JP2011114504A - Anonymous authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an anonymous authentication system reduced in communication loads by making the size of a public key small. <P>SOLUTION: In the anonymous authentication system comprising a management device, a device for members and an authentication device, the management device includes: a table for belonging certificates for dividing members into a plurality of subgroups and storing belonging certificates generated on the basis of an ID for a subgroup and an individual ID; a table for public keys for using a member's valid individual ID of each subgroup to store a value defined by an accumulator as a public key; and a table for auxiliary certificates for storing auxiliary certificates generated by using a public key of a subgroup specified by the ID for a subgroup and the ID for a subgroup, and makes a memory of the device for members store the public key together with the belonging certificate for members and the auxiliary certificates. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an anonymous authentication system, and more particularly, to an anonymous authentication system using a group signature.

  In providing a service using a network such as the Internet, personal authentication is generally performed using an ID and a password in order to manage the users who use the service. Only users who pass this personal authentication pass. I try to provide services.

  This personal authentication is performed using an authentication device called an authentication server, and an authentication history is stored as a log in the authentication server based on an authentication process by the authentication server.

  This authentication history is composed of information such as which user did what and when, and by analyzing this information, it is possible to acquire personal information such as user access history, and leakage of authentication history. Has the same meaning as the leakage of personal information.

  Therefore, in the authentication server, it is necessary to prevent leakage of the authentication history, and strict management is required.

  In order to avoid the accumulation of the authentication history of an individual user in such an authentication server, a group signature has been proposed as a method for enabling anonymous authentication.

  The group signature authenticates that each user belongs to a predetermined group, and can authenticate the user without individually specifying the user at the time of authentication.

  That is, in the group signature, the administrator provides an ID for identifying an individual user, but the user is given an affiliation certificate generated based on the ID instead of the ID, Based on the individual affiliation certificate, a signature that guarantees possession of the affiliation certificate without leaking the affiliation certificate itself is generated, and this signature is verified by a predetermined authentication server.

More specifically, the administrator manages the ID of the user i as x _i for management, generates the belonging certificate Cert (x _i ) for each user, and creates the belonging certificate Cert ( x _i ) is assigned to user i.

When the user i receives a predetermined service via a telecommunication line such as the Internet, the user i sends a signature generated from the affiliation certificate Cert (x _i ) to the authentication server, and the authentication server uses the public key, Whether or not the transmitted signature is a correct signature is verified, and if the signature is correct, the use of the user i is permitted. It is mathematically guaranteed that x _i cannot be identified from the signature. Further, the administrator discloses a predetermined public key.

Thus, the authentication server is only x in _i no sign private personally identifiable information is accumulated, since it has the anonymity of this signature x _i can not be identified, the personal information It is possible to solve the problem of leakage.

On the other hand, only the administrator who manages x _i , which is the ID of user i, can identify user i from the signature, and only the administrator can prevent information leakage by taking strict information leakage countermeasures. The management cost can be reduced by eliminating the need for information leakage countermeasures. And only when it is necessary to specify the user i by an illegal act etc., the administrator can maintain the reliability by specifying the user i. In the group signature, “user” is generally referred to as “member”, and in the present invention, the term “member” is used.

  However, in group signatures that allow anonymous authentication, the disadvantage of not specifying individual members is that the members who have declared suspension of service use or the members who have been deprived of their authority as members are revoked. It was difficult to identify the person.

  That is, the process for determining whether or not the member who transmitted the signature data to the authentication server is a revoker must be performed without specifying the member.

  Several methods have been proposed as a method for performing such revocation processing for determining a revoked person.

Group As one, the set of all members of the ID, that, x _1, · · ·, f the accumulator using a _{x n (x 1, ···,} x n) the values y which is defined as a = y The public key of the group is updated each time a revoker occurs, and the secret key w _j related to the accumulator of each member is updated based on the updated public key of the group. A method for generating a signature based on w _j has been proposed (see, for example, Non-Patent Document 1 and Non-Patent Document 2).

In this case, since the member set for revocation cannot generate the private key w _j , when the signature is generated and verified by the authentication server, it cannot be recognized as the correct signature, and the revoked person is surely excluded. be able to.

