JP2013257456A - Certification device, verification device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily strengthen safety of an IBI protocol.SOLUTION: A certification device outputs (a,a) by (a,st)←Σ(mpk,M(id,b(id),sk, c←Σ(mpk), and (a,u←Σ(mpk,M(id,rb(id),c. A verification device outputs c←Σ(mpk). The certification device outputs (c,u,u) by c=c-c, and u←Σ(mpk,M(id,b(id),sk,a,c,st). The verification device obtains c=c-c, and determines whether both Σ(mpk,M(id,0),a,c,u) and Σ(mpk,M(id,1),a,c,u) are accepted.

Description

  The present invention relates to partner authentication in information security technology, and more particularly to a security enhancement method in a partner authentication method (ID-based authentication method) using an identifier (ID) of an authentication partner as a public key.

There is a partner authentication technique as a technique for confirming the legitimacy of a communication partner. As a method for realizing partner authentication, in addition to a method using a password and a protocol using a digital signature (SI protocol), an ID-based authentication protocol (hereinafter referred to as a public key) that uses an identifier such as a user name or an e-mail address IBI protocol). In general, the IBI protocol is executed by a key issuing authority, a certifier, and a verifier. The key issuing authority issues a secret key sk _id corresponding to the identifier id of the prover to the prover, and the prover and the verifier communicate with each other, so that the verifier obtains the secret key sk _id corresponding to the identifier id. It is a technology that can verify "having".

  Security in the IBI protocol is defined by the strength of the attack, and the strongest security is that impersonation under concurrent attacks (hereinafter referred to as “imp-ca security”). Also, the definition of weak security is that it cannot impersonate passive attacks (secure against impersonation under passive attacks, hereinafter referred to as “imp-pa security”). The difference between imp-ca safety and imp-pa safety is roughly the same: the attacker who is assumed to be imp-ca secure always accesses and operates in parallel all users using the IBI protocol. On the other hand, attackers who are assumed to be imp-pa secure are only allowed to eavesdrop on the communication history between users of the IBI protocol (for example, Non-Patent Document 1). reference).

  Assuming actual use, it is desirable to use an imp-ca secure IBI protocol with higher security. In order to solve this problem, Non-Patent Document 2 proposes a method of configuring an imp-ca secure IBI protocol based on the imp-pa secure IBI protocol. The configuration of Non-Patent Document 3 prepares two parameters in the imp-pa secure scheme, and performs authentication using a secret key issued using each parameter for one identifier. However, this configuration is based on a specific method (a method in which the Boneh-Boyen digital signature method (for example, see Non-Patent Document 3) is extended to the IBI protocol), and a general-purpose configuration method is not shown. .

  As a well-known fact, there is a technique called OR-prof as a method of constructing an imp-ca secure SI protocol from an imp-pa secure SI protocol. In general, OR-proof is a method of “providing that one of two pieces of secret information (secret key) is possessed” (see, for example, Non-Patent Document 4). However, the OR-prof technique is a concept level talk as described above, and except for the method of Non-Patent Document 4, the configuration of the OR-prof that can prove the enhanced security by ID-based authentication is not well understood. It was.

Mihir Bellare, Chanathip Namprempre, and Gregory Neven, “Security proofs for identity-based identication and signature schemes,” In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 268-286, Springer -Verlag, 2004. Kaoru Kurosawa and Swee-Huay Heng, “Identity-based identi cation without random oracles,” In Osvaldo Gervasi, Marina L. Gavrilova, Vipin Kumar, Antonio Lagana, Heow Pueh Lee, Youngsong Mun, David Taniar, and Chih Jeng Kenneth Tan, editors, ICCSA 2005, Part II, volume 3481 of Lecture Notes in Computer Science, pages 603-613, Springer-Verlag, 2005. Dan Boneh and Xavier Boyen, “Short signatures without random oracles,” In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 56-73, Springer, 2004. Uriel Feige and Adi Shamir, “Witness indistinguishable and witness hiding protocols,” In STOC'90, pages 416-426, ACM, 1990.

An object of the present invention is to provide a technique that can be universally applied to any Σ ⁺ type and / or Σ ^* type IBI protocol and can easily enhance the safety of the IBI protocol.

As a premise, SK _ID ← KG (MSK, ID) is a mapping for obtaining the secret key SK _ID from the master secret key MSK and the identifier ID, and (A, ST) ← Σ _ibi-com (MPK, ID, SK _ID ) is This is a mapping that obtains commitment A and internal state information ST from master public key MPK, identifier ID, and secret key SK _ID , and C ← Σ _ibi-ch (MPK, ID) obtains challenge C from master public key MPK and identifier ID. U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) is a response from master public key MPK, identifier ID, secret key SK _ID , commitment A, challenge C, and internal state information ST DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is a master public key MPK, identifier ID, and commit Is a map that obtains a verification result DEC from an event A, a challenge C, and a response U, and C ′ ← Σ ⁺ _ibi-ch (MPK) is a map that obtains a challenge C ′ from the master public key MPK, and C ′ ← Σ ^* _{ibi −ch} (1 ^κ ) is a mapping for obtaining the challenge C ′ from the security parameter 1 ^κ , and (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is the master public key MPK, the identifier ID, and the challenge This is a mapping for obtaining a commitment A ′ and a response U ′ for which the verification result DEC is accepted for the challenge C from C.

[First aspect]
In the first aspect, the master public key MPK is mpk, the master secret key MSK is msk, id is a user identifier, M (α, β) is a value corresponding to α and β, and sk _{( id, b (id))} is obtained by sk _{(id, b (id))} ← KG (msk, M (id, b (id))) corresponding to any b (id) ∈ {0, 1} Rb (id) = 1−b (id). In the first aspect, the following processing is executed on the premise of these.
Proof _device, the st and _{(a b (id), st} ) ← Σ ibi-com (mpk, M (id, b (id)), sk (id, b (id))) by _{a b (id)} Then, crb _(id) is obtained by crb _(id) <-Σ ⁺ _ibi-ch (mpk), and (arb _(id) , urb _(id) ) <-Σibi _-sim (mpk, M (id, rb _(id)), to give _{a rb (id)} and _{u rb} an _(id) by _{c rb (id)),} and outputs the commitment _(a 0, a _1).
The verification device receives an input of commitment (a ₀ , a ₁ ), obtains challenge c by c ← Σ ⁺ _ibi-ch (mpk), and outputs challenge c.
The proving device obtains c _{b (id)} = c−c _{rb (id)} from the input challenge c, and u _{b (id)} ← Σ _ibi-res (mpk, M (id, b (id)), sk U _{b (id)} is obtained by _{(id, b (id))} , a _{b (id)} , c _{b (id)} , st), and a response (c ₀ , u ₀ , u ₁ ) is output.
The verification device accepts the input of the response (c ₀ , u ₀ , u ₁ ), obtains c ₁ = c−c ₀ , and dec ← Σ _ibi-vrfy (mpk, M (id, 0), a ₀ , c ₀ , u ₀ ) and the verification result dec ′ obtained by dec ′ ← Σ _ibi-vrfy (mpk, M (id, 1), a ₁ , c ₁ , u ₁ ) are both accepted. It is determined whether it becomes.

[Second embodiment]
In the second mode, the master public key MPK is mpk, the master secret key MSK is msk, id is a user identifier, M (α, β) is a value corresponding to α and β, and b ( id) ∈ {0, 1}, and sk _{(id, b (id))} is a value obtained by sk _{(id, b (id))} ← KG (msk, M (id, b (id))) Yes, rb (id) = 1-b (id). In the second aspect, the following processing is executed on the premise of these.
The proving device corresponds to any of b (id) ε {0, 1} (a _{b (id)} , st) ← Σ _ibi-com (mpk, M (id, b (id)), sk _{(id , B (id))} ) to obtain a _{b (id)} and st, and crb _(id) ← Σ ⁺ _ibi-ch (mpk ₎ to obtain crb _(id) , and (a _{rb (id)} , u _{rb (id)) ← Σ ibi-} sim give (mpk, M (id, rb (id)), a rb by _{c rb (id)) (id} ) and _{u rb (id),} commitment _(a 0, a ₁ ) Is output.
The verification device receives an input of commitment (a ₀ , a ₁ ), obtains challenge c by c ← Σ ⁺ _ibi-ch (mpk), and outputs challenge c.
The proving device obtains c _{b (id)} = c−c _{rb (id)} from the input challenge c, and u _{b (id)} ← Σ _ibi-res (mpk, M (id, b (id)), sk U _{b (id)} is obtained by _{(id, b (id))} , a _{b (id)} , c _{b (id)} , st), and a response (c ₀ , u ₀ , u ₁ ) is output.
The verification device accepts the input of the response (c ₀ , u ₀ , u ₁ ), obtains c ₁ = c−c ₀ , and dec ← Σ _ibi-vrfy (mpk, M (id, 0), a ₀ , c ₀ , u ₀ ) and the verification result dec ′ obtained by dec ′ ← Σ _ibi-vrfy (mpk, M (id, 1), a ₁ , c ₁ , u ₁ ) are both accepted. It is determined whether it becomes.

