JP3435472B2 - Security authentication method and system - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a confidentiality authentication method and system, and more particularly to a confidentiality authentication method and system used in protocols such as secret / signature exchange and electronic cash in a telecommunications system.

[0002]

2. Description of the Related Art Brickell et al. (“Gradual and Verifiable Release of a Secret,” P.
roc. of Crypto'87, LNCS, Springer Verlag, 1988) and Damgard (“Practical and Provably Secure Releas
e of a Secret and Exchange of Signatures, ”Proc.
of Eurocrypt'93, LNCS, Springer Verlag, 1994). In these papers, the range authentication method is used for secret / signature exchange.

On the other hand, Okamoto ("An Efficient Divisible C
ash Scheme, ”Proc. of Crypto'95, LNCS, Springer V
erlag, 1995) applies such a confidentiality authentication method to an electronic cash method.

[0004]

However, in any of the above-mentioned conventional confidentiality authentication methods, it is necessary to repeat the basic protocol having three exchanges a large number of times (for example, 40 times), and the communication amount and calculation There is a problem that the amount becomes huge.

The present invention has been made in view of the above points, and provides a confidentiality authentication method and system capable of realizing an efficient range authentication method that requires less communication and calculation than conventional methods. With the goal.

[0006]

FIG. 1 is a diagram for explaining the principle of the present invention. The present invention provides a confidentiality authentication method verification side apparatus authenticates the secret prover is the private information holder, prover prover side device is secret information s, a remainder operation f from R When I = f (s, R) is generated by using it, I is disclosed (registered) (step 1), and the prover side device sets the safety coefficient m and modulo remainder to N, , Two random numbers t ₁ and t related by the N
₂ and similarly, the random number u associated with the m and the N
₁ , u ₂ and four random numbers r _{i, j} (i = 1,2; j =
1, 2) is generated (step 2), and N is calculated from those random numbers.
Four values T _ij = f _N (t _i , u _j , r _{i, j} ) are generated using the remainder operation f _N modulo (step 3), and the generated values are used as the verifier side device < sent to br /> (step 4), the verifier side apparatus generates a random number e of m bits (step 5), and sends to the prover side device (step 6), the prover side apparatus, operation Using h, select one of y ₁ = h (s, e, t ₁ ), y ₂ = h (s, e, t ₂ ), whichever falls within a certain range defined by m and N. , Y _i (step 7), calculation h ′
By using z ₁ = h ′ (R, e, u ₁ ) z ₂ = H ′ (R, e, u ₂ ), one having a certain range defined by m and N is selected as z _j (step 8), (y _i ,
z _j , r _{i, j} ) is transmitted to the verifier side device (step 9), and the verifier side device uses v (y _i ,
If z _j , r _{i, j} , T _{i, j} , I, e, N) = 0 is satisfied, it is authenticated that the prover side device holds the secret information s, R (step 10). .

FIG. 2 is a block diagram showing the principle of the present invention. The present invention includes a testimony inventor side apparatus 1 00, consisting of the verifier side apparatus 200. authenticating the secret information of the prover side apparatus 100 a confidentiality authentication system, the prover side apparatus 100 includes a random number t _{The first} random number generating means 101 for generating ₁ , t ₂ , u ₁ , u ₂ , r _{i, j} and the remainder operation f from the secret information s, R
When I = f (s, R) is generated, the registration means 110 for registering the I and the safety coefficient are m and the modulus of the remainder operation is N, the m and the N are associated with each other. Two random numbers t ₁ , t ₂ and u ₁ , u ₂
And the remainder operation value T _{i, j} = f _N (t _i , u) from the four random numbers r _{i, j} (i = 1,2; j = 1,2) modulo _N modulo _{N. j} , r _{i, j} ), and a verifier side device 200
Y ₁ = h (s, e, t ₁ ), y based on a predetermined first operation h using the random number e received from T and t ₁ and t ₂ generated by the first random number generation means. _{2 = h (s, e,} t 2) at one of a first selection means 120 to y _i select the person who enters a predetermined range determined by the safety factor m and the remainder operation of law N, Using the random number e received from the verifier side device 200 and the random number u ₁ u ₂ generated by the first random number generation means 120, based on a predetermined second operation h ′, z ₁ = h ′ ( R , E, u ₁ ), z ₂ = h '( R , e, u
In either of the _two), and the second selection means 130 for the z _j to select the person to enter a predetermined range determined by the safety factor m and the remainder operation of law N, determined by the remainder calculation unit 130 residue The calculated value T _{i, j} and the first selection means 120,
Y _i , z _j acquired by the second selection means 130, the first
Random random number r _i generated by the generating means _101, and transmits to the verifier apparatus 200 the _j as the verification information, and a first transmitting and receiving means 140 for receiving information from the verifier side apparatus 200, the verifier side apparatus 200 includes a second random number generating means 201 for generating a random number e, transmits a random number e which is generated by the second random number generation unit 201 to the prover side apparatus, the witness inventor side device Second transmitting / receiving means 210 for receiving the information of the verification information, the verification information y _i , z _j , r _{i, j} received from the prover side device 100, and the remainder calculating means 103.
The remainder calculation value T _{i, j} obtained by the above, I registered by the registration means 110, the modulus N of the remainder calculation, and the random number e generated by the second random number generation means 201 are converted into a predetermined verification expression v.
Using, v Check satisfies _{(y i, z j, r} i, j, T i, j, I, e, N) and, if satisfied, the prover side apparatus 100 is secret information It has an authentication means 220 for authenticating that it holds s and R.

