JP3293461B2 - Restricted blind signature method and system - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a digital signature method and system for adding signature information to electronic information, and more particularly to a restricted blind signature method and system suitable for setting an expiration date for a signature. It is about.

[0002]

2. Description of the Related Art Blind signature is a technique in which a signature generation apparatus is provided with a signature while keeping the contents of a document secret (blind). As a conventional technique for this, a method based on the RSA method is described in, for example, Document D. Chaum, “Security
without Identification: Transaction Systems to
Make Big Brother Obsolete, "Comm. Of the AC
M 28, 10, pp. 1030-1044 (1985)
It is described in. The outline is shown below.

[0003] The signature request device generates a blind message (x) by disturbing the document (m) with a random number (r) by blind signature preprocessing. The signature generation device calculates a temporary signature (y) corresponding to x using the secret key. At this time, since m is disturbed by r, the signature generation device cannot know the document (m). The signature request device is
The effect of the random number (r) is removed from y by the blind signature post-processing to obtain a true signature (y ') for the original document (m), and the pair of m and y' is transmitted to the signature verification device . The signature verification device confirms that y 'is a signature of m using the public key of the signature generation device . Here, the signature verification device cannot know the correspondence between y and y '.

Now, A is a signature generation device , and B is a signature request device.
Let e _{A be} the public key of the signature generation device A. F is a blind signature pre-processing algorithm, D is a multiple blind signature algorithm, and G is a blind signature post-processing algorithm. Using these functions, the signature of the temporary created from F _eA and _{D eA Ω (= D eA (} F eA (m 1), ···, F
_eA (m _k ))) by applying G _eA to k messages m ₁ ,
_.. A true signature of A for S _k = D _eA (m ₁ ,... M _k )
Is calculated. The signature generation device A and the signature request device B create a multiple blind signature according to the following procedure.

[0005] Step 1: B performs k messages {m _i | i = 1, k by the blind _signature preprocessing using _FeA .
K blind messages {F _eA from 2, ..., k}
(M _i ) | i = 1, 2,..., K} is generated and transmitted to A. Here, each of F _eA (m _i) are calculated independently function F _eA hide m _i using a random number. Step
2: A is a temporary signature Ω = D _eA (F _eA (m ₁ ),..., F _eA
(M _k ) is _replaced with k blind messages F _eA (m ₁ ) _,.
Generate from F _eA (m _k ) and reply to B Step 3:
B performs a post-blind signature process using _GeA ,
m _1, ···, true digital signature A corresponding to m _k S =
_DeA (m ₁ ,..., _{M k} ) is calculated.

When using the RSA method for blind signatures,

[0007]

(Equation 9)

[0008]

(Equation 10)

In addition,

[0010]

[Equation 11]

## EQU1 ## At this time, the verification equation V _e (m ₁ ,.
·, M _k , S) is

[0012]

(Equation 12)

At this time, a pass (OK) is output. here,
(E, n) is the public key of the RSA scheme used by A,
The following equation is satisfied. n = p × q e × d {1 (mod L) where L = LCM {(p−1), (q−1)} where L = LCM {a, b} is the least common multiple of a and b And a≡b (mod n) indicates that (ab) is a multiple of n. In an embodiment of the present invention described later, k = 1
Is assumed.

[0014]

In the above-mentioned conventional blind signature method, since the signature generation device cannot know or operate the signature target, the signature generation device cannot include any information in the signature. Therefore, the signature verification instrumentation
If the location is desired to classify the signatures, but will be embedded information required in the signature subject M in the aforementioned conventional method, the signature subject M is on signing request unit creates, so are disturbed,
Since the signature verification device cannot detect false information even if it is embedded, the signature verification device cannot correctly classify the information at the time of verification.

For example, when the expiration date is given to the signature, in the above-mentioned conventional method, the signature requesting device embeds information about the expiration date in the signature target M. But here the signature verification to see if the correct expiration date is embedded
The device cannot be verified. Therefore, signing request instrumentation
The device (signature requester) can easily set an invalid expiration date, obtain a signature for the invalid expiration date, and illegally operate signature classification based on the expiration date.