[Third Aspect]
In the third aspect, the master public key MPK is mpk, the master secret key MSK is msk, id is a user identifier, id _master is a master identifier, id ≠ id _master , and sk _id is sk. It is a value obtained by _id ← KG (msk, id). In the third aspect, the following processing is executed on the premise of these.
Proof _device, to obtain a _{(a 0, st) ← Σ} ibi-com (mpk, id, sk id) to give the _{a 0} and st by, _{c 1} by ^{_{c 1 ← Σ + ibi-ch}} (mpk), (a ₁ , u ₁ ) ← Σ _ibi-sim (mpk, id _master , c ₁ ) to obtain a ₁ and u ₁ and output a commitment (a ₀ , a ₁ ).
The verification device receives an input of commitment (a ₀ , a ₁ ), obtains challenge c by c ← Σ ⁺ _ibi-ch (mpk), and outputs challenge c.
Proof device, obtain the _c 0 = _{c-c 1} from the input challenge c, obtained _{u 0 ← Σ ibi-res (} mpk, id, sk id, a 0, c 0, st) and the _{u 0,} response (C ₀ , u ₀ , u ₁ ) is output.
The verification device receives the input of the response (c ₀ , u ₀ , u ₁ ), obtains c ₁ = c−c ₀ , and dec ← Σ _ibi-vrfy (mpk, id, a ₀ , c ₀ , u ₀ ) It is determined whether the verification result dec obtained by the above and the verification result dec ′ obtained by dec ′ ← Σ _ibi-vrfy (mpk, id _master , a ₁ , c ₁ , u ₁ ) are accepted.

[Fourth aspect]
In the fourth aspect, each of (mpk ₀ , msk ₀ ) and (mpk ₁ , msk ₁ ) is a key pair (MPK, MSK) of a master public key and a master secret key, id is a user identifier, sk _{(id, b (id))} is a value obtained by sk _{(id, b (id))} ← KG (msk _{b (id)} , id) corresponding to any b (id) ∈ {0, 1} And rb (id) = 1−b (id). In the fourth aspect, the following processing is executed on the premise of these.
Proof _device, to obtain a st and _{(a b (id), st} ) ← Σ ibi-com (mpk b (id), id, sk (id, b (id))) by _{a b (id), c rb ^{(id) ← Σ * ibi-}} ch give _{c rb (id)} by _{^{(1 κ), (a rb}} (id), u rb (id)) ← Σ ibi-sim (mpk rb (id), id, c _{rb (id)} ) obtains a _{rb (id)} and u _{rb (id)} , and outputs the commitment (a ₀ , a ₁ ).
The verification device receives the input of commitment (a ₀ , a ₁ ), obtains challenge c by c ← Σ ^* _ibi-ch (1 ^κ ), and outputs challenge c.
The proving device obtains c _{b (id)} = c−c _{rb (id)} from the input challenge c, and u _{b (id)} ← Σ _ibi-res (mpk _{b (id)} , id, sk _{(id, b (id)), a b (} id), c b (id), st) give _{u b (id)} by, outputs a response _{(c 0, u 0, u} 1).
The verification device receives the input of the response (c ₀ , u ₀ , u ₁ ), obtains c ₁ = c−c ₀ , and dec ← Σ _ibi-vrfy (mpk ₀ , id, a ₀ , c ₀ , u ₀ ) And the verification result dec ′ obtained by dec ′ ← Σ _ibi-vrfy (mpk ₁ , id, a ₁ , c ₁ , u ₁ ) are determined to be acceptable.

The present invention can be applied universally to all IBI protocols of the Σ ⁺ type and the Σ ^* type, and the safety of the IBI protocol can be easily enhanced.

It is a block diagram which illustrated the composition of the authentication system of an embodiment. It is the flowchart which illustrated the authentication method of 1st Embodiment. It is the flowchart which illustrated the authentication method of 1st and 2 embodiment. It is the flowchart which illustrated the authentication method of 2nd Embodiment. It is the flowchart which illustrated the authentication method of 3rd Embodiment. It is the flowchart which illustrated the authentication method of 3rd Embodiment. It is the flowchart which illustrated the authentication method of 4th Embodiment. It is the flowchart which illustrated the authentication method of 5th Embodiment.

An embodiment of the present invention will be described.
<Definition>
First, terms used in this embodiment are defined.

≪ID-based authentication protocol≫
The ID-based identification protocol (Identity-based identification protocol: IBI protocol) is a partner authentication method that can use a user identifier as a public key. In general, the ID-based authentication protocol is executed by a key issuing authority, a prover, and a verifier. In the ID-based authentication protocol, the key issuing authority issues a secret key SK _ID corresponding to the identifier ID of the prover to the prover, and the verifier and the verifier communicate with each other. It can be verified that it has a corresponding SK _ID . More formally, ID-based authentication consists of the following four probabilistic polynomial time algorithms IBI = (SetUp, KG, P, V).
SetUp (master key generation algorithm): SetUp executed by the key issuing authority outputs the security parameter 1 ^κ as an input and outputs a master secret key MSK and a master public key MPK of an ID-based encryption method ((MPK, MSK)) ← SetUp (1 ^κ)). The master secret key MSK is kept secret, and the master public key MPK is made public. Note that κ is a positive integer, and 1 ^κ is a bit string of length κ in which 1s are arranged.
KG (User Key Generation Algorithm): KG receives MSK and identifier ID, and outputs a secret key SK _ID corresponding to the _ID (SK _ID ← KG (MSK, ID)).
P (provider algorithm): P communicates with V with (MPK, ID, SK _ID ) as input.
V (verifier algorithm): (MPK, ID) is input, communicates with P, and finally verifies that the prover has the SK _ID , “accept”, otherwise “accept” "Reject" is output.
Among the above, the key issuing authority executes SetUp and KG, the prover executes P, and the verifier executes V.

≪Σ ⁺ type and Σ ^* type IBI protocol≫
Here, assuming that the IBI protocol IBI = (SetUp, KG, P, V), the communication between P and V is completed in three times, and P and V are represented by the following stochastic polynomial time algorithm (Σ _ibi-com , Σ _{ibi). -Ch} , Σ _ibi-res , Σ _ibi-vrfy ) (“standard IBI protocol”).
P → V: P calculates (A, ST) ← Σ _ibi-com (MPK, ID, SK _ID ) and sends commitment A to V. However, ST is P's internal state information. (A, ST) ← Σ _ibi-com (MPK, ID, SK _ID ) is an algorithm for obtaining the commitment A and the internal state information ST from the master public key MPK, the identifier ID, and the secret key SK _ID .
V → P: V calculates challenge C ← Σ _ibi-ch (MPK, ID) and sends C to P. However, C ← Σ _ibi-ch (MPK, ID) is an algorithm for obtaining the challenge C from the master public key MPK and the identifier ID.
P → V: P calculates the response U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) and sends U to V. However, U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) is a response U from the master public key MPK, the identifier ID, the secret key SK _ID , the commitment A, the challenge C, and the internal state information ST. Is the algorithm to obtain
V: V calculates the verification result DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U), and outputs DECε {accept, reject}. However, DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is an algorithm for obtaining the verification result DEC from the master public key MPK, the identifier ID, the commitment A, the challenge C, and the response U.

Among the standard IBI protocols, an IBI protocol that simultaneously satisfies the following three properties (special zero-knowledge, special soundness, and special challenge) is called a Σ ⁺ type IBI protocol.

Special zero-knowledge: An acceptable communication history can be calculated from the challenge C, the master public key MPK, and the identifier ID. That is, C satisfying MPK, ID and C ← Σ _ibi-ch (MPK, ID) is input and satisfying accept = Σ _ibi-vrfy (MPK, ID, A, C, U) (verification result DEC is accepted) The probabilistic polynomial time algorithm Σ _ibi-sim (MPK, ID, C) that outputs commitment and response (A ′, U ′) can be constructed. However, (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is changed from the master public key MPK, the identifier ID, and the challenge A to the commitment A ′ whose verification result DEC is accepted from the challenge C to the challenge C. An algorithm for obtaining the response U ′ is assumed. Here, the probability distribution of the outputs of Σ _ibi-ch and Σ _ibi-sim is indistinguishable from the output distribution of the actual protocol.