In this method, the calculation load for ensuring that x _i is accumulated does not depend on the number of expired members, so that the calculation can be speeded up.

Camenish, Lysyanskaya: Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials.CRYPTO 2002, pp. 61-76, 2002. Camenish, Kohlweiss, Soriente: An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials.PKC 2009, pp. 481-500, 2009.

However, when the value y defined as f (x ₁ ,..., X _n ) = y by the accumulator is used as the group public key, the IDs of all members are used as the group public key. When a large-scale group is configured, the public key becomes extremely large, and the communication load for passing the group public key to each member becomes large, and there is a possibility that the influence of this communication load cannot be ignored.

  Therefore, the present inventor has conducted research and development in order to reduce the communication load by reducing the size of the public key, and has achieved the present invention.

  In the anonymous authentication system of the present invention, a affiliation certificate to be given to each member belonging to a group, revocation information that is information of a revoked member, and a management device that manages a public key, and the affiliation certificate A member device comprising a storage means for storing a certificate, a signature generation means for generating a signature using the affiliation certificate stored in the storage means, and verifying the signature transmitted from the member device In the anonymous authentication system comprising an authentication device provided with a verification means, the management device divides the members into a plurality of subgroups, and the affiliation proof generated based on the subgroup ID and personal ID The value defined by the accumulator using the affiliation certificate table storing the certificate and the personal ID of the valid member of each subgroup as the public key A stored public key table, an auxiliary certificate table storing an auxiliary certificate generated using the subgroup public key identified by the subgroup ID and the subgroup ID, In the storage unit of the member device, the membership certificate and auxiliary certificate for the member are stored, and the public key is stored.

  In addition, the anonymous authentication system of the present invention is characterized in that the management device has public key update means for updating the public key stored in the public key table every time the revocation information is updated. .

Furthermore, the anonymous authentication system of the present invention is characterized in that the number of subgroups is set to a minimum integer of N ^1/2 or more when the total number of members is N.

  According to the present invention, by dividing members into subgroups, the key length of the public key can be shortened, the communication load of the public key can be reduced, and anonymous authentication can be performed at high speed.

  In addition, since the key length of the public key is shortened, the speed of calculation using the public key can be improved, and the speed of calculation processing can also be increased.

In particular, when the total number of members is N, and the minimum number of subgroups equal to or greater than N1 ^{/ 2} is provided, the number of members belonging to each subgroup is set to about N1 ^{/ 2} . For example, when the total number of members is 1 million, the total number of members of the subgroup is 1000, and anonymous authentication can be executed at the highest speed.

It is system configuration explanatory drawing of the anonymous authentication system which concerns on this embodiment. It is explanatory drawing of the operation | movement sequence of the anonymous authentication system which concerns on this embodiment.

  The anonymous authentication system of the present invention uses a group signature. As shown in FIG. 1, a telecommunication line 10 such as the Internet is provided for a management device 20 used by an administrator and a member used by a member. The apparatus 30 is connected to the authentication apparatus 40 that executes the authentication process, and the signature generated by the member apparatus 30 is verified by the authentication apparatus 40.

  The management device 20, the member device 30, and the authentication device 40 are each composed of an electronic computer and can be connected to the telecommunication line 10. In particular, the management device 20 and the authentication device 40 are not limited to being configured by a single electronic computer, and may be configured by a plurality of electronic computers.

  In FIG. 1, the management device 20 is provided independently of the authentication device 40. However, the management device 20 does not necessarily have to be independent of the authentication device 40, and the management device 20 and the authentication device 40 are dedicated. The management device 20 may be connected to the telecommunication line 10 via a line and via the authentication device 40.

  The management device 20 is provided with management means for managing membership certificates to be assigned to members belonging to a group, revocation information that is information on revoked members, and public keys.

In particular, the members are divided into a plurality of subgroups, and an ID for identifying one member is set by combining the ID of the subgroup to which the member belongs and a personal ID within the subgroup. Here, for convenience of explanation, it is assumed that the ID of the subgroup is S _j and the personal ID in the subgroup is represented by x _i .

