JP2904819B2 - Digital signature method - Google Patents

Description

Description: FIELD OF THE INVENTION The present invention relates to a digital signature system in a signature communication system, and more particularly, to a system for performing a digital signature using a public key and user identification information common to users. About.

[Conventional technology]

Conventionally, digital signatures have been implemented using RSA.
The method is well known (Rivest, RLetal. “A Method f
or Obtaining Digital Signatures and Pubblic-Key C
ryptosystems ", Communications of the ACM, Vol. 21, No.
2, pp. 120-126, (1978)). As a method for performing digital signature using a common public key and user identification information, a method proposed by Okamoto, Shiraishi, and Kawaoka (“Secure user authentication method using single management information”, IEICE Research report, IN83-92 (1984)) and the method proposed by A. Shamir (“Indentity-Based Cryptosystems”).
and Signature Schemes, "Crypto'84 (1984)).

[Problems to be solved by the invention]

The greatest drawback of the RSA method is that the amount of calculation processing becomes enormous and the processing speed is slow. Furthermore, the RSA method cannot construct a digital signature using a common public key and user identification information. Meanwhile, Okamoto, Shiraishi, Kawaoka and A.Sh
The method of amir et al. also has a practical problem because the processing speed is equal to or lower than that of the RSA method.

An object of the present invention is to improve the processing speed in a digital signature scheme using a common public key and user identification information.

[Means for solving the problem]

In order to achieve the above object, according to the present invention, a reliable center device in a system publishes a public key common to users and secret information (private key) of the user i held by each user device. Si is generated from the identification information IDi of the user i and secret information secretly held by the center device, and is secretly delivered to each user device. Each user device wants to attach the signature of the user i. The signature information (B, Y) is created for the document M using the secret key Si distributed from the center device, and the document M is transmitted to the signature verifier device together with the signature information (B, Y) and the identification information IDi. Upon receiving the document M, the signature information (B, Y), and the identification information IDi, the signature verifier uses the information and a public key common to all users to confirm the validity, and passes the confirmation. If the identification information of the user who signed the document M is the ID
It is characterized by being authenticated as i.

(Operation)

In the present invention, for example, an authentication method using user identification information proposed by Fiat et al. (A. Fiat & A. Shamir, “How to Pr
ove Yourself, "Crypto '86 (1986)" and the authentication method proposed by the inventors of the present invention (K. Ohta & T. Okamoto, "A Mo
dification of the Fiat-Shamir Scheme, "Crypto'88
By creating the random number information component used in (1988)) depending on the value obtained from the message to be signed, a high-speed digital signature scheme is realized.

〔Example〕

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

FIG. 1 is a schematic block diagram of a system for implementing a digital signature system according to the present invention.
1, a user device (1) 2 and a user device (2) 3 are connected via a communication line 4 or the like. Here, the user device (1) 2 is simply a user, and the user device (2) 3 is a signature verifier (signature verifier device). The center device 1 is abbreviated as the center 1. FIG. 2 is a detailed configuration of the center 1, and FIG. 3 is a detailed configuration of the user 2 and the signature verifier 3.

First, a procedure in which the center 1 creates public information common to users and secret information of each user will be described with reference to FIG.

First, the center 1 uses the prime number generator 101 to generate prime numbers P and Q, and also uses the multiplier 103 to calculate the product N = P
-Calculate Q. On the other hand, P-1 and Q-1 are obtained from the prime numbers P and Q using the subtractor 102, and the least common multiple calculator 104
Is used to find C = LCM (P-1, Q-1). Therefore,
L that satisfies GCD (L, C) = 1 is determined at random, and the value of K that satisfies L · K = 1 (mod C) is determined using the remainder divider 105. LCM is the least common multiple, G
CD means greatest common divisor.

Among the values obtained above, N and L are disclosed as public keys common to users. On the other hand, the values of P, Q, K, etc.
Only keep it secret.

Next, using the secret information of the center, the center 1 generates secret information of the user to be passed to the user 2 as follows. This is the same for other users. First, the identification information ID of the user 2 is obtained. Next, the one-way function unit 106
Is used to obtain a one-way function h (ID), and the remainder divider 107
Is used to calculate 1 / h (ID) (mod N) and the remainder power multiplier
S = (1 / h (ID)) ^k (mod N) is ^obtained by using 107.
This S is the secret information (secret key) of the user 2, and the center 1 secretly delivers this to the user 2. The user 2 to whom the secret information S has been delivered does not need to access the center 1 thereafter.

Next, the digital signature procedure will be described with reference to FIG.

