JP3385519B2 - Validity authentication method and system - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a legitimacy authentication method and system, and more particularly to an authentication method such as a digital signature for detecting the presence or absence of falsification of document information, or a user authentication for confirming a communication partner. The present invention relates to an efficient legitimacy authentication method and system that can reduce the processing amount of signatures at the sender while guaranteeing security, and at the same time reduce the redundancy of communication text.

[0002]

2. Description of the Related Art As a typical example of an authentication method, an RSA cryptosystem (Rivest. RL et al. "A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems ",
Communications of the ACM, Vol. 21, No.2, pp.120-1
26, (1978)). The RSA cryptosystem is as follows.

The user device A uses the signature key (d, N) and the inspection key (e, N) as N = P × Q e × d≡1 (mod L) (where P and Q are prime numbers, L = LCM {(P-1),
(Q-1)}) so that the inspection key (e,
N) is made public, and the signature key (d, N) is secretly managed.

Here, LCM {a, b} is an integer a and b
Represents the least common multiple of P and Q are two large prime numbers different from each other. Further, a≡b (mod L) represents that a−b is a multiple of L. The RSA cryptosystem is a cryptosystem whose security is based on the fact that it is difficult to decompose the prime factor of N when N is large, and the d component of the secret signature key from the public inspection key (e, N) Is difficult to ask for.

The signature verification apparatus B manages the inspection key (e, N) of the user apparatus in combination with the personal identification information (ID) as an inspection key file. If the signature function D and the check function E are defined by D (P) = P ^d (mod N) E (C) = C ^e (mod N), E (D ( It can be seen that P)) = P. "A (mod N)" means a is N
Represents the remainder when divided by.

The authentication method using the RSA cryptosystem is as follows. The signature generation apparatus A applies the secret signature function D to f (m) generated from the document information m using the one-way function f, and outputs the signature sentence C with C = D (f (m)). A combination (ID, m, C) of the generated personal identification information ID, the document information m, and the signature text C is transmitted to the authentication device B as a signed communication text.

The signature verification apparatus B searches the inspection key file with the ID as a key to obtain the inspection function E, obtains the decrypted text with E (C) from the C component of the signed communication text, and obtains it from the document information m. It is checked whether or not it matches the one-way function f (m). E
If (C) = f (m) holds, only the true user A has the signature function D, so the sender is the real A, and (ID, m, C) is tampered with. Determine that not.

Here, a function f is a one-way function.
Although the calculation of (x) is easy, it is a function that makes it difficult to obtain x from f (x). The function f is a high-speed conventional encryption device, for example, DES encryption (Data Encryption Standard,
Federal Information Processing Standards Publicatio
n 46, (1977)). If high-speed components are used, the calculation time of the one-way function f can be almost ignored.

By the way, the integer N used in the RSA encryption is usually about 200 decimal digits (500 bits), and the d component of the signature key is also about 500 bits. Here, even if the fast exponential calculation method is used to calculate the signature function D, it is 200
There is a problem that the multiplication of an integer of digits (however, including the remainder calculation by the modulus N) is required 768 times on average, and the signature generation device A has a large amount of processing for generating a signature text (the fast exponential calculation method, for example, Ikeno, Koyama “Modern Cryptography”, IEICE, pp.16-17, (1986)).

Increasing signature processing in signature generators
The method of Fiat-Shamir is proposed as a method to solve the problem of
Proposed (Fiat, A. and Shamir, A: "How to Prove
 Yourself: Practical Solutions to Identification a
nd Signature Problems ". Proceedings of Crypto 86,
Santa Barbara, August 1986, pp.18-1-18-7). Fiat _-S
The authentication method of hamir is as follows. Here, de
The digital signature will be described.

A reliable center generates k pieces of secret information s _j (1 ≦ j ≦ k) for a user device that uses an ID as personal identification information (k is a parameter that determines security). And a value of 1 or more). Step 1) Calculate v _j = f (ID, j) (1 ≦ j ≦ k) using the one-way function f.

Step 2) For v _j , take the reciprocal of (mod N) and use the prime factors P and Q of N (mod N).
Square root at

[0013]

[Equation 1]

Calculate That is, s _j ² = 1 / v _j (mo
d N). Step 3) Secretly issue k pieces of secret information s _j to the user device, and disclose the composite number N. The calculation method of the reciprocal number in "(mod N)" is shown in, for example, Ikeno, Koyama "Modern Cryptographic Theory", IEICE, pp.17-18 (1986). , N can be performed only when the prime factors (P and Q) are known, which can be performed by, for example, Rabin, Mo: "Digitalized Signatures.
and Public-Key Functions as Intractable as Factor
ization ", Technical Report. MIT / LCS / TR-212 MIT Lab
Atories of Computer. Science. (1979). A concrete configuration example of the square root calculation device is shown in the public key cryptosystem (Japanese Patent Laid-Open No. 63-26137).

