JP2008219708A - Signature generating device and signature verifying device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an electronic signature method by which a signature size is reduced for several electronic signature systems such as an electronic signature capable of using a public key that can be converted from the ID information of a signer, as a key for verifying a signature that each person uses. <P>SOLUTION: Regarding a system of signature generation using a public key based on pairing on an elliptic curve, in a sort of case, the signature size is reduced by using the fact that data for two points can be reduced into a size for one point using characters of points of the elliptic curve. A solution means includes steps of: selecting points on the elliptic curve, creating a pair of public keys of a signer therefrom, and distributing a private key to the signer; enabling the signer to generate the signature using the keys; and enabling a signature verifier to verify the establishment of an inspection expression using the pairing on the elliptic curve. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to a signature generation apparatus and signature verification apparatus for signing an electronic document.

Various methods have been devised for creating electronic signatures.

In recent years, a method of creating a public key from ID information of an owner is known as one of methods for associating a public key with an owner of a private key corresponding to the public key. When this is used, it is usually PKI (
There is an advantage that a public key certificate or the like used in a public key infrastructure (Public Key Infrastructure) is not required, and a simpler security system can be constructed.

By the way, in the encryption / signature technology, many methods using elliptic curve pairing have been devised. As a result, encryption / signature technology based on ID information, which has been difficult in the past, has been realized. For example, for the signature, there are methods disclosed in Patent Document 1, Patent Document 2, and Non-Patent Document 1.

On the other hand, by using pairing, signature data having a shorter length than the conventional one is also generated. For example, it is the method of nonpatent literature 2.
K. G. Paterson, “ID-Based signatures from pairings on elliptic curves,“ Electronics Letters 38 (18) (2002), pp. 1025-1026. D. Boneh, B. Lynn, H. Shacham, "Short signatures from the Weil Pairing," Advanceds in Cryptology-Asiacrypt'2001, Lecture index.html> 2248, Springer-Verlag (2002), pp. 514--532. J. Mallone-Lee, "IDentity-Based Signcryption," IACR ePrint Archive: Report 2002/098. A. Boldyreva, A. Palacio and B. Warinsch, "Secure Proxy Signature Scheme for Delegation of Signing Lights," IACR PrintPrint 96. JP 2004-201124 A JP 2006-203825 A

However, according to the inventors of the present invention, compared to the techniques disclosed in Patent Document 1, Patent Document 2, Non-Patent Document 1, Non-Patent Document 2, Non-Patent Document 3, and Non-Patent Document 4 described above, There is room for study on a signature method using a public key by pairing on an elliptic curve. Specifically, with respect to a signature generation method using a public key by pairing on an elliptic curve, the signature generation method in the above-mentioned various documents cannot significantly reduce the signature length. It is generally desired that the signature length be as short as possible, and it can be determined that such a technique capable of shortening the signature length is promising in the future.

In such a situation, the object of the present invention is for a certain signature scheme using pairing:
To provide a signature generation device and a signature verification device that can further reduce the length of signature data.

A first invention for achieving the above object is a signature device that creates electronic signature data for document data M and generates a signature based on the electronic signature data, and includes an elliptic curve E on a finite field and , The n twist points P and Q, the signer's private key d, the public key PpuB, a signature key using the secret key d and the document data M, and the document data M
The signature data and the signer's public key PpuB are received, and the signature data is a pair of n twist points R and S, and R belongs to <P>. When S is a point belonging to <Q>, a step of generating a point T = R + S instead of a pair of points R and S as signature data, and a pair of n twist points R and S from the point T 1 In the signature verification step, this data, the document data M, the signature data, and the public information Q, PpuB, Q of the center
It has a step of receiving the puB and the signer's public key Q_ID and checking the signature.

In addition, although 1st invention is expressed as "apparatus", not only this but "system",
Needless to say, it may be expressed as “method”, “program” or “storage medium”.

According to the present invention, the length of signature data can be further reduced for a certain type of signature method using pairing.

  Embodiments of the present invention will be described with reference to the drawings.

First, pairing (Baille pairing) used in the present invention will be described. Finite field Fq
For the upper elliptic curve E, two points P and Q of a group E [n] formed by n twist points of the elliptic curve are taken. The pairing e (,) is a mapping from E [n] to a multiplicative group of order n included in Fq or its extension field, and has the following properties. All points are considered in the group E [n].

(Non-degenerate)
When a certain point P satisfies e (P, Q) = 0 with respect to an arbitrary point Q, P = 0.

(Anti-symmetric)
For any point P.Q, e (P, Q) = e (Q, P) ^ (-1) holds.

(Double line type)
For any point P.Q,
e (P + Q, R) = e (P, R) e (Q, R)
e (P, Q + R) = e (P, Q) e (P, R)
Is established.

  Hereinafter, an embodiment based on this property will be described.

(First embodiment)
The following is applied to the method of Non-Patent Document 3 that simultaneously performs encryption and signature generation.

First, as shown in FIG. 1, the center 101 prepares elliptic curve parameters, base points G, P, PpuB = sP, Q, QpuB = sQ and secret information s, which are public information, and the I-th signer. Public key Q_ID for signature device I (I: 1, 2,..., N) used by IDi
i = H1 (Q_ID) {H1 is a public hash function, secret key D_IDi = sH1 (Q_ID)}, and secret key D_IDi is secretly distributed to the I-th signer (see FIG. 1).

At this time, the encryption and signature are generated simultaneously in the next step.

U = xP, r = H2 (U || m), W = xPpuB, V = rS_IDB + W, y = e (W, Q_IDB),
k = H3 (y), c = k (+) m
In Non-Patent Document 2, c is a cipher and (U, V) is a signature. However, by applying the present invention, T = U + V
And T is a signature (see FIG. 3).

