JP2010087590A - System, method and program for generating aggregate signature - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system, method and program for generating aggregate signatures, capable of representing a hierarchy to which a signer belongs. <P>SOLUTION: Nodes are provided for each signer who signs, and a plurality of nodes are disposed while the hierarchy of a plurality of layers is formed. An aggregate signature σ, in which each signer uses an own node to sign to mutually different messages and the signatures are collected, is represented by power operation by a signature key of each signer and a prescribed value differing for each hierarchy to which oneself belongs to a hash hf-q of a message mf-q. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an aggregate signature generation system, an aggregate signature generation method, and an aggregate signature generation program.

  Conventionally, various electronic information has been transmitted via a network or a medium. As a mechanism for guaranteeing a source of electronic information, there is an electronic signature. An electronic signature is a signature operation that uses a signature key and electronic information that only a specific person knows as input values, and the verifier uses public information called a verification key and signed data as input values. By performing the verification calculation, it is possible to confirm whether or not the above-mentioned specific person is a data transmission source. According to this electronic signature, since it is difficult to derive a signature key from a verification key, a person who is not a specific person cannot impersonate a specific person to perform the signature. Can guarantee sex.

  Here, depending on the electronic information, a case in which a plurality of people intervene and sign is assumed. Examples of this case include circulation of electronic data and an approval system in a company. Thus, multiple signatures (Non-Patent Document 1) and group signatures (Patent Document 1) have been proposed as methods for performing signatures of a plurality of persons.

However, since the multiple signatures and group signatures described above are signed by a plurality of signers for one message, they cannot be used for circulation of adding a message. Therefore, an aggregate electronic signature (Non-patent Documents 2 and 3) has been proposed as a scheme in which each signer signs different messages and collects the signatures. According to this aggregate electronic signature, it is possible to aggregate the signatures of different messages signed by each signer while keeping the signature size constant regardless of the number of signers. For this reason, the aggregate electronic signature can be used in circulation for adding a message.
Shinpo, “An ElGamal Signature Modification Suitable for Multiple Signatures”, Symposium on Cryptography and Information Security (CSS), 2C, IEICE, 1994 Isamu Teranishi, Kazue Sako, Jun Noda, Daigo Taguchi, “RSA-based Sequential Aggregate signature scheme whose signature length is not proportional to the number of signers”, CSEC-28, 2005 D. Boneh, C.I. Gentry, B.M. Lynn, and H.M. Shacham, “Aggregate and Verify Encrypted Signatures from Bilinear Map,” Advances in Cryptology EUROCRYPT 2003, Springer-Verlag, 2003 JP 2001-166687 A

  However, the above-described aggregate electronic signature method cannot express to which hierarchy the signer belongs.

  Accordingly, the present invention has been made in view of the above-described problems, and provides an aggregate signature generation system, an aggregate signature generation method, and an aggregate signature generation program that can express to which hierarchy a signer belongs. The purpose is to do.

  The present invention proposes the following matters in order to solve the above problems.

  (1) The present invention provides an aggregate signature generation system in which a plurality of signature generation apparatuses used by a signer to form a signature are arranged in a plurality of hierarchies and each signer signs a different message Each of the plurality of signature generation devices includes a key storage unit that stores different private keys, a public key obtained by performing a power operation on the private key with respect to a predetermined parameter, and an own message. The signature generation unit that generates a signature by performing a power operation on the hash of the private key and the signature generated by the signature generation unit with a predetermined value that is different for each hierarchy to which the signature belongs A power calculation unit that performs a power operation, and a predetermined signature generation device among the plurality of signature generation devices calculates a sum of the calculation results of the power operation unit for each layer, and By multiplying the result of the calculation, it has proposed an aggregate signature generation system characterized in that it further comprises an aggregate signature generation unit for generating an aggregate signature.

  According to the present invention, each of the plurality of signature generation apparatuses generates a signature by performing a power operation with its own secret key on the hash of its own message by the signature generation unit. Then, the exponentiation operation unit performs an exponentiation operation on the signature generated by the signature generation unit with a predetermined value different for each hierarchy to which the signature belongs. The predetermined signature generation device among the plurality of signature generation devices calculates the sum of the calculation results of the power calculation unit for each hierarchy by the aggregate signature generation unit, multiplies the calculation results for each hierarchy, and Generate a signature.

