JP2010103623A - Group signature system, revocation information management device, member device, and revocation processing method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a group signature system, or the like, capable of collectively executing revocation processings, even when the re are many revoked members. <P>SOLUTION: The group signature system is constituted by mutual connection between a revocation information management device 10 and member devices 11 to 1m. The revocation information management device includes a first input/output part 21 for accepting input of public keys of a plurality of revoked members which are the object of revocation processing and a first operation part 24 that uses the public keys of the plurality of revoked members to calculate revocation information, and each member device includes a second input/output part 31 for accepting input of the calculated revocation information and a second operation part 33 for updating public keys of members on the basis of the calculated revocation information. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an electronic signature used in digital data, and more particularly to a group signature method for proving that a signer belongs to a specific group.

  The group signature method is a signature method capable of generating an electronic signature in which a member belonging to a specific group such as a specific company or a specific department can indicate that it is a member of the group but an individual is not specified. In the group signature method, a group administrator having special authority has a function of specifying a member who generates a signature.

  Hereinafter, a member who loses the qualification as a member of the group and is excluded from the members of the group is referred to as a revoked member. The process of excluding such a revoked member from the members of the group is referred to as a revocation process. Usually, in the group signature method, since the signer has anonymity, the revocation process is complicated and requires many processing steps.

  For this reason, Non-Patent Document 1 describes an example of a method for performing revocation processing with fewer processing steps. The method will be described below. Each member of the group has a member public key. Here, it is assumed that a part of the member public key of the revoked member is hat (e ′), and a part of the member public key of the member other than the revoked member is e ′. Members other than the revoked member calculate integers α and β satisfying the following formula 1 when a revoked member is issued, and update the member public key using this.

  In addition, a symbol in which ^ is superimposed on e 'in Expression 1 is expressed as hat (e') in a line other than the mathematical expression. This hat (e ′) has only a meaning to be distinguished from e ′.

これに関連して、他には次のような文献がある。特許文献１には、グループ署名方式で該グループのメンバー各々に配布された署名鍵の一部をリボーク（無効化）する手法の一例が記載されている。特許文献２には、私有鍵を用いてグループ署名を更新する手法が記載されている。特許文献３には、デジタル証明書の有効性の再検証を行い、直前の期間において失効した証明書の集合に対してコンプリメントカバーを再構築して、該コンプリメントカバーのサイズを小さくするという技術が記載されている。

There are other references related to this. Patent Document 1 describes an example of a technique for revoking (invalidating) a part of a signature key distributed to each member of the group by a group signature method. Patent Document 2 describes a method for updating a group signature using a private key. In Patent Document 3, the validity of a digital certificate is re-verified, and a complement cover is reconstructed for a set of certificates revoked in the immediately preceding period to reduce the size of the complement cover. The technology is described.

Japanese Patent Laying-Open No. 2005-210638 JP 2005-525721 Gazette Special table 2008-524931 Isshiki Isshiki, Kengo Mori, Kazue Sako, Isamu Teranishi, Shoko Yonezawa “Improvement and Implementation of Member Revocation Method in Group Signatures” 2007 Cryptography and Information Security Symposium (SCIS), 2007

  For example, there may be a case where a number of revoked members are generated at one time, such as at the end of the fiscal year, such as when a group signature is used for authentication when lending a book at a library. In the technique of Non-Patent Document 1, since it is necessary to perform the revocation process as described above for each revoked member, there is a problem that the processing becomes complicated when a large number of revoked members are generated at one time. A configuration that solves this problem is not described in Non-Patent Document 1, and is not described in any of Patent Documents 1 to 3.

  An object of the present invention is to provide a group signature system, a revocation information management device, a member device, a revocation processing method, and a program that can execute revocation processing collectively even when there are many revoked members.

  In order to achieve the above object, a group signature system according to the present invention is a group signature system capable of revocation processing for revoking a specific member, and the revocation information management device and the member device are connected to each other. A revocation information management device configured to calculate revocation information using a first input / output unit that receives input of public keys of a plurality of revoked members that are revocation processing targets, and a plurality of revoked member public keys. A second input / output unit that receives an input of the calculated revocation information, and a second calculation unit that updates the member's public key based on the calculated revocation information. It is characterized by providing.

  In order to achieve the above object, a revocation information management device according to the present invention is a revocation information management device that constitutes a group signature system that is interconnected with member devices and that can perform revocation processing for revoking a specific member. And an input / output unit that receives input of public keys of a plurality of revoked members that are targets of revocation processing, and an arithmetic unit that calculates revocation information using the public keys of the plurality of revoked members.