An object of the present invention is to make a signature verification result correct only when a signature is created based on classification information published by a signature generation device , and to classify a signature at the time of verification. It is an object of the present invention to provide a restricted blind signature method and system.

[0017]

SUMMARY OF THE INVENTION The present invention generally comprises:
The signature generation device obtains the public information D and the public key P from the public information D.
Publish function f () for calculating The signature requesting device calculates and obtains the public key P by P = f (D),
By using the public key P, and sends the blind signature target Z to the signature generation device . The signature generation device similarly obtains the public key P by P = f (D), generates a secret key d corresponding to the public key P, and uses the secret key d to generate a signature Q (temporary) for the blind signature target Z. Signature), and the signature Q
Is returned to the signature requesting device . The signature requesting device returns the disturbance component of the signature Q, and sets the resulting S as a signature for the signature target M before the disturbance. When verifying the signature, the signature request device sends the signature S and the signature target M to the signature verification device . The signature verification device obtains the public key P by P = f (D), and verifies that the signature S is a signature for the signature target M using the public key P.

In one embodiment, the present invention provides a method for generating a signature.apparatus
Are two large prime numbers p,q and p, Q, N,(P
-1) and (q-1)Holds the least common multiple λ of
D1 andFrom the public information D1, a public key exponent e _D1 To
Function to calculatePublish f (). N is also published as a public key
I do.

The signature request device receives the public information D1 as an input.
Public key exponent by Te function f () unit e _D1 = f a (D1)
Calculate and output, also out to calculate the signature object M = g (m) using a one-way function g () the document m as an input
Power . Then, random number R, signature object M, public key exponent part e
_D1 and the public key N,

[0020]

(Equation 13)

The Z (blind signature target) is transmitted to the signature generation device . After receiving the blind signature target Z, the signature generation device inputs the same public information D1 as the signature request device, and uses the function f () to generate a public key exponent e _D1 =
Calculate the f (D1) and outputs the secret key exponent d _D1 corresponding to the e _D1 determined by calculating the _{d D1 = 1 / e D1 mod} λ. Then, for blind signature target Z

[0022]

[Equation 14]

And returns the Q (temporary signature) to the signature requesting device . The signature request device obtains S = Q / R mod N for the returned temporary signature Q,
This S is used as a signature generation device based on public information D1 for document m.
The location of the signature.

[0024] In the signature verification device, m from the signature requesting device,
S, D1 is received, and the function f
Calculate the public key exponent part e _D1 = f (D1) by ()
Output . Then , the one-way function g
Using (), the signature target M = g (m) is calculated and output ,
further

[0025]

(Equation 15)

Is calculated, it is confirmed that M and M 'are equal, and it is assumed that the signature S is a correct signature based on the public information D1 of the document m only when they are equal.

[0027]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described below in detail with reference to the drawings. FIG. 1 is an overall block diagram of a system configuration according to an embodiment of the present invention. In FIG. 1, reference numeral 100 denotes a signature generation device , 200 denotes a signature request device , and 300 denotes a signature verification device .
And FIG. In the present embodiment, the signature generation device 100
Is the product N of two large prime numbers p, q and p, q, (p
-1) and the least common multiple λ of (p-1) , and obtains public information D1 and a public key exponent e _D1 from the public information _D1.
A function f () for calculating is disclosed. Also, N
Is published as a public key.

The signature requesting device 200 includes the signature generating device 10
When public information D1 is input when requesting a signature for
The public key exponent e _{D1 is changed} to e _D1 by the published function f ().
= F (D1) to generate (step 2
1) In addition, a signature target M = g (m) is obtained by a hash operation using the one-way function g () with the document m as an input (step 22). Subsequently, random number R, signature object M, public key exponent part e _D1 , and N
With this, the blind signature target Z

[0029]

(Equation 16)

Then, the blind signature target Z is transmitted to the signature generation device 100 (step 24). Thereafter, the signature request device 200 waits for reception from the signature generation device 100.

