embodiment using a secret key and a public key different from those of the second embodiment will be described by taking ElGamal type (seventh example) and Schnorr type (eighth example) as examples. . The configuration of the signature device and the verification device and the operation procedure of the center processing, signature processing, and verification processing in the third embodiment are the same as those in the second embodiment (FIGS. 6 to 9). Description is omitted.

[Seventh example] (ElGamal type)
Preparation: At a reliable center, a secure elliptic curve that can be paired is generated, and the ID information u of the entity U (signing side) is converted into an n twist point P _U on the elliptic curve. The hash function h (•) is disclosed. Also, a secret key yεZ _n is generated at the center, and Q and yQ are calculated and released using n twist points QεE [n]. Further, the secret key K _U = yP _{U of the} entity _U is calculated from the ID information u of the entity U at the center, and this secret key K _U is sent to the entity U.

Signature: (Signature data (R, S)) In entity U, a random number kεZ _n is generated, and signature data (R, S) is created as in the following equations (41) and (42). The created signature data (R, S) is sent to the entity V. Where x is the x coordinate of R.

  Verification: In the entity V, the signature data (R, S) is received, the establishment of the following formula (43) is confirmed, and the signature data is verified.

[Eighth example] (Schnorr type)
Preparation: The preparation process at the center is the same as in the seventh example.

Signature: (Signature data (e, S)) In the entity U, a random number kεZ _n is generated, and intermediate data r as shown in the following equation (44) is calculated. Then, the following equations (45) and (46) Signature data (e, S) is created as follows. The created signature data (e, S) is sent to the entity V.

  Verification: In the entity V, the signature data (e, S) is received, the following formulas (47) and (48) are confirmed, and the signature data is verified.

(Fourth embodiment)
Next, a public key encryption method and a signature method considering a group composed of a plurality of entities will be described. The configuration of the encryption device and the decryption device and the operation procedure of the center process, the encryption process, and the decryption process in the public key encryption method of the fourth embodiment are described in the first embodiment (FIGS. 2 to 5). The configuration of the signature device and the verification device and the operation procedure of the center processing, signature processing and verification processing in the signature method of the fourth embodiment are the same as those in the second embodiment (FIGS. 6 to 9). ), The description thereof is omitted.

In the fourth embodiment, two sets of center secret polynomial functions as described in the first and second embodiments are generated for each entity and group. Specifically, a d-order polynomial function f (x) for each entity as shown in the following formula (49) (similar to the above formula (1)) and a group for the group as shown in the following formula (50). A z-order polynomial function t (x) is generated.
f (x) = a _d x ^d + a _d−1 x ^d−1 +... + a ₁ x + a ₀ (49)
_{t (x) = b z x} z + b z-1 x z-1 + ··· + b 1 x + b 0 ... (50)

Assume that entity U belongs to group G. Further, the ID information of the entity U is u, and the ID information of the group G is g. In this case, the secret key K _UG of the entity U is given by the following equation (51) and calculated at the center. Further, the public key of the group G as public information published by the center is given by the following formula (52), and the information for the entity U (not required to be published) is given by the following formula (53), Calculated at the center.

  Hereinafter, specific examples of the public key encryption method (the ninth example and the tenth example) and the signature method (the eleventh example to the fourteenth example) will be described.

[Ninth Example] (Public Key Encryption Method for Group Based on ID Information)
A public key encryption method for the group G that can be decrypted by any entity belonging to the group G will be described. This example is suitable for the case where the same ciphertext is sent to all entities belonging to one group G.

Encryption: A random number rεZ _n is generated at the transmitting entity (transmitting side), and C _i and C _{d + 1} as shown in the following formulas (54) and (55) are generated as ciphertext for the group G. . e _n (P, Q) can be calculated from the ID information and secret key of the transmitting entity and the public information of the center.