The signature generation apparatus A proves to the signature verification apparatus B that the document information m is authentic by the following procedure. Step 10) The signature generating apparatus A generates a random number r _i , and calculates x _i = r _i ² (mod N) (1 ≦ i ≦ t) (t is a parameter that determines security and is a value of 1 or more). ).

Step 11) The signature generation device A is 0, 1
The bit string e _ij (1 ≦ i ≦ t, 1 ≦ j ≦ k) is calculated using the one-way function f as (e _ij , ..., e _tk ) = f (m, x ₁ , ..., x _t ). To do.

Step 12) The signature device A causes the signature text y _i
(1 ≦ i ≦ t)

[0018]

[Equation 2]

Generated by {ID, m, e ₁₁ , ...,
e _tk , y _i , ..., Y _t } is sent to the signature verification apparatus B. Step 13) The signature verification apparatus B determines that v _j = f (ID,
j) Calculate (1 ≦ j ≦ k).

Step 14) The signature verification device B

[0021]

[Equation 3]

Calculate Step 15) The signature verification apparatus B uses (e_1i  ,,, e
_tk  ) = F (m, z ₁,…, Z_t) Holds
inspect.

From the method of creating the signature component y _i

[0024]

[Equation 4]

Therefore, if the above inspection is passed,
The signature verification device B recognizes that the document information m is transmitted from the signature generation device A. At this time, the bit string (e ₁₁
, ..., e _tk ) and y ₁ , ..., y _t , and then x ₁ ,
…, X _t is calculated, and (e ₁₁ , ..., e _tk ) = f (m, x ₁ , ..., x _t ) holds, {ID, m, e ₁₁ , ..., e _tk , y
_1, ..., when signing y _t}, it will be successful in forgery. However, the check formula (e ₁₁ , ..., E _tk ) = f
Since the probability that (m, x ₁ , ..., X _t ) holds is 1/2 ^kt , the amount of calculation required for forging a signature is considered to be proportional to 2 ^kt . Hereinafter, the calculation amount required for forgery is called a safety factor. Here, k is the number of secret information (s _j ) that the user device secretly manages, and t defines the data amount of the communication message.

According to the Fiat-Shamir method, the signature generation processing at the sender is t (k + 2) / 2 times on average (however, the remainder calculation in the modulus N is included). In particular,
In the above-mentioned Fiat and Shamir documents, it is recommended to select k = 18 and t = 4 in the case of digital signature, so the number of multiplications of the Fiat-Shamir signature method is 40 times,
It can be seen that the processing amount can be significantly reduced compared to the signature method using RSA encryption (40/768 = 0.05,
This can be achieved with a throughput of about 5%).

[0027]

However, the above-mentioned conventional authentication method using the RSA encryption has a problem that the redundancy of the communication text is small and the amount of information secretly managed is small, but the processing amount at the sender is large. is there.

On the other hand, in the method of Fiat and Shamir, the redundant bit number of the communication text is 500 × t + k × t bits.
In order to secure the safety, it is necessary to select k and t of a certain size, so that the redundancy becomes large. Further, the sender secretly manages k pieces of information, which is k times as large as that of the RSA encryption. As described above, although the amount of processing at the sender is small, in order to obtain a sufficiently large safety factor, there is a problem that the redundancy of the communication text is large and the amount of information secretly managed is large.

The present invention has been made in view of the above points, and is a document in which the amount of processing at the sender is small, the redundancy of communication text is small, and the amount of information secretly managed by the sender can be reduced. The purpose is to provide a method and system for authenticating information and users.

[0030]

FIG. 1 is a diagram for explaining the first principle of the present invention. According to the present invention, when a user device operates as a signature generation device, a signature verification device analyzes the content of signature information transmitted by the user device together with the document information and confirms the validity of the document information. In the method of authenticating the authenticity of document information, as the initial information setting process at the time of system construction, the center device generates a prime number (P, Q) and keeps it secretly (step 1), and the prime number (P, Q).
Product N (= P × Q) and k (k ≧ 2) integers {L ₁ ,
, L _k } is made public (step 2), and when the user who uses the ID as an identifier joins the system, the center device k secret information {S ₁ , ..., S related to the ID.
Let _k } be an integer {L ₁ , ..., L _k } and a secret prime (P, Q)
Is calculated and transmitted to the user device of the user (step 3), and the user device performs signature generation processing as
The random number R is changed to L
_{(L = L 1 × ... ×} L k) th power live a more common value X to
Form (Step 4), using a one-way function f to the common value X and the document information m to be signed and calculate the E = f (m, X) (Step 5), the random number R and {L ₁ , ..., L _k }
From R _i = R ^{L / Li} (mod N) (1 ≦ i ≦ k) to obtain R _i , and further secret information {S ₁ , ..., S
_k } and the R _i and E, Y _i = R _i × S _i ^E (mod N) (1 ≦ i ≦ _k ) to calculate (Y ₁ , ..., Y _k ), and the signed document information {ID , M, E, (Y ₁ , ..., Y _k ) are transmitted to the signature verification device (steps 6 and 7) , and the signature verification device performs 1 ≦ i ≦
For any i satisfying k, all the values obtained by the remainder operation modulo N from ID, Y _i and E are matched (step 8), and when the matched value is set to Z, E = f When (m, Z) is satisfied, the validity of the document information transmitted by the user device is confirmed (step 9).

