JP2010002662A - Recovery signature system, signature creating device, signature verification device, method for them and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a signature technique for message recovery, capable of reducing complexity in acquiring and managing a public key, and of flexibly coping with messages of various bit lengths. <P>SOLUTION: A signature creating device 10 selects an integer y and calculates R=e(P<SB>1</SB>, P<SB>2</SB>)<SP>y</SP>, h=H<SB>1</SB>(rec¾R¾id), v=H<SB>2</SB>(h¾R¾id), r=h¾(v(+)rec), u=H<SB>3</SB>(r¾M<SB>clr</SB>¾id), t=u mod p, σ=y×P<SB>1</SB>-t×S<SB>id</SB>, then transmits signature information (r, σ). A signature verifying device 20 receives signature information (r', σ'), calculates u'=H<SB>3</SB>(r'¾M<SB>clr</SB>¾id), t=u' mod p, R'=e(σ', P<SB>2</SB>)×e(P<SB>id</SB>, mp)<SP>t'</SP>, extracts bit strings h' and x' from r', calculates v'=H<SB>2</SB>(h'¾R'¾id), rec'=v'(+)x', h''=H<SB>1</SB>(rec'¾R'¾id), and then determines whether the relation h'=h'' holds. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an application technology of information security technology, and more particularly to a message restoration signature that can restore a message from a signature.

  Non-patent document 1 discloses a conventional technique for message restoration signature. This system is a system whose safety is proved by a random oracle model. The outline of this method is shown below.

In this method,
Message Mε {0,1} ^k2
Function F ₁ : {0, 1} ^{k 2} → {0, 1} ^k 1
Function F ₂ : {0,1} ^k1 → {0,1} ^k2
Function F: {0,1} ^{k1 + k2} → {0,1} ^k
E: elliptic curve defined on finite field F _q p: prime number satisfying p · R = O (O is an infinite point) for point R on elliptic curve E G1: order p on elliptic curve E Points of a subset of w∈Z / pZ
Secret key: x∈Z / pZ
Public key: (F _q , E, G1, Y) (Y = −x · G1 (∈E))
And {0, 1} ^δ indicates binary δ-digit bit data, and {0, 1} ^δ → {0, 1} ^ε indicates binary ε-digit bit data to binary ε-digit bit data. Here is a function that maps to.

<Signature generation>
Signature generation is performed as follows. Here, R _x represents the x coordinate of the point RεE, and (+) represents the exclusive OR operator.

M ′ = F ₁ (M) | (F ₂ (F ₁ (M)) (+) M) (1)
R _x = (w · G1) _x
r = R _x (+) M ′ (2)
c = F (r)
z = w + c · x mod p
Signature Sign = (r, z)

<Signature verification>
Signature verification is performed as follows. However, [M ′] ^k1 indicates the first k1 bits of M ′, and [M ′] ^k2 indicates the remaining k2 bits of M ′.

M ′ = r (+) (z · G1 + F (r) · Y) _x
M = [M ′] ^k2 (+) F ₂ ([M ′] ^k1 )
[M ′] If ^k1 = F ₁ (M), pass verification
Masayuki Abe, Tatsuaki Okamoto, "A Signature Scheme with Message Recovery as Secure as Discrete Logarithm," ASIACRYPT 1999, pp.378-389

  However, in the method of Non-Patent Document 1, the signature verification apparatus that performs signature verification needs to acquire the public key of the signature generation apparatus that generated the signature. In the case of the conventional configuration, since the public key is different for each signature generation device, acquisition and management thereof are complicated.

In the method of Non-Patent Document 1, the bit length of (F ₂ (F ₁ (M)) in equation (1) and R _{x in} equation (2) is a fixed length, and the bit length of message M is also a fixed length. In particular, R _x in equation (2) is the x coordinate of the point RεE on the elliptic curve E, and its bit length depends on the elliptic curve E. However, depending on the bit length of the message M, The elliptic curve E is changed so that the bit length of R _x is equal to the bit length of M ′ (the calculation result of the expression (1)), and safety is ensured in all the changed elliptic curves E. Is not easy.

  For this reason, conventionally, even if the length of the message M is shorter than the fixed length, the bit length of the part r of the signature Sign cannot be shortened accordingly, which is inefficient. If the bit length of the message M is longer than the fixed length, only a part of the message M can be substituted into the expression (1), and a message restoration signature for all the bits of the message M cannot be configured. .

  The present invention has been made in view of these points, and provides a message restoration signature technique that can reduce the complexity of public key acquisition and management and can flexibly handle messages of various bit lengths. For the purpose.

The signature generation apparatus of the present invention uses E as the elliptic curve on the finite field F _q , p as the prime number that divides the number of elements #E of the finite set of rational points on the elliptic curve E, p on the elliptic curve E, etc. A finite set consisting of dividing points is E [p], a finite set consisting of an extension field based on the finite field F _q is μ _p, and two elements of the finite set E [p] are 1 of the finite set μ _p . Let e: E [p] × E [p] → μ _p be a non-degenerate bilinear pairing function that maps to two _elements, and let P be an element of a finite set E [p] that satisfies e (P ₁ , P ₂ ) ≠ 1 ₁ , P ₂ ∈ E [p], the identifier of the signature generation device is id, the element of the finite set E [p] corresponding to the identifier id is P _id , the master secret key that is an integer is ms, and P _id The secret key when the ms multiple point ms · P _id on the elliptic curve E is the secret key S _id of the signature generation device A first storage unit that stores S _id , a second storage unit that stores restored signature target information rec that is a bit string to be concealed, an arbitrary number selection unit that selects an arbitrary integer y, and a bilinear function a first bi-linear function calculator for calculating a value _{R = e (P 1, P} 2) y ∈μ p, the bit combination value α, including a bit string of restoration signed information rec and the bit string of the bilinear function value R On the other hand, a bit combination value including a first hash calculation unit that calculates a hash value h = H ₁ (α) obtained by applying the first hash function H _1, and a bit string of the hash value h and a bit string of the bilinear function value R A second hash that calculates a hash value v = H ₂ (β) obtained by applying a second hash function H ₂ for converting a bit string having an arbitrary bit length into a bit string having the same bit length as the restored signature target information rec for β Calculation unit and hash value v A first exclusive OR operation unit that calculates an exclusive OR value x with the restoration signature target information rec, a bit string of the hash value h are arranged at the first bit position, and a bit string of the exclusive OR value x is A hash value u = H ₃ (γ) obtained by applying the third hash function H ₃ to the bit combination unit that calculates the bit combination value r arranged at the 2-bit position and the bit string γ including the bit string of the bit combination value r. Y multiple point y · P ₁ on the elliptic curve E of the element P ₁ where t is an integer determined with respect to the hash value u according to a predetermined rule, elliptic curve calculating a t multiplied point t · _S elliptic curve calculation value and the elliptic curve addition and elliptic inverse -t · _{S id} of _{id σ = y · P 1 -t} · S id on elliptic curve E S _id An arithmetic unit, a bit combination value r, and an elliptic curve calculation value σ And a transmission unit that transmits the signature information (r, σ).

As described above, in the present invention, the second hash calculation unit uses the second hash function H ₂ that converts a bit string having an arbitrary bit length into a bit string having the same bit length as the restoration signature target information rec, and uses the bit combination value β to It is converted into a hash value v having the same bit length as the restoration signature target information rec. Changing the output bit length of the hash function is much easier than changing the elliptic curve E. Therefore, the signature generation apparatus according to the present invention can generate a signature that flexibly corresponds to any bit length of the restored signature target information rec.