The signature generation device 100 similarly transmits the public information D
The public key exponent part e _D1 is calculated by e _D1 = f (D1) by the function f () using 1 as an input and generated (step 3).
1), the secret key exponent d _D1 corresponding to the e _D1 d _D1 = 1
/ E _D1 mod λ is calculated and generated (step 32).
The signature requesting apparatus 200 sends the blind signature target Z
Is received (step 33), a signature (temporary signature) Q is given to the signature target Z.

[0032]

[Equation 17]

(Step 34), and the signature Q
Is returned to the signature requesting device 200 (step 35).

[0034] signing request device 200, the signature generating apparatus 10
When the signature Q is received from 0 (step 25), as the post-blind signature processing,

[0035]

(Equation 18)

By calculating S, the signature S is set as a signature by the signature generation device 100 based on the public information D1 for the document m (step 26).

The signature verification device 300 performs
The document m, the signature S, and the public information D1 are received from the signature request device 200 as verification data (step 41). In the signature verification device 300, the public information D1 is
The public key exponent part e _D1 is calculated from the number f () by e _D1 = f (D1).
(Step 42), and further, a document m is input.
Signature object M = g using one-way function g () as force
(M) is obtained by hash operation (step 43). Subsequently, by S and e _D1 and N,

[0038]

[Equation 19]

Is obtained (step 44), M is compared with M '(step 45), and if they are equal, it is assumed that the signature S is a viable signature based on the public information D1 of the document m.

Next, specific configurations and operations of the signature generation device 100, the signature request device 200, and the signature verification device 300 will be described.

FIG. 5 shows an example of the configuration of the signature generation device 100 and the signature request device 200 related to signature generation in the present embodiment. The signature generation device 100 includes a storage device 101, a public key exponent portion generator 102, a secret key exponent portion generator 103, and a power-residue arithmetic unit 104. The storage device 101 stores a product of two large prime numbers p and q. N (public key), (p-1) and (q
-1) and the date of today (signature generation date) as the public information D1.

In the signature generation device 100, the public information D1
Is input to the public key exponent generator 102 and the public key exponent e
_D1 is calculated by e _D1 = f (D1) and output. Then, the e _D1 and λ, N are converted to a secret key exponent generator 103.
And the secret key exponent d _D1 is _calculated as d _D1 = 1 / e _D1 mod
Obtained by λ, and holds the d _D1 in the storage device 101.

On the other hand, the signature request device 200
1. public key exponent generator 202, random number generator 203, hash calculator 204, blind signature preprocessor 205,
A storage device 20 including a blind signature post-processor 206;
1 holds a public key N, public information D1, and a document m to be signed.

First, the signature request device 200 transmits the public information D
1 is input to the public key exponent part generator 202,
The public key exponent e _D1 is calculated by e _D1 = f (D1) . Next, the random number generator 203 is driven to generate a random number R. Further, the document m is input to the hash calculator 204 to obtain the signature target M. After that, e _D1 , R, M, and N are input to the blind signature preprocessor 205 and

[0045]

(Equation 20)

The Z (blind signature target) and D1
To the signature generation device 100.

The signature generation device 100 confirms that the public information D1 is today's date. Thereafter, the secret key exponents d _D1 and N corresponding to D 1 are read from the storage device 101, and d _{D 1} , N and Z are converted to the power-residue calculator 104.
Enter

[0048]

(Equation 21)

And returns the Q (temporary signature) to the signature requesting device 200.

The signature requesting apparatus 200 inputs Q, R, and N to the blind signature post- processor 206 and S = Q / R m
od N is calculated, and this S is used as a signature of the signature generation device 100 based on the public information D1 for m,
Stored in 1.

FIG. 6 shows a configuration example of the signature request device 200 and the signature verification device 300 in the signature verification of this embodiment. At the time of verification, the signature request device 200 reads the document m, the signature S, the public key N, and the date D1 of the public information from the storage device 201 and sends them to the signature verification device 300.