  Specifically, the management means provided in the management device 20 includes a membership certificate table storing a membership certificate generated based on a subgroup ID and a personal ID, and valid members of each subgroup. Auxiliary proof generated using the public key table storing the value defined by the accumulator using the personal ID as a public key, and the subgroup public key and subgroup ID specified by the subgroup ID This is a table for auxiliary certificates storing certificates.

For convenience of explanation, it is assumed that represent the affiliation certificate generated based on the x _i If it is S _j and personal ID is an ID for subgroup Cert (S _j, x _i) and. Note that i = 1, 2,..., M and j = 1, 2,.

The membership certificate table stores Cert (S _j , x _i ) (i = 1, 2,..., M, j = 1, 2,..., K) of all members.

The public key stored in the public key table is provided for each subgroup, and f (x ₁ ,..., X _n ) is obtained by the accumulator f using the personal ID of a valid member of the subgroup. = Y _j (j = 1, 2,..., K) and stored in the public key table.

The auxiliary certificate stored in the auxiliary certificate table is generated from S _j that is a subgroup ID and y _j that is the public key of the subgroup. It will be expressed as (S _j , y _j ).

  As described above, the public key is generated using the personal ID of a valid member of the subgroup, and the revocation of the member who has declared suspension of use of the service or the member whose authority as a member has been revoked When a password is generated, the management device 20 updates the public key.

More specifically, for example, when a subgroup is composed of five members x ₁ , x ₂ , x ₃ , x ₄ , and x ₅ , the public key is f (x ₁ , x ₂ , x ₃ , x ₄ , x ₅ ) = y, and when the member x ₃ is revoked, the management apparatus 20 sets f (x ₁ , x ₂ , x ₄ , x ₅ ) = y ′ by the public key update means A new public key is generated, and the new public key is stored in the public key table.

Further, along with the update of the public key, the management device 20 updates the auxiliary certificate Cert (S _j , y _j ) generated using the public key by the auxiliary certificate update means, and creates a new auxiliary certificate. Is stored in the auxiliary certificate table.

  Each of the public key update unit and the auxiliary certificate update unit is a predetermined program, and is activated as appropriate in accordance with the revocation process in the management apparatus 20 to update the public key and the auxiliary certificate.

  The management device 20 can easily increase or decrease the number of members by preparing a membership certificate in advance based on the maximum possible total number of members and by setting members who have not been assigned a membership certificate as revoked members. Yes. Further, when it becomes necessary to manage more members than the total number of members assumed in advance, it can be handled relatively easily by increasing the total number of members in units of subgroups.

The member device 30 stores the membership certificate Cert (S _j , x _i ) and auxiliary certificate Cert (S _j , y _j ) for the member given by the administrator who manages the management device 20. Storage means for storing the public key y _j published by the management device 20, the affiliation certificate Cert (S _j , x _i ), the auxiliary certificate Cert (S _j , y _j ), and the public key Signature generation means for generating a signature by using is provided.

Here, the storage means for storing the affiliation certificate Cert (S _j , x _i ), the auxiliary certificate Cert (S _j , y _j ) and the public key is generally a hard disk, but is limited to the hard disk An appropriate storage device may be used instead. In particular, the public key may be obtained from the management device 20 via the telecommunication line 10 in the signature generation stage and stored in an appropriate memory.

Further, in the present embodiment, the member device 30 generates the signature using the public key y _j reflecting the revocation information as the public key y _j is obtained from the management device 20 when generating the signature. To do. Further, the member for apparatus 30, an auxiliary certificate Cert (S _j, y _j) by using the public key y _j acquired updated the updated auxiliary certificate Cert (S _j, y _j) by using a signature Is going to generate.

The signature generation means is a predetermined program executed by the member device 30 and includes an affiliation certificate Cert (S _j , x _i ) and an auxiliary certificate Cert (S _j , y _j ) stored in the storage means. The signature is generated using the public key. In particular, in the present embodiment, a signature is generated by performing a predetermined operation with zero knowledge proof.

  The member device 30 transmits the signature generated via the telecommunication line 10 to the authentication device 40.

  The authentication device 40 is provided with verification means for verifying the signature transmitted from the member device 30.