Also, the signature verification apparatus of the present invention, the original P _2, and a third storage unit for storing a master public key mp, which is the ms multiple point ms · P ₂ on the elliptic curve of the original P ₂ E, bit string A receiving unit that receives signature information (r ′, σ ′) including first part information r ′ and second part information σ ′ that is an element of the finite set E [p], and first part information r A fourth storage unit that stores 'and second part information σ'; a fifth storage unit that stores an original P _id of a finite set E [p] corresponding to the identifier id of the signature generation device; and first part information r A hash value u ′ = H ₃ (γ ′) obtained by applying the third hash function H ₃ to the bit string γ ′ including the bit string “and a hash value according to a predetermined rule in the case of 'an integer determined with respect t' u was, bilinear function value R '= e (σ', P 2) · e ( _id, mp) t ^'and the second bi-linear function calculator for calculating a ∈Myu _p, first part information r''and, the first part information r' bit sequence h of the first bit position of the second bit position of the 'a bit dividing unit for extracting a hash value h' bit string x to 'bit connection value β including the bit string of' bit stream and the bilinear function value R of the hash value by applying a second hash function H ₂ a fifth hash operation unit for calculating v ′ = H ₂ (β ′), and a second exclusive unit for calculating the exclusive ethical value of the hash value v ′ and the bit string x ′ as the restoration value rec ′ of the signature target information A hash value h obtained by applying the first hash function H ₁ to the bit combination value α ′ including the logical OR operation unit, the bit string of the restoration value rec ′ of the signature target information, and the bit string of the bilinear function value R ′ a sixth hash calculator for calculating the _{'' = H 1 (α '} ), ha bit string h' Has a comparison unit for determining the whether Interview value h '' are equal.

  This signature verification apparatus can verify the signature generated by the signature generation apparatus. In addition, the signature verification apparatus according to the present invention can perform signature verification and restoration of signature target information if there is a master public key mp common to a plurality of signature generation apparatuses and an identifier id of a signature generation apparatus that has actually generated a signature. You can. Therefore, it is possible to reduce the complexity of key acquisition and management necessary for performing signature verification and restoration of signature target information, as compared with a conventional configuration in which a different public key is used for each signature generation apparatus that has actually generated a signature.

  In the present invention, the complexity of public key acquisition and management can be reduced, and a message restoration signature that can flexibly handle messages of various bit lengths can be realized.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Definition of symbols and terms]
First, symbols and terms used in each embodiment are defined.

Z: integer set.
k: Security parameter with kεZ (element of Z).
E: An elliptic curve defined on a finite field F q of order _q . The affine coordinate version of the Weierstrass equation y ² + a ₁ · x · y + a ₃ · y = x ³ + a ₂ · x ² + a ₄ · x + a ₆ (3)
It is defined as a set of points (x, y) satisfying (where a ₁ , a ₂ , a ₃ , a ₄ , a ₆ ∈ F _q ) and a special point O called an infinite point. A binary operation + called ellipse addition can be defined for any two points on the elliptic curve E, and a unary operation called ellipse inverse can be defined for any one point on the elliptic curve E. In addition, it is well known that grouping and ellipse addition can be used to define an operation called elliptic scalar multiplication (for example, Reference 1 “Ian F. Brake, Gadiel Selosi, Nigel)・ See P. Smart = Author, “Elliptic Curve Cryptography”, Publishing = Pearson Education, ISBN4-89471-431-0 ”).

#E: The number of elements in a finite set of rational points on the elliptic curve E. Number #E of rational points of a finite field F _q on the defined elliptic curve E is finite.
p: A large prime number that divides #E.
E [p]: A finite set of p equal points of the elliptic curve E. Of the points A on the elliptic curve E, the elliptic scalar multiplication value p · A on the elliptic curve E is defined as a finite set of points A satisfying p · A = O. E [p] is a subgroup of E.
μ _p : A finite set that is an extension field based on the finite field F _q . An example is a finite set of one of the p th root of the algebraic closure of a finite field F _q.
e: Non-degenerate bilinear pairing function (hereinafter referred to as “pairing function”), which is defined by the following equation.
E [p] × E [p] = μ _p (4)

The pairing function e has the following properties.
[Property 1] e (A ₁ , A ₁ ) = 1 holds for an arbitrary point A ₁ on E [p].
[Property 2] For any two points A ₁ and A ₂ on E [p], e (A ₁ , A ₂ ) = e (A ₂ , A ₁ ) ⁻¹ holds.
[Property 3] For any three points A ₁ , A ₂ , A ₃ on E [p], e (A ₁ + A ₂ , A ₃ ) = e (A ₁ , A ₃ ) e (A ₂ , an _{a 3), e (a 1} , a 2 + a 3) = e (a 1, a 2) e (a 1, a 3) holds.
[Property 4] e (A ₁ , O) = 1 holds for an arbitrary point A ₁ on E [p].
[Property 5] If a certain point A ₁ on E [p] satisfies e (A ₁ , A ₂ ) = 1 for all points A ₂ on E [p], then A ₁ = O holds. .

  Specific examples of the pairing function e include Weil pairing and Tate pairing (for example, Reference 2 “Alfred. J. Menezes, ELLIPTIC CURVE PUBLIC KEY CRYPTOSYSTEMS, KLUWER ACADEMIC PUBLISHERS, ISBN0- 7923-9368-6, pp. 61-81 ”). For the method of generating a non-supersingular curve in which the pairing function can be calculated efficiently, see Reference 3 “A. Miyaji, M. Nakabayashi, S. Takano,“ New explicit conditions of elliptic curve Traces for FR-Reduction, "IEICE Trans. Fundamentals, vol. E84-A, no05, pp. 1234-1243, May 2001", reference 4 "PSLM Barreto, B. Lynn, M. Scott," Constructing elliptic curves with prescribed embedding degrees, "Proc. SCN '2002, LNCS 2576, pp.257-267, Springer-Verlag. 2003", Reference 5, R. Dupont, A. Enge, F. Morain, "Building curves with arbitrary small MOV degree over finite prime fields, "http://eprint.iacr.org/2002/094/". As an algorithm for calculating the pairing function on a computer, the well-known Miller algorithm (reference document 6 “VS Miller,“ Short Programs for functions on Curves, ”[online], 1986, [June 2008] 13th search], the Internet <http://crypto.stanford.edu/miller/miller.pdf> ”.

P ₁ , P ₂ : An element of a finite set E [p] that satisfies e (P ₁ , P ₂ ) ≠ 1.
<P ₁ >: A traveling group having P ₁ as a generation source.
<P ₂ >: A traveling group having P ₂ as a generation source.
IDencode: collision function to transfer arbitrary bit string to ^{_{<P 1> {0,1} *}} → <P 1>. An example of IDencode is as follows.

"Examples of IDencode 1" function _{^{H: {0,1} * → F}} q and a collision function. Such a function can be obtained by, for example, associating the output of a hash function such as SHA-1 with an element of the finite field _Fq by a certain method. Let c be a natural number, and # E = c · p. c is usually called a cofactor. Based on the above preparation, a function that executes the following algorithm is defined as IDencode.

Process 1. ran ← 0
Process 2. Calculate x1 = H (is | ran) for the input is.
Process 3. For y1∈F _q , a quadratic equation derived from the condition (x1, y1) ∈E is solved. If the solution y1 exists, the process proceeds to process 5.
Process 4. Return to processing 2 as ran ← ran + 1.
Process 5. The point (x1, y1) εE is multiplied by c and the result is output. # E = c · p, and when an arbitrary point on the elliptic curve E is multiplied by c · p, it becomes an infinite point O, so the point obtained by multiplying the point (x1, y1) ∈E by c is E [p] Be original.