The signature verification device 300 includes a storage device 301,
Date comparator 302, public key exponent generator 303, modular exponentiation operator 304, hash operator 305, comparator 30
6 is provided. Here, the public key N,
It is assumed that the number of valid days t and the date D2 are held.

In the signature verification device 300, the signature request device 2
When m, S, and D1 are received from 00, the date D2 of the signature verification date, the number of valid days t, and D1 are input to the date comparator 302 to verify whether D1 has expired. If the period has expired, NG is output and the operation is stopped. If not expired, D1 is input to the public key exponent part generator 303, and the public key exponent part e _D1 is calculated by e _D1 = f (D1) and output. At the same time, m is input to the hash calculator 305 to output the signature target M. Further, S, e _D1 , and N are input to the modular exponentiation unit 304 and

[0054]

(Equation 22)

Is calculated. The output M ′ of the modular exponentiation unit 304 and the output M of the hash calculation unit 305 are input to the comparator 306, and the signature S is correct based on the public information D1 of the document m only when the comparison result between the two matches. It outputs OK as a signature, and outputs NG if they do not match.

Here, in the above embodiment, as a condition for the existence of the secret key corresponding to the output e _D1 of the public key exponent part generator, e _D1 must be relatively prime to λ. To satisfy this condition, the output e _D1 of the public key exponent part generator
Is set to y bits, and p and q such that both (p-1) and (q-1) have only prime factors of x bits or more may be used. At the same time, the output e _D1 must always be odd.

Also, depending on the configuration of the public key exponent generator, the following forgery of the signature may be possible. For example, if the signature requester can obtain a set of D1, D2, and D3 that satisfies e _D1 = e _D2 · e _D3 mod λ, then d _D1 = d _D2
D _d3 mod λ holds. In order to forge a signature using this, first, a signature S2 with a date D2 for the document m is obtained. Next, a signature S3 with a date D3 for S2 is obtained with S2 as a signature target. here,

[0058]

(Equation 23)

Thus, S3 is equivalent to the signature S1 of the date D1, and it is forged.

In order to prevent such forgery, e _D1 must be _equal to e _Dj
It is necessary that the multiplication on mod λ cannot be expressed. However, since only the signature creator can know λ, e
_{If D1} cannot be represented by e _Dj multiplication, then
The same level of security as RSA can be secured based on the security based on the difficulty in obtaining λ.

In order to satisfy this condition, the output of the public key exponent generator should always be a fixed bit. Under such a configuration, e _D1 > e _Dj · e _Dk is a function of all i,
Since the condition holds for j and k, forgery can be prevented.

Considering the above conditions, (p-1),
In the case of using p and q such that (q-1) has only prime factors of x bits or more, the public key exponent part generator sets both the most significant bit MSB and the least significant bit LSB to 1 y
(X> y) It can be configured using a bit combiner that outputs bits. For example, if the input value D is (y-2) bits or more, as shown in FIG. 7, x> becomes (y-2) (y-
2) A hash calculator 401 having a bit output and MS
It is configured using a bit combiner 402 that outputs y bits and sets both B and LSB to 1. Alternatively, as shown in FIG. 8, a subtractor 403 for subtracting some reference value, for example, a date as a starting point from the input value, and setting both the MSB and LSB to 1 y
It is configured by using a bit combiner 404 for bit output.

[0063]

According to the present invention, since the signature generation device can issue a signature based on public information for classifying the signature, the signature verification device can use the public information included in the signature information. , The signature can be categorized. For example, when setting an expiration date for a signature, if the public information is the date and time of the expiration date, the created signature is based on the expiration date.
It is possible to classify expired signatures. Also,
By using dates for public information to classify signatures,
The signature request device can easily verify that the public information cannot be used for an individual specific use.

[Brief description of the drawings]

FIG. 1 is an overall block diagram of a system according to an embodiment of the present invention.

FIG. 2 is a flowchart showing a procedure of a signature requesting device .