Special soundness: Secret corresponding to the identifier ID from the master public key MPK, the identifier ID, and the two communication histories (A, C, U) (A, C ″, U ″) (where C ≠ C ″) Key SK _ID can be calculated. That is, two communication histories (MPK, ID, A, C ″, U ″) satisfying MPK, ID, and accept = Σ _ibi-vrfy (MPK, ID, A, C, U) = Σ _ibi-vrfy (MPK, ID, A, C ″, U ″) a, C, U), ( a, C '', U ' and enter'), probabilistic polynomial time algorithm _{SK ID} for outputting _{SK ID ← Σ ibi-ext (} MPK, (a, C, U), (A, C ″, U ″)) can be configured.

Special challenge: Σ _ibi-ch depends only on the master public key MPK (that is, independent of ID), and its output challenge C ′ is an element of a set G (for example, a commutative group) and is output Is a uniform distribution on G. Furthermore, the operation + on G can be performed in polynomial time. That is, there is a stochastic polynomial time algorithm C ′ ← Σ ⁺ _ibi-ch (MPK) that takes only MPK as input and outputs C ′, and its output has a uniform distribution on G.

In addition, the IBI protocol in which the special challenge is replaced by the following Strongly special challenge in the above Σ ⁺ type property is referred to as a Σ ^* type IBI protocol.
Strongly special challenge: Σ ^* _ibi-ch depends only on security parameter 1 ^κ (ie independent of MPK and ID), and its output challenge C ′ is an element of a certain set G (eg commutative group) The output distribution is a uniform distribution on G. Furthermore, the operation + on G can be performed in polynomial time. That is, there is a stochastic polynomial time algorithm C ′ ← Σ ^* _ibi-ch (1 ^κ ) that takes only the security parameter 1 ^κ as an input and outputs a challenge C ′, and its output is a uniform distribution on G.

≪Specific examples of Σ ⁺ type and Σ ^* type IBI protocol≫
There are many specific methods for the above-mentioned Σ ⁺ type and Σ ^* type IBI protocols, and their configuration methods are well known.

For example, as a specific example of the Σ ⁺ type IBI protocol, Reference 1 “Kaoru Kurosawa and Swee-Huay Heng,“ Identity-based identification without random oracles, ”In Osvaldo Gervasi, Marina L. Gavrilova, Vipin Kumar, Antonio Lagana, Heow Pueh Lee, Youngsong Mun, David Taniar, and Chih Jeng Kenneth Tan, editors, ICCSA 2005, Part II, volume 3481 of Lecture Notes in Computer Science, pages 603-613, Springer-Verlag, 2005. '' is there. In this method, the Boneh-Boyen method (reference document 2 “Dan Boneh and Xavier Boyen,“ Short signatures without random oracles, ”In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 56 -73, Springer, 2004.) has been shown to be imp-ca safe if it can potentially be counterfeit against an adaptive selected document attack.

As a specific example of the Σ ^* type IBI protocol, Reference 3 “Mihir Bellare, Chanathip Namprempre, and Gregory Neven,“ Security proofs for identity-based identification and signature schemes, ”Journal of Cryptology, 22 (1): 1-61, January 2009, Preliminary version in EURO-CRYPT 2004, 2004. ”. The scheme described in Reference 3 is based on Shamir's ID-based signature (Reference 4 “Adi Shamir,“ Identity-based cryptosystems and signature schemes, ”In George Robert Blakley and David Chaum, editors, CRYPTO '84, volume 196 of Lecture Notes in Computer Science, pages 47-53, Springer-Verlag, 1985, etc.)).

Specific examples of the Σ ⁺ type and Σ ^* type IBI protocols are shown below. However, these do not limit the present invention, and the present invention can be applied universally to various Σ ⁺ and / or Σ ^* type IBI protocols.

[Σ ⁺ type IBI protocol of Reference 1]
The Σ ⁺ type IBI protocol of Reference 1 is illustrated. In this example, (G ₁ , G ₂ ) is a bilinear group with prime order p, g ₁ is a generator of group G ₁ , and g ₂ is a generator of group G ₂ . e is a bilinear map defined by the bilinear group (G ₁ , G ₂ ).

SetUp: (MPK, MSK) <-SetUp (1 ^κ ) is configured as follows.
1. Security parameter 1 ^κ is input and x, yεZ _p ^* is selected at random.
2. Calculate w = g ₁ ^x and v = g ₂ ^y .
3. A hash function H that is difficult to collide is selected: {0, 1} ^* → Z _p ^* .
4). The master public key MPK = (g ₁ , g ₂ , w, v, H) and the master secret key MSK = (x, y).

KG: SK _ID ← The structure of KG (MSK, ID) is as follows.
1. With MSK = (x, y) and identifier ID as inputs, rεZ _p ^* is selected at random.
2. σ = g ₁ ^{1 / (x + H (ID) + yr)} εG ₁ is calculated. However, (x + H (ID) + yr) is obtained as a remainder operation (x + H (ID) + yr) mod p modulo p. When (x + H (ID) + yr) mod p is 0 mod p, KG reselects the random number r and newly obtains σ.
3. Let the secret key be SK _ID = (σ, r).

P → V: (A, ST) ← Σ _ibi-com (MPK, ID, SK _ID ) is configured as follows.
1. MPK = (g ₁ , g ₂ , w, v, H), ID, and SK _ID = (σ, r) are input, and RεG ₁ is selected at random.
2. X = e (R, w · g ₂ ^{H (ID)} · v ^r ) is calculated.
3. Let ST = R and commitment A = (r, X). Send commitment A to V.

The configuration of V → P: C ← Σ _ibi-ch (MPK, ID) is as follows.
1. MPK and ID are input, and a challenge CεZ _p is selected at random.
2. Send C to P.

P → V: U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) has the following configuration.
1. MPK = (g ₁ , g ₂ , w, v, H), ID, SK _ID = (σ, r), A, C and ST = R are input, and S = R · σ ^C is calculated.
2. S is sent to V as a response U.

The configuration of V: DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is as follows.
MPK = (g ₁ , g ₂ , w, v, H), ID, A, C, U are input, and e (U, w · g ₂ ^{H (ID)} · v ^r ) = X · e (g ₁ , G ₂ ) Output DEC = accept when ^C is satisfied, and output DEC = reject otherwise.

Special zero-knowledge: The configuration of (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is as follows.
1. MPK, ID, and C are input, and S′εG ₁ is selected at random.
2. X ′ = e (S ′, w · g ₂ ^{H (ID)} · v ^r ) / e (g ₁ , g ₂ ) ^C is calculated.
3. A ′ = (r, X ′) and U ′ = S are output.

Special soundness: SK _ID ← Σ _ibi-ext (MPK, (A, C, U), (A, C ″, U ″)) is configured as follows.
1. Since U = R · σ ^C and U ″ = R · σ ^{C ″} , U / U ″ = σ ^{C−C ″} , and therefore σ = (U / U ″) ^{1 / ( CC ″)} can be obtained.
2. Since A = (r, X), the secret key SK _ID = (σ, r) can be obtained.

Special challenge: C ← Σ _ibi-ch (MPK, ID) in this example depends only on the master public key MPK, and the challenge C that is the output is an element of a certain commutative group G = Z _p and is output Is a uniform distribution on G. Furthermore, it is clear that the group operation + of G can be performed in polynomial time. Therefore, Σ _ibi-ch (MPK, ID) can be changed to Σ ⁺ _ibi-ch (MPK).

[Σ ^* type IBI protocol of Reference 3]
The Σ ^* type IBI protocol of Reference 3 is illustrated.
SetUp: (MPK, MSK) <-SetUp (1 ^κ ) is configured as follows.
1. Let (N, E, D) ← K _rsa (1 ^κ ) be the output of the prime power RSA generation algorithm. That is, N is a product of two prime numbers, (E, D) is E · D≡1 (mod λ (N)), and E (> 2 ^{L (κ)} ) is a prime number. Here, λ (N) is a value of the Carmichael function of N, and when N = p · q (p and q are prime numbers), λ (N) = LCM (p−1, q−1) is satisfied. (LCM is the least common multiple). L (1 ^κ ) is a function such that the value of | L (1 ^κ ) / lg κ | diverges to infinity when κ is increased.
2. One hash function H: {0, 1} → Z _N ^* is determined, and the master public key MPK = (N, E, H) and the master secret key MSK = D.

KG: SK _ID ← The structure of KG (MSK, ID) is as follows.
1. MSK = D and ID are input, and X = H (ID) (mod N) is calculated.
2. Calculate x = X ^D (mod N).
3. The secret key is SK _ID = x.

P → V: (A, ST) ← Σ _ibi-com (MPK, ID, SK _ID ) is configured as follows.
1. MPK = (N, E, H), ID, and SK _ID = x are input, and yεZ _N ^* is selected at random.
2. Y = y ^E mod N is calculated.
3. Set ST = y, set A = Y, and send commitment A to V.