<< Example 2 of IDencode >> D elements of <P ₁ > are selected, each of which is associated with an integer d of 0 or more and D−1 or less, and each element of the selected <P ₁ > is SP _d ∈ <P ₁ >. Also, a hash function H ₀ is prepared that outputs a D-bit hash value for an arbitrary input bit string. It is assumed that the d-th bit from the top of the D-bit bit string obtained by applying the hash function H ₀ to the input arbitrary bit string is h _d ε {0, 1}. A function that outputs Σ _{d = 0} ^D−1 h _d · SP _d for an inputted arbitrary bit string is defined as IDencode.

M _rec : a recovery message M _rec ε {0, 1} ^* having an arbitrary bit length that is a restored part of the message to be signed. The message restoration part means information that is once concealed in the message and restored by the signature verification apparatus. That is, the recovery message M _rec is a secret bit string to be concealed.

M _clr : Clear message M _clr ε {0, 1} ^{* of} any bit length that is a non-restored part of the message to be signed. The non-restored part of the message means information disclosed to the signature verification apparatus without being confidential. That is, the clear message M _clr is a bit string to be signed that is not concealed.

then the encode: Function ^{0,1} to be converted to bit strings of a bit length corresponding to the input bit length bit string of arbitrary bit length ^* → {0, ^1} *. However, the output bit length of encode is L (L is an integer of 1 or more). An example of encode will be described later.

decode: Inverse function of encode.
rec: Restoration signature target information rec = encode (M _rec ) which is a bit string restored by the signature verification device.
rounddown {*}: A function that rounds off the decimal part of *.
length (*): A function for obtaining the bit length of *. The output bit length is constant.
delete {δ, ε}: A function that deletes δ bits from the head of ε.

H ₁ : Hash function {0, 1} ^* → {0, 1} ^N for converting a bit string having an arbitrary bit length into an N-bit bit string. N is an integer of 1 or more. In addition, as a specific example of the hash function, SHA-1 and a one-way function using the same can be exemplified.
H ₂ : Hash function with variable output length H ₂ : {0, 1} ^* × N → {0, 1} ^* . For any L∈N, the output value H ₂ (ω, L) for any ω∈ {0,1} ^* is a bit string of length L. Hereinafter, H ₂ (ω, L) is expressed as H ₂ (ω).
H ₃ : Hash function.

b | c: Bit combination value of bit string b and bit string c.
b (+) c: Exclusive OR of b and c.
Z / pZ: a residue class modulo p. In each embodiment, the representative element is expressed as Z / pZ. An example of the representative is an integer of 0 or more and p−1 or less.
(Z / pZ) \ {0}: a set obtained by removing 0 from Z / pZ. In each embodiment, an integer from 1 to p−1 is (Z / pZ) \ {0}.
ms: Master secret key for ID-based encryption msεZ / pZ. Regarding ID-based encryption, for example, Reference 7 “D. Boneh and M. Franklin,“ Identify-based encryption from the Weil pairing ”, Advances in Cryptology 0 CRYTPO '01, volume 2139 of LNCS, pages 213-229 Springer, 2001. ”and the like.

mp: Master public key of ID-based encryption mp = ms · P ₂ ∈ <P ₂ >.
id: Signature generating device identifier idε {0, 1} ^* .
P _id : A point P _id = IDencode (id) ∈ <P ₁ > on the elliptic curve E corresponding to id.
S _id : Secret key of the signature generation device S _id = ms · P _id ∈ <P ₁ >.

[First Embodiment]
A first embodiment of the present invention will be described.

<Configuration>
FIG. 1 is a system configuration diagram for explaining a recovery signature system 1 of the first embodiment. FIG. 2 is a block diagram for explaining a detailed configuration of the signature generation apparatus 10 according to the first embodiment. FIG. 3 is a block diagram for explaining an example of a detailed configuration of the hash calculation unit 10i in the first embodiment. FIG. 4 is a block diagram for explaining a detailed configuration of the signature verification apparatus 20 according to the first embodiment. FIG. 5 is a block diagram for explaining a detailed configuration of the management apparatus 30 according to the first embodiment.

  As shown in FIG. 1, a recovery signature system 1 according to the present embodiment is a signature generation apparatus 10 that generates a signature, a signature verification apparatus 20 that verifies a signature, and a third-party organization apparatus that manages the recovery signature system 1. There is a certain management apparatus 30, and they are communicably connected through a network 40. For simplification of explanation, FIG. 1 illustrates one signature generation apparatus 10 and one signature verification apparatus 20, but two or more signature generation apparatuses 10 and signature verification apparatuses 20 may exist. Similarly, two or more management devices 30 may exist.

  As shown in FIG. 2, the signature generation apparatus 10 of the present embodiment includes a memory 10a (“first storage unit”, “second storage unit”, “sixth storage unit”), a temporary memory 10b, a control unit 10c, Input unit 10d, encoding unit 10e, arbitrary number selection unit 10f, bilinear function calculation unit 10g ("first bilinear function calculation unit"), and hash calculation unit 10h ("first hash calculation unit") A hash operation unit 10i (“second hash operation unit”), an exclusive OR operation unit 10j (“first exclusive OR operation unit”), a bit combination unit 10k, and a hash operation unit 10m (“ 3rd hash calculation part "), remainder calculation part 10n, determination part 10p, 10r, elliptic curve calculation part 10q, and communication part 10s (" transmission part "). In the example illustrated in FIG. 3, the hash calculation unit 10 i includes a hash number calculation unit 10 ia, a partial hash calculation unit 10 ib, a bit combination unit 10 ic, and a bit deletion unit 10 id. The signature generation apparatus 10 according to the present embodiment is configured by reading a predetermined program into a known computer having communication means including a CPU (Central Processing Unit) and a RAM (Random Access Memory). Here, the memory 10a and the temporary memory 10b are, for example, a RAM, a register, an auxiliary storage device, or a storage area obtained by combining these. Further, the control unit 10c, the encoding unit 10e, the arbitrary number selection unit 10f, the bilinear function calculation unit 10g, the hash calculation units 10h, 10i, and 10m, the exclusive OR calculation unit 10j, and the bit combination unit The 10k, the remainder calculation unit 10n, the determination units 10p and 10r, and the elliptic curve calculation unit 10q are, for example, processing means constructed by the CPU executing a predetermined program. The input unit 10d is an input interface such as a keyboard, a mouse, and an input port. The communication unit 10s is a communication unit such as a LAN card or a modem that is driven only by control of a CPU that executes a predetermined program. Further, the signature generation device 10 executes each process under the control of the control unit 10c. Further, unless otherwise specified, each data in the calculation process is read and written to the temporary memory 10b one by one.

  As shown in FIG. 4, the signature verification apparatus 20 of the present embodiment includes a memory 20a (“third storage unit”, “fourth storage unit”, “fifth storage unit”, “seventh storage unit”) and a temporary memory. 20b, control unit 20c, communication unit 20d ("receiving unit"), hash calculation unit 20e ("fourth hash calculation unit"), remainder calculation unit 20f, identifier encoding unit 20g, bilinear function Operation unit 20h (“second bilinear function operation unit”), determination unit 20i, bit division unit 20j, hash operation unit 20k (“fifth hash operation unit”), and exclusive OR operation unit 20m ( “Second exclusive OR operation unit”), hash operation unit 20n (“sixth hash operation unit”), comparison unit 20p, decryption unit 20q, output unit 20r, and input unit 20s. Note that the signature verification apparatus 20 according to the present embodiment is configured by reading a predetermined program into a known computer having communication means including a CPU and a RAM. Here, the memory 20a and the temporary memory 20b are, for example, a RAM, a register, an auxiliary storage device, or a storage area obtained by combining these. Further, the control unit 20c, the hash calculation unit 20e, the remainder calculation unit 20f, the identifier encoding unit 20g, the bilinear function calculation unit 20h, the determination unit 20i, the bit division unit 20j, and the hash calculation unit 20k The exclusive OR operation unit 20m, the hash operation unit 20n, the comparison unit 20p, and the decryption unit 20q are, for example, processing means constructed by the CPU executing a predetermined program. The communication unit 20d is a communication unit such as a LAN card or a modem that is driven only by control of a CPU that executes a predetermined program. The output unit 20r is an output interface such as a display and an output port, and the input unit 20s is an input interface such as a keyboard, a mouse, and an input port. In addition, the signature verification apparatus 20 executes each process under the control of the control unit 20c. Further, unless otherwise specified, each data in the calculation process is read and written to the temporary memory 20b one by one.