Decryption: In any entity U (receiving side) belonging to group G, plaintext m is decrypted from ciphertexts C _i and C _{d + 1} according to the following equation (56).

[Tenth example] (Public key encryption method for each entity based on ID information)
An example in which a ciphertext is sent to a specific entity U belonging to the group G using the same secret key and public key as in the ninth example will be described. Encryption to the entity U (receiving side) belonging to the group G and decryption at the entity U can be performed in the same manner as in the first embodiment.

Encryption: A random number rεZ _n is generated at the transmitting entity (transmitting side), and C ₁ and C ₂ as in the following formulas (57) and (58) are created as ciphertext for the entity U.

Decryption: On the entity U side, plaintext m is decrypted from ciphertexts C ₁ and C ₂ according to the following equation (59).

[Eleventh example] (Group signature method based on ID information: Schnorr type)
Although the signature data cannot identify which entity in the group has signed, a signature method capable of verifying that an entity belonging to the group has signed will be described.

Signature: A random number kεZ _n is generated at the entity U (signing side), intermediate data r as shown in the following equation (60) is calculated, and then the group G is expressed as in the following equations (61) and (62). Signature data (e, S _i ) is created. e _n (P, Q) can be calculated from the ID information and secret key of the entity U and the public information of the center.

Verification: First, in any entity V (verification side) belonging to the group G ′, _en (P, Q), w is obtained according to the following formulas (63) and (64), and then the following formula (65) Thus, the validity of the signature data (e, S _i ) is verified.

The eleventh example has a property that when the entity U ′ (signing side) having u ′ satisfying the following formula (66) as ID information selects x ′ and k, the signature data becomes exactly the same. Yes. Therefore, the signature entity cannot be specified from the signature data.
xf (u) ≡x′f (u ′) (mod n) (66)
If both the group G secret key K _G = (1 / t (g)) P and the entity U secret key K _U = (1 / f (u)) P are considered, it is considered to have an equivalent function. In this eleventh example, since the group secret key and the entity secret key cannot be separated, it is impossible to transfer each secret key separately.

[Twelfth example] (Group signature method based on ID information: ElGamal type)
A signature method for limiting verification entities to entities belonging to a group will be described. In the twelfth example method, P is the public key of the center.

Signature: In entity U (signing side), random number kεZ _n is generated, and signature data (vector R, S) of group G is created as in the following formulas (67) and (68). However, x represents the x-coordinate of the kU _0.

Verification: In an arbitrary entity V (verification side) belonging to the group G, first, kf (u) t (g) Q is obtained according to the following equation (69), and then, the following equations (70), (71), After w ₁ , w ₂ , and w ₃ are calculated as in (72), the validity of the signature data (vector R, S) is verified by the following expression (73).

[Thirteenth example] (Entity signature method based on ID information: Schnorr type I)
The signature data of the entity U (signing side) can be obtained by changing the signature method in the eleventh example as follows.

Signature: A random number kεZ _n is generated at the entity U (signing side), intermediate data r as shown in the following equation (74) is calculated, and then the entity U as shown in the following equations (75) and (76) Signature data (e, S _i ) is created. e _n (P, Q) can be calculated from the ID information and secret key of the entity U and the public information of the center.

Verification: First, in any entity V (verification side) belonging to the group G ′, _en (P, Q), w is obtained according to the following formulas (77) and (78), and then the following formula (79) Thus, the validity of the signature data (e, S _i ) is verified.

[14th example] (Entity signature method based on ID information: Schnorr type II)
The verification entity can be limited to entities belonging to the group G by changing the signature method in the thirteenth example as follows.

Signature: A random number kεZ _n is generated in the entity U (signing side), intermediate data r as shown in the following equation (80) is calculated, and then the entity U is expressed as in the following equations (81) and (82). Signature data (e, S _i ) is created. e _n (P, Q) can be calculated from the ID information and secret key of the entity U and the public information of the center.