  For this reason, the aggregate signature is represented by a structure in which a power operation is performed on the hash of the message by each private key and a predetermined value. And this predetermined value is a value which changes with every hierarchy to which self belongs. Therefore, the hierarchy of the signature generation apparatus can be expressed by the structure of the exponent of the mathematical expression representing the aggregate signature. Therefore, by using different signature generation apparatuses for each signer, it is possible to express to which hierarchy the signer belongs.

  Further, since the aggregate signature is in the same cyclic group as the signatures of the respective signers, the aggregate signature can be stored in a certain size regardless of the number of signers.

  (2) In the aggregate signature generation system according to (1), the predetermined value is a value obtained by performing a power operation on a specific value by a difference in the number of layers between the layer to which the self belongs and the lowest layer. We propose an aggregate signature generation system characterized by

  According to the present invention, the predetermined value is represented by a value obtained by performing a power operation on the specific value by the difference in the number of layers between the layer to which the device belongs and the lowest layer. For this reason, the hierarchy to which the signature generation apparatus belongs can be expressed by a specific value among the exponents of the mathematical expression representing the aggregate signature.

  (3) The present invention further includes a signature verification device for verifying the aggregate signature in the aggregate signature generation system according to (1) or (2), wherein the signature verification device includes the predetermined parameter, the public key And an aggregate signature verification unit that performs a GAP-Diffie-Hellman signature operation using the hash of the message and the aggregate signature as input, and verifies the validity of the aggregate signature. An aggregate signature generation system is proposed.

  According to the present invention, the signature verification apparatus performs the calculation of the GAP-Diffie-Hellman signature using the predetermined parameter, public key, message hash, and aggregate signature as inputs by the aggregate signature verification unit. Verify the validity of the gate signature.

  Here, the calculation of the GAP-Diffie-Hellman signature will be described below. A GAP-Diffie-Hellman (GDH) signature is a signature that uses the decision-difficult-Hellman (DDH) problem that can be solved by using a certain black box function e (P, Q) called pairing. .

  First, the DDH problem will be described. The DDH problem is a problem that determines whether or not ab = c is satisfied when g, ga, gb, and gc are given. For this problem, the function e (P, Q) has the following properties.

  Due to the properties shown in Formula 1, when g, ga, gb, and gc are input to the function e (P, Q), Formulas 2 and 3 are obtained.

  For this reason, whether or not the above-mentioned ab = c is satisfied can be determined based on whether or not the values of Equation 2 and Equation 3 match.

  Next, the GDH signature procedure will be described. In the GDH signature, a key is generated, and the signature is performed using the generated key.

  When generating a key, x is randomly selected from Zp *, and v is calculated such that v = gx. Then, v is a public key and x is a secret key.

  When signing, a secret key x and a message m are prepared. Then, a hash h is calculated from the message m, and a signature σ is obtained by raising the hash h to the power of x.

  The verification of the signature σ is performed as follows. Here, since the GDH signature uses an element of G *, the hash h is also an element of G *, and as a result, h = ga holds. Therefore, if the signature σ is correct, the following expression is established.

  When (g, v, h, σ) is input to the function e (P, Q), the following equation is established.

  As described above, if the signature σ is correct, the values of Equation 5 and Equation 6 match. Therefore, the signature σ can be verified based on whether the values of Formula 5 and Formula 6 match.

  As described above, the validity of the aggregate signature can be verified by the calculation of the GDH signature.

  (4) The present invention relates to an aggregate signature generation system in which a plurality of signature generation apparatuses used for signing by a signer to form a multi-level hierarchical structure and each signer signs a different message. A method of generating an aggregate signature, wherein each of the plurality of signature generation devices stores a secret key different from each other and a public key obtained by performing a power operation on the predetermined key with the secret key. A second step of generating a signature by performing a power operation on the hash of its own message with its own secret key by each of the plurality of signature generation devices, and the plurality of signature generations Third, each device performs a power operation on the signature generated in the second step with a predetermined value that is different for each hierarchy to which the signature belongs. A sum of the calculation results of the third step is calculated for each layer by a predetermined signature generation device among the plurality of signature generation devices, and an aggregate signature is generated by multiplying the calculation result for each layer And a fourth step of providing an aggregate signature generation method.