  In order to achieve the above object, a member device according to the present invention is a member device that constitutes a group signature system that is interconnected with a revocation information management device and is capable of revocation processing for revoking a specific member. An input / output unit that receives input of revocation information calculated by the revocation information management device, and a calculation unit that updates a member's public key based on the calculated revocation information.

  In order to achieve the above object, a revocation processing method according to the present invention is a group signature system in which a revocation information management device and a member device are connected to each other, and a revocation processing for revoking a specific member. The revocation information management device accepts input of public keys of a plurality of revocation members to be revoked, and the revocation information management device calculates revocation information using the revocation members public keys. The member device accepts the input of the calculated revocation information, and the member device updates the public key of the member based on the calculated revocation information.

  In order to achieve the above object, a revocation processing program according to the present invention constitutes a revocation information management device that constitutes a group signature system that is interconnected with member devices and is capable of revocation processing for revoking a specific member. It is characterized by causing a computer to execute a process of accepting input of public keys of a plurality of revoked members that are subject to revocation processing and a process of calculating revocation information using the public keys of a plurality of revoked members.

  In order to achieve the above object, another revocation processing program according to the present invention includes a member device that constitutes a group signature system that is interconnected with a revocation information management device and is capable of revocation processing for revoking a specific member. It is characterized by causing a computer to be configured to execute processing for accepting input of revocation information calculated by the revocation information management device and processing for updating a member's public key based on the calculated revocation information.

  In the present invention, as described above, when the revocation member's public key is input to the revocation information management device, revocation processing is executed in each member device based on the revocation information calculated there. As a result, it is possible to provide an unprecedented superior group signature system, revocation information management device, member device, revocation processing method, and program that enable revocation processing to be executed collectively even when there are many revoked members.

(Embodiment)
The configuration of the embodiment of the present invention will be described below with reference to the accompanying drawings.
First, the basic content of the present embodiment will be described, and then more specific content will be described.
The group signature system 1 according to the present embodiment is a group signature system capable of revocation processing for revoking a specific member, and is configured by revocation information management device 10 and member devices 11-1m being connected to each other. The revocation information management apparatus 10 calculates revocation information using the first input / output unit 21 that receives the input of the public keys of a plurality of revoked members that are the targets of revocation processing, and the public keys of the plurality of revoked members. The first arithmetic unit 24, and the member devices 11 to 1m update the member's public key based on the second input / output unit 31 that receives the input of the calculated revocation information and the calculated revocation information. A second arithmetic unit 33.

  Here, the second input / output unit 31 receives the input of the revocation information calculated from the first calculation unit 24 via the network and performs the above-described processing.

  The revocation information management apparatus 10 has a storage unit 22 for storing revocation manager public keys, and the first calculation unit 24 uses the plurality of revocation member public keys and revocation manager public keys to store revocation information. At the same time, the revocation manager public key is updated.

By providing this configuration, the present invention can collectively execute the revocation process in each of the member devices 11 to 1m even when there are many revoked members.
Hereinafter, this will be described in more detail.

  FIG. 1 is an explanatory diagram showing a configuration of a group signature system 1 according to the embodiment of the present invention. The group signature system 1 includes a revocation information management device 10 and m member devices 11, 12,..., 1m connected to each other via a LAN (Local Area Network) or the like. Here, m is an integer of 1 or more.

  The revocation information management device 10 is a computer device that is operated by a revocation manager who has the authority to exclude a specific member from a group. A revocation manager public key and a revocation manager private key, which will be described later, Possess information. The revocation information is obtained by merging a part of member public keys of revoked members. The revocation information management device 10 has a function of updating a revocation manager public key and revocation information every time a member expires.

  Each of the member devices 11, 12,..., 1m is a computer device operated by a member belonging to the group, and holds a member public key and a member secret key described later. Each member device 11, 12,..., 1 m has a function of updating its own member public key using the revocation information of the revocation information management device 10.

  FIG. 2 is an explanatory diagram showing in more detail the configuration of the revocation information management apparatus 10 shown in FIG. The revocation information management device 10 includes an input / output unit 21 that is an input / output device, a key storage unit 22 that stores a public / private key pair of each member, and a revocation information storage unit 23 that stores the revocation information described above. And an arithmetic unit 24 that performs processing to be described later.