Verification: In any entity V (verifier) belonging to the group G, first, the following equation (83), e _n (P, Q) in accordance with (84) ^x, w is determined, then the following equation (85) Thus, the validity of the signature data (e, S _i ) is verified.

In the method of the fourteenth example, the secret key K _VG of the entity V (verification side) is indispensable at the time of verification, and en _n (P, Q) ^x cannot be calculated unless the entity V belongs to the same group. The entity V can be limited to entities belonging to the same group G as the entity U (signing side).

  In the above-described example, the case where an elliptic curve is used as an algebraic curve has been described. However, even when a super elliptic curve is used, the same pairing can be defined and can be easily expanded.

  Here, a hardware configuration example of the encryption device 10 and the decryption device 20 described above will be described with reference to FIG.

  The encryption device 10 includes a CPU 51, a communication unit 52, an operation unit 53, a display unit 54, a ROM 55, a RAM 56, a key storage unit 57, and the like. The CPU 51 is connected to the hardware components of the encryption device 10 via the bus 58, and controls them, and executes various software functions according to the computer program for encryption processing stored in the ROM 55. . The communication unit 52 executes transmission / reception processing via the communication path 50. The operation unit 53 receives an external operation such as input of plain text to be encrypted by the user. The display unit 54 displays the input plaintext to be encrypted. The ROM 55 stores in advance various software computer programs necessary for the above-described encryption processing of the encryption device 10. The RAM 56 is configured by SRAM, flash memory, or the like, and stores temporary data generated during the encryption process. The key storage unit 57 stores a public key including the vector H described above.

  On the other hand, the decoding apparatus 20, CPU 61, communication unit 62, an operation unit 63, display unit 64, ROM 65, RAM 66, key storage unit 67, output unit 68 or the like. The CPU 61 is connected to the above hardware units of the decoding device 20 via the bus 69 and controls them, and executes various software functions according to a computer program for decoding processing stored in the ROM 65. The communication unit 62 executes transmission / reception processing via the communication path 50. The operation unit 63 receives an external operation by the user. The display unit 64 displays the decoding result and the like. The ROM 65 stores in advance various software computer programs necessary for the above-described decoding process of the decoding device 20. The RAM 66 is composed of SRAM, flash memory, or the like, and stores temporary data generated during the decoding process. The key storage unit 67 stores the above-described secret key and public key. The output unit 68 outputs the decrypted plaintext.

  Next, a hardware configuration example of the above-described signature device 30 and verification device 40 will be described with reference to FIG.

  The signature device 30 includes a CPU 71, an operation unit 72, a display unit 73, a ROM 74, a RAM 75, a key storage unit 76, and the like. The CPU 71 is connected to the hardware units of the signature device 30 via the bus 77, controls them, and executes various software functions according to a signature processing computer program stored in the ROM 74. The operation unit 72 receives an external operation by the user. The display unit 73 displays signature data and the like. The ROM 74 stores in advance various software computer programs necessary for the signature processing operation of the signature device 30 described above. The RAM 75 is configured by SRAM, flash memory, or the like, and stores temporary data generated during the signature processing operation. The key storage unit 76 stores a public key including the vector H described above.

  On the other hand, the verification device 40 includes a CPU 81, an operation unit 82, a display unit 83, a ROM 84, a RAM 85, a key storage unit 86, an output unit 87, and the like. The CPU 81 is connected to the above-described hardware units of the verification device 40 via the bus 88 and controls them, and executes various software functions according to the computer program for verification processing stored in the ROM 84. The operation unit 82 receives an external operation by the user. The display unit 83 displays verification results and the like. The ROM 84 stores in advance various software computer programs necessary for the above-described verification processing operation of the verification device 40. The RAM 85 is configured by SRAM, flash memory, or the like, and stores temporary data generated during the verification process. The key storage unit 86 stores the above-described secret key and public key. The output unit 87 outputs the verification result of the signature data.