FIG. 3 is a flowchart showing a procedure of the signature generation device .

FIG. 4 is a flowchart showing a procedure of the signature verification device .

FIG. 5 is a block diagram of a system for executing a signature generation operation according to one embodiment of the present invention.

FIG. 6 is a block diagram of a system that performs a signature verification operation according to an embodiment of the present invention.

FIG. 7 is a diagram showing a first configuration example of a public key exponent part generator.

FIG. 8 is a diagram showing a second configuration example of the public key exponent generator.

[Explanation of symbols]

REFERENCE SIGNS LIST 100 signature generation device 101 storage device 102 public key exponent part generator 103 secret key exponent part generator 104 exponentiation remainder arithmetic unit 200 signature request device 201 storage device 202 public key exponent part generator 203 random number generator 204 hash calculator 205 blind Signature preprocessor 206 blind signature postprocessor 300 signature verification device 301 storage device 302 date comparator 303 public key exponent generator 304 exponentiation operator 305 hash operator 306 comparator

────────────────────────────────────────────────── ─── Continued on the front page (56) References International Publication 95/4417 (WO, A1) Security with Identification: Transaction Systems to Make Big Observer, Communications Associates. 28, No. 10, p. 1030-1044 Information Security Technology and Services in Networks, The Institute of Television Engineers of Japan, December 20, 1995, Vol. 49, No. 12, p. 1567-1571 (58) Field surveyed (Int. Cl. ⁷ , DB name) H04L 9/32 G09C 1/00 640 JICST file (JOIS)

Claims (9)

