JP3668138B2 - Signed ciphertext conversion method, verification method thereof, and apparatus thereof - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a cipher communication method for confirming the identity of a sender in a telecommunication system and concealing transmission contents, in particular a method for converting a signed ciphertext into a ciphertext that can be verified by any third party, and It relates to the device.
[0002]
[Prior art]
There is a method in which an arbitrary digital signature method and a public key encryption method are combined as a method in which a sender and a receiver communicate securely via a communication network that may be wiretapped, tampered with, or impersonated.
Sender U_SSigning key and signature verification key of x and y, respectively, and recipient U_RLet e and d be the encryption key and decryption key, respectively. y and e are public and the sender U_S, Recipient U_RShall hold these.
[0003]
  The plaintext to send is m, E is the encryption function, and E_e(m) represents a ciphertext obtained by encrypting the message m with the encryption key e, D is a decryption function corresponding to the encryption function E, and D_d(c) represents a plaintext obtained by decrypting the ciphertext c with the decryption key d. That is, m = D_d(E_e(m)) holds. Let S be the signature function and S_x(m) represents the signature with the signature key x for the message m and verifies VfunctionAnd V_y(a, m) represents the result of verifying the signature-message pair (a, m) with the signature verification key y. The verification result is either 1 or 0 and a = S_x(m) and only when_yAssume that (a, m) = 1.
[0004]
When sending plaintext m, sender U_SFirst, plaintext m is encrypted with encryption key e and ciphertext C = E_e(m) is obtained. Next, the signature a = S for the ciphertext C_x(C) is created using the signature key x. The sent message Σ is Σ = (C, a) and the sender U_SWill send Σ to recipient U_RSend to.
Recipient U_RReceives the ciphertext C and the signature a, and first uses the signature verification key y to_yIt is verified that (a, C) is 1. If not 1, the received C and a are regarded as invalid data and discarded. If the verification result is 1, using the decryption key d, m = D_d(C) is calculated and plaintext m is obtained.
[0005]
  A specific method will be described for the case where the Schnorr signature and the El Gamal encryption are used for the signature and the encryption method, respectively. p_s, Q_sIs a large prime number,q _s But (p _s -1)Shall be divisible. g_sZ_ps ^*(Z_ps ^*Is the group of integers 1, 2, ..., ps)_sOf the original. p_r, q_r, g_rIs defined in the same way (subscript p is p_sRepresents the same). H₁(・), H₂(・) Is a one-way hash function, and the binary operator A‖B is a p that represents the combined value of A and B._s, q_s, g_s, p_r, q_r, g_r Will be published.
  Sender U_SZ sign the Schnorr signature key x_qs(Z_qsIs a group of integers 0,1,2, ..., qs-1), and the signature verification key y is y = g_s ^xmod p_sThis y is made public through the calculation of. Recipient U_RUses the decryption key d of ElGamal encryption as Z_qrChoose at random from the encryption key e = g_r ^dmod p_r And e is published.
[0006]
Ciphertext C by ElGamal cipher is C = (G, M) = (g_r ^umod p_r, E_K ^s (m)), and the Schnorr signature a for this C is a = (c, z) = (H₁(g_s ^v‖C), v-cxmod q_s). Where u and v are Z_qrAnd Z_qsRandomly chosen from E, E^sIs an encryption function of a symmetric key encryption such as DES, and K is K = H₂(e^wmod p_r).
The recipient is c = H₁(g_s ^xy^cmod p_sConfirm that (C) holds, then K = H₂(G^dmod p_r), m = D_K ^s Calculate (M) to obtain plaintext m. Where D^sIs E^sIs a decryption function of a symmetric key encryption corresponding to.
[0007]
According to the above prior art, due to the nature of the digital signature, V_yOnly the sender holding the signature key x corresponding to the verification key y can create the signature a with (a, C) = 1, and therefore the receiver can authenticate the creator of C. it can. Also, the creator of C cannot deny the fact of the signature.
[0008]
[Problems to be solved by the invention]
According to the above conventional method, a third party other than the sender and the receiver cannot confirm what kind of message m the signature is. Even if the recipient discloses m to a third-party verifier, the verifier cannot confirm whether m is correctly decrypted from C. For example, if the sender claims to have sent the correct one, but a third party cannot verify that it is correct. Similarly, if the receiver claims the received text is illegal The third party cannot verify whether the claim is correct.
[0009]
The present invention provides a method for converting a signature that can be verified only by a specific verifier created by a signed encryption method into a normal digital signature that can be verified by any third party, its verification method, and these An object is to provide an apparatus.
[0010]
[Means for Solving the Problems]
According to the present invention, the session key K for decrypting the transmitted ciphertext C or the key information W corresponding thereto is disclosed, and a non-interactive zero knowledge proof that proves that K is a correct session key is transmitted. These are used as a signature for the document m obtained by decrypting the ciphertext C with the key K.
When the receiver terminal performs the above conversion, a non-interactive zero knowledge proof that certifies that the session key K is in a correct relationship with the decryption key corresponding to the encryption key of the receiver terminal is attached to the ciphertext C.