The configuration of V → P: C ← Σ _ibi-ch (MPK, ID) is as follows.
1. With MPK and ID as inputs, Challenge C is randomly selected from {0,..., 2 ^{L (κ)} −1}, and Challenge C is transmitted to P.

P → V: U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) has the following configuration.
1. MPK, ID, SK _ID = x, A, C, ST = y are input, and it is determined whether Cε {0,..., 2 ^{L (κ)} −1}.
2. If C∈ {0,..., 2 ^{L (κ)} −1}, the process ends. If C∈ {0,..., 2 ^{L (κ)} −1}, the response U = x · Calculate y ^C mod N and send response U to V.

The configuration of V: DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is as follows.
1. MPK = (N, E, H), ID, A, C, U are input, and X = H (ID) (mod N) is calculated.
2. U ^E ≡X ^· A C mod N and A, if U∈Z _N ^*, outputs DEC = the accept, otherwise, outputs a DEC = reject.

Special zero-knowledge: The configuration of (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is as follows.
1. With MPK = (N, E, H), ID, and C as inputs, a, bεZ satisfying a · C + b · E = 1 are obtained by the Euclidean algorithm.
2. Randomly select y′εZ _N ^* .
3. Calculate X ′ = H (ID) and Y ′ = ^X′ − ^a · y ′ ^E mod N.
4). Calculate the ^{U '= X' b · y} 'C mod N.
5. (A ′, U ′) is output.

Special soundness: SK _ID ← Σ _ibi-ext (MPK, (A, C, U), (A, C ″, U ″)) is configured as follows.
1. A and bεZ satisfying a (C−C ″) + b · E = 1 are obtained by the Euclidean mutual division method.
2. (U / U ″) ^E = Y ^{C−C ″} is satisfied. Therefore, since Y = Y ^{a (C−C ″) + b · E} = ((U / U ″) ^a · Y ^b ) ^E , y = (U / U ″) ^a · Y ^b is calculated. it can. Since U = x · y ^C mod N to x = U · y ^−C mod N, SK _ID = x can be calculated.

Strongly special challenge: C ← Σ _ibi-ch (MPK, ID) depends only on the security parameter 1 ^κ , and its output challenge C is an element of the commutative group G = Z ₂ ^{L (κ)} and is output Is a uniform distribution on G. Furthermore, it is clear that the group operation + of G can be performed in polynomial time. Therefore, Σ _ibi-ch (MPK, ID) can be set to Σ ^* _ibi-ch (1 ^κ ).

<First Embodiment>
A first embodiment will be described. In the first embodiment, an IBI protocol having imp-ca safety is configured from the Σ ⁺ type or Σ ^* type IBI protocol IBI = (SetUp, KG, P, V). In this embodiment, the verifier proves that “the prover has either sk _{(id, 0)} or sk _{(id, 1)} ” (Dual-Identity Transformation).

  As illustrated in FIG. 1, the authentication system 1 according to the first embodiment includes a key generation device 11 that functions as a key issuing authority, a certification device 12 that functions as a prover, and a verification device 13 that functions as a verifier. . The key generation device 11, the certification device 12, and the verification device 13 are configured to be able to communicate through a network.

  The key generation device 11 includes a master key generation unit 111, a key generation unit 112, a control unit 116, a storage unit 117, and a communication unit 118. The proving device 12 includes calculation units 121 to 125, a control unit 126, a storage unit 127, and a communication unit 128 (output unit and input unit). The verification device 13 includes calculation units 131 and 132, a determination unit 133, a control unit 136, a storage unit 137, and a communication unit 138 (an output unit and an input unit). Each of the key generating device 11, the proving device 12, and the verification device 13 is a special device configured by, for example, reading a special program into a known or dedicated computer having a communication function.

  The key generation device 11, the certification device 12, and the verification device 13 execute each process under the control of the control unit 116, the control unit 126, and the control unit 136, respectively. Input information to the key generation device 11, the verification device 12, and the verification device 13 is stored in the storage unit 117, the storage unit 127, and the storage unit 137, respectively. Information obtained by the key generation device 11, the certification device 12, and the verification device 13 is also stored in the storage unit 117, the storage unit 127, and the storage unit 137, respectively. Information stored in the storage unit 117, the storage unit 127, and the storage unit 137 is read out as necessary and used for each process.

The authentication process of the first embodiment will be described with reference to FIGS. 2 and 3.
≪SetUp'≫
The master key generation unit 111 of the key generation device 11 receives the security parameter 1 ^κ stored in the storage unit 117 and executes (mpk, msk) ← SetUp (1 ^κ ) to execute the master public key and the master Obtain and output a secret key (mpk, msk). The master public key mpk and the master secret key msk are stored in the storage unit 117 (step S101). The master public key mpk is output from the communication unit 118 and transmitted to the certification device 12 and the verification device 13 via the network. The master public key mpk is input to the communication units 128 and 138 of the proving device 12 and the verification device 13, respectively, and stored in the storage units 127 and 137 (steps S102 and S103). The master secret key msk is not disclosed.

≪KG'≫
The key generation unit 112 of the key generation device 11 receives the master secret key msk and the user identifier id stored in the storage unit 117, and selects b (id) ε {0, 1} of 0 or 1. . The key generation unit 112 selects b (id) at random, for example (step S104). The user identifier id is public information. Further key generation unit 112, ID = M and (id, b (id)) , sk (id, b (id)) ← KG (msk, M (id, b (id))) by _{sk (id, b (Id))} . However, M (α, β) is a value corresponding to α and β. For example, M (α, β) is a function value for α and β, and has collision resistance. A specific example of M (α, β) is a bit concatenation value of a bit string corresponding to α and b (id) (step S105). Communication unit _{118, sk (id, b (id} )) and b secret key sk corresponding to _{(id) '(id, b} (id)) = (sk (id, b (id)), b (id) ) Is output. The secret key sk ′ _{(id, b (id))} is transmitted to the certification device 12 via the network, is input to the communication unit 128 of the certification device 12, and is stored in the storage unit 127 (step S107).

≪P '→ V'≫
The master public key mpk, the user identifier id, and the secret key sk ′ _{(id, b (id))} stored in the storage unit 127 are input to the calculation unit 121 of the certification device 12. The computing unit 121 parses the secret key sk ′ _{(id, b (id)} ), obtains sk _{(id, b (id))} and b (id), and stores them in the storage unit 127 (step S107). The calculation unit 121 uses the master public key mpk, the user identifier id, sk _{(id, b (id)),} and b (id), and uses (a _{b (id)} , st) ← Σ _ibi-com (mpk, M (Id, b (id)), sk _{(id, b (id))} ) _{ab (id)} and st are obtained and stored in the storage unit 127 (step S108). The calculation unit 122 receives b (id) as input and obtains rb (id) = 1−b (id) ε {0, 1} (step S109), and receives the master public key mpk as input, and crb _(id) ← Σ c _{rb (id)} is obtained by ⁺ _ibi-ch (mpk) (step S110). rb (id) and _{crb (id)} are stored in the storage unit 127. The calculation unit 123 receives the master public key mpk, the user identifier id, rb (id), and crb _(id), and inputs (arb _(id) , urb _(id) ) ← Σ _ibi-sim (mpk, A _{rb (id)} and _{urb (id)} are obtained from M (id, rb (id)), _{crb (id)} ) and stored in the storage unit 127 (step S111). The communication unit 128 outputs a ₀ and a ₁ as commitment (a ₀ , a ₁ ). The commitment (a ₀ , a ₁ ) is transmitted to the verification device 13 via the network. The commitment (a ₀ , a ₁ ) is input to the communication unit 138 of the verification device 13 and stored in the storage unit 137 (step S112).

≪V '→ P'≫
The arithmetic unit 131 of the verification device 13 receives the master public key mpk stored in the storage unit 137 and the master public key mpk among the user identifiers id, and challenges c by c ← Σ ⁺ _ibi-ch (mpk). Is obtained and stored in the storage unit 137 (step S113). The communication unit 138 outputs a challenge c. The challenge c is transmitted to the certification device 12 via the network. The challenge c is input to the communication unit 128 of the certification device 12 and stored in the storage unit 127 (step S114).