  As shown in FIG. 5, the management device 30 includes a memory 30a, a temporary memory 30b, a control unit 30c, a master secret key generation unit 30d, a master public key generation unit 30e, and an identifier encoding unit 30f. And a secret key generation unit 30g and a communication unit 30h. The management apparatus 30 according to the present embodiment is configured by reading a predetermined program into a known computer having communication means including a CPU and a RAM.

<Processing>
Next, the processing of this embodiment will be described.
[Preprocessing]
First, as a pre-process, a third-party organization has an elliptic curve E, a large prime number p that divides #E, and a pairing function e so that k-bit safety is ensured for the security parameter kεZ. , Elements P ₁ , P ₂ , function IDencode, function encode, function decode, and hash functions H ₁ , H ₂ , H ₃ are set.

The set elliptic curve E, pairing function e, function encode, and hash functions H ₁ , H ₂ , and H ₃ are described in, for example, a program for configuring the signature generation apparatus 10, and the prime number p and the elements P ₁ , the P _2, for example, stored in the memory 10a of the signature generating apparatus 10, these signature generating apparatus 10 is in the available state. Further, the set elliptic curve E, the pairing function e, the function IDencode, the function decode, and the hash functions H ₁ , H ₂ , and H ₃ are described in a program for configuring the signature verification apparatus 20, for example, and the prime number p And the source P ₂ are stored in, for example, the memory 20 a of the signature verification device 20, and these are made available to the signature verification device 20. Further, the set elliptic curve E, function encode, and function IDencode are described in, for example, a program for configuring the management device 30, and the prime number p and the elements P ₁ and P ₂ are, for example, those of the management device 30. These are stored in the memory 30a and are made available to the management device 30.

The master private key generating section 30d of the management apparatus 30, the master secret key ms∈ _U Z / pZ selected uniformly randomly, securely store it in the memory 30a. Then, the master public key generation unit 30e can read, and the original _{P 2} master secret key ms from the memory 30a, the original _{P 2} is a point on the elliptic curve E and ms on an elliptic curve E, the operation result mp = Ms · P ₂ ∈ <P ₂ > is stored in the memory 30a as the master public key mp. The master public key mp generated in this way is also distributed to the signature verification device 20 and stored in the memory 20a of the signature verification device 20.

[Secret key generation process]
Next, a secret key generation process in which the management apparatus 30 generates a secret key for the signature generation apparatus 10 will be described. The secret key generation process may be executed in the pre-process, may be executed every time the signature generation apparatus 10 generates a signature, or may be executed regularly or irregularly at a predetermined opportunity. .

In the secret key generation process, first, the identifier id of the signature generation apparatus 10 is input to the input unit 10d of the signature generation apparatus 10. Examples of the identifier id are a mail address, URL, telephone number, location information, time information, user name, and the like of the signature generation device 10. The input identifier id is stored in the memory 10a. The identifier id is transmitted from the communication unit 10q to the management device 30 via the network 40 together with the secret key issue request information. These pieces of information are received by the communication unit 30h of the management apparatus 30, and the identifier id is stored in the memory 30a. Next, the identifier id is read by the identifier encoding unit 30f, and the identifier encoding unit 30f inputs the identifier id to the function IDencode, and calculates a point P _id = IDencode (id) on the elliptic curve E. This is an element of the finite set E [p]. The point P _id on the elliptic curve E is stored in the memory 30a and further read into the secret key generation unit 30g. The secret key generation unit 30g generates the secret key S _id = ms · P _id of the signature generation apparatus 10 obtained by multiplying the point P _id on the elliptic curve E by ms on the elliptic curve E, and stores the secret key S _id in the memory 30a. Store. Secret key S _id that generated is sent to the communication unit 30h, etc. using a dedicated line or a known public key cryptography and common key cryptography, it is securely transmitted to the signature generating apparatus 10. The secret key S _id is received by the communication unit 10q of the signature generation apparatus 10 and stored securely in the memory 10a.

[Signature generation processing]
Next, the signature generation process of the signature generation apparatus 10 will be described. As a premise of this process, it is assumed that the elements P ₁ and P ₂ , the prime number p, the secret key S _id of the signature generation apparatus 10 and the identifier id are stored in the memory 10 a of the signature generation apparatus 10.

  FIG. 6 is a flowchart for explaining the signature generation processing according to the first embodiment. Hereinafter, the signature generation processing according to this embodiment will be described with reference to FIG.

First, a recovery message M _rec and a clear message M _clr to be signed are input to the input unit 10d and stored in the memory 10a (step S1). Next, the encoding unit 10e reads the recovery message M _rec from the memory 10a, encodes it using the function encode, and generates L-bit restoration signature target information rec = encode (M _rec ). A specific example of the function “encode” is shown below.

[Description of specific example of function encode]
The function “encode” is a reversible function (a function having an inverse function) that outputs, for an arbitrary input bit string, restored signature target information rec having a bit length that can provide security corresponding to the security parameter k. An example of the function “encode” in the case where the bit length for obtaining the security corresponding to the security parameter k is 72 bits or more is as follows.

_{<< When} length (M _rec ) is less than 72 bits >>
encode (M _rec ) = length (M _rec ) | M _rec | 0... 0 (4)
(However, the bit length of M _rec | 0... 0 is 72 bits.)

_{<< When} length (M _rec ) is 72 bits or more >>
encode (M _rec ) = 0 _x ff | M _rec (5)
(However, 0 _x ff is header information indicating that no additional bit is added. The bit length BL of 0 _x ff is equal to the output bit length BL of the function length.)
In this case, the operation of the function decode is as follows.

<< When the first BL bit of rec is 0 _x ff >>
A bit string obtained by removing the head BL bit from rec is output.

<< When the first BL bit of rec is not 0 _x ff >>
If the first BL bit of rec is not 0 _x ff, a bit string lower than the first BL bit of rec by the bit length indicated by the first BL bit is extracted and output from rec ([Explanation of specific example of function encode] ]the end).

  The generated restoration signature target information rec is stored in the memory 10a (step S2). Next, the arbitrary number selection unit 10f selects a random number yε (Z / pZ) \ {0} and stores it in the memory 10a (step S3). The random number is selected using, for example, a pseudo-random number generation algorithm based on the computational complexity theory, which is configured using a one-way hash function such as SHA-1.

Next, the bilinear function calculation unit 10g reads the elements P ₁ and P ₂ and the random number y from the memory 10a, and uses the pairing function e to set the bilinear function value R = e (P ₁ , P ₂ ) ^y ∈ It calculates mu _p, stores the bilinear function value R in the memory 10a (step S4). Note that e (P ₁ , P ₂ ) ^y ∈μ _p is an operation on the m-th (m ≧ 2) -order extended field F _q ^{m of} the characteristic _q with the finite field F _q as a base field. The element of the extension field F _q ^m can be expressed by an m−1th order polynomial with respect to α having the coefficient of the element of the finite field F _q . Note that α is a root of an irreducible polynomial whose coefficient is an element of the finite field _Fq . Further, if the minimum degree of the irreducible polynomial is f and the two polynomials representing the elements of the extension field F _q ^m are A (α) and B (α), multiplication on the extension field F _q ^m is performed. Can be expressed as C (α) = A (α) · B (α) mod f (α), and can be calculated by polynomial operation A (α) · B (α) and division by f (α). In addition, the calculation between the coefficients of each order in the polynomial calculation A (α) / B (α) is an operation on the finite field _Fq . Also, power of the extension field F _q ^m means repeating the exponentiation times multiplication over such an extension field F _q ^m. For example, e (P ₁ , P ₂ ) ³ εμ _p means e (P ₁ , P ₂ ) · e (P ₁ , P ₂ ) · e (P ₁ , P ₂ ) εμ _p .