FIG. 2 is a diagram for explaining the second principle of the present invention. The present invention, when the user device operates as a device to be verified, is used by the verification device for analyzing the content transmitted from the user device to the verification device to confirm the validity of the user device. in validity authentication method's apparatus, as initial information setting process at the time of system construction, the center device generates a prime number (P, Q) and kept secret (step 21), the prime number (P, Q) The product N (= P × Q) and k
The number (k ≧ 2) of integers {L ₁ , ..., L _k } is made public (step 22), and when the user who uses the ID as an identifier joins the system, the center device has k secrets related to the ID. Information {S ₁ , ..., S _k } is converted into an integer {L ₁ , ..., L
_k } and the secret prime number (P, Q) are used for calculation and transmitted to the user device of the user (step 23), and the user device generates a random number R as the process to be authenticated, The random number R is changed to L (= L ₁
X ... × L _k ) to calculate the common value X used by the verification device for verification (step 24), and sends it to the verification device (step 25). The verification device generates a random number E,
It is transmitted to the user device (step 26), and the user device
Random number R and _{{L 1, ..., L k} } from seeking R _i by ^{_{R i = R L / Li (}} mod N) (1 ≦ i ≦ k), the secret information _{{S 1, ..., S k} } and From the random number R _i and the random number E, Y _i = R _i × S _i ^E (mod N) (1 ≦ i ≦ _k ) is calculated (Y ₁ , ..., Y _k ) (step 27),
It is sent to the verification device (step 28), and the verification device performs 1 ≦
For any i that satisfies i ≦ k, ID, Y _i and E
Are all common values obtained by the remainder operation modulo N
If it matches X, the legitimacy of the user device is confirmed (step 29).

FIG. 3 is a block diagram showing the principle of the present invention. The document information correctness authentication system of the present invention generates a prime number (P, Q) and keeps it secretly in the initial information setting at the time of system construction, and the product N (= P × Q) of prime numbers (P, Q). ) And k (k ≧ 2) integers {L ₁ , ..., L _k } are disclosed, and when a user who uses an ID as an identifier joins the system, k secret information related to the ID. {S
_1, ..., a S _k},該整number {L _1, ..., L _k} and secret prime number P, a center apparatus 100 includes means for transmitting to the user device calculates and with Q, a random number R The random number R is generated and the random number R is L (= L ₁ × ... × L) under a modulo modulo N.
to generate more common value X to _k) th power to be, subjected to one-way function to the document information m and the common value X to calculate the E = f (m, X) , R and {L _1, ..., L _k} from the ^{_{R i = R L / Li (}} mod N) (1 ≦ i ≦ k) obtains the R _i, secret information obtained from the center device {S _1, ..., from S _k}, Y _i = R _i * S _i ^E (mod N) (1 ≦ i ≦ k) to calculate (Y ₁ , ..., Y _k ), and the signed communication message (ID, m, E, Y ₁ , ..., Y _k ). In all i satisfying 1 ≦ i ≦ k, the values generated by the remainder operation modulo N from ID, Y _i, and E are the same, and the values are the same. , Where E = f (m, Z), the validity of the signed communication message (ID, m, E, Y ₁ , ..., Y _k ) transmitted by the signature generation device is confirmed. Signature verification device It has a 300, a.

In the present invention, the user device (200 or 3) is used.
00) is a legitimacy authentication system of a user device when it operates as a device to be verified, and in the initial information setting at the time of system construction, a prime number (P, Q) is generated and kept secretly, and a prime number (P , Q) product N (= P × Q) and k (k ≧
2) means for disclosing the integers {L ₁ , ..., L _k }, and when a user who uses an ID as an identifier joins the system, k pieces of secret information {S ₁ , ...,
Let S _k } be the integer {L ₁ , ..., L _k } and the secret prime P,
A center device 100 having means for calculating using Q and transmitting it to a user device, and a random number R are generated, and the random number R is L (= L ₁ × ... ×) under a remainder operation modulo N. L _k ) to calculate a common value X used for verification and transmit the calculation result, and R _i = R ^{L / Li} (mod N) from the random number R and {L ₁ , ..., L _k }. R _i is obtained from (1 ≦ i ≦ k) and Y _i = R _i × S _i ^E (mod N) (1 ≦ i ≦) from the secret information {S ₁ , ..., S _k } and the random numbers R _i and E. k) calculates (Y ₁ , ..., Y _k ) and transmits the user device 200 having a means for transmitting the random number E,
The means for transmitting the random number E to the user apparatus and the value obtained by the remainder operation modulo N from ID, Y _i and E are all common values X in any i satisfying 1 ≦ i ≦ k. When they match, a means for verifying that the user device is valid,
The verification device 300 includes