≪P '→ V'≫
The calculation unit 124 of the proving device 12 receives the challenge c, obtains c _{b (id)} = c−c _{rb (id)} , and stores it in the storage unit 127 (step S115). Further calculation unit 125, had been stored in the storage unit 127, a master public key mpk and user identifier id and b (id) and _{sk (id, b (id)} ) and _{a b (id)} and _{c b ( id)} and internal state information st are input, and u _{b (id)} ← Σ _ibi-res (mpk, M (id, b (id)), sk _{(id, b (id))} , a _{b (id)} , ub _(id) is obtained by cb _(id) , st) and stored in the storage unit 127 (step S116). The communication unit 128 outputs _{c 0} and _{u 0} and _{u 1} as a response _{(c 0,} u 0, _{u 1).} The response (c ₀ , u ₀ , u ₁ ) is transmitted to the verification device 13 via the network. The response (c ₀ , u ₀ , u ₁ ) is input to the communication unit 138 of the verification device 13 and stored in the storage unit 137 (step S117).

≪V'≫
The calculation unit 132 of the verification device 13 receives c and c ₀ stored in the storage unit 137, obtains c ₁ = c−c ₀ , and stores it in the storage unit 137 (step S118). The determination unit 133 receives the master public key mpk, the user identifier id, a ₀ , c ₀ , u ₀ , a ₁ , c _1, and u ₁ and inputs dec ← Σ _ibi-vrfy (mpk, M (id, 0 ), A ₀ , c ₀ , u ₀ ) to obtain the verification result dec, and dec ′ ← Σ _ibi-vrfy (mpk, M (id, 1), a ₁ , c ₁ , u ₁ ) to obtain the verification result dec ′. Obtain (step S119). The determination unit 133 determines whether both of the verification results dec and dec are accept (acceptance) (step S120). The determination unit 133 outputs accept if the verification results dec and dec ′ are both accept (step S121), and outputs reject if not (step S122).

Second Embodiment
A second embodiment will be described. Also in the second embodiment, the IBI protocol having imp-ca security is configured from the IBI protocol IBI = (SetUp, KG, P, V) of the Σ ⁺ type or the Σ ^* type, It proves that it has either sk _{(id, 0)} or sk _{(id, 1)} (Dual-Identity Transformation). Below, it demonstrates centering around difference with 1st Embodiment, and abbreviate | omits description about the matter which is common in 1st Embodiment using the same referential mark.

  As illustrated in FIG. 1, the authentication system 2 according to the second embodiment includes a key generation device 21 that functions as a key issuing authority, a certification device 22 that functions as a prover, and a verification device 13 that functions as a verifier. . The key generation device 21, the certification device 22, and the verification device 13 are configured to be communicable through a network.

  The key generation device 21 includes a master key generation unit 111, a key generation unit 212, a control unit 116, a storage unit 117, and a communication unit 118. The proving device 22 includes calculation units 221, 122 to 125, a control unit 126, a storage unit 127, and a communication unit 128 (output unit and input unit). Each of the key generation device 21 and the certification device 22 is a special device configured by, for example, reading a special program into a known or dedicated computer having a communication function.

  The key generation device 21 and the certification device 22 execute each process under the control of the control unit 116 and the control unit 126, respectively. Information input to the key generation device 21 and the certification device 22 is stored in the storage unit 117 and the storage unit 127, respectively. Information obtained by the key generation device 21 and the certification device 22 is also stored in the storage unit 117 and the storage unit 127, respectively.

With reference to FIG. 3 and FIG. 4, the authentication process of 2nd Embodiment is demonstrated.
≪SetUp'≫
It is the same as in the first embodiment, and the key generation device 21 executes the same processing as that in steps S101 to S103 described above.

≪KG'≫
The key generation unit 212 of the key generation device 21 receives the master secret key msk and the user identifier id stored in the storage unit 117, and for each of b (id) = 0 and b (id) = 1, Sk _{(id, 0)} and sk _{(id, 1)} are generated by sk _{(id, b (id))} ← KG (msk, M (id, b (id))) (step S205). The communication unit 118 outputs the secret key sk ′ _id = (sk _{(id, 0)} , sk _{(id, 1)} ). The secret key sk ′ _id is transmitted to the certification device 22 via the network, is input to the communication unit 128 of the certification device 22, and is stored in the storage unit 127 (step S206).

≪P '→ V'≫
The master public key mpk, the user identifier id, and the secret key sk ′ _id stored in the storage unit 127 are input to the calculation unit 221 of the certification device 22. The calculation unit 221 parses the secret key sk ′ _id , obtains sk _{(id, 0)} and sk _{(id, 1)} , and stores them in the storage unit 127 (step S207). The computing unit 221 selects 0 or 1 b (id) ε {0, 1}. The computing unit 221 selects b (id) at random, for example (step S208). The calculation unit 221 receives the master public key mpk, the user identifier id, the selected b (id) ε {0, 1} and the corresponding sk _{(id, b (id)),} and inputs (a _{b (id )} , St) ← Σ _ibi-com (mpk, M (id, b (id)), sk _{(id, b (id))} )) _{ab (id)} and st are obtained and stored in the storage unit 127. (Step S209). Thereafter, the calculation unit 221 executes the same processing as steps S109 to S112 described in the first embodiment. However, b (id) is b (id) selected in step S208.

≪V '→ P'≫
As in the first embodiment, the verification device 13 executes the same processing as steps S111 to S113 described above on the certification device 22 instead of the certification device 12.

≪P '→ V'≫
This is the same as in the first embodiment, and the proving device 22 executes the same processing as in steps S115 to S117 described above. However, b (id) is b (id) selected in step S208.

≪V'≫
This is the same as in the first embodiment, and the verification device 13 executes the same processing as in steps S118 to S122 described above.

<Third Embodiment>
A third embodiment will be described. In the third embodiment, the IBI protocol having imp-ca security is configured from the Σ ⁺ type or Σ ^* type IBI protocol IBI = (SetUp, KG, P, V), _Prove that you have either sk _id or sk _idmaster (Master-Identity Transformation). Below, it demonstrates centering around difference with 1st Embodiment, and abbreviate | omits description about the matter which is common in 1st Embodiment using the same referential mark.

  As illustrated in FIG. 1, the authentication system 2 according to the third embodiment includes a key generation device 31 that functions as a key issuing authority, a proof device 32 that functions as a prover, and a verification device 33 that functions as a verifier. . The key generation device 31, the certification device 32, and the verification device 33 are configured to be able to communicate through a network.

  The key generation device 31 includes a master key generation unit 311, a key generation unit 312, a control unit 116, a storage unit 117, and a communication unit 118. The proving device 32 includes calculation units 321 to 325, a control unit 126, a storage unit 127, and a communication unit 128 (output unit and input unit). The verification device 33 includes arithmetic units 331 and 332, a determination unit 133, a control unit 136, a storage unit 137, and a communication unit 138 (output unit and input unit). Each of the key generating device 31, the proving device 32, and the verification device 33 is a special device configured by, for example, reading a special program into a known or dedicated computer having a communication function.

  The key generation device 31, the verification device 32, and the verification device 33 execute each process under the control of the control unit 116, the control unit 126, and the control unit 136, respectively. Information input to the key generation device 31, the verification device 32, and the verification device 33 is stored in the storage unit 117, the storage unit 127, and the storage unit 137, respectively. Information obtained as input information to the key generation device 31, the verification device 32, and the verification device 33 is also stored in the storage unit 117, the storage unit 127, and the storage unit 137, respectively.

With reference to FIG. 5 and FIG. 6, the authentication processing of the third embodiment will be described.
≪SetUp'≫
The master key generation unit 311 of the key generation device 31 receives the security parameter 1 ^κ stored in the storage unit 117 as an input, executes (mpk, msk) ← SetUp (1 ^κ ), and executes the master public key and the master Obtain and output a secret key (mpk, msk). The master public key mpk and the master secret key msk are stored in the storage unit 117 (step S101). The master key generation unit 311 selects the master identifier id _master and stores it in the storage unit 117. The master identifier id _master is selected at random, for example (step S300). The master key generation unit 311 sets the public key mpk ′ = (mpk, id _master ), and the communication unit 118 outputs the public key mpk ′ (step S301). The public key mpk ′ is transmitted to the certification device 32 and the verification device 33 via the network. The public key mpk ′ is input to the communication units 128 and 138 of the proving device 32 and the verification device 33, respectively, and stored in the storage units 127 and 137 (steps S302 and S303). The master secret key msk is not disclosed.

≪KG'≫
The key generation unit 312 of the key generation device 31 determines whether the user identifier id stored in the storage unit 117 is equal to the master identifier id _master (step S304). If id = id _master , the key generation unit 312 outputs ⊥ (error) (step S305) and ends the authentication process. If id ≠ id _master , the key generation unit 312 receives the master secret key msk and the user identifier id stored in the storage unit 117 and inputs the secret key sk _id by sk _id ← KG (msk, id). Is generated. The communication unit 118 outputs the secret key sk _id . The secret key sk _id is transmitted to the certification device 32 via the network, is input to the communication unit 128 of the certification device 32, and is stored in the storage unit 127 (step S306).