Next, the hash calculation unit 10h reads the restored signature target information rec, the bilinear function value R, and the identifier id from the memory 10a, and performs a hash function on the bit combination value α = rec | R | id of each of these bit strings. hash value of N bits allowed to act _{H 1 h = H 1 (α} ) is calculated (step S5). The generated hash value h is stored in the memory 10a. Next, the hash calculation unit 10i reads the bit string of the hash value h, the bit string of the bilinear function value R, and the bit string of the identifier id from the memory 10a, and sets the bit combination value β = h | R | id of each of these bit strings. On the other hand, an L-bit hash value v = H ₂ (β) obtained by applying the hash function H ₂ is calculated (step S6). The generated hash value v is stored in the memory 10a. Details of step S6 will be exemplified below.

[Example of detailed processing in step S6]
FIG. 7 is a flowchart for illustrating the detailed processing of step S6.
First, the hash calculation number calculation unit 10ia (FIG. 3) reads the restoration signature target information rec from the storage unit 10a,
e _max = rounddown {L / length (H)}, L = length (rec)… (6)
E _max
Is stored in the temporary memory 10b (step S6a). H means a known hash function such as SHA-1, and length (H) means the bit length of the output bit of the hash function H. Incidentally, L is when a constant is also possible that you precompute e _max, the processing in step S6a in that case is not necessary.

Next, the control unit 10c substitutes 0 for the variable e, and stores the variable e in the temporary memory 10b (step S6b). Next, the partial hash calculation unit 10ib reads the variable e from the temporary memory 10b, reads the bit string of the hash value h, the bit string of the bilinear function value R, and the bit string of the identifier id from the storage unit 10a, Hash value for bit combined value β = h | R | id
H (e, β)… (7)
Is calculated and stored in the temporary memory 10b (step S6c).

Next, the control unit 10c reads e _max and the variable e from the temporary memory 10b,
e = e _max … (8)
It is determined whether or not the condition is satisfied (step S6d). If the expression (8) is not satisfied, the control unit 10c sets e + 1 as a new e, stores the new e in the temporary memory 10b (step S6e), and then returns the process to step S6c. On the other hand, if Expression (8) is satisfied, the control unit 10c gives an instruction to the bit combination unit 10ic, and the bit combination unit 10ic receives the hash values H (0, β), H (1, β from the temporary memory 10b. ), H (2, β),..., H (e _max , β), and their bit combination values
HC (β) = H (0, β) | ・ ・ ・ | H (e _max , β)… (9)
Is calculated and stored in the temporary memory 10b (step S6f).

Next, the bit deletion unit 10id reads the bit combination value HC (β) from the temporary memory 10b,
v = H ₂ (β) = delete {length (HC (β))-L, HC (β)}… (10)
Is calculated and output to the storage unit 10a (step S6g). That is, v = H ₂ (β) is obtained by deleting the first few bits of HC (R) and setting the total bit length to L.

In addition, the processing method of step S6 is not limited to this. For example, instead of using e, a method of extending the bit length of the hash value by a hash chain may be used. In this case, HC (β) in the formula (9) is, for example,
HC (β) = H (β) | H (H (β)) | H (H (H (β))) |… | H (H (H… (β)…))
(End of description of [Example of Detailed Processing in Step S6]).

  Next, the exclusive OR operation unit 10j reads the hash value v and the restoration signature target information rec from the memory 10a, calculates their exclusive OR value x = v (+) rec, and performs the exclusive OR operation. The value x is stored in the memory 10a (step S7). Next, the bit combination unit 10k reads the hash value h and the exclusive OR value x from the memory 10a, arranges the bit string of the hash value h at the first bit position, and sets the bit string of the exclusive OR value x to the first bit position. The bit combination value r of N + L bits arranged at the 2-bit position is calculated (step S8). The first bit position and the second bit position may be set to any bit position, but the first bit position set by the signature generation apparatus 10 and the first bit position set by the signature verification apparatus 20 Are the same, and the second bit position set by the signature generation apparatus 10 and the second bit position set by the signature verification apparatus 20 are the same. An example of setting the first bit position and the second bit position is as follows.

[Setting example of first bit position and second bit position]
FIG. 9 is a diagram illustrating a setting example of the first bit position and the second bit position.
Example 1 The first N bits are the first bit position and the remaining L bits are the second bit position (FIG. 9A).
Example 2 The first L bit is the second bit position and the remaining N bits are the first bit position (FIG. 9B).
<< Example 3 >> Let L odd bits be the second bit positions and the remaining N bits be the first bit positions (FIG. 9C).

  These are only examples, and other settings are possible (end of description of [setting example of first bit position and second bit position]).

Then, the hash calculator 10m is, reads the bit connection value r and the clear message _{M clr} the identifier id from the memory 10a, their bit combination value γ _{= r | M} clr _| id hand, acts a hash function _{H 3} The hash value u = H ₃ (γ) is calculated (step S9). The generated hash value u is stored in the memory 10a. Next, the remainder calculation unit 10n reads the hash value u and the prime number p from the memory 10a, performs a remainder calculation t = u mod p, and stores the calculation result in the memory 10a (step S10). Next, the determination unit 10p reads the calculation result t from the memory 10a and determines whether t = 0 (step S11). Here, if t = 0, the process returns to step S3, the random number y is taken again, and the process is repeated. On the other hand, unless t = 0, the elliptic curve computation unit 10q reads the operation result t and the original _{P 1} and the random number y from the memory 10a and the secret key _{S id,} y multiplied point on an elliptic curve of the original _{P 1} E and y · _{P 1,} elliptic curve calculation value and the elliptic inverse -t · _{S id} of t times points t · _{S id} on elliptic curve E and elliptic curve addition of _{S id σ = y · P 1} -t · S _id ∈ E [p] is calculated (step S12). The calculated elliptic curve calculation value σ is stored in the memory 10a. Next, the determination unit 10r reads the elliptic curve calculation value σ from the memory 10a and determines whether or not it indicates the infinity point O (step S13). Here, if the elliptic curve calculation value σ = O, the process returns to step S3, the random number y is taken again, and the process is performed again. On the other hand, unless the elliptic curve calculation value σ = O, the control unit 10c deletes the random number y from the memory 10a (step S14). Then, the clear message M _clr , the bit combination value r, and the elliptic curve calculation value σ are transmitted to the transmission unit 10s, and the transmission unit 10s signs the clear message M _clr and the signature information (r, σ) via the network 40. It transmits to the verification apparatus 20 (step S15).

[Signature verification]
Next, the signature verification process of the signature verification apparatus 20 will be described. Given this process, it is assumed that the master public key mp and the original P ₂ in the memory 20a of the signature verifying apparatus 20 and the prime number p is stored.

  FIG. 8 is a flowchart for explaining the signature verification processing according to the first embodiment. Hereinafter, the signature verification processing according to this embodiment will be described with reference to FIG.