Since the Fiat-Shamir method is based on the quadratic operation, there is a trade-off between the amount of confidential information and the amount of transfer information when security is kept constant. On the other hand, in the present invention,
Multiple (k) types of L-th (low-order) exponentiation operations (for example,
When L = L ₁ and L ₂ ) with k = 2, the common X is calculated using L = L ₁ × ... × L _k at the time of signature generation, and E = f (m, X) is obtained, and the signature component {Y _1, ... _, Y _k } is generated with Y _i , and {ID, m, E, Y
_{Let 1,} ... _, Y _k } be a signed message.

[0035] In the present invention, how to make Y _i is, Y _i since ^{_{Li × v i E ≡X (mod}} N), the conventional check equation, in addition to E = f (m, X) , each of Y _1, It is checked whether each value calculated from Y _k matches X. Conventional Fiat-S
In the hamir method, the safety coefficient is determined by the number of bits of (e ₁ , ..., E _k ), but the present invention adds a new common value X to the inspection condition, so the common value X If the number of bits is 6, the safety coefficient can be increased up to 2b. Normally, the common value X is 512 bits, so k =
2, security can be sufficiently ensured even if t = 1, and the amount of confidential information and the amount of transfer information can be reduced at the same time.

[0036]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below. FIG. 4 shows the system configuration of the present invention. The system shown in the figure includes a center 100 and a plurality of stations 200, 30.
0 and a secure communication path 400. In addition, the plurality of stations 200 and 300 are connected to the insecure communication channel 50.
Assume that they are connected via 0.

Initially, an initial information setting process will be described as a process of the center when the system is constructed. Figure 5
Shows the structure of the center of the present invention. The center 100 includes a prime number generator 110 that generates prime numbers P and Q, a multiplier 120 that multiplies prime numbers P and Q, a one-way function calculator 130 that generates secret information S _j, and an inverse number calculator 140. And an L-th root calculation device 150. The specific configuration of the L-th root calculation device 150 is shown in the public key cryptosystem (Japanese Patent Laid-Open No. 63-26137).

First, an initial information setting process will be described as a process of the center when the system is constructed. [Initial Information Setting Process] FIG. 6 is a flowchart of the initial information setting process at the time of system construction on the center side of the present invention.

Step 101) The center 100 uses the prime number generator 110 to generate two prime numbers P and Q and keep them secretly, and the multiplier 120 calculates N = (P × Q). Step 102) Generate a random number in a random number generator (not shown) and select _k integers {L ₁ , ..., L _k }. However, 2 ≦ k. Considering safety here,
For the prime numbers P and Q, recommended values are 70 to 100 decimal digits, respectively.

Step 103) Next, the center 100
For the station 200 that uses the ID as the station identification information in the following procedure, the one-way function calculator 130 and the reciprocal calculator 140
And L root calculation device 150, S _j = (1 / v _j ) ^{1 / Lj} (mod N) (where v _j = f (ID, j) (1 ≦ j ≦ k) is satisfied. The secret information S _j that satisfies is generated.

[Processing of the center when joining a station] FIG. 7
FIG. 7 is a flowchart of a process of the present invention at the time of joining a station on the center side. Step 201) Using the one-way function calculator 130 for the ID requested by the station, v _j = f (ID, j) is calculated and passed to the reciprocal calculator 140.

Step 202) The reciprocal calculator 140 calculates 1 / v _j (mod N) and transfers it to the L-th root calculating device 150. Step 203) The L-th root calculating device 150 uses the composite number N
The secret information S _j satisfying S _j ^Lj ≡1 / v _j (mod N) is output using the prime factors P and Q of.

Step 204) The secret information {S ₁ , ..., S _k } and the public information N, {L ₁ are sent to each station via the secure communication path 400 (the secret of the secret information S is not leaked). , ..., L _k } are delivered. For example, when a station joins the network, it may be stored in an ID card or the like and handed over.

Next, the digital signature by which the station 200 proves to the station 300 the authentication of its own document information will be described. Hereinafter, the station 200 will be referred to as a signature generation apparatus , and the station 300 will be referred to as a signature verification apparatus . The configuration of the station 200 of the signature generation apparatus is shown in FIG. 8, and the configuration of the station 300 of the signature verification apparatus is shown in FIG.