≪P '→ V'≫
The public key mpk ′, the user identifier id, and the secret key sk _id stored in the storage unit 127 are input to the calculation unit 321 of the proving device 32. The computing unit 321 parses the public key mpk ′, obtains the master public key mpk and the master identifier id _master , and stores them in the storage unit 127 (step S307). The calculation unit 321 uses the master public key mpk, the user identifier id, and the secret key sk _id , obtains a ₀ and st by (a ₀ , st) ← Σ _ibi-com (mpk, id, sk _id ), The data is stored in the storage unit 127 (step S308). Calculation unit 322 obtains the _{c 1} a master public key mpk as input by ^{_{c 1 ← Σ + ibi-ch}} (mpk), and stores it in the storage unit 127 (step S310). Calculation unit 323, a master public key mpk and the master identifier _{id master} and _{c 1} as _input, give _{a 1} and _{u 1} by _{(a 1, u 1) ←} Σ ibi-sim (mpk, id master, c 1) And stored in the storage unit 127 (step S311). The communication unit 128 outputs a ₀ and a ₁ as commitment (a ₀ , a ₁ ). The commitment (a ₀ , a ₁ ) is transmitted to the verification device 33 via the network. The commitment (a ₀ , a ₁ ) is input to the communication unit 138 of the verification device 33 and stored in the storage unit 137 (step S112).

≪V '→ P'≫
The public key mpk ′ and the user identifier id stored in the storage unit 137 are input to the calculation unit 331 of the verification device 33. The computing unit 331 parses the public key mpk ′, obtains the master public key mpk and the master identifier id _master , and stores them in the storage unit 137 (step S313). The computing unit 331 receives the master public key mpk, obtains a challenge c by c ← Σ ⁺ _ibi-ch (mpk), and stores it in the storage unit 137 (step S113). The communication unit 138 outputs a challenge c. The challenge c is transmitted to the certification device 32 via the network. The challenge c is input to the communication unit 128 of the proving device 32 and stored in the storage unit 127 (step S114).

≪P '→ V'≫
The computing unit 324 of the proving device 32 receives the challenge c, obtains c ₀ = c−c ₁ and stores it in the storage unit 127 (step S315). Further, the calculation unit 325 receives the master public key mpk, the user identifier id, the secret key sk _id , a ₀ , c ₀ and st stored in the storage unit 127, and u ₀ ← Σ _ibi-res ( u ₀ is obtained by mpk, id, sk _id , a ₀ , c ₀ , st) and stored in the storage unit 127 (step S316). The communication unit 128 outputs _{c 0} and _{u 0} and _{u 1} as a response _{(c 0,} u 0, _{u 1).} The response (c ₀ , u ₀ , u ₁ ) is transmitted to the verification device 33 via the network. The response (c ₀ , u ₀ , u ₁ ) is input to the communication unit 138 of the verification device 33 and stored in the storage unit 137 (step S117).

≪V'≫
This is the same as in the first embodiment, and instead of the verification device 13, the verification device 33 executes the same processing as steps S <b> 118 to S <b> 122 described above.

<Fourth embodiment>
A fourth embodiment will be described. In the fourth embodiment, an IBI protocol having imp-ca security is configured from the Σ ^* -type IBI protocol IBI = (SetUp, KG, P, V), and the verifier is “provider is sk _{(id, 0, )} Or sk _{(id, 1)} ”(Double-Parameter Transformation). Below, it demonstrates centering around difference with 1st Embodiment, and abbreviate | omits description about the matter which is common in 1st Embodiment using the same referential mark.

  As illustrated in FIG. 1, the authentication system 2 of the fourth embodiment includes a key generation device 41 that functions as a key issuing authority, a proof device 42 that functions as a prover, and a verification device 43 that functions as a verifier. . The key generation device 41, the certification device 42, and the verification device 43 are configured to be communicable through a network.

  The key generation device 41 includes a master key generation unit 411, a key generation unit 412, a control unit 116, a storage unit 117, and a communication unit 118. The proving device 42 includes calculation units 124, 421 to 423, 425, a control unit 126, a storage unit 127, and a communication unit 128 (output unit and input unit). The verification device 43 includes calculation units 431 and 432, a determination unit 433, a control unit 136, a storage unit 137, and a communication unit 138 (output unit and input unit). Each of the key generation device 41, the certification device 42, and the verification device 43 is a special device configured by, for example, reading a special program into a known or dedicated computer having a communication function.

  The key generation device 41, the proof device 42, and the verification device 43 execute each process under the control of the control unit 116, the control unit 126, and the control unit 136, respectively. Information input to the key generation device 41, the proof device 42, and the verification device 43 is stored in the storage unit 117, the storage unit 127, and the storage unit 137, respectively. Information obtained as input information to the key generation device 41, the proof device 42, and the verification device 43 is also stored in the storage unit 117, the storage unit 127, and the storage unit 137, respectively.

The authentication process of the fourth embodiment will be described with reference to FIGS.
≪SetUp'≫
The master key generation unit 411 of the key generation device 41 receives the security parameter 1 ^κ stored in the storage unit 117 as input, and (mpk ₀ , msk ₀ ) ← SetUp (1 ^κ ) and (mpk ₁ , msk ₁ ). ← SetUp (1 ^κ ) is executed to obtain and output (mpk ₀ , msk ₀ ) and (mpk ₁ , msk ₁ ). (Mpk ₀ , msk ₀ ) and (mpk ₁ , msk ₁ ) are stored in the storage unit 117. Since msk ₀ and msk ₁ are generated randomly, for example, and mpk ₀ and mpk ₁ correspond to msk ₀ and msk ₁ , (mpk ₀ , msk ₀ ) and (mpk ₁ , msk ₁ ) usually do not match (step S400). The master key generation unit 411 sets the master public key as mpk ′ = (1 ^κ , mpk ₀ , mpk ₁ ), sets the master secret key as msk ′ = (msk ₀ , msk ₁ ), and stores these in the storage unit 117. . The master public key mpk ′ is output from the communication unit 118 and transmitted to the certification device 42 and the verification device 43 via the network (step S401). The master public key mpk ′ is input to the communication units 128 and 138 of the proving device 42 and the verification device 43, respectively, and stored in the storage units 427 and 437 (steps S402 and S403). The master secret key msk ′ is not disclosed.

≪KG'≫
The key generation unit 412 of the key generation device 41 receives the master secret key stored in the storage unit 117 as msk ′ and the user identifier id, parses the master secret key msk ′, and generates msk ₀ and msk _1. Get. The key generation unit 412, 0 or 1 b (id) Select ∈ {0, 1} for example _{randomly, sk} by _{(id, b (id))} ← KG (msk b (id), id) sk ( _{id, b (id))} is generated (step S405). Communication unit _{118, sk (id, b (id} )) and b secret key sk corresponding to _{(id) '(id, b} (id)) = (sk (id, b (id)), b (id) ) Is output. The secret key sk ′ _{(id, b (id))} is transmitted to the certification device 42 via the network, is input to the communication unit 128 of the certification device 42, and is stored in the storage unit 127 (step S406).

≪P '→ V'≫
The master public key mpk ′, the user identifier id, and the secret key sk ′ _{(id, b (id))} stored in the storage unit 127 are input to the calculation unit 421 of the proving device 42. The calculation unit 421 parses the master public key mpk ′ to obtain 1 ^κ , mpk _0, and mpk ₁ , and parses the secret key sk ′ _{(id, b (id))} to obtain sk _{(id, b (id)).} And b (id) are obtained and stored in the storage unit 127 (step S407). The computing unit 421 uses mpk _{b (id)} , id, sk _{(id, b (id)),} and b (id), and (a _{b (id)} , st) ← Σ _ibi-com (mpk _{b (id)} , Id, sk _{(id, b (id))} ), a _{b (id)} and st are obtained and stored in the storage unit 127 (step S408). The calculation unit 422 obtains rb (id) = 1−b (id) ∈ {0, 1} by using b (id) as an input (step S109), and receives the security parameter 1 ^κ as _{crb (id)} ← Σ ^* _{crb (id)} is obtained by _ibi-ch (1 ^κ ) (step S410). rb (id) and _{crb (id)} are stored in the storage unit 127. Calculating section 123 receives _as input _{mpk rb (id)} and id and rb (id) and _{c rb (id), (a} rb (id), u rb (id)) ← Σ ibi-sim (mpk rb (id ₎ , Id, _{crb (id)} ), _{arb (id)} and _{urb (id)} are obtained and stored in the storage unit 127 (step S411). The communication unit 128 outputs a ₀ and a ₁ as commitment (a ₀ , a ₁ ). The commitment (a ₀ , a ₁ ) is transmitted to the verification device 43 via the network. The commitment (a ₀ , a ₁ ) is input to the communication unit 138 of the verification device 43 and stored in the storage unit 137 (step S112).