  According to the present invention, each of the plurality of signature generation devices generates a signature by performing a power operation with the own secret key on the hash of its own message. Then, a power operation is performed on the generated signature with a predetermined value that is different for each hierarchy to which the signature belongs. Then, a predetermined signature generation device among a plurality of signature generation devices calculates the sum of the calculation results of the exponentiation operation for each layer and multiplies the calculation results for each layer to generate an aggregate signature.

  For this reason, the aggregate signature is represented by a structure in which a power operation is performed on the hash of the message by each private key and a predetermined value. And this predetermined value is a value which changes with every hierarchy to which self belongs. Therefore, the hierarchy of the signature generation apparatus can be expressed by the structure of the exponent of the mathematical expression representing the aggregate signature. Therefore, by using different signature generation apparatuses for each signer, it is possible to express to which hierarchy the signer belongs.

  Further, since the aggregate signature is in the same cyclic group as the signatures of the respective signers, the aggregate signature can be stored in a certain size regardless of the number of signers.

  (5) In the aggregate signature generation method according to (4), the predetermined value is a value obtained by performing a power operation on a specific value by a difference in the number of layers between the layer to which the self belongs and the lowest layer. We propose an aggregate signature generation method characterized by

  According to the present invention, the predetermined value is represented by a value obtained by performing a power operation on the specific value by the difference in the number of layers between the layer to which the device belongs and the lowest layer. For this reason, the hierarchy to which the signature generation apparatus belongs can be expressed by a specific value among the exponents of the mathematical expression representing the aggregate signature.

  (6) The present invention relates to the aggregate signature generation method according to (4) or (5), wherein the signature verification apparatus for verifying the aggregate signature is further arranged in the aggregate signature generation system. Then, the signature verification device performs an operation of a GAP-Diffie-Hellman signature with the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs, thereby validating the aggregate signature. The present invention proposes an aggregate signature generation method comprising a fifth step of verifying the authenticity.

  According to the present invention, the signature verification apparatus performs a GAP-Diffie-Hellman signature calculation by inputting predetermined parameters, a public key, a message hash, and an aggregate signature, and verifies the validity of the aggregate signature. To do. Therefore, the validity of the aggregate signature can be verified.

  (7) The present invention relates to an aggregate signature generation system in which a plurality of signature generation apparatuses used for signing by a signer to form a multi-layered hierarchical structure and each signer signs a different message An aggregate signature generation program for causing a computer to execute an aggregate signature generation method that performs a secret key that is different from each other by each of the plurality of signature generation devices and a predetermined parameter. A first step of storing a public key that has been exponentiated with a key; and each of the plurality of signature generation devices performs a power operation with its own secret key on a hash of its own message, thereby obtaining a signature. A second step of generating the signature generated by the second step by each of the plurality of signature generation devices; A third step of performing a power operation with a different predetermined value for each layer to which the device belongs, and a predetermined signature generation device among the plurality of signature generation devices to calculate a sum of the operation results of the third step An aggregate signature generation program for causing a computer to execute a fourth step of generating an aggregate signature by calculating for each layer and multiplying a calculation result for each layer is proposed.

  According to the present invention, by causing the computer to execute the aggregate signature generation program, the signature is generated by performing a power operation with the own secret key on the hash of the own message. Then, a power operation is performed on the generated signature with a predetermined value that is different for each hierarchy to which the signature belongs. Then, the sum of the operation results of the power operation is calculated for each layer, and the calculation result for each layer is multiplied to generate an aggregate signature.

  For this reason, the aggregate signature is represented by a structure in which a power operation is performed on the hash of the message by each private key and a predetermined value. And this predetermined value is a value which changes with every hierarchy to which self belongs. Therefore, the hierarchy of the signature generation apparatus can be expressed by the structure of the exponent of the mathematical expression representing the aggregate signature. Therefore, by using different signature generation apparatuses for each signer, it is possible to express to which hierarchy the signer belongs.