  The input / output unit 21 is an input / output device such as a keyboard and a display, and inputs the public key of a member to be revoked and outputs revocation information. In addition, information input from a keyboard or the like by a person operating the revocation information management apparatus 10 is received. Further, data is exchanged with each of the member devices 11, 12, ..., 1m.

  The key storage unit 22 is a non-volatile storage device such as a hard disk or a flash memory, and stores a pair of each member's public key and private key, including the revocation manager public key and the revocation described above. A pair with the administrator private key is also included. At the same time, the key storage unit 22 also stores the public key of the revoked member provided from the input / output unit 21. In addition, the key storage unit 22 provides the revocation manager public key, the revocation manager private key, and the public key of the member to be revoked to the calculation unit.

The revocation manager public key rpk and revocation manager private key rsk stored in the key storage unit 22 are as follows. The revocation manager private key rsk is expressed by the following equation. Hereinafter, regarding the process of actually generating a public key and a secret key from each parameter, each mathematical expression will be described on the assumption that a known method can be used according to Non-Patent Document 1 described above.

It is represented by Here, l1 and l2 are prime numbers called safe primes, and when l1, l2, l′ 1, and l′ 2 are all prime numbers, the following expression is satisfied. Also, in this specification, a prime number represented by “cursive el” in a mathematical expression is normally expressed as “l (alphabet small letter el)” in a line other than the mathematical expression. Be careful not to confuse it with “1)” or “I”.

The revocation manager public key rpk is expressed by the following formula.

  l = l1 × l2, and ω and b0 are random elements of QR (l). Here, QR (l) means a set of integers y smaller than l such that χ that satisfies χ ^ 2 = y (mod l) exists. b is a value updated every time the user is revoked, and the initial value of b is b0. χ ^ 2 is “square of χ”.

  The revocation information storage unit 23 is also a non-volatile storage device, and stores the above-described revocation information. The initial value of the revocation information P is P = 1 mod (l′ 1 × l′ 2). The revocation information P is updated every time a member expires. The revocation information storage unit 23 provides revocation information to the calculation unit 24.

  The calculation unit 24 is a calculation device such as a CPU (Central Processing Unit) and is a main body that executes a computer program. The calculation unit 24 uses the revocation manager public key rpk provided from the key storage unit 22, the public key of the member to be revoked, and the revocation information P provided from the revocation information storage unit 23, and the revocation information P and revocation management. A new public key rpk is generated or updated. The revocation information P generated or updated is provided to the revocation information storage unit 23, and the revocation manager public key rpk generated or updated is provided to the key storage unit 22.

  FIG. 3 is an explanatory diagram showing in more detail the configuration of the member devices 11 to 1m shown in FIG. Each of the member devices 11 to 1m includes an input / output unit 31 that is an input / output device, a key storage unit 32 that stores a pair of a public key and a secret key, and a calculation unit 33 that performs processing described later.

  The input / output unit 31 exchanges data from the revocation information management apparatus 10 via the network, and thereby inputs revocation information P. Moreover, the information which the person who operates member apparatus 11-1m input from the keyboard etc. is received. The revocation information P may be input via a network or may be input using a keyboard or the like. The input / output unit 31 provides the received revocation information P to the calculation unit 33.

  The key storage unit 32 stores a pair of a member public key and a member secret key. The key storage unit 32 provides the member public key and the member secret key to the calculation unit 33. Furthermore, the member apparatuses 11 to 1 m receive the member public key mpk and the member secret key msk from the issuing authority who has the authority to join the group members in advance and store them in the key storage unit 32.

  The member public key mpk and member secret key msk stored in the key storage unit 32 are shown below. The member secret key msk is defined as msk = χ. However, χ is a positive integer.

The member public key mpk is defined by the following formula.

However, h is an element of the group G of order q. A is an integer modulo n. n is the public information of the issuing authority and is a positive integer. e ′ is a prime number, and parameters B and B0 are defined by the following equations.

  The calculation unit 33 is a calculation device such as a CPU, and is a main body that executes a computer program. The computing unit 33 uses the revocation information P provided from the input / output unit 31 and the member public key mpk provided from the key storage unit 32 to newly generate a member public key mpk based on Equation 5 above. The newly generated member public key mpk is provided to the key storage unit 32.