First, the communication unit 20d of the signature verification apparatus 20 receives the clear message M _clr and the signature information (r ′, σ ′) (step S21). If the signature information is valid, the signature information (r ′, σ ′) = (r, σ) is unknown, but since it is unknown at this point, the signature information received by the communication unit 20d is It is expressed as (r ′, σ ′). The received signature information (r ′, σ ′) includes first part information r ′ that is a bit string and second part information σ ′ that is an element of the finite set E [p], and these are stored in the memory 20a. Stored. Next, the identifier id of the signature generation device 10 is input to the input unit 20s and stored in the memory 20a (step S22). If the identifier id is already stored in the memory 20a, step S22 can be omitted. Next, the hash calculator 20e reads the first part information r ′, the clear message M _clr, and the identifier id from the memory 20a, and sets the bit string γ ′ = r ′ | M _clr | id consisting of bit combinations of these bit strings. On the other hand, the hash value u ′ = H ₃ (γ ′) obtained by applying the hash function H ₃ is calculated (step S23). The calculated hash value u ′ is stored in the memory 20a. Next, the remainder calculation unit 20f reads the hash value u ′ and the prime number p from the memory 20a, performs a remainder calculation t ′ = u ′ mod p, and stores the calculation result in the memory 20a (step S24). Next, the identifier encoding unit 20g reads the identifier id from the memory 20a, inputs the identifier id to the function IDencode, and calculates a point P _id = IDencode (id) on the elliptic curve E (step S25). This is the original P _id of the finite set E [p] corresponding to the identifier id of the signature generation apparatus 10. The generated point P _id on the elliptic curve E is stored in the memory 20a. Next, the bilinear function calculator 20h is read from the memory 20a, the second part information sigma 'original P ₂ and elliptic curve E on a point P _id master public key mp arithmetic result t', the pairing function A bilinear function value R ′ = e (σ ′, P ₂ ) · e (P _id , mp) ^{t ′} is calculated using e (step S26). The generated bilinear function value R ′ is stored in the memory 20a. Next, the determination unit 20i reads the bilinear function value R ′ from the memory 20a and determines whether R ′ = 1 (step S27). If R ′ = 1, the control unit 20c rejects the signature (step S36) and ends the process. On the other hand, if R ′ = 1, the bit dividing unit 20j reads the first part information r ′ from the memory 20a, and the bit string h ′ at the first bit position of the first part information r ′ and the first part. The bit string x ′ at the second bit position of the information r ′ is extracted (step S28) and stored in the memory 20a. As described above, the first bit position and the second bit position are the same as those set in the bit combination unit 10k of the signature generation apparatus 10. For example, if the bit combining unit 10k of the signature generating apparatus 10 has the first N bits as the first bit position and the remaining L bits as the second bit position, the bit dividing unit 20j also sets the first N bits as the first bit position. The remaining L bits are processed as the second bit position. Next, the hash calculator 20k reads the hash value h ′, the bilinear function value R ′, and the identifier id from the memory 20a, and for the bit combination value β ′ = h ′ | R ′ | id of these bit strings, A hash value v ′ = H ₂ (β ′) obtained by applying the hash function H ₂ is calculated (step S29). The calculated hash value v ′ is stored in the memory 20a. Next, the exclusive OR operation unit 20m reads the hash value v ′ and the bit string x ′ from the memory 20a, and calculates the exclusive ethical value of these as the restoration value rec ′ of the signature target information (step S30). ), The calculated restoration value rec ′ is stored in the memory 20a. Next, the hash calculation unit 20n reads the signature value restoration value rec ′, the bilinear function value R ′, and the identifier id from the memory 20a, and the bit combination value α ′ = rec ′ | R ′ | A hash value h ″ = H ₁ (α ′) obtained by applying the hash function H ₁ to id is calculated (step S31). The calculated hash value h ″ is stored in the memory 20a. Next, the comparison unit 20p reads the bit string h ′ and the hash value h ″ from the memory 20a, and determines whether or not they are equal (step S32). Here, if these are not equal, the control part 20c rejects a signature (step S36), and complete | finishes a process. On the other hand, if they are equal, the decoding unit 20q next reads the restored value rec 'from the memory 20a, inputs it to the decode function, calculates the decoded value M _rec ' = decode (rec '), and stores it in the memory. 20a is stored (step S34). Here, if the decrypted value M _rec 'is not in accordance with a predetermined format, the control unit 20c rejects the signature (step S36) and ends the process. On the other hand, if the decoded value M _rec ′ conforms to a predetermined format, the verification is successful and the decoded value M _rec ′ is sent to the output unit 20r and output therefrom (step S35).

<Features of this embodiment>
Signature generating apparatus 10 of this embodiment, in step S6, the bit coupling value beta = h of the bit string and the bit string of the identifier id bit string and a bilinear function value R of the hash value h | R | to id, a hash function H ₂ The applied L-bit hash value v = H ₂ (β) is obtained, and the exclusive OR value x = v (+) rec of the hash value v and the L-bit restored signature target information rec is obtained to obtain the restored signature. The target information rec is associated with the final signature information. Here, in order to perform the exclusive OR value x = v (+) rec, it is necessary to make the bit lengths of the hash value v and the restored signature target information rec the same. the input bit length, it is easy to set the hash function H ₂ for outputting a hash value v of the same bit length as recovery signature object information rec. Therefore, in this embodiment, it is possible to generate signature information that can flexibly correspond to the restoration signature target information rec and the recovery message M _rec of various bit lengths.

If the signature information (r ′, σ ′) received by the signature verification apparatus 20 in step S21 is valid and (r ′, σ ′) = (r, σ), it is calculated in step S23. The hash value u ′ is
u ′ = H ₃ (γ ′)
= H ₃ (r ′ | M _clr | id)
= H ₃ (r | M _clr | id)
= U
Thus, the remainder calculation result t ′ = t calculated in step S24 is obtained. The bilinear function value R ′ calculated in step S26 is
R ′ = e (σ ′, P ₂ ) · e (P _id , mp) ^{t ′}
= E (σ, P ₂ ) · e (P _id , mp) ^t
= E (y · P ₁ −t · S _id , P ₂ ) · e (P _id , mp) ^t (11)
It becomes. And from the fact that mp = ms · P ₂ and [property 3] of the pairing function, equation (11) is
R ′ = e (y · P ₁ −t · ms · P _id , P ₂ ) · e (P _id , ms · P ₂ ) ^t
_{= E (y · P 1 -t} · ms · P id, P 2) · e (ms · t · P id, P 2)
_{= E (y · P 1 -t} · ms · P id + ms · t · P id, P 2)
= E (y · P ₁ , P ₂ )
= E (P ₁ , P ₂ ) ^y
= R
It becomes.

Here, since y ≠ 0 in this embodiment, R ′ ≠ 1 is not satisfied (step S27). When r ′ = r, h ′ = h, x ′ = x (step S28), β ′ = β, v ′ = v (step S29), and rec ′ = rec. (Step S30). Therefore, h ″ = h ′ = h (steps S31 and S32), and the recovery message M _rec ′ = M _rec is decoded from rec ′ = rec, and the verification is successful (steps S33 to S35).

In addition to the clear message M _clr and signature information (r ′, σ ′), information to be acquired by the signature verification apparatus 20 in order to perform this signature verification processing is an elliptic curve E, pairing shared by all apparatuses. The shared parameter such as the function e, the function IDencode, the function decode, the hash function H ₁ , H ₂ , H ₃ , the master public key mp, and the identifier id of the signature generation apparatus 10 that has actually generated the signature. Among these, the information unique to the signature generation apparatus 10 is only the identifier id, and this identifier id is easily available information such as a mail address. Therefore, in comparison with the conventional method using a public key such as RSA that requires a public key certificate or the like, it is possible to reduce the complexity of obtaining and managing a key necessary for signature verification. Further, when specific position information detected by the GPS device, time information output from a clock, or the like is used as an identifier id, the signature verification device 20 reaches a predetermined position or reaches a predetermined time. It is possible to construct a system that enables signature verification and recovery of the recovery message M _rec only when it is performed.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. The second embodiment is a modification of the first embodiment, in which the clear message M _clr is not used and the clear message M _clr is set to a null value. Below, it demonstrates centering around difference with 1st Embodiment, and abbreviate | omits description about the matter which is common in 1st Embodiment.