  Further, since the aggregate signature is in the same cyclic group as the signatures of the respective signers, the aggregate signature can be stored in a certain size regardless of the number of signers.

  (8) In the aggregate signature generation program according to (7), the predetermined value is a value obtained by performing a power operation on a specific value by a difference in the number of layers between the layer to which the program belongs and the lowest layer. We have proposed an aggregate signature generation program characterized by

  According to this invention, by causing the computer to execute the aggregate signature generation program, the predetermined value is expressed as a value obtained by performing a power operation on the specific value by the difference in the number of layers between the layer to which the computer belongs and the lowest layer. The For this reason, the hierarchy to which the signature generation apparatus belongs can be expressed by a specific value among the exponents of the mathematical expression representing the aggregate signature.

  (9) The present invention relates to the aggregate signature generation program in the aggregate signature generation system in which the signature verification device for verifying the aggregate signature is further arranged for the aggregate signature generation program of (7) or (8). Then, the signature verification device performs an operation of a GAP-Diffie-Hellman signature with the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs, thereby validating the aggregate signature. This invention proposes an aggregate signature generation program comprising a fifth step for verifying the authenticity.

  According to the present invention, by causing the computer to execute the aggregate signature generation program, the GAP-Diffie-Hellman signature is calculated using the predetermined parameters, public key, message hash, and aggregate signature as inputs, Verify the validity of the aggregate signature. Therefore, the validity of the aggregate signature can be verified.

  According to the present invention, the aggregate signature is represented by a structure in which a power operation is performed on the hash of the message by each private key and a predetermined value. And this predetermined value is a value which changes with every hierarchy to which self belongs. Therefore, the hierarchy of the signature generation apparatus can be expressed by the structure of the exponent of the mathematical expression representing the aggregate signature. Therefore, by using different signature generation apparatuses for each signer, it is possible to express to which hierarchy the signer belongs.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

  The aggregate signature system includes a plurality of nodes provided for each signer who performs a signature, and a signature verification apparatus that verifies signatures generated by the plurality of nodes. Each node includes a key storage unit that stores a signature key (secret key) and a verification key (public key), a signature generation unit that generates a signature, and a hierarchy to which the node belongs to the signature generated by the signature generation unit And a power calculation unit for performing power calculation with different predetermined values. In addition, a predetermined node of these nodes includes an aggregate signature generation unit that generates an aggregate signature. The signature verification apparatus includes an aggregate signature verification unit that verifies the validity of the aggregate signature.

  As shown in FIG. 1, a plurality of nodes are arranged to form a hierarchy of d layers (d is an integer satisfying 4 ≦ d). In the first layer, which is the highest layer, p nodes (p is an integer satisfying 1 ≦ p) are arranged, and in the (d−2) layer, o nodes (o is 1 ≦ o). (Integer integer) nodes are arranged, n nodes (n is an integer satisfying 1 ≦ n) are arranged in the (d−1) layer, and m is arranged in the d layer, which is the lowest layer. Nodes (m is an integer satisfying 1 ≦ m) are arranged. In the present embodiment, each signer signs a different message using his / her node.

<Generation of an aggregate signature when a hierarchy of d layers is formed>
Hereinafter, a case where an aggregate signature is generated by the node of FIG. 1 will be described.

  Here, the pair of the signature key (private key) and the verification key (public key) is the one of the node (d-2) layer (( d-2) -k) is represented by Equation 8, node (d-1) layer node ((d-1) -j) is represented by Equation 9, and d layer is numbered. It is expressed as 10. In Equation 7, l is an integer satisfying 1 ≦ l ≦ p, in Equation 8, k is an integer satisfying 1 ≦ k ≦ o, and in Equation 9, j satisfies 1 ≦ j ≦ n. An integer is used, and in Expression 10, i is an integer satisfying 1 ≦ i ≦ m.

  First, each node (d-i) in the d-th layer performs a GDH signature as shown in Equation 11 and performs a power operation with its signature key xd-i on the hash hd-i of the message md-i. To make the signature σd-i belonging to the d-th layer.