[0011]
  When the sender terminal performs the above conversion, a non-interactive zero knowledge proof that proves that the session key K is in a correct relationship with the random number used for encryption by the sender terminal is attached to the ciphertext C.
  The verifier terminal verifies that the non-interaction zero knowledge proof is correct and that the signature on the transmitted ciphertext is correct.
  The non-interactive zero knowledge proof allows the receiver or sender to convince any third party that the public session key is the correct session key for the transmitted signed ciphertext. Since an arbitrary third party verifier terminal can obtain the plaintext m using the session key, it can verify that the assigned signature is for the document m as required.
DETAILED DESCRIPTION OF THE INVENTION
Embodiment 1
  E^sIs a secret key cryptography function and E_K ^s (m) represents a ciphertext obtained by encrypting plaintext m with the key K. Similarly, D_sE_sA secret key decryption function corresponding to_K ^s (C) represents a plaintext obtained by decrypting the ciphertext C with the key K. For example, as the functions E and D, an encryption function and a decryption function in the CBC mode and OFB mode of block cipher such as Triple-DES and IDEA may be used. Alternatively, when the message m is short, the functions E and D may be K and m, K and C, respectively, or a group operation with mod p.
[0012]
  H₁(・), H₂(·) Is a one-way hash function, and the binary operator a‖b represents a value obtained by combining a and b. For example, SHA-1 may be used as the hash function.
  p_s, Q_sIs a large prime number,q _s But (p _s -1)Shall be divisible. g_sZ_ps ^*Order q in_sOf the original. p_r, q_r, g_rIs defined similarly.
  In the first embodiment, as shown in FIG. 1, the signed ciphertext received by the receiver terminal 300 from the sender terminal 100 via the public communication network 200 is converted into a normal digital signature that can be verified by a third party. In this case, the data is transmitted to the third-party verifier terminal 400 via the public communication network 200 so that the verifier terminal 400 can verify and decrypt the signature.
[0013]
  In the sender terminal 100, the signature key x of the Schnorr signature is set to Z_qsRandomly select from the signature verification key y = g_s ^x mod p_sAnd y is disclosed. The recipient terminal 300 uses the decryption key d of ElGamal encryption as Z_qrSelect at random from the encryption key e = g_r ^dmod p_rAnd e is published.
  Ciphertext C by ElGamal cipher is C = (G, M) = (g_r ^umod p_r, E_K ^s (m)) and the Schnorr signature a for this C is a = (c, z) = (H₁(g_s ^v‖C), v-cx mod q_s). Where u and v are Z_qrAnd Z_qsRandomly chosen from K, K is K = H₂(e^wmod p_r). The sender terminal 100 generates the ciphertext C and the signature, and transmits the transmission text (C, a) to the receiver terminal 300.
[0014]
The receiver terminal 300 receives c = H for the received sentence (C, a).₁(g_s ^xy^cmod p_sConfirm that (C) holds, then W = G^d mod p_r, K = H₂(W), m = D_K ^sCalculate (M) to obtain plaintext m.
A method of converting the ciphertext Σ = (C, a) with a signature based on the ElGamal cipher and the Schnorr signature into a signature that can be verified by any third party in the receiver terminal 300 and a method for verifying the signature will be described.
FIG. 2 shows only a part of the receiver terminal 300 necessary for this signature conversion. In this part, G in the ciphertext with signature Σ = (C, a), C = (G, M) to be converted and the decrypted plaintext m are input. Random number generator 305 to Z_qrA random number u belonging to, and the random number u, the G in the ciphertext C = (G, M) to be converted, and the p from the memory 302_rAre input to the power-residue calculator 306 and G^umod p_rAnd u and g from memory 302_r, p_rTo the power residue calculator 307 and enter g_r ^u mod p_rAnd G and d, p from the memory 302 are calculated._rIs input to the power residue calculator 308 and W = G^d mod p_rAnd the calculation results of the power-residue calculators 306, 307, and 308, and G and the decrypted plaintext m are input to the hash unit 309, and i = H_Three(G‖W‖G^umod p_r‖G_r ^umod p_rCalculate ‖m). The calculation result i, the random number u, and q from the memory 302_r, d to the remainder multiplier / subtractor 311 and j = u-idmod q_rCalculate The ciphertext Σ with signature to be converted and the calculated W, i, and j are transmitted from the transmitter 312 to the verifier terminal 400 as a transmitted text (Σ, W, i, j).
[0015]
Since verifier terminal 400 is a terminal of an arbitrary third party, W is made public, and one-way hash function H₁Since (・) is open to the public, third parties are K = H₁The session key K can be obtained by calculating (W). That is, it is substantially the same as the session key K being released. Therefore, W is written as public key information. (W, i, j) is a non-interactive zero knowledge proof that proves that K is the correct session key K.
Each unit in FIG. 2 is processed by the control unit 313 sequentially or in parallel.