The user (user device) 2 uses the random number generator 201 to generate a random number R (0 ≦ R <N). The function value g (M) of the one-way function g is calculated for the document M to be signed by using the one-way function unit 202. This R and g
(M) and the remainder power multipliers 203 and 204 are used to calculate the value of X = R ^{g (M) .L} (mod N) using L and N. Here, 0 ≦ g (M) <N. This X is converted to a one-way function unit 20 for realizing a one-way function element f.
Input to 5 and calculate the function value of B = f (X) (0 ≦ B <L). Further, the B and S, N are input to the remainder power multiplier 206, and the output S ^B (mod N) and the random number R,
And, type N to modular multiplier 207, to calculate the value of ^{Y = S B · R (mod} N). User 2 assigns M, B, Y to his or her own identification information I.
It is sent to Signature Verifier 3 together with D.

The signature verifier (signature verifier device) 3 inputs the document M to the one-way function unit 301 and obtains the function value g of the one-way function g.
Calculate (M). From this g (M) and Y, N, L,
Using the power multipliers 302 and 303, ^Yg ( ^{M) .L} (mod
N). On the other hand, the user identification information ID is input to the one-way function 304, and the function value h (ID) of the one-way function h is calculated. From h (ID), g (M) and B, N,
By using the remainder power multipliers 305 and 306, h (ID) ^{g (M) .B}
Calculate (mod N). And the remainder power multipliers 303 and 30
The output of 6 is input to the remainder multiplier 307, and the value of X '= ^{Yg (M) .Lh} (ID) ^{g (M) .B} (mod N) is obtained.

This X 'is input to the one-way function unit 308 to calculate the function value f (X') of the one-way function f. This f (X ')
Is input to the comparator 309 together with B, and it is determined whether or not f (X ′) and B match. If they match, it is judged as pass, and if they do not match, it is judged as fail.

If the above procedure is successful, the signature verifier 3
It authenticates that the person who signed the sent document M is a user having an ID as user identification information.

In the above embodiment, the authentication method proposed by the inventors of the present invention (K. Ohta & T. Okamoto, “A Modifiastion o
f The method of using the Fiat-Shamir Scheme, "Crypto'88 (1988)) has been shown, but the authentication method of Fiat and Bath et al. (A.
Fiat & A. Shamir, “How to Prove Yourself,” Crypto'8
6 (1986); T. Beth, “Efficient Zero-Knowledge Ident
ification Scheme For Smart Cards, "Eurocrypt'88 (19
88)) can be similarly configured.

〔The invention's effect〕

According to the digital signature scheme of the present invention using a common user public key and user identification information, the processing speed can be improved as compared with the RSA method or the like. For example, when the size of the modulus N is 512 bits and the size of L is 72 bits, the RSA method requires an average of about 770 modular multiplications, but the present invention requires an average of about 220 modular multiplications. Is fine.
In these systems, the processing speed is almost proportional to the number of remainder multiplications.
More than twice as fast.

[Brief description of the drawings]

FIG. 1 is a schematic block diagram of a system for implementing the digital signature system of the present invention, FIG. 2 is a detailed configuration diagram of a center, and FIG. 3 is a detailed configuration diagram of a user and a sign verifier. 1 ... center device, 2 ... user device (1) (user), 3 ... user device (2) (signature verifier), 4 ...
Communication line.

Continuation of front page (56) References JP-A-61-2445 (JP, A) JP-A-61-72436 (JP, A) JP-A-61-30827 (JP, A) JP-A-3-82237 (JP) , A) H. Tanaka, "Generation of a common key without mutual communication based on ID information", IEICE Technical Report (ISEC88-11-19), Vol. 88, No. 207, (September 27, 1988) p. 31-34 (58) Fields investigated (Int. Cl. ⁶ , DB name) H04L 9/00 G09C 1/00

Claims (1)

(57) [Claims] 1. A system in which a user device and a signature verifier device are connected to a center device and perform signature communication using a common public key and user identification information among all users. A public key common to all users is disclosed,
Means for generating the secret information (secret key) Si of the user i held by each user device from the identification information IDi of the user i and the secret information held by the center device and distributing it to each user device. Each user device is a document M to which the user i wants to sign.
Using the secret key Si delivered from the center device,
Means for generating the signature information (B, Y) and transmitting the document M to the signature verifier device together with the signature information (B, Y) and the identification information IDi. The signature verifier device includes the document M, the signature information (B , Y), when the identification information IDi is received, the validity is confirmed using the information and the public key common to all users, and if the confirmation is passed, the identification information of the user i who signed the document M is obtained. A digital signature method comprising means for authenticating IDi.