<Configuration>
FIG. 10 is a block diagram for explaining a detailed configuration of the signature generation apparatus 110 according to the second embodiment. FIG. 11 is a block diagram for explaining a detailed configuration of the signature verification apparatus 120 according to the second embodiment.

  The recovery signature system of the present embodiment has a configuration in which the signature generation apparatus 10 constituting the recovery signature system 1 of the first embodiment is replaced with a signature generation apparatus 110 and the signature verification apparatus 20 is replaced with a signature verification apparatus 120. The difference between the signature generation device 10 and the signature generation device 110 is that the hash calculation unit 10m is replaced with a hash calculation unit 110m ("third hash calculation unit"). The difference between the signature verification device 20 and the signature verification device 120 is that the hash calculation unit 20e is replaced with a hash calculation unit 120e (“fourth hash calculation unit”).

<Processing>
Next, the processing of this embodiment will be described.
[Pre-processing and secret key generation processing]
Since it is the same as 1st Embodiment, description is abbreviate | omitted.

[Signature generation processing]
Next, the signature generation process of the signature generation apparatus 110 will be described. FIG. 12 is a flowchart for explaining a signature generation process according to the second embodiment. Hereinafter, the difference from the first embodiment will be mainly described.

First, the recovery message M _rec to be signed is input to the input unit 10d and stored in the memory 10a (step S101). In this embodiment, the clear message _McIr is not input. After that, the same processes of steps S2 to S8 are executed as in the first embodiment. Next, the hash calculator 10m reads the bit combination value r and the identifier id from the memory 10a, and a hash value u = H _{3 obtained} by applying a hash function H ₃ to the bit combination value γ = r | id. (Γ) is calculated (step S109). The generated hash value u is stored in the memory 10a. Thereafter, after the processing of steps S10 to S14, which is the same as in the first embodiment, is performed, the bit combination value r and the elliptic curve calculation value σ are sent to the transmission unit 10s, and the transmission unit 10s receives the signature information (r, σ) is transmitted to the signature verification apparatus 120 via the network 40 (step S115).

[Signature verification]
Next, the signature verification process of the signature verification apparatus 120 will be described. FIG. 13 is a flowchart for explaining the signature verification processing of the second embodiment. Hereinafter, the difference from the first embodiment will be mainly described.

First, the communication unit 20d of the signature verification apparatus 20 receives the signature information (r ′, σ ′) (step S121). In this embodiment, the clear message M _clr is not received. Next, the identifier id of the signature generation device 10 is input to the input unit 20s and stored in the memory 20a (step S22). If the identifier id is already stored in the memory 20a, step S22 can be omitted. Next, the hash calculator 20e reads the first part information r ′ and the identifier id from the memory 20a, and applies the hash function H ₃ to the bit string γ ′ = r ′ | id consisting of the bit combination of these bit strings. The calculated hash value u ′ = H ₃ (γ ′) is calculated (step S123). The calculated hash value u ′ is stored in the memory 20a. Thereafter, signature verification and recovery of the recovery message are performed by the processing of steps S24 to S36 of the first embodiment.

[Modifications, etc.]
In addition, this invention is not limited to each above-mentioned embodiment. For example, in the first embodiment, the bit combination value rec | R | id of each bit string of the restored signature target information rec, the bilinear function value R, and the identifier id is α, and the restored value rec ′ of the signature target information is bilinear. The bit combination value rec ′ | R ′ | id of each bit string of the function value R ′ and the identifier id is α ′. However, the bit combination value including each bit string of the restoration signature object information rec and the bilinear function value R is α, and the bit including each bit string of the restoration value rec ′ of the signature object information and the bilinear function value R ′ If the combined value is α ′ and the bit string constituting the bit combined value α is equal to the bit string constituting the bit combined value α ′, α and α ′ include the identifier id if α = α ′. The information may not be included, may include other information, and may be combined in any order.

  Similarly, in the first embodiment, β = h | R | id and β ′ = h ′ | R ′ | id, but a bit combination including each bit string of the hash value h and the bilinear function value R is used. The value is β, the bit combination value including each bit string of the hash value h ′ and the bilinear function value R ′ is β ′, and the bit string constituting the bit combination value β and the bit string constituting the bit combination value β ′ are If β = β ′ in the case of equality, β and β ′ may not include the identifier id, may include other information, and may be combined in any order.

Similarly, in the first embodiment, γ = r | M _clr | id is set and γ ′ = r ′ | M _clr | id is set, but a bit sequence including a bit sequence of the bit combination value r is set to γ, and the signature information If the bit string including the bit string of the first part information r ′ is γ ′, and γ = γ ′ when the bit string constituting the bit combination value γ and the bit string constituting the bit combination value γ ′ are equal, then γ And γ ′ may not include the identifier id, may not include M _clr (for example, the second embodiment), may include other information, and are combined in any order. May be.

Further, the determination unit 20i of the signature verification device 20, 120 reads the second part information σ ′ and the remainder calculation result t ′ from the memory 20a, and whether or not σ ′ is the infinity point O and the remainder calculation result t. It may be configured to determine whether or not “0” and reject signature information when σ ′ = O or t ′ = 0. In particular, when the configuration is such that signature information is rejected when t ′ = 0, safety in an actual environment that does not assume a random oracle model is improved. That is, it is assumed that the attacker has found an integer r satisfying 0 = u mod p, u = H ₃ (r | M _clr | id). Here, when the signature verification devices 20 and 120 permit t ′ = 0, the attacker uses only public information P ₁ and impersonates any signature generation device as an elliptic curve calculation. The value σ = y · P ₁ −t · S _id = y · P ₁ is generated, and signature information (r, σ) that passes the signature verification can be generated. Such an attack can be prevented by eliminating the signature information in which the signature verification devices 20 and 120 have t ′ = 0.

  In the first and second embodiments, the random number y is selected from the range of (Z / pZ) \ {0}. However, the configuration may be such that the random number y is selected from Z / pZ including 0 and the determination of step S27 is not performed at the time of signature verification. Furthermore, although the calculation efficiency is lowered, a configuration in which the random number y is selected from general integers may be used. Moreover, the structure which does not perform determination of step S11 or step S13 may be sufficient.

In the first and second embodiments, rec = encode (M _rec ) is set, but rec = M _rec may be set, and steps S2, S33, and S34 may not be executed. In the first and second embodiments, t and t ′ are calculated by the remainder calculation t = u mod p and t ′ = u ′ mod p, but t = u and t ′ = u ′ The structure which does not perform S10 and S24 may be sufficient.

Further, the step S4, instead of _{P 1} in S12 belonging to _{<P 1>} other source _{(e.g., P id)} may be used.

  In this embodiment, since the signature can be generated regardless of the bit length of the recovery message, the recovery message can be a null value. In this case, only the clear message is to be signed. As described above, in the configuration of the present embodiment, the degree of freedom of the signature target is improved.

  In addition, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  The present invention is applicable to various uses using an electronic signature.