≪V '→ P'≫
The calculation unit 431 of the verification device 43 receives the master public key mpk ′ out of the master public key mpk ′ and the user identifier id stored in the storage unit 137, parses the master public key mpk ′, and 1 ^κ And mpk ₀ and mpk ₁ are obtained (step S412), a challenge c is obtained by c ← Σ ^* _ibi-ch (1 ^κ ), and stored in the storage unit 137 (step S413). The communication unit 138 outputs a challenge c. The challenge c is transmitted to the certification device 42 via the network. The challenge c is input to the communication unit 128 of the certification device 42 and stored in the storage unit 127 (step S114).

≪P '→ V'≫
The computing unit 124 of the proving device 42 receives the challenge c, obtains c _{b (id)} = c−c _{rb (id)} , and stores it in the storage unit 127 (step S115). Further, the calculation unit 425 stores mpk _{b (id)} , id, sk _{(id, b (id))} , a _{b (id)} , c _{b (id),} and internal state information st stored in the storage unit 127. was an _{input, u b (id) ← Σ} ibi-res (mpk b (id), id, sk (id, b (id)), a b (id), c b (id), st) by _{u b (Id)} is obtained and stored in the storage unit 127 (step S416). The communication unit 128 outputs _{c 0} and _{u 0} and _{u 1} as a response _{(c 0,} u 0, _{u 1).} The response (c ₀ , u ₀ , u ₁ ) is transmitted to the verification device 43 via the network. The response (c ₀ , u ₀ , u ₁ ) is input to the communication unit 138 of the verification device 43 and stored in the storage unit 137 (step S117).

≪V'≫
The calculation unit 432 of the verification device 43 receives c and c ₀ stored in the storage unit 137 as input, obtains c ₁ = c−c ₀ and stores it in the storage unit 137 (step S118). The determination unit 433 receives mpk ₀ , mpk ₁ , id, a ₀ , c ₀ , u ₀ , a ₁ , c _1, and u ₁ as input, and dec ← Σ _ibi-vrfy (mpk ₀ , id, a ₀ , c ₀ , u ₀ ) and a verification result dec obtained by dec ′ ← Σ _ibi-vrfy (mpk ₁ , id, a ₁ , c ₁ , u ₁ ) are obtained (step S419). Thereafter, the determination unit 433 performs the same process as steps S120 to S122 of the first embodiment.

<Features>
The configuration of each embodiment can be universally applied to all IBI protocols of the Σ ⁺ type and the Σ ^* type, and the safety of the IBI protocol can be easily enhanced.
For example, in the case of the Σ ^* type IBI protocol of Reference Document 3 described above, when the attacker sends a challenge C = 0 to the verifier P, the verifier outputs U = x · y ^C mod N = x as a response. Therefore, the secret key SK _ID = x is known to the attacker. This attack is not allowed in the imp-pa security, but is allowed in the imp-ca security. Such an attack can be prevented by the method of the above-described embodiment. In the method of the embodiment, the proving device determines c _{rb (id)} at the time of generating the commitment, and c ₀ , c ₁ (c _{b (id)} = c−c obtained by dividing the challenge c from the verification device in the response. _{rb (id)} ) is output. Therefore, the attacker cannot obtain a response corresponding to the arbitrary challenge. In order to make the attack successful, the attacker needs to guess c where c _{rb (id)} = c. Therefore, if G is sufficiently large, this attack can be prevented with an overwhelming probability.

  In the configurations of the first, third, and fourth embodiments, the data amount of the prover's private key is about ½ that of the method of Non-Patent Document 2, and the storage area necessary for the certification device can be reduced. it can. Further, the data amount of the secret key in the configuration of the second embodiment is the same as the method of Non-Patent Document 2, but the data amount of the master secret key and the master public key held by the key issuing authority is the method of Non-Patent Document 2. Therefore, the storage area required by the key generation device can be reduced.

<Modifications>
The present invention is not limited to the embodiment described above. For example, at least a part of the algorithm described above may be implemented as a function. That is, “mapping” is a concept including an algorithm and a function. The term "mapping to obtain δ from gamma ₁ and ... and gamma _I" does not mean only if δ is dependent on all the gamma ₁ and ... and gamma _I. That, [delta] is even a had been independent on at least a portion of the gamma ₁ and ... and gamma _I, gamma ₁ and ... and gamma if mapping is to obtain a [delta] for _{the I} "gamma ₁ and &・ ・ And γ _I to δ to obtain δ ”.

  The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capacity of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  When the above configuration is realized by a computer, the processing contents of the functions that each device should have are described by a program. By executing this program on a computer, the above processing functions are realized on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium. An example of a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.

  This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, this computer reads a program stored in its own recording device and executes a process according to the read program. As another execution form of the program, the computer may read the program directly from the portable recording medium and execute processing according to the program, and each time the program is transferred from the server computer to the computer. The processing according to the received program may be executed sequentially.

  In the above embodiment, the processing functions of the apparatus are realized by executing a predetermined program on a computer. However, at least a part of these processing functions may be realized by hardware.

1-4 Authentication systems 11, 21, 31, 41 Key generation devices 12, 22, 32, 42 Proof devices 13, 33, 43 Verification devices

Claims (9)