  Next, each node ((d-1) -j) in the (d-1) layer performs a GDH signature, as shown in Equation 12, and a hash h () of the message m (d-1) -j After performing a power operation on d-1) -j with its own signature key x (d-1) -j, it further performs a power operation on the first value and belongs to the (d-1) layer. Let it be its own signature σ (d−1) -j. Here, the first value is a value obtained by raising “2” to the power of “1” times equal to the difference in the number of layers between the (d−1) layer and the d layer, which is the lowest layer. 2 (= 21) ".

  Next, each node ((d-2) -k) in the (d-2) layer performs a GDH signature, as shown in Equation 13, and a hash h () of the message m (d-2) -k d-2) -k is subjected to a power operation with its own signature key x (d-2) -k and then a power operation is further performed with the second value to belong to the (d-2) layer. It is assumed that its signature σ (d−2) −k. Here, the second value is a value obtained by raising “2” to the power of “2” times equal to the difference in the number of layers between the (d−2) th layer and the dth layer that is the lowest layer. 4 (= 22) ".

  For each node belonging to a layer higher than the (d-2) -th layer, signatures are sequentially generated in the same manner as in Equations 12 and 13 above.

  For example, each node (1-l) in the first layer, which is a layer higher than the (d-2) layer, performs GDH signature as shown in Equation 14, and the hash h1- of the message m1-l After performing a power operation on l with its own signature key x1-l, it further performs a power operation with a predetermined value to obtain its own signature σ1-l belonging to the first layer. Here, the predetermined value is a value obtained by raising “2” to the power of “d−1” times equal to the difference in the number of layers between the first layer and the d-th layer that is the lowest layer. "

  Next, after all nodes in all layers generate their own signatures, a predetermined node such as the node that finally generated their signatures is the signature of all nodes in all layers as shown in Equation 15. And the product of these is used as the aggregate signature σ.

  Next, (g, h, σ) is disclosed.

<Verification of the aggregate signature generated when the hierarchy of the d layer is formed>
The case where the aggregate signature generated at the node of FIG. 1 is verified will be described below.

  First, the signature verification apparatus inputs (g,..., Vf-q,..., Hf-q,...) To a function e (P, Q) as shown in equations 16 and 17. , GDH signature calculation is performed. Here, vf-q represents the verification key of the node (fq) of the f-th layer (f is an integer satisfying 1 ≦ f ≦ d), and hf-q represents the f-th layer (f is 1 The hash of the message mf-q in the node (f-q) of ≦ f ≦ d is shown. Q is an integer satisfying 1 ≦ q <f.

  The aggregate signature σ is verified by verifying whether the value of Expression 16 and the value of Expression 17 match. Specifically, if the value of Expression 16 and the value of Expression 17 match, it is determined that the aggregate signature σ is correct, and if the value of Expression 16 does not match the value of Expression 17, the aggregate signature σ is Judge that it is not correct.

  As described above, the aggregate signature σ can be expressed by performing a power operation with a predetermined value on the hash hf-q of the message mf-q as shown in Equation 15. Here, the predetermined value is expressed by multiplying each signature key by a different value for each hierarchy to which the node belongs.

  The different value for each layer to which this node belongs is “1” in the d-th layer, “2” in the (d−1) -th layer, and “4” in the (d-2) -th layer. In the first layer, “2d−1” is obtained. Therefore, the hierarchy to which the node belongs can be distinguished by a multiple of the signature key. Therefore, since the nodes belonging to each hierarchy can be distinguished by the structure of the exponent of the mathematical expression representing the aggregate signature σ, it is possible to express which hierarchy the signer belongs to.

  Further, since the aggregate signature σ is in the same cyclic group as the signatures of each signer, the aggregate signature σ can be stored in a certain size regardless of the number of signers.

  The processing of the node and signature verification device of the present invention is stored in a computer-readable recording medium, and the program recorded on these recording media is read and executed by the node and signature verification device (both are computer systems). By doing so, the present invention can be realized.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. Further, the above-described program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the above-mentioned function in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

It is a figure which shows arrangement | positioning of the some node which concerns on embodiment of this invention.