FIG. 1 is a system configuration diagram for explaining a recovery signature system according to the first embodiment. FIG. 2 is a block diagram for explaining a detailed configuration of the signature generation apparatus according to the first embodiment. FIG. 3 is a block diagram for explaining an example of a detailed configuration of the hash calculation unit 10i in the first embodiment. FIG. 4 is a block diagram for explaining a detailed configuration of the signature verification apparatus according to the first embodiment. FIG. 5 is a block diagram for explaining a detailed configuration of the management apparatus according to the first embodiment. FIG. 6 is a flowchart for explaining the signature generation processing according to the first embodiment. FIG. 7 is a flowchart for illustrating the detailed processing of step S6. FIG. 8 is a flowchart for explaining the signature verification processing according to the first embodiment. FIG. 9 is a diagram illustrating a setting example of the first bit position and the second bit position. FIG. 10 is a block diagram for explaining a detailed configuration of the signature generation apparatus according to the second embodiment. FIG. 11 is a block diagram for explaining a detailed configuration of the signature verification apparatus according to the second embodiment. FIG. 12 is a flowchart for explaining a signature generation process according to the second embodiment. FIG. 13 is a flowchart for explaining the signature verification processing of the second embodiment.

Explanation of symbols

1 recovery signature system 10, 110 signature generation device 20, 120 signature verification device 30 management device

Claims (9)

A recovery signature system having a signature generation device and a signature verification device,
The signature generation device includes:
Let E be an elliptic curve on a finite field, p be a prime number that divides element number #E of a finite set of rational points on elliptic curve E, and E [p and, a finite set mu _p consisting enlarged body based body said finite field, a non-degenerate bilinear pairing function copy two original finite set E [p] to one original finite set mu _p e: and E [p] × E [p ] → μ p, the original _{e (P} 1, P ₂₎ meet the ≠ 1 finite set E [p] and _{P 1, P 2 ∈E [p} ], the The identifier of the signature generating device is set to id, the element of the finite set E [p] corresponding to the identifier id is set to P _id , the master secret key that is an integer is set to ms, and ms multiple points ms on the elliptic curve E of P _id - in the case of the _{P id} was secret key _{S id} of the signature generating apparatus, the first SL for storing the secret key _{S id} And parts,
A second storage unit for storing restored signature target information rec, which is a bit string of a signature target to be concealed;
An arbitrary number selector for selecting an arbitrary integer y;
A first bilinear function computing unit for calculating a bilinear function value R = e (P ₁ , P ₂ ) ^y ∈μ _p ;
A hash value h = H ₁ (α) obtained by applying the first hash function H ₁ to the bit combination value α including the bit string of the restored signature object information rec and the bit string of the bilinear function value R is calculated. 1 hash operation part,
A second hash for converting a bit string having an arbitrary bit length into a bit string having the same bit length as the restored signature object information rec for the bit combination value β including the bit string of the hash value h and the bit string of the bilinear function value R A second hash calculator that calculates a hash value v = H ₂ (β) obtained by applying the function H ₂ ;
A first exclusive OR operation unit for calculating an exclusive OR value x of the hash value v and the restored signature target information rec;
A bit combination unit that calculates a bit combination value r in which the bit string of the hash value h is arranged in a first bit position and the bit string of the exclusive OR value x is arranged in a second bit position;
A third hash calculator that calculates a hash value u = H ₃ (γ) obtained by applying a third hash function H ₃ to the bit string γ including the bit string of the bit combination value r;
In the case where an integer determined to the hash value u according to a predetermined rule set to t, the the y magnification point y · P ₁ on the original P ₁ of the elliptic curve E, on an elliptic curve E S _id An elliptic curve calculation unit for calculating an elliptic curve calculation value σ = y · P ₁ −t · S _id obtained by elliptically adding the elliptic inverse element −t · S _id of the t-fold point t · S _id of
A transmission unit for transmitting signature information (r, σ) composed of the bit combination value r and the elliptic curve calculation value σ,
The signature verification device includes:
And the source _{P 2,} and a third storage unit for storing a master public key mp, a is the a ms multiplied point ms · _{P 2} on the original _{P 2} elliptic curve E,
A receiving unit for receiving signature information (r ′, σ ′) including first part information r ′ that is a bit string and second part information σ ′ that is an element of a finite set E [p];
A fourth storage unit for storing the first part information r ′ and the second part information σ ′;
A fifth storage unit for storing an original P _id of a finite set E [p] corresponding to the identifier id of the signature generation device;
A fourth hash calculator that calculates a hash value u ′ = H ₃ (γ ′) obtained by applying a third hash function H ₃ to the bit string γ ′ including the bit string of the first part information r ′;
Bilinear function value R ′ = e (σ ′, P ₂ ) · e (P _id , mp) ^{t ′} where t ′ is an integer determined for the hash value u ′ according to the predetermined rule. a second bi-linear function calculator for calculating a ∈μ _p,
A bit dividing unit that extracts the bit string h ′ of the first bit position of the first part information r ′ and the bit string x ′ of the second bit position of the first part information r ′;
A hash value v ′ = H ₂ (β ′) obtained by applying the second hash function H ₂ to a bit combination value β ′ including the bit string of the hash value h ′ and the bit string of the bilinear function value R ′. A fifth hash calculation unit for calculating
A second exclusive OR operation unit that calculates an exclusive ethical sum value of the hash value v ′ and the bit string x ′ as a restoration value rec ′ of the signature target information;
A hash value h ″ = H obtained by applying the first hash function H ₁ to the bit combination value α ′ including the bit string of the restoration value rec ′ of the signature target information and the bit string of the bilinear function value R ′. _A sixth hash calculator that calculates ₁ (α ′);
A comparison unit that determines whether or not the bit string h ′ and the hash value h ″ are equal to each other.
A recovery signature system characterized by that. The recovery signature system of claim 1,
The signature generation apparatus includes a sixth storage unit that stores a clear message M _clr that is a bit string to be signed that is not concealed;
The third hash calculation unit of the signature generation device operates a third hash function H ₃ on a bit string γ that is a bit combination value including the bit string of the bit combination value r and the bit string of the clear message M _clr. Configured to calculate a hash value u = H ₃ (γ),
The transmission unit of the signature generation device is configured to transmit the signature information (r, σ) and the clear message M _clr ,
The receiving unit of the signature verification device is configured to receive the signature information (r ′, σ ′) and the clear message M _clr ;
The signature verification apparatus includes a seventh storage unit that stores the clear message M _clr .
The fourth hash calculation unit of the signature verification apparatus performs a third hash function H ₃ on a bit string γ ′ that is a bit combination value including the bit string of the first part information r ′ and the bit string of the clear message _Mclr. Configured to calculate a hash value u ′ = H ₃ (γ ′) obtained by applying
A recovery signature system characterized by that. The recovery signature system according to claim 1 or 2,
The signature generation device includes:
A first determination unit that determines whether or not an integer t determined for the hash value u is 0;
When the integer t determined for the hash value u is 0, the arbitrary number selection unit selects a new arbitrary integer y, and the first bilinear function calculation is performed based on the new arbitrary integer y. Processing, first hash operation unit processing, second hash operation unit processing, first exclusive OR operation unit processing, bit combination unit processing, and third hash A control unit for performing processing of the calculation unit again,
The signature verification device includes:
It is determined whether or not an integer t ′ determined for the hash value u ′ is 0. If the integer t ′ is 0, it is determined that the signature information (r ′, σ ′) is not valid. Having two determination units,
A recovery signature system characterized by that.   A signature generation device constituting the recovery signature system according to claim 1.   The signature verification apparatus which comprises the recovery signature system in any one of Claim 1 to 3.   A signature generation method executed by the signature generation apparatus according to claim 4.   A signature verification method executed by the signature verification apparatus according to claim 5.   A program for causing a computer to function as the signature generation apparatus according to claim 4.   A program for causing a computer to function as the signature verification apparatus according to claim 5.

Images