_{SK ID ← KG (MSK, ID} ) is a mapping to obtain the secret key _{SK ID} from the master secret key MSK and the identifier ID, (A, ST) ← Σ ibi-com (MPK, ID, SK ID) is a master public key This is a mapping that obtains commitment A and internal state information ST from MPK, the identifier ID, and the secret key SK _ID , and C ← Σ _ibi-ch (MPK, ID) _{creates a} challenge C from the master public key MPK and the identifier ID. U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) is the master public key MPK, the identifier ID, the secret key SK _ID , the commitment A, and the challenge C This is a mapping for obtaining a response U from the internal state information ST, and DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is the master public This is a mapping for obtaining a verification result DEC from the open key MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ⁺ _ibi-ch (MPK) is a challenge C ′ from the master public key MPK. (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is the verification result DEC from the master public key MPK, the identifier ID, and the challenge C to the challenge C. Is a mapping to obtain the accepted commitment A 'and response U'
The master public key MPK is mpk, the master secret key MSK is msk, id is a user identifier, M (α, β) is a value corresponding to α and β, and sk _{(id, b (Id))} is a value obtained by sk _{(id, b (id))} ← KG (msk, M (id, b (id))) corresponding to any b (id) ε {0, 1} Yes,
(A _{b (id)} , st) ← Σ _ibi-com (mpk, M (id, b (id)), sk _{(id, b (id))} ) First operation for obtaining a _{b (id)} and st And
rb (id) = 1−b (id), c _{rb (id)} ← Σ ⁺ _ibi−ch (mpk ₎ to obtain crb _(id) , a second arithmetic unit;
(A _{rb (id)} , u _{rb (id)} ) ← Σ _ibi-sim (mpk, M (id, rb (id)), crb _(id) ) a _{rb (id)} and u _{rb (id)} A third computing unit to obtain;
A first output unit for outputting a commitment (a ₀ , a ₁ );
A fourth operation unit for obtaining c _{b (id)} = c−c _{rb (id)} from the input challenge c;
_{u b (id) ← Σ ibi} -res (mpk, M (id, b (id)), sk (id, b (id)), a b (id), c b (id), st) by _{u b A} fifth arithmetic unit for obtaining _(id) ;
A second output unit for outputting a response (c ₀ , u ₀ , u ₁ );
Proving device with. _{SK ID ← KG (MSK, ID} ) is a mapping to obtain the secret key _{SK ID} from the master secret key MSK and the identifier ID, (A, ST) ← Σ ibi-com (MPK, ID, SK ID) is a master public key This is a mapping that obtains commitment A and internal state information ST from MPK, the identifier ID, and the secret key SK _ID , and C ← Σ _ibi-ch (MPK, ID) _{creates a} challenge C from the master public key MPK and the identifier ID. U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) is the master public key MPK, the identifier ID, the secret key SK _ID , the commitment A, and the challenge C This is a mapping for obtaining a response U from the internal state information ST, and DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is the master public This is a mapping for obtaining a verification result DEC from the open key MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ⁺ _ibi-ch (MPK) is a challenge C ′ from the master public key MPK. (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is the verification result DEC from the master public key MPK, the identifier ID, and the challenge C to the challenge C. Is a mapping to obtain the accepted commitment A 'and response U'
The master public key MPK is mpk, the master secret key MSK is msk, id is a user identifier, M (α, β) is a value corresponding to α and β, and b (id) ε {0, 1} and sk _{(id, b (id))} is a value obtained by sk _{(id, b (id))} ← KG (msk, M (id, b (id))),
(A _{b (id)} , st) ← Σ _ibi-com (mpk, M (id, b (id)), sk _{(id, b (id )} corresponding to any b (id) ε {0, 1} _{)) A} first computing unit that obtains a _{b (id)} and st by ₎ ,
rb (id) = 1−b (id), c _{rb (id)} ← Σ ⁺ _ibi−ch (mpk ₎ to obtain crb _(id) , a second arithmetic unit;
(A _{rb (id)} , u _{rb (id)} ) ← Σ _ibi-sim (mpk, M (id, rb (id)), crb _(id) ) a _{rb (id)} and u _{rb (id)} A third computing unit to obtain;
A first output unit for outputting a commitment (a ₀ , a ₁ );
A fourth operation unit for obtaining c _{b (id)} = c−c _{rb (id)} from the input challenge c;
_{u b (id) ← Σ ibi} -res (mpk, M (id, b (id)), sk (id, b (id)), a b (id), c b (id), st) by _{u b A} fifth arithmetic unit for obtaining _(id) ;
A second output unit for outputting a response (c ₀ , u ₀ , u ₁ );
Proving device with. DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is a mapping for obtaining the verification result DEC from the master public key MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ⁺ _{ibi -Ch} (MPK) is a mapping to obtain a challenge C 'from the master public key MPK;
The master public key MPK is mpk, id is a user identifier, M (α, β) is a value corresponding to α and β,
A first input unit for receiving an input of a commitment (a ₀ , a ₁ );
a first arithmetic unit that obtains a challenge c by c ← Σ ⁺ _ibi-ch (mpk);
An output unit for outputting the challenge c;
A second input unit for receiving an input of a response (c ₀ , u ₀ , u ₁ );
a second computing unit for obtaining c ₁ = c−c ₀ ;
dec ← Σ _ibi-vrfy (mpk, M (id, 0), a ₀ , c ₀ , u ₀ ), the verification result dec, and dec ′ ← Σ _ibi-vrfy (mpk, M (id, 1), a determination unit that determines whether the verification result dec ′ obtained by a ₁ , c ₁ , u ₁ ) is acceptable;
A verification device having _{SK ID ← KG (MSK, ID} ) is a mapping to obtain the secret key _{SK ID} from the master secret key MSK and the identifier ID, (A, ST) ← Σ ibi-com (MPK, ID, SK ID) is a master public key This is a mapping that obtains commitment A and internal state information ST from MPK, the identifier ID, and the secret key SK _ID , and C ← Σ _ibi-ch (MPK, ID) _{creates a} challenge C from the master public key MPK and the identifier ID. U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) is the master public key MPK, the identifier ID, the secret key SK _ID , the commitment A, and the challenge C This is a mapping for obtaining a response U from the internal state information ST, and DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is the master public This is a mapping for obtaining a verification result DEC from the open key MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ⁺ _ibi-ch (MPK) is a challenge C ′ from the master public key MPK. (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is the verification result DEC from the master public key MPK, the identifier ID, and the challenge C to the challenge C. Is a mapping to obtain the accepted commitment A 'and response U'
The master public key MPK is mpk, the master secret key MSK is msk, id is a user identifier, id _master is a master identifier, id ≠ id _master , and sk _id is sk _id ← KG (Msk, id) is a value obtained by
A first arithmetic unit that obtains a ₀ and st by (a ₀ , st) ← Σ _ibi-com (mpk, id, sk _id );
a second arithmetic unit that obtains c ₁ by c ₁ ← Σ ⁺ _ibi−ch (mpk);
A third arithmetic unit that obtains a ₁ and u ₁ by (a ₁ , u ₁ ) ← Σ _ibi-sim (mpk, id _master , c ₁ );
A first output unit for outputting a commitment (a ₀ , a ₁ );
A fourth arithmetic unit for obtaining c ₀ = c−c ₁ from the input challenge c;
a fifth arithmetic unit that obtains u ₀ by u ₀ ← Σ _ibi-res (mpk, id, sk _id , a ₀ , c ₀ , st);
A second output unit for outputting a response (c ₀ , u ₀ , u ₁ );
Proving device with. DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is a mapping for obtaining the verification result DEC from the master public key MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ⁺ _{ibi -Ch} (MPK) is a mapping to obtain a challenge C 'from the master public key MPK;
The master public key MPK is mpk, id is a user identifier, id _master is a master identifier, id ≠ id _master ,
A first input unit for receiving an input of a commitment (a ₀ , a ₁ );
a first arithmetic unit that obtains a challenge c by c ← Σ ⁺ _ibi-ch (mpk);
An output unit for outputting the challenge c;
A second input unit for receiving an input of a response (c ₀ , u ₀ , u ₁ );
a second computing unit for obtaining c ₁ = c−c ₀ ;
dec ← Σ _ibi-vrfy (mpk, id, a ₀ , c ₀ , u ₀ ) and a verification result dec obtained by dec ′ ← Σ _ibi-vrfy (mpk, id _master , a ₁ , c ₁ , u ₁ ) A determination unit that determines whether the verification result dec ′ obtained by
A verification device having _{SK ID ← KG (MSK, ID} ) is a mapping to obtain the secret key _{SK ID} from the master secret key MSK and the identifier ID, (A, ST) ← Σ ibi-com (MPK, ID, SK ID) is a master public key This is a mapping that obtains commitment A and internal state information ST from MPK, the identifier ID, and the secret key SK _ID , and C ← Σ _ibi-ch (MPK, ID) _{creates a} challenge C from the master public key MPK and the identifier ID. U ← Σ _ibi-res (MPK, ID, SK _ID , A, C, ST) is the master public key MPK, the identifier ID, the secret key SK _ID , the commitment A, and the challenge C This is a mapping for obtaining a response U from the internal state information ST, and DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is the master public This is a mapping for obtaining a verification result DEC from the key-opening MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ^* _ibi-ch (1 ^κ ) is a challenge C ′ from the security parameter 1 ^κ. (A ′, U ′) ← Σ _ibi-sim (MPK, ID, C) is the verification result DEC from the master public key MPK, the identifier ID, and the challenge C to the challenge C. Is a mapping to obtain the accepted commitment A 'and response U'
Each of (mpk ₀ , msk ₀ ) and (mpk ₁ , msk ₁ ) is a key pair (MPK, MSK) of a master public key and a master secret key, id is a user identifier, and sk _{(id, b (Id))} is a value obtained by sk _{(id, b (id))} ← KG (msk _{b (id)} , id) corresponding to any b (id) ε {0, 1},
A first arithmetic unit that obtains a _{b (id)} and st by (a _{b (id)} , st) ← Σ _{ibi ibi-com} (mpk _{b (id)} , id, sk _{(id, b (id))} );
a rb (id) = 1-b (id), a second arithmetic unit for obtaining the _{c rb (id)} by ^{_{c rb (id) ← Σ *}} ibi-ch (1 κ),
(A _{rb (id)} , u _{rb (id)} ) ← Σ Ibi _-sim (mpk _{rb (id)} , id, crb _(id) ) The third operation to obtain a _{rb (id)} and u _{rb (id)} And
A first output unit for outputting a commitment (a ₀ , a ₁ );
A fourth operation unit for obtaining c _{b (id)} = c−c _{rb (id)} from the input challenge c;
_{u b (id) ← Σ ibi} -res (mpk b (id), id, sk (id, b (id)), a b (id), c b (id), st) and the _{u b (id)} A fifth computing unit to obtain;
A second output unit for outputting a response (c ₀ , u ₀ , u ₁ );
Proving device with. DEC ← Σ _ibi-vrfy (MPK, ID, A, C, U) is a mapping for obtaining the verification result DEC from the master public key MPK, the identifier ID, the commitment A, the challenge C, and the response U, and C ′ ← Σ ^* _{ibi -Ch} (1 ^κ ) is a mapping to obtain the challenge C ′ from the security parameter 1 ^κ ,
mpk ₀ and mpk ₁ are the master public key MPK, id is a user identifier,
A first input unit for receiving an input of a commitment (a ₀ , a ₁ );
a first arithmetic unit that obtains a challenge c by c ← Σ ^* _ibi-ch (1 ^κ );
An output unit for outputting the challenge c;
A second input unit for receiving an input of a response (c ₀ , u ₀ , u ₁ );
a second computing unit for obtaining c ₁ = c−c ₀ ;
dec ← Σ _ibi-vrfy (mpk ₀ , id, a ₀ , c ₀ , u ₀ ) and the verification result dec obtained by dec ′ ← Σ _ibi-vrfy (mpk ₁ , id, a ₁ , c ₁ , u ₁ And a determination unit that determines whether the verification result dec ′ obtained by
A verification device having   A program for causing a computer to function as the certification device according to claim 1.   A program for causing a computer to function as the verification device according to claim 3.

Images