The signature generator station 200 (hereinafter referred to as the signature generation device).
Is a random number generator 210 that generates a random number R,
Public information N, {L₁, ..., L_k} To perform exponentiation
Joint power calculator 22 for finding common value X for verification
0, using the one-way function f for the common value X and the document information m
One-way function calculator 2 for calculating E = f (m, X)
30 and the random number R generated by the random number generator 210
Open information N, {L₁, ..., L _k} Performs the exponentiation operation, and R
_iPower calculator 240 for obtaining
The value E obtained by the calculator 230 and the joint power calculation 240
R_iUsing Y_iJoint decision to obtain (1 ≤ i ≤ k)
Power calculator 250, document information m, values E, Y _iBy
Named document information {ID, m, E, (Y₁,…, Y_i)}
A transmitting unit 260 that synthesizes and transmits to the signature verification apparatus 300.
It is composed of

The signature verifier's station 300 (hereinafter referred to as a signature verification device) receives the signed document information {I from the signature generation device 200.
D, m, E, (Y ₁ , ..., Y _i )} and i (1 ≦ i ≦ k)
By using unidirectional function calculator 310 for calculating v _i = f (ID, i), and v _i and public information N, {L obtained by unidirectional function calculator 310
_1, ..., using a _{L k}, Z i = Y} i Li × v i E Joint power calculator 320 for calculating a (mod N), Z _1, ..., checks whether Z _k matches all matches If the checker 330 and the match checker 330 match, it is determined whether E and W match the one-way function calculator 340 that obtains W = f (m, Z) from the value Z and the document information m. It is composed of a coincidence checker 350 for checking.

The following is shown in FIGS. 8, 9 and 10 above.
Based on the communication sequence chart for digital signature
The digital signature will be described below. First, signer
Of the document information when the generating device 200 transmits the document information m
The authentication method will be described. The signature generation device 200 is
E created by applying the directionality function to the document information m and the common value X
= F (m, X) and secret information acquired from the center 100
{S ₁,…, S_k} From the signed message (ID, m,
E, Y₁,…, Y_k) Is generated. Signature verifier 300
Is a message (ID, m, E, Y₁,…, Y_k) And public
Information (N {L₁, ..., L_k}_,ID) using the message
Check that satisfies the check expression.

[Signature Creation Processing] FIG. 11 is a flow chart for explaining the signature creation processing of the present invention. Step 301) The signature generator 200 uses the random number generator 2
10 is used to generate a random number R, and public information {L ₁ ,
, L _k }, N, and the common power calculator 220 are input to calculate the common value X by X = ^RL (mod N). Here, it is assumed that L = L ₁ × ... × L _k .

Step 302) Next, using the one-way function calculator 230, E = f (m, X) is obtained. Step 303) Calculate R _i = R ^{L / Li} (mod N) from the random number R inherited from the random number generator 210 and the public information {L ₁ , ..., L _k }, N using the congruential exponentiation unit 240. (However, 1 ≦ i ≦ k). Here, L / L _i = L ₁ × ... × L _(i-1) × L _{(i + 1)} × ... × L _k .

Step 304) Joint power calculator 24
Y _i = R _i × S _i ^E (mod N) is calculated from R _i inherited from 0, E obtained above, secret information S _i, and public information N using a congruential exponentiation calculator 250 (however, 1 ≦ i ≦ k).

(Step 305) The transmitting section 260 sends E,
An ID is added to (Y _i , ..., Y _k ), and the signature information {ID, m, E, (Y _i , ..., Y _k )} of the document information m is transmitted to the signature verification apparatus 300. [Signature Verification Processing] FIG. 12 is a flowchart for explaining the operation of signature authentication of the present invention.

Step 401) Signature verification device 300
Is {ID, m, E, (Y_i,…, Y _k)} Is received
And input the ID to the one-way function calculator 310, v_i= F (ID, i) Is calculated (where 1 ≦ i ≦ k).

Step 402) Received (Y _i , ...,
Y _k) and public information _{{L 1, ..., L k} }, inputs the N congruent power calculator 320 calculates the Z _i in ^{_{Z i = Y i Li × v}} i E (mod N) ( where 1 ≦ i ≦ k).

Step 403) The coincidence checker 330 is used to check that Z ₁ = ... = Z _k holds. That is, it is determined whether all the values Z match. (Step 404) In step 403, if there is a mismatch value and it is not established, "fail" is output and the operation is stopped.

Step 405) If true, the one-way function calculator 340 is used to calculate W by W = f (m, Z). (Step 406) The match searcher 350 inputs E and W to the match checker 350 and checks that they match. The coincidence checker 350 outputs “pass” if the two values are the same and outputs “fail” if they are different.

Finally, the procedure for ending the document information authentication process will be described. From how to make a ^{_{Y i, Y i Li × v}} i E ≡X
(Mod N) holds (1 ≦ i ≦ k). Numerical examples are shown below. Let k = 2 and L ₁ = 3, L ₂ = 3, L ₂ = 5.
At this time, L = 15.