Conventionally, in the basic three-time exchange protocol, the verifier only sends one bit to the prover, and therefore it is necessary to repeatedly execute the protocol in order to enhance security. However, in the present invention, the verifier can send m bits (for example, m = 50) to the prover in three basic exchanges, and sufficient security can be guaranteed without repeated execution. Therefore, it is not necessary to repeatedly execute the basic protocol. As a result, the processing amount and the communication amount can be overwhelmingly reduced.

[0009]

FIG. 3 shows the system configuration of the present invention. The system shown in the figure shows the case where the prover side device 100 and the verifier side device 200 are connected via a communication line 300 or the like. FIG. 4 shows the configurations of the prover side device and the verifier side device of the present invention. In the figure, the certifier side device 1
00 is a random number generator 101, a subtractor 102, a remainder calculator 103, a multiplier 104, an adder 105, and a comparator 106.
It is composed of The verifier side device 200 includes the random number generator 2
01, remainder calculator 203, and comparator 204.

The random number generator 101 generates a random number t ₁ ε [0,2
^m N), u ₁ ∈ [0, 2 ^m N, r _{i, j} ∈ [0, N) (i
Ε {1,2}) is generated. However, m is a safety factor,
N is a multiplication method (N = pq) (where p and q are prime numbers). The subtractor 102 subtracts 2 ^m N from the random number t ₁ generated by the random number generator 101 to obtain t _2, and the random number t ₂
2 ^m N is subtracted from this to obtain u ₂ .

The residue calculator 103 is a random number generator 101,
Using the result subtracted by the subtractor 102, f _N (t _i , u _j , r _{i, j} ) = T _{i, j} = g ^ti G _a ^uj G _b
Residue calculation is performed using ^{ri, j} mod N. However, g ∈ [1, N), G _a ∈
[1, N), G _b ∈ [1, N) (also [1, N) is
Shall mean a set of integers greater than or equal to 1 and less than N).

The multiplier 104 uses the secret information s, R and the random number e transmitted from the verifier side device 200 to calculate s * e.
And R * e are calculated and transferred to the adder 105. The adder 105 obtains the multiplication results se and R acquired by the multiplier 104.
The following calculation is performed for i = 1, 2, j = 1, 2 using e.

Compute h (s, e, t _i ) = y _i = t _i + se, h (R, e, t _i ) = z _i = u _i + Re, The comparator 106 includes y ₁ , y ₂ , z ₁ , z ₂
Among them, those satisfying the following conditions are selected, and these are set as y _i and z _j, and are transferred to the verifier device 200 together with r _{i, j} .

Y _i ε [0,2 ^m N) z _j ε [0,2 ^m N) The verifier side device 200 is composed of a random number generator 201, a remainder calculator 203, and a comparator 204.

The random number generator 201 generates a random number e ∈ [0,
2 ^m ) is generated and sent to the prover side device 100. The remainder calculator 203 performs the following calculation. _{^{g yi G a zj G b ri}} , j ≡T i, j I e (mod N) where, I is a f generated by the remainder operation by the prover side apparatus 100 (s, R) (I = f ( s, R)) has been published.

The comparison unit 204 determines whether the prover side device 100 holds s and R using a predetermined verification expression v.

[0017]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 5 shows the configuration of a confidentiality authentication system according to an embodiment of the present invention. In the figure, the same components as those in FIGS. 2 and 4 are designated by the same reference numerals, and the description thereof will be omitted.

The prover side device 100 includes a random number generator 10
1, subtractor 102, remainder calculator 103, multiplier 104,
The adder 105, the comparator 106, the transmitting / receiving unit 140, and the data holding unit 150 are included. The transceiver 140 is
The verification information T generated by the remainder calculator for registering the public information I in the verifier side device 200 in the verifier side device 200
_The result y compared by the comparator 106, which transmits _{i, j
i} , z _j is transmitted, or the random number e is received from the verifier side device 200.