鍵格納部２２は、前述の数４で表される失効管理者公開鍵ｒｐｋを演算部２４に提供する。失効情報格納部２３は、失効情報Ｐを演算部２４に提供する。 Next, the revocation processing operation of the revocation information management device 10 shown in FIG. 2 will be described. First, the operator inputs the public keys mpk1, mpk2,..., Mpkn of n members revoked to the revocation information management device 10 to the input / output unit 21. These public keys are represented by the following formula. The input / output unit 21 receives inputs of these members' public keys mpk1, mpk2,..., Mpkn and provides them to the calculation unit 24.

The key storage unit 22 provides the calculation unit 24 with the revocation manager public key rpk expressed by the above-described formula 4. The revocation information storage unit 23 provides the revocation information P to the calculation unit 24.

The computing unit 24 uses the provided member public keys mpk1, mpk2,..., Mpkn, the revocation manager public key rpk, and the revocation information P to update the revocation information P ′ and b ′ after updating as shown in the following equation. Is calculated. b ′ is an updated value of the parameter b used to calculate the revocation manager public key rpk used in the above-described equation (4).

  The calculation unit 24 provides the calculated P ′ to the revocation information storage unit 23. In addition, the calculation unit 24 provides the calculated b ′ to the key storage unit 22. The revocation information storage unit 23 replaces P ′ provided from the calculation unit 24 with the revocation information P and newly sets the revocation information. The key storage unit 22 replaces b ′ provided from the calculation unit 24 with “b” of the revocation manager public key rpk, thereby updating the revocation manager public key.

  When a request for revocation information P is input to the input / output unit 21, the input / output unit 21 requests the revocation information P from the revocation information storage unit 23. However, the request for the revocation information P to the input / output unit 21 may be a person such as a revocation manager or a device such as a member device. Upon receiving the request for the revocation information P from the input / output unit 21, the revocation information storage unit 23 provides the revocation information P to the input / output unit 21.

  FIG. 4 is a flowchart in which the revocation manager public key rpk and revocation information P update operation performed by the revocation information management apparatus 10 shown in FIG. When the operation is started (step S101), the revocation information management apparatus 10 accepts input of public keys mpk1, mpk2,..., Mpkn of n members to be revoked from the input / output unit 21 as shown in Equation 7 (step S102). .

  The calculation unit 24 uses the input member public keys mpk1, mpk2,... Mpkn, the revocation manager public key rpk provided from the key storage unit 22 and the revocation information storage unit 23, and the revocation information P, and The revocation information P ′ and the parameter b ′ after the update are calculated by the formula shown in (Step S103).

  The computing unit 24 replaces the calculated P ′ with the revocation information P, updates the revocation information, updates the revocation manager public key rpk using the calculated parameter b ′ (step S104), and the update operation is performed as described above. Ends (step S105).

  FIG. 5 is a flowchart describing the update operation of the revocation processing operation in the member devices 11 to 1m shown in FIG. The operation is started (step S201), and the revocation information P updated in the above-described step S104 is input to the input / output unit 31 from the revocation information management apparatus 10 via the network or by the revocation manager's direct operation. (Step S202), the input / output unit 31 provides the revocation information P to the calculation unit 33. In addition, the key storage unit 32 provides the member public key mpk represented by the above equation 5 to the calculation unit 33.

The computing unit 33 uses the revocation information P provided from the input / output unit 31 and the member public key mpk provided from the key storage unit 32 to calculate integers α and β satisfying the following expressions (step S203).

Further, the calculation unit 33 calculates the parameter B ′ using the calculated α and β and the member public key mpk as follows (step S204).

  The calculation unit 33 provides the calculated parameter B ′ to the key storage unit 32. The key storage unit 32 replaces B in the expression representing the member public key mpk represented by the above-described equation 5 with B ′ provided from the calculation unit 33, thereby updating the member public key mpk (step S205). Thus, the update operation ends (step S206).

(Overall operation)
Next, the overall operation of the above embodiment will be described. In a group signature system in which a revocation information management device and a member device are connected to each other, a revocation processing method for revoking a specific member belonging to the revocation information management device 10 is subject to revocation processing. The revocation information management apparatus 10 calculates revocation information using the revocation member public keys (FIG. 4: step S103). The member devices 11 to 1m accept the input of the calculated revocation information (FIG. 5: Step S202), and the member devices 11 to 1m update the member's public key based on the calculated revocation information (FIG. 5). : Step S205).

  Here, each of the above operation steps is programmed to be executable by a computer, and these are executed by the revocation information management device 10 and the member devices 11 to 1m which are computers that directly execute the respective steps. Good.