Y ₁ = R ^{L / L 1} × S ₁ ^E = R ^L2 × S ₁ ^E = R ⁵ × S ₁ ^E (mod N) Y ₂ = R ^{L / L} ₂ × S ₂ ^E = R ^L2 × S ₂ ^E = R ⁵ × S ₂ ^E (mod N). Where S ₁ ^L1 From ≡S ₁ ³ = 1 / v ₁ (mod N) S ₁ ³ × v ₁ ≡1 (mod N) S ₂ ^L1 Since ≡S ₂ ⁵ = 1 / v ₂ (mod N), S ₂ ⁵ × v ₂ ≡1 (mod N) is satisfied, so that Y ₁ ^L1 × v ₁ ^E ≡R ^5.3 × (S ₁ ^{3 E} × v ₁ ^{E ) ≡ (R 5) 3 ≡X} (mod N) Y 2 L2 × v 2 E ≡R 3.5 × (S 2 5 E × v 2 E) ≡ (R 3) 5 ≡X (mod N) is established.

[User Authentication] In the user authentication for confirming the communication partner, the verification apparatus transmits E created by E = f (m, X) in the above processing. The calculation method of the X component and the Y component is the same as the document information authentication procedure. Figure 1
3 is a sequence chart in user authentication of the present invention.

Step 501) A prime number generator 110 generates a prime number (P, Q) and keeps it secretly, and a multiplier 120 calculates a product N (= P × Q) of the prime numbers (P, Q). . Step 502) k (k ≧ 2) integers {L ₁ , ...,
Select L _k }.

Step 503) The center 100 uses the one-way function calculator 130, the reciprocal calculator 140, L when the user who uses the ID as an identifier joins the system.
Using the root calculation unit 150, k pieces of secret information {S ₁ , ..., S _k } regarding the ID are calculated using {L ₁ , ..., L _k } and secret prime numbers P and Q, Hand it over to the user device 200.

Step 504) When the user device 200 operates as a device to be authenticated, as a verification process, a random number generator 210 and congruent exponentiation calculators 220, 240, 25
0, using the one-way function calculator 230, the common value (X) used by the verification device 300 in the inspection from the random number (R), and the random number R to L (= L ₁ ×… ×
It is calculated by multiplying it by L _k ), and is transmitted from the transmission unit 260 to the verification device 300.

Step 505) The verification device 300 transmits a random number (E) to the device under verification 200. Step 506) The device under verification 200 sends the secret information {S
₁ , ..., S _k } and random numbers R and E are calculated (Y _1, ... _, Y _k ) and transmitted to the verification device 300.

Step 507) The verification device 300 receives the public information (N, {L ₁ , ..., L _k ) and E transmitted to the device to be verified 200, and received from the signature device (Y ₁ , ..., Y _k ).
For any i satisfying 1 ≦ i ≦ k, ID, Y
_When the value obtained from _i and E matches X, the correctness of the device to be verified is confirmed.

[0064]

EXAMPLES Below, a comparison is made between the case where the present invention is applied and the case where the conventional RSA encryption method and the Fiat-Shamir method are used with respect to the processing amount and the redundancy of the message in the signature creation. The results will be described.

1. Since the calculation and addition of the signature creator's processing amount one-way function is faster than the multiplication, the signature creator's processing amount is compared using the number of multiplications (including the remainder calculation by the modulus N).・ Method using RSA encryption: (3log ₂ N) / 2 times ・ Fiat-Shamir method: t (k + 2) / 2 times ・ Invention: (3 kb + 1) times (however, b = log ₂ L _i
Therefore, in the present invention, the processing speed is 40 times or more that of the method using the RSA encryption, and twice or more that of the Fiat-Shamir method.

2. Redundancy of communication text The communication text in the method using RSA encryption is {ID, m,
D (f (m))}, and the communication message in the Fiat-Shamir method is {ID, m, (e _ij ), y ₁ , ..., Y _t }.

Here, the number of bits of D (f (m)) is equal to the number of bits of N, the number of bits of (e _ij ) is (k × t) bits, and the number of bits of y ₁ , ..., Y _t . Is equal to N bits. Further, E is b bits, and the number of bits of Y _i is equal to the number of bits of N (however, b = log ₂ L _i ).

Comparing the number of bits of the signed communication text when N is 512 bits, a method using RSA encryption: 512 + m number of bits-Fiat-Shamir method: 512t + kt + m number of bits-Invention: 512k + b + m number of bits (K = 2
b = 3 is selectable). As a result, the method using RSA encryption <the present invention <Fiat-Shamir method is obtained. Therefore, the redundancy of the communication message of the present invention is Fiat-Sha
It can be seen that it is improved compared to the case where t ≧ 2 by the mir method.