The data holding unit 150 holds public information N, g, G _a , G _b , m in addition to the secret information s, R. The verifier side device 200 includes a verification unit 220 having a random number generator 201, a remainder calculator 203, and a comparator 204, a transmission / reception unit 210, a result output unit 230, and a data holding unit 24.
It consists of zero.

The transmitting / receiving unit 210 receives the public information and the verification information T _{i, j} , y _i , z _j from the prover side device 100, and also transmits the random number e to the prover side device 100. The result output unit 230 outputs the result verified by the verification unit 220. The data holding unit 240 holds publicly available information.

The public information held in the data holding units 150 and 240 is as follows. m: safety factor N: modulo remainder calculation (= pq: where p and q are prime numbers) gε [1, N) G _a ε [1, N) G _b ε [1, N) where [x, y) means a set of integers of x or more and less than y.

FIG. 6 is a sequence chart showing the operation of the confidentiality authentication method of an embodiment of the present invention. As a premise of the processing described below, it is assumed that the above-described public information has been published in the system.

Step 101) Prover apparatus 100
Generates a public key I from the data holding unit 150 by the following remainder calculation and publishes I. f (s, R) = I = g ^s G _a ^R mod N For the above remainder calculation, etc., see Ikeno, Koyama, "Modern Cryptographic Theory," Institute of Electronics, Information and Communication Engineers, etc.

Step 102) Prover apparatus 100
Uses the random number generator 101 to generate a random number t ₁ ∈ [0, 2 ^m
N), u ₁ ∈ [0, 2 ^m N), r _{i, j} ∈ [0, N) (i
Ε {1,2}, jε {1,2}) to generate a subtractor 1
02, the remainder calculator 103 is used to perform the following calculations.

T ₂ = t ₁ −2 ^m N, u ₂ = u ₁ −2 ^m N, f _N (t _i , u _j , r _{i, j} ) = T _{i, j} = g ^ti G _a ^uj G
_b ^{ri, j} mod N Step 103) Transmission / reception unit 14 of the prover side apparatus 100
0 is the result T output from the remainder calculator 103.
₁ , ₁ , T _1,2 , T _2,1 and T _2,2 are transmitted to the verifier side device 200 in a random order.

Step 104) The random number generator 201 of the verifier side device 200 generates a random number eε [0,2 ^m ) and transmits it to the prover side device 100 via the transmitting / receiving section 210. Step 105) The prover apparatus 100 has i = 1,
For 2, j = 1, 2, the multiplier 104 and the adder 105 are used to calculate h and h ′.

H (s, e, t _i ) = y _i = t _i + se, h ′ (R, e, u _j ) = z _j = u _j + Re y ₁ , y ₂ , z ₁ obtained above , Z ₂ , a comparator 104 is used to select one satisfying y _i ε [0,2 ^m N) z _i ε [0,2 ^m N). Let the selected one be y _i , z
_{Let j} .

Step 106) The transmission / reception unit 140 sends the selected y _i , z _j and the random number r _{i, j} to the verifier side device 2
To 00. In addition, the four T _1,1 , T _1,2 , and T transmitted in random order in step 103 described above.
Also transmitted is information indicating which number of _2,1 , T _2,2 corresponds to T _{i, j} .

Step 107) Verifier device 200
Uses the remainder calculator 202 and the comparator 204 based on the information received from the prover side device 100 to determine whether or not the following verification formula is satisfied. _{^{g yi G a zj G b ri}} , j ≡T i, j I e (mod N) the verifier side apparatus 200 satisfies the above equation, that is, if passed, prover holds secret information s, R Certify that

[0030] Incidentally, in the verification _{process, v (y i, z j} , r i, j, T i, j I, e, N) = g yi G a zj G b ri, j -T i, j I You may confirm using the verification formula of ^e (mod N) = 0.

The present invention is not limited to the above embodiment, but various modifications and applications are possible within the scope of the claims.

[0032]

For example, in the conventional method of Damgrd et al., In the basic three times of exchange, since the respective calculation amounts of the prover and the verifier need to perform the modular exponentiation operation at least twice, If the number of times is 40,
It is necessary to perform the modular exponentiation operation at least 40 times.

As described above, according to the confidentiality authentication method and system of the present invention, both the prover and the verifier are
The power-residue calculation is performed about twice. Therefore, it is several tens of times faster than the conventional method, and at the same time, the communication amount is several tens of times.

[Brief description of drawings]

FIG. 1 is a diagram for explaining the principle of the present invention.

FIG. 2 is a principle configuration diagram of the present invention.

FIG. 3 is a system configuration diagram of the present invention.

FIG. 4 is a configuration diagram of a prover side device and a verifier side device of the present invention.

FIG. 5 is a configuration diagram of a confidentiality authentication system according to an embodiment of the present invention.

FIG. 6 is a sequence chart showing the operation of the confidentiality authentication method according to the embodiment of the present invention.