In the decryption step, decryptor B decrypts using secret key D_IDB (see FIG. 4).

When F is the Frobenius map defined on E [n], λ1 and λ2 are eigenvalues of φ and λ1 and λ2 are different, μ = (φ-λ2) / (λ1-λ2)
From the point T, V = μT and U = T−V or U = μT and V = TU.

At this time, m is decoded by the following calculation.

y = e (D_IDB, U), k = H_3 (y), m = k (+) c
In the signature verification process,
First, find r = H_2 (U || m)
e (P, V) = e (P_puB, Q_IDa) ^ r e (Q_puB, U)
Or if a relational expression equivalent to this is established, if it is established, it is determined that the signature is valid, and if not, it is determined that the signature is not correct (see FIG. 4). ).

(Second Embodiment)
For the two short signatures generated by the method of Non-Patent Document 2, the present invention is applied to combine the signatures into one to shorten the signature size.

As a preparation, key generation is performed as follows.

First, the parameters of the elliptic curve E, the base points G, P, and Q are shared among users. In this case, distribution from the center is not necessarily required.

The elements x_a and x_B of F_q are randomly selected, and Y_a = x_aP and Y_B = x_BP are the public keys of A and B, respectively, for the secret keys A and B and the element P of E [n] (FIG. 5). reference).

In the signature generation process,
Let H be a hash function that takes a value of <P>.

A's signature for message M1 is Sa = xaH (M1),
B's signature for message M2 is SB = xBH (M2).

Let ψ be an automorphism on E [n] called the distortion map, and ψ (P) = Q
And At this time, S = Sa + ψ (SB) is used as a signature for both the messages M1 and M2 (
(See “Signature generation” in FIG. 6).

In the signature verification process,
The verification of A's signature for M1 is established by checking whether e (S, Q) = e (H (M1), ψ (Y_a)) or an equivalent relational expression is established. In this case, it is determined that the signature is valid. If the signature is not established, it is determined that the signature is not correct.

The verification of B's signature for M2 is accomplished by checking whether e (P, S) = e (Y_B, ψ (H (M2))) or an equivalent relational expression is established. In this case, it is determined that the signature is valid. If the signature is not established, it is determined that the signature is not correct (see “signature verification” in FIG. 6).

(Third embodiment)
The following proxy signature (proxy signature) different from Non-Patent Document 4 can be configured.

As a preparation, key generation is performed as follows.

The elements x_a and x_B of F_q are randomly selected, and Y_a = x_aP and Y_B = x_BP are the public keys of A and B, respectively, for the secret keys A and B and the element P of E [n] (FIG. 5). reference).

In the proxy signature key generation process,
The signer A generates a cert for the wrent w as a signature for W = 00 || Y_B || w as follows.

S_w = x_aH (W)
The proxy signature key skp is as follows (see FIG. 7).

skp = (x_B, Y_a, Y_B || w, S_w)
In the proxy signature generation process,
Using this skp, the signer B uses the proxy signature PS (skp, m) for the message m.
Is generated as a signature for M = 01 || Ya || m as follows (refer to “proxy signature generation” in FIG. 8).

S_skp = xBH (M) + ψ (S_w)
In the signature verification process,
e (Sskp, Q) = e (H (M), ψ (Y_B)), e (P, Sskp) = e (Y_a, ψ (H (M))), or an equivalent relational expression Is established, if it is established, it is determined that the signature is valid. If it is not established, it is determined that the signature is not correct (“prox” in FIG. 8).
y signature verification ”).

1 is a schematic diagram showing a system configuration for simultaneously performing encryption / signature generation according to a first embodiment. FIG. The flowchart which showed the flow of signature production | generation and signature verification. The flowchart which showed the flow which performs the production | generation of a encryption and a signature simultaneously. The flowchart which showed the flow which performs the decoding of a signature and the verification of a signature. The schematic diagram which shows the system configuration | structure for performing encryption and signature generation concerning 2nd Embodiment simultaneously. The flowchart which showed the flow of signature production | generation and signature verification. 10 is a flowchart showing a flow of generation of a Proxy signature key according to the third embodiment. The flowchart which showed the flow of a production | generation and verification of a Proxy signature.

Explanation of symbols

  101 ... Center, 1, 2, 3 ... Signature device

Claims (3)

A signature device that creates electronic signature data for document data M and generates a signature based on the electronic signature data,
Elliptic curve E on a finite field, its n twist points P and Q, the signer's private key d, and the public key Ppu
Means for creating B;
Means for generating signature data using the secret key d and the document data M;
Means for inspecting the signature data using the document data M, the signature data, and the public key PpuB of the signer;
The signature data is a pair of n twist points R and S, where R belongs to <P>, and S is <Q
>, A point T = R + instead of a pair of points R and S is used as the signature data.
A signature generation apparatus using S. The means for examining the signature data generates a pair of n twist points R and S from the point T when the signature data generated for the document data M is the point T, and verifies the signature data 2. The signature verification apparatus according to claim 1, wherein the signature data is inspected by means of the document data M, the signature data, and the public key Q of the signer. When generating a pair of n torsion points R and S from a point T, φ is a Frobenius map defined on E [n], λ 1 and λ 2 are eigenvalues of φ, and λ 1 and λ 2 are different, μ = (φ-λ2) / (λ1-λ2
)
3. The signature verification apparatus according to claim 2, wherein a pair of points R and S is generated by setting S = μT, R = TS, or R = μT, and S = TR.