[0016]
The verifier terminal 400 receives the converted signed text (Σ, W, i, j) transmitted from the receiver terminal 300 by the receiver 401, and inputs the received W to the hash unit 402. K = H₂(W) is calculated and the session key K is output, and the received K and the received M are input to the decryptor 403._K ^sCalculate (M) and output plaintext m. Received a = (C, z) and g from memory 404_s, p_s, y is input to the power-residue calculator 405, and V = g_s ^zy^cmod p_sAnd V is output, and the received C and the received C = (M, G) are input to the hash unit 406 and c = H₁(V‖C) is calculated, and the comparator 407 checks whether c of the calculation result matches c in the received a.
[0017]
Furthermore, i, j received and g from memory 404_r, p_r, e are input to the power-residue calculator 408 and g_r ^jeⁱmod p_rAnd G of received C = (G, W), W, a = (C, z), p from the memory 404_rTo the power-residue calculator 409 and G^jWⁱmod p_rCalculate The received G and W, the output m of the decoder 403, and the outputs of the power-residue calculators 408 and 409 are input to the hash unit 411 and H_Three(G‖W‖G^jWⁱmod p_r‖G_r ^jeⁱmod p_r‖M) is calculated, and this calculation result is compared with the received i by the comparator 412 to check whether or not they match. If the comparison results of the comparators 407 and 412 match, the signature is correct, and the output m of the decoder 403 can be recognized as a correct plain text. If any of the comparisons by the comparators 407 and 412 does not match, the signature on the received ciphertext C can be made illegal.
[0018]
In other words, in the comparator 412, H_ThreeComparing the variable to be calculated in (·) with the same variable in the formula of i, the former G^jWⁱmod p_rAnd the latter G^umod p_rAre equal and the former g_r ^jeⁱmod p_rAnd the latter g_r ^umod p_rIf they are equal, the comparator 412 determines that both inputs match. G^jWⁱmod p_r ・ J = u-idmod q_rAnd W = G^dmod p_rSubstituting G^(u-id)G^idmod p_r= G^umod p_rAnd also g_r ^jeⁱmod p_rJ = u-idmod q_rAnd e = g_r ^d mod p_rSubstituting g_r ^u mod p_rIt becomes. Therefore, if the comparators 412 match, the one having the decryption key d is (W, i, j) created without revealing the decryption key d.
[0019]
This means that the non-interactive zero knowledge proof (W, i, j) in the received sentence is the relational log_gre = log_GW, e = g_r ^dmod p_r And W = G^dmod p_rTherefore, it is proved that both sides of the logarithmic relational expression are d, and if this verification expression is satisfied, W (= G^d mod p_r) But G and decryption key d = log_grIt is guaranteed that it is correctly created from e. For details on this non-interactive zero knowledge proof, see, for example, D.L.Chaan & T.R.Polersen. “Wallet Database with observers” pp.89-105, CRYPTO '92, LNCS740, Springer-Verlag, 1993. Only a legitimate recipient who knows the secret decryption key d can create (W, i, j) that satisfies the above-described verification expression for a signature a.
[0020]
Each unit in FIG. 3 is processed by the control unit 413 sequentially or in parallel.
Embodiment 2.
A method of converting the signed ciphertext Σ with the ElGamal cipher and the Schnorr signature described in the first embodiment into a signed ciphertext that can be verified by any third party at the sender terminal 100 and a signature verification method thereof will be described.
FIG. 4 shows only a part for converting the signed ciphertext Σ = (C, a), C = (G, M) in the sender terminal 100. The random number w used to encrypt the ciphertext C from the memory 102, the encryption key e, and p_rIs input to the power-residue calculator 103, and W = e^wmod p_rAnd W is output. Z by random number generator 104_qrA random number v belonging to, and v and g from the memory 102_r, p_rIs input to the power-residue calculator 105 and g_r ^vmod p_rAnd output v and memory 102 e, p_r Is input to the power-residue calculator 106 and e^vmod p_rIs calculated and output.
[0021]
The power residue calculator 103 output V is input to the hash unit 107, and K = H₂(W) is calculated to generate a session key K, and the K and M in the ciphertext C are input to the decryptor 108 and the decryption function m = D_k ^sCalculate (M) and output the decrypted plaintext m.
The G in the ciphertext C, the plaintext m from the decryptor 108, and the calculation results of the power-residue computing units 103, 105, 106 are input to the hash unit 109.
i = H3 (G‖W‖g_r ^vmod p_r‖E^vmod p_r‖M) (1)
And i is output. This i, random number v, w, q from memory 102_rAnd input to the remainder multiplier / subtractor 111
j = v-iwmod q_r                                             (2)
And output j. Signed ciphertext Σ = (C, a) to be converted, output i of hash unit 109, output j of power multiplier / subtractor 111, output W of power residue arithmetic unit 103, and converted ciphertext with signature ( (Σ, W, i, j) is transmitted from the transmitter 112 to the verifier terminal 400.
[0022]
Here, (W, i, j) is a non-interaction zero knowledge proof that proves that the session key K for decrypting C is correct. Each part