3. Secret Information Amount in Sender In the method using RSA encryption, the secret information amount managed by the sender is about N bits (512 bits).
On the other hand, the amount of secret information in the Fiat-Shamir method and the present invention is k ×
It is about (the number of bits of N) (that is, 512 × k bits). However, in the present invention, k = 2 can be selected, but Fiat-Shami
Since k = 18 is recommended in the r method, the present invention can significantly reduce the amount of confidential information in the user.

4. Security grounds Public information (N, L _i , ID) to secret information (P, Q, S
_i ) can not be calculated because it is difficult to factorize it,
And the fact that the low-order power root (L _i root) can be guaranteed because it is difficult and the signature verifier cannot obtain the secret information of the signature creator. It can be guaranteed by satisfying zero knowledge and non-transferability, which are the research results.

Regarding zero knowledge and non-transferability, for example, Feige, U., Fiat, A. and Shamir, A .: "Zero Kno
wledge Proofs of Identity ", Proceedings of the 19t
h Annual ACM Symposium on Theory of Computing, pp.
See 210-217 (1987).

[0072]

As described above, according to the present invention, in addition to the conventional method, signature components Y ₁ , ..., Y _k are generated and {I
When D, m, E, Y ₁ , ..., Y _k } is a signed communication message, the fact that each value calculated from (Y ₁ , ..., Y _k ) at the time of verification is also added to the inspection condition. If the number of bits of the value X for this verification is set to 6, the safety coefficient can be increased to 2b. Normally, since X is 512 bits, the security can be sufficiently guaranteed even if k = 2 and t = 1, the processing amount in the sender is small, the redundancy of the communication text is small, and the sender manages it secretly. It is possible to reduce the amount of information.

[Brief description of drawings]

FIG. 1 is a diagram for explaining a first principle of the present invention.

FIG. 2 is a diagram for explaining the second principle of the present invention.

FIG. 3 is a principle configuration diagram of the present invention.

FIG. 4 is a system configuration diagram of the present invention.

FIG. 5 is a configuration diagram of a center of the present invention.

FIG. 6 is a flowchart of an initial information setting process at the time of system construction on the center side of the present invention.

FIG. 7 is a flowchart of a process at the time of joining the center side of the present invention.

FIG. 8 is a configuration diagram of a signature generation device of the present invention.

FIG. 9 is a block diagram of a signature verification device of the present invention.

FIG. 10 is a diagram showing an example of a communication sequence in the digital signature of the present invention.

FIG. 11 is a flowchart for explaining the signature creation processing of the present invention.

FIG. 12 is a flowchart for explaining the operation of signature authentication of the present invention.

FIG. 13 is a sequence chart in user verification of the present invention.

[Explanation of symbols]

100 centers 110 prime number generator 120 multiplier 130 One-way function calculator 140 Inverse calculator 150 L root calculation device 200 Signature generation device 210 random number generator 220 Joint power calculator 230 One-way function calculator 240,250 Joint power calculator 300 signature verification device 310,340 One-way function calculator 320 Joint power calculator 330,350 coincidence tester

─────────────────────────────────────────────────── ─── Continuation of front page (72) Inventor Hiroki Ueda 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo Nihon Telegraph and Telephone Corporation (56) References Japanese Patent Laid-Open No. 8-146874 (JP, A) Kai 63-101987 (JP, A) JP 1-209834 (JP, A) JP 1-133092 (JP, A) (58) Fields investigated (Int.Cl. ⁷ , DB name) H04L 9 / 32 G09C 1/00 640 JISST file (JOIS)

Claims (4)