(57) [Claims] 1. A signature generation device publishes a public key P, a signature request device disturbs a signature target M by a disturbance function based on the public key P, and sends the disturbed signature target Z to the signature generation device . signature generation apparatus, the generated using the private key d corresponding to the disturbed signed signature for target Z Q a public key P, and returns the signature Q thus generated to the signature request apparatus, the signature request apparatus, disturbance enter the signature Q removes disturbance components to function that returns, for signed M previous disturbance results
In the blind signing method using the signature S , the signature generation device publishes the public information D and publishes a function f for calculating a public key P from the public information D, and the signature request device publishes the published function f , the public key P is calculated from the public information D to generate the public key P, the signature target M is disturbed by using the generated public key P, and the disturbed signature target Z is sent to the signature generation device . The device calculates and generates a public key P from the public information D using the function f , generates a secret key d corresponding to the public key P, and sends the secret key d from the signature requesting device using the secret key d. And generating a signature Q for the signed signature target Z. 2. The restricted blind signature method according to claim 1.
In the law, when verifying a signature, the signature requesting device sends the signature S and the signature target M to the signature verifying device , and the signature verifying device uses the published function f to release the public information D.
The public key P generated by calculating from the signature sent signature S from the request device verifies that the signature for the signature target M, restricted blind signature, characterized by using the public key P Method. 3. The signature generation device comprises two large prime numbers p and q.
, The least common multiple λ of (p−1) and (q−1) , an integer e that is relatively prime to λ, and an integer d that satisfies the relationship of d = 1 / e mod λ. The signature requesting apparatus publishes the random number R, the signature target M, and the signature target Z disturbed from the public keys e and N as Found through, send the signing object Z to the signature generation device, signature generation device, to the signature target Z, Equation 2] The signature Q Found through, returns the signing Q to the signature request apparatus, the signature request apparatus, seeking S = Q / R mod N, in a blind signature method of the signature of the signature generating apparatus the S for signed M, The signature generation device publishes the public information D1, and
Function computes the public key exponent e _D1 from the information D1 f and ()
Public and the signature requesting device is made public with the public information D1 as input.
Calculate public key exponent part e _D1 = f (D1) by function f ()
And outputs the document m as an input and the one-way function g
Using (), the signature target M = g (m) is calculated and output ,
From the random number R, the signature target M, the public key exponent e _D1 and the value N, the disturbed signature target Z is expressed as , And sends the signature target Z to the signature generation device . The signature generation device receives the public information D1 as an input and performs a function f ().
To calculate and output the public key exponent part e _D1 = f (D1)
And calculates a secret key exponent part d _D1 = 1 / e _D1 mod λ.
The signature Q is given to the signature target Z sent from the signature requesting device as follows : And returns the signature Q to the signature requesting device . The signature requesting device obtains S = Q / R mod N, thereby obtaining the S and the signature S of the signature generation device based on the public information D1 for the document m. A restricted blind signature method. 4. In the restricted blind signature method according to claim 3, when verifying the signature , the signature requesting device transmits the signature S and the document m.
Public information D1 sent to the signature verification device and the signature verification device, was published a public information D1 as input
Calculate the public key exponent part e _D1 = f (D1) by f ()
Output, calculate the signature target M = g (m) using the one-way function g () with the document m as input, and output it . , And only if the M ′ is equal to the M, the signature S
Is verified as a correct signature based on the public information D1 of the document m. 5. The restricted blind signature method according to claim 3, wherein the public information D1 is a signature generation date. From a signing request device the contents of 6. document requiring a signature secret, the signature generation device to return the signature requesting device subjected to sign the signed from signing request apparatus
In the signature generation device, the product N (public) of two large prime numbers p and q
Public key) and the public information D1 and the public information.
Function computes the public key exponent e _D1 from the information D1 f and ()
Public, the signature request device sends the public key N, public information D1 and document m
Storage device for storing the public information D1 as an input
Public key exponent part e _D1 = f (D1) by the function f ( )
A public key exponent generator that calculates and outputs
A random number generator that generates and outputs
Calculate the signature target M = g (m) using the directional function g ()
Input the hash calculator to be output and e _D1 , R, M, N
And blind signature Z And sends Z and D1 to the signature generation device as a signature request.
Blind signature preprocessor to be attached and return from signature generation device
Enter the signature Q to be sent and R and N, and S = Q /
Calculate R mod N, and replace S with public information D for document m.
After a blind signature as a signature of the signature generation device based on No.1
And a signature generation device, the least common multiple of (p-1) and (q-1)
λ (secret information), public key N and public information D1
Storage device and the function f () with the public information D1 as input
Public key that calculates and outputs the public key exponent part e _D1 = f (D1)
Key exponent generator and secret using e _D1 and λ, N as inputs
The key exponent part d _D1 = 1 / e _D1 mod λ is calculated, and the d _D1 is recorded.
Secret key exponent generator to be stored in storage device and signature request device
Sends blind signature target Z and public information D1
And the secret key exponent d _D1 and the public key N corresponding to _D1 .
Read from the storage device , input d _D1 , N and Z, and sign
Name Q , And return the signature Q to the signature requesting device.
A restricted blind signature system , comprising a coprocessor . 7. The restricted blind signature system according to claim 6, wherein in addition to the signature generation device and the signature request device ,
A signature verification device, when verifying the signature, the signature request apparatus, the signature S, the document m, and sends the public information D1 to the signature verification device, signature verification device, a storage device for storing a public key N ,Release
Disclosure by function f () which is made public with information D1 as input
A public key finger that calculates and outputs a key exponent part e _D1 = f (D1)
Input a number generator and a document m to obtain a one-way function g ().
To calculate and output signature target M = g (m)
, And S, e _D1 , and N as inputs. Modular exponentiation unit for calculating and outputting
The output M of the arithmetic unit of the calculation result M 'and the hash calculator
And a comparator that outputs a positive signal that the signature S is a correct signature based on the public information D1 of the document m only when the two match. 8. The restricted blind signature system according to claim 6, wherein the public information D1 is a date of signature generation. 9. The restricted blind signature system according to claim 6, 7 or 8, wherein in the public key exponent part generator, both (p-1) and (q-1) have only prime factors of x bits or more. Using the prime numbers p and q, the most significant bit M of the output
SB, the least significant bit LSB is always 1, and the MSB,
The portion other than the LSB becomes a value corresponding to the input value [x>
y], and outputs a value of y bits.