[Explanation of symbols]

100 authentication means, authenticator side device 101 First Random Number Generating Means, Random Number Generator 102 Subtractor 103 remainder computing means, remainder computing unit 104 multiplier 105 adder 106 comparator 110 registration method 120 First selection means 130 Second selection means 140 First transmission / reception means, transmission / reception unit 150 data storage 200 Verification means, verifier device 201 random number generator 203 Residue calculator 204 comparator 210 Transmitter / receiver 220 Authentication means, authentication unit 230 Result output part 240 data storage

─────────────────────────────────────────────────── ─── Continuation of the front page (56) References Practical and Pro-Valy Secure Release of a Secret and Exchange of Signatures, Lecture Notes in Computer, Sc. 765, p. 200-217 Gradual and Verifiable Release of a Secret, Right Notes in Computer Science, Vol. 293, p. 156-166 (58) Fields investigated (Int.Cl. ⁷ , DB name) H04L 9/32 JISST file (JOIS)

Claims (2)

(57) [Claims] 1. A secret holding authentication method in which a verifier side device authenticates secret information of a prover who is a secret information holder, wherein the prover side device of the prover calculates a remainder operation f from certain secret information s, R. Is used to generate I = f (s, R), I is disclosed (registered), and the certifier side device sets the safety factor m and the modulus of the remainder to N, two random numbers t _1, t ₂ and which are related by N, likewise, the m, a random number u ₁ that is associated with the N, u _2, and four random numbers r _i, j _(i = 1,2 ;
j = 1, 2) is generated, and four values T _ij = f _N (t _i , u _j , r _{i, j} ) are generated from the random number by using a remainder operation f _N modulo _N , It transmits the generated value to the verifier device, the verifier side apparatus, the prover side random number e of m bits
To the device , and the prover device , using the operation h, _one of y ₁ = h (s, e, t ₁ ) and y ₂ = h (s, e, t ₂ ) Select one that falls within a certain range defined by m and the above N, set it as y _i, and use the operation h ′: z ₁ = h ′ (R, e, u ₁ ) z ₂ = H ′ (R, e, u ₂ ), one having a certain range defined by the m and the N is selected as z _j, and (y _i , z _j ,
Send r _{i, j)} to the verifier device, the verifier side apparatus uses the verification equation v, v (y _i, z
_j , r _{i, j} , T _{i, j} , I, e, N) = 0, the certifier side device authenticates that it holds the secret information s, R. Confidentiality authentication method. 2. A proof side apparatus, a confidentiality authentication system comprising a verifier device for authenticating the secret information of the prover side apparatus, the prover side apparatus, the random number t _1, t ₂ , U ₁ , u ₂ , r _{i, j,} and a random number generation means for generating secret value s, R using f to generate I = f (s, R). And a safety coefficient m and a modulus modulo N, the two random numbers t ₁ and t ₂ associated with the m and the N, and
u ₁ , u ₂ and four random numbers r _{i, j} (i = 1,2; j =
1) to remainder calculation means for generating a remainder calculation value T _{i, j} = f _N (t _i , u _j , r _{i, j} ) by using a remainder calculation f _N modulo _N , and the verification Y ₁ = h (s, e, t) based on a predetermined first calculation h using the random number e received from the user side device and t ₁ and t ₂ generated by the first random number generating means. ₁ ), y ₂ = h (s, e, t ₂ ), the first selection to be y _i by selecting the one within a certain range determined by the safety factor m and the modulus N of the remainder calculation And a random number e received from the verifier side device and the random numbers u ₁ and u ₂ generated by the first random number generating means, based on a predetermined second operation h ′, z ₁ = h '(R, e, u 1), z 2 = h' (R, e, u
₂ ) In any one of ₂ ), the one that falls within a certain range determined by the safety factor m and the modulus N of the remainder calculation is selected and z _j
A second selection means for a remainder calculation value T _i obtained by the residue calculating _{means, j} and the first selecting means, said second obtained by the selection means y _i, z _j, the first 1 random random number r _i generated by the generation _means, and transmits to the verifier device _j as the verification information, and a first receiving means for receiving information from the verifier side apparatus, wherein verifier side apparatus, a second random number generating means for generating a random number e, transmits the random number e which is generated by the second random number generating means to said prover side apparatus, whether the prover side apparatus second transmitting / receiving means for receiving the information, and the verification information y _i , z received from the prover side device.
_j , r _{i, j} , the remainder operation value T _{i, j} obtained by the remainder operation means, I registered by the registration means, the modulus N of the remainder operation, and the second random number generation means. It is confirmed whether the random number e satisfies v (y _i , z _j , r _{i, j} , T _{i, j} , I, e, N) by using a predetermined verification formula v , and if it satisfies, For example, the certifier side
Confidentiality authentication system characterized by the device having the authentication means for authenticating that holds the secret information s, R.