  According to the embodiment described above, if the revocation member's public key is input to the revocation information management device 10, the revocation processing for each member's signature is performed by each member device 11-1m according to the revocation information calculated there. Executed. Therefore, it is not necessary to perform a complicated operation of reissuing the signatures of all members other than the revoked member with the revocation information management apparatus 10.

(Modification of embodiment)
The revocation process (FIG. 5) for each member signature executed in each member device 11 to 1m described above need not be executed at a time. For example, if the total number of revoked members is n and 1 ≦ i <n (where i and n are natural numbers), first, from the public key mpk1 of the first revoked member to the public key mpki of the i-th revoked member After the processing of FIG. 5 is executed and the processing of FIG. 5 is interrupted and other processing is performed, the remaining i + 1th revoked member public key mpki + 1 to the nth revoked member public key mpkn The process 5 may be executed.

  The present invention has been described with reference to the specific embodiments shown in the drawings. However, the present invention is not limited to the embodiments shown in the drawings, and any known hitherto provided that the effects of the present invention are achieved. Even if it is a structure, it is employable.

  The present invention can be applied to all digital data using an electronic signature. This is particularly useful in electronic signatures where it is necessary to prove that a signer belongs to a specific group.

It is explanatory drawing which shows the structure of the group signature system which concerns on embodiment of this invention. It is explanatory drawing shown in detail about the structure of the revocation information management apparatus shown in FIG. It is explanatory drawing shown in detail about the structure of the member apparatus shown in FIG. FIG. 3 is a flowchart describing an update operation of a revocation manager public key rpk and revocation information P performed by the revocation information management apparatus shown in FIG. 2. FIG. 4 is a flowchart describing an update operation of a revocation processing operation in the member device shown in FIG. 3.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Group signature system 10 Revocation information management apparatus 11, 12, 1m Member apparatus 21 Input / output part 22 Key storage part 23 Revocation information storage part 24 Calculation part 31 Input / output part 32 Key storage part 33 Calculation part

Claims (8)

A group signature system capable of revocation processing for revoking a specific member,
The revocation information management device and member devices are connected to each other.
The revocation information management device is
A first input / output unit that receives input of public keys of a plurality of revoked members that are targets of the revocation process;
A first calculation unit that calculates revocation information using public keys of the plurality of revoked members,
The member device is
A second input / output unit that receives input of the calculated revocation information;
A group signature system comprising: a second calculation unit that updates the public key of the member based on the calculated revocation information.   2. The group signature system according to claim 1, wherein the second input / output unit receives an input of the calculated revocation information from the first arithmetic unit via a network. The revocation information management device has a storage unit for storing a revocation manager public key,
The first calculation unit calculates the revocation information using the public keys of the plurality of revoked members and the revocation manager public key, and updates the revocation manager public key. Item 2. The group signature system according to Item 1. A revocation information management device that constitutes a group signature system that is interconnected with member devices and is capable of revocation processing for revoking a specific member.
An input / output unit that receives input of public keys of a plurality of revoked members that are targets of the revocation process;
A revocation information management apparatus comprising: a calculation unit that calculates revocation information using public keys of the plurality of revocation members. It is a member device that constitutes a group signature system that is interconnected with a revocation information management device and is capable of revocation processing for revoking a specific member.
An input / output unit for receiving input of revocation information calculated by the revocation information management device;
A member device comprising: an arithmetic unit that updates the public key of the member based on the calculated revocation information. In a group signature system in which a revocation information management device and a member device are connected to each other, a revocation processing method for revoking a specific member,
The revocation information management device accepts input of public keys of a plurality of revocation members that are targets of the revocation process,
The revocation information management device calculates revocation information using public keys of the plurality of revocation members,
The member device accepts input of the calculated revocation information,
The revocation processing method, wherein the member device updates the public key of the member based on the calculated revocation information. A computer that constitutes a revocation information management device that constitutes a group signature system that is reciprocally connected to member devices and capable of revocation processing for revoking specific membership members,
A process of accepting input of public keys of a plurality of revoked members that are targets of the revocation process;
A revocation processing program that executes revocation information calculation processing using public keys of the plurality of revocation members. A computer that constitutes a member device that constitutes a group signature system that is reciprocally connected to the revocation information management device and is capable of revocation processing for revoking a specific member.
Processing for receiving input of revocation information calculated by the revocation information management device;
A revocation processing program that executes a process of updating the public key of the member based on the calculated revocation information.

Images