(57) [Claims] 1. When the user device operates as a signature generation device, the signature verification device analyzes the content of the signature information transmitted by the user device together with the document information, and confirms the validity of the document information. In the method of authenticating the authenticity of document information, the center device generates a prime number (P, Q) and keeps it secretly as an initial information setting process at the time of system construction, and a product N of the prime numbers (P, Q). (= P × Q) and k (k ≧
2) The integer {L ₁ , ..., L _k } of 2) is disclosed, and when the user who uses the ID as an identifier joins the system, the center device k secret information {S ₁ , , S _k } is calculated using the integers {L ₁ , ..., L _k } and the secret prime number (P, Q), and is transmitted to the user device of the user, and the user device is , As the signature generation process, random numbers R to N
The random number R is set to L (L = L ₁ ×
Generates ... × L _k) th power more common value X to Get E = f (m, X) using a one-way function f and document information m to be signed to the common value X and, wherein said random number _{R {L 1, ..., L} k} seek R _i from the ^{_{R i = R L / Li (}} mod N) (1 ≦ i ≦ k), further, the secret information {S _1, … 、
S _k } and the R _i and E are used to calculate (Y ₁ , ..., Y _k ) by Y _i = R _i × S _i ^E (mod N) (1 ≦ i ≦ k), and the signed document information { ID, m, E, (Y ₁ , ..., Y _k ) is transmitted to the signature verification device, and the signature verification device outputs ID, Y _i and E from any i satisfying 1 ≦ i ≦ k. When all values obtained by the modulo N modulo match and the matching value is Z, and E = f (m, Z) is satisfied, the legitimacy of the document information transmitted by the user device is confirmed. A legitimacy authentication method for document information, which is characterized by confirming the validity. 2. When the user device operates as a device to be verified, the verification device analyzes the content transmitted from the user device to the verification device to confirm the validity of the user device. in validity authentication method of the user device, as initial information setting process at the time of system construction, the center device, prime number (P, Q) and kept secret to generate the product N of the prime (P, Q) (= P × Q) and k (k ≧
2) The integers {L ₁ , ..., L _k } of 2) are disclosed, and when the user who uses the ID as an identifier joins the system, the center device k secret information {S ₁ , ..., L about the ID. S _k } is calculated using the integers {L ₁ , ..., L _k } and the secret prime number (P, Q), and is transmitted to the user device of the user, and the user device is As the authentication process, the verification device verifies by generating a random number R and multiplying the random number R by L (= L ₁ × ... × L _k ) under a remainder operation modulo N from the random number R. The common value X to be used is calculated and transmitted to the verification device, the verification device generates a random number E and transmits it to the user device, and the user device receives the random number R and {L ₁ , ... from L _k}, seek R _i by ^{_{R i = R L / Li (}} mod N) (1 ≦ i ≦ k), the secret information {S _1, ..., and S _k} Serial from the random number R _i and the random number E by _{Y i = R i × S i} E (mod N) (1 ≦ i ≦ k) (Y 1, ..., Y k) to calculate and send to the verification device, In any of i satisfying 1 ≦ i ≦ k, when the values obtained by the remainder calculation modulo ID, Y _i and E to N all match the common value X, the verification device is used by the user. A legitimacy authentication method for a user device characterized by confirming the legitimacy of the device. 3. In the initial information setting at the time of system construction, a prime number (P, Q) is generated and kept secretly, and a product N (= P × Q) of the prime numbers (P, Q) and k pieces (k). ≧ 2) a means for disclosing integers {L ₁ , ..., L _k }, and when a user who uses an ID as an identifier joins the system, k pieces of secret information {S ₁ , ..., S _k } is calculated by using the integers {L ₁ , ..., L _k } and secret prime numbers P and Q, and a center device having means for transmitting to the user device is generated. the random number R under the remainder operation modulo _{L (= L 1 × ... ×} L k) th power more common value X to
Is generated , the one-way function is applied to the document information m and the common value X to calculate E = f (m, X), and R _i = R ^{L /} from R and {L ₁ , ..., L _k }. R _i is obtained from ^Li (mod N) (1 ≦ i ≦ k) and Y _i = R _i × S _i ^E (mod N) from the secret information {S ₁ , ..., S _k } acquired from the center device. ) (1 ≦ i ≦ k) by (Y _1, ..., by calculating the Y _k), signed communication text (ID, m, E, Y 1, ..., a signature generation device for generating a Y _k), For any i satisfying 1 ≦ i ≦ k, ID, Y _i
, And when all the values obtained by the modulo modulo E to N match, and the matching value is set to Z, if E = f (m, Z) An authentication system, comprising: a signature verification device that verifies the validity of a signed communication message (ID, m, E, Y ₁ , ..., Y _k ). 4. A validity authentication system for a user device when the user device operates as a device to be verified, wherein a prime number (P,
Q) is generated and kept secret, and the product N (= P × Q) of the prime numbers (P, Q) and k (k ≧ 2) integers {L ₁ , ..., L
a means for disclosing _k }, and when a user who uses an ID as an identifier joins the system, k for that ID
The secret information {S ₁ , ..., S _k } is set to the integer {L ₁ ,
, L _k } and a secret prime number P, Q, and a center device having means for transmitting to the user device, and a random number R, which is generated by a remainder operation modulo N. A means for calculating a common value X used for verification by multiplying R by L (= L ₁ × ... × L _k ) and transmitting the calculation result, and the random number R and {L ₁ , ..., L _k } to R R _i is obtained from _i = ^{RL / Li} (mod N) (1≤i≤k), and Y _i = R _i × S from the secret information {S ₁ , ..., S _k } and the random number R _i and E. means for calculating and transmitting (Y ₁ , ..., Y _k ) by _i ^E (mod N) (1 ≦ i ≦ k),
And a means for generating a random number E and transmitting the random number E to the user device, at any i satisfying 1 ≦ i ≦ k,
ID, Y _i and means for verifying that the user device is valid when all the values obtained by the remainder operation modulo N from E match the common value X. A user device legitimacy authentication system characterized by the following.