  FIG. 12 is a diagram showing a configuration of an embodiment of a recording medium of the present invention. The computer program illustrated here is in the first to fourth embodiments described above, and includes a key generation process for generating a public key and a secret key, an encryption process for creating a ciphertext, and a decryption process for decrypting a ciphertext signature processing to create the signature data, or includes a verification process of verifying the signature data, recorded on the recording media described below. The computer 90 is provided on the center 1 side or on each entity side.

  In FIG. 12, the recording medium 91 connected online with the computer 90 is a WWW (World Wide Web) server computer installed at a distance from the installation location of the computer 90. The recording medium 91 includes the above-described computer. A program 91a is recorded. When the computer program 91a read from the recording medium 91 via the transmission medium 94 such as a communication line controls the computer 90, the computer 90 executes one of the processes described above.

  The recording medium 92 provided inside the computer 90 is, for example, a hard disk drive or ROM (corresponding to the ROM 55 or ROM 65 in FIG. 10 or the ROM 74 or ROM 84 in FIG. The computer program 92a as described above is recorded. When the computer program 92a read from the recording medium 92 controls the computer 90, the computer 90 executes one of the processes described above.

  The recording medium 93 used by being loaded into a disk drive 90a provided in the computer 90 is a portable medium such as a magneto-optical disk, a CD-ROM, or a flexible disk. 93a is recorded. When the computer program 93a read from the recording medium 93 controls the computer 90, the computer 90 executes one of the processes described above.

It is a schematic diagram which shows the structure of the encryption communication system of this invention. It is a schematic diagram which shows the communication state of the information between two entities. It is a flowchart which shows the operation | movement procedure of the process in a center. It is a flowchart which shows the operation | movement procedure of the encryption process in the transmission side entity. It is a flowchart which shows the operation | movement procedure of the decoding process in the entity by the side of reception. It is a schematic diagram which shows the signature system between two entities. It is a flowchart which shows the operation | movement procedure of the process in a center. It is a flowchart which shows the operation | movement procedure of the signature process in the entity by the side of a signature. It is a flowchart which shows the operation | movement procedure of the verification process in the entity by the side of verification. It is a figure which shows the hardware structural example of an encryption apparatus and a decoding apparatus. It is a figure which shows the hardware structural example of a signature apparatus and a verification apparatus. It is a figure which shows the structure of embodiment of a recording medium.

Explanation of symbols

1 Center 1a Public Key Generation Unit 1b Private Key Generation Unit 10 Encryption Device 13 Encryption Unit 20 Decryption Device 23 Decryption Unit 30 Signature Device 33 Signature Data Creation Unit 40 Verification Device 42 Signature Data Verification Unit 50 Communication Channel 90 Computer 91, 92 , 93 Recording medium 91a, 92a, 93a Computer program A, B, U, V, Z entity

Claims (2)

In the signature system for verifying signature data created in the first entity device by using the private key and public key of the entity generated in the center device, in the second entity device,
The center device is
A means of generating an elliptic curve that can define pairing;
Means for appropriately selecting two points on the generated elliptic curve;
Means for setting at least an arbitrary polynomial function of first order;
Means for substituting the specific information of the first and second entities into the set polynomial function to obtain a function value;
Means for generating a secret key by multiplying one selected point by the inverse of the obtained function value;
Means for generating a public key by multiplying the other selected point by a coefficient of a set polynomial function, and
The first entity device includes creation means for creating signature data using the generated private key of the first entity and the public key of the second entity,
The second entity device comprises verification means for verifying signature data using the generated public key of the first entity and the secret key of the second entity.   The identification information for identifying a group to which a plurality of entities including the first entity belong and the identification information for identifying the first entity are used, and the verification unit includes the first entity belonging to the group. The signature system according to claim 1, wherein signature data created by the first entity device is verified by the second entity device of the second entity belonging to or not belonging to the group.

Images