Explanation of symbols

x1-l, x (d-1) -j, x (d-2) -k, xd-i ... signature key (secret key)
v1-l, v (d-1) -j, v (d-2) -k, vd-i ... verification keys (public keys)
σ ・ ・ ・ Aggregate signature

Claims (9)

An aggregate signature generation system in which a plurality of signature generation apparatuses used by a signer to form a signature is arranged in a plurality of layers to form a hierarchical structure, and each signer signs a different message,
Each of the plurality of signature generation devices includes:
A key storage unit for storing different secret keys, and a public key obtained by performing a power operation with the secret key for the predetermined parameter;
A signature generation unit that performs a power operation on the hash of its own message with its own secret key and generates a signature;
A power calculation unit that performs a power operation with a predetermined value different for each hierarchy to which the signature belongs, with respect to the signature generated by the signature generation unit;
With
The predetermined signature generation device among the plurality of signature generation devices calculates an aggregate sum of calculation results by the power calculation unit for each layer, and multiplies the calculation results for each layer to generate an aggregate signature. An aggregate signature generation system further comprising a generation unit.   2. The aggregate signature generation system according to claim 1, wherein the predetermined value is a value obtained by performing a power operation on a specific value by a difference in the number of layers between a layer to which the predetermined value belongs and a lowest layer. A signature verification device for verifying the aggregate signature;
The signature verification device verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature calculation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs. The aggregate signature generation system according to claim 1, further comprising an aggregate signature verification unit configured to perform the aggregate signature verification. Aggregate signature generation method in which each signer signs a different message in an aggregate signature generation system in which a plurality of signature generation apparatuses used for signing by a signer to form a multi-level hierarchical structure are arranged Because
A first step of storing, by each of the plurality of signature generation devices, a different private key and a public key obtained by performing a power operation with respect to a predetermined parameter using the private key;
A second step of generating a signature by performing a power operation on the own hash of the message with the secret key of each of the plurality of signature generation devices;
A third step of performing a power operation with a predetermined value different for each hierarchy to which the signature belongs by each of the plurality of signature generation devices;
A sum of the calculation results of the third step is calculated for each hierarchy by a predetermined signature generation apparatus among the plurality of signature generation apparatuses, and an aggregate signature is generated by multiplying the calculation result for each hierarchy. And the steps
An aggregate signature generation method comprising:   5. The aggregate signature generation method according to claim 4, wherein the predetermined value is a value obtained by performing a power operation on a specific value by a difference between the number of layers to which the layer belongs and the lowest layer. An aggregate signature generation method in the aggregate signature generation system, further comprising a signature verification device for verifying the aggregate signature,
The signature verification device performs a GAP-Diffie-Hellman signature operation by inputting the predetermined parameter, the public key, the hash of the message, and the aggregate signature, and verifies the validity of the aggregate signature. The aggregate signature generation method according to claim 4, further comprising: a fifth step. Aggregate signature generation method in which each signer signs a different message in an aggregate signature generation system in which a plurality of signature generation apparatuses used for signing by a signer to form a multi-level hierarchical structure are arranged Is an aggregate signature generation program for causing a computer to execute
A first step of storing, by each of the plurality of signature generation devices, a different private key and a public key obtained by performing a power operation with respect to a predetermined parameter using the private key;
A second step of generating a signature by performing a power operation on the own hash of the message with the secret key of each of the plurality of signature generation devices;
A third step of performing a power operation with a predetermined value different for each hierarchy to which the signature belongs by each of the plurality of signature generation devices;
A sum of the calculation results of the third step is calculated for each hierarchy by a predetermined signature generation apparatus among the plurality of signature generation apparatuses, and an aggregate signature is generated by multiplying the calculation result for each hierarchy. And the steps
Aggregate signature generation program for causing a computer to execute.   8. The aggregate signature generation program according to claim 7, wherein the predetermined value is a value obtained by performing a power operation on a specific value by a difference in the number of layers between a layer to which the predetermined value belongs and a lowest layer. An aggregate signature generation program in the aggregate signature generation system in which a signature verification device for verifying the aggregate signature is further arranged,
The signature verification device performs a GAP-Diffie-Hellman signature operation by inputting the predetermined parameter, the public key, the hash of the message, and the aggregate signature, and verifies the validity of the aggregate signature. The aggregate signature generation program according to claim 7 or 8, further comprising a fifth step.

Images