  The verification means is a predetermined program executed by the authentication device 40, and uses the signature transmitted from the member device 30 and the signature transmitted from the management device 20 using the public key. The authenticity is determined, and when the transmitted signature is a correct signature, use of a predetermined service by the member is permitted.

Below, operation | movement of the anonymous authentication system of this embodiment is demonstrated using explanatory drawing shown in FIG. In the following, a case where the public key y _j is obtained when the signature is generated in the member device 30 will be described.

  Also, the operation for generating a signature by the member device 30 is usually performed as a background process, and when the member tries to use a predetermined service using the member device 30, the operation is executed in the background. is there.

Here, it is assumed that the member x _i is registered as a member in the management device 20, and the affiliation certificate Cert (S _j , x _i ) and the auxiliary certificate Cert (S _j are stored in the storage unit of the member device 30. , y _j ) are stored. Further, it is assumed that the public key y _j is also stored in the storage means of the member device 30.

First, in the member device 30, when the member requests access to a predetermined site (step S101), the member device 30 requests the management device 20 to transmit the public key y _j (step S102).

The management device 20 transmits the public key y _j to the member device 30 in response to the request (step S103). The public key y _j is not limited to being acquired from the management device 20, and may be acquired from the authentication device 40.

When the acquired public key y _j is the updated public key y _j based on the revocation information, the member device 30 updates the public key y _j stored in the storage unit of the member device 30 and adds the auxiliary certificate The document Cert (S _j , y _j ) is updated (step S104).

Next, the member device 30 generates a signature using the affiliation certificate Cert (S _j , x _i ), the updated public key y _j and the auxiliary certificate Cert (S _j , y _j ) (step S105). The generated signature is transmitted to the authentication device 40 (step S106).

Upon receiving the signature, the authentication device 40 requests the management device 20 to transmit the public key y _j (step S107). The management device 20 transmits the public key y _j to the authentication device 40 in response to the request (step S108), and executes signature verification processing using the acquired public key y _j (step S109).

  When the signature is correct, the authentication device 40 permits the member to access a predetermined site (step S110) and accesses the site.

As described above, in the anonymous authentication system of this embodiment, by previously dividing the member into subgroups, it is possible to shorten the key length of the public key y _j, to reduce the communication load of the public key y _j Anonymous authentication can be performed at high speed.

In addition, since the key length of the public key y _j is shortened, the transmission process of the auxiliary certificate Cert (S _j , y _j ) using the public key can be accelerated.

In particular, when the total number of members is N, and the minimum number of subgroups equal to or greater than N1 ^{/ 2} is provided, the number of members belonging to each subgroup is set to about N1 ^{/ 2} . For example, when the total number of members is 1 million, the total number of members of the subgroup is 1000, and anonymous authentication can be executed at the highest speed.

  In addition, the extended body element is usually used as the personal ID. By specifying the member by the ID of the subgroup and the personal ID in the subgroup, the extended body element necessary for the personal ID is used. As a result, it is possible to speed up the calculation.

10 Telecommunications line
20 Management device
30 Member device
40 Authentication device

Claims (3)

A management device provided with a management means for managing the membership certificate to be assigned to each member belonging to the group, the revocation information that is information of the revoked member, and the public key;
A storage unit for storing the membership certificate, and a member device including a signature generation unit for generating a signature using the membership certificate stored in the storage unit;
In a group signature system comprising an authentication device comprising verification means for verifying the signature transmitted from the member device,
In the management device,
A member certificate table storing the member certificate generated based on a subgroup ID and a personal ID by dividing the member into a plurality of subgroups;
A public key table that stores, as public keys, values defined by the accumulator using personal IDs of valid members of each subgroup;
An auxiliary certificate table storing an auxiliary certificate generated using the subgroup public key identified by the subgroup ID and the subgroup ID; and the storage means of the member device In addition, the group signature system stores the membership certificate and the auxiliary certificate for the member and the public key.   2. The group signature system according to claim 1, wherein the management device includes public key update means for updating the public key stored in the public key table each time the revocation information is updated. 3. The group signature system according to claim 1, wherein the number of the subgroups is a minimum integer of N ^1/2 or more, where N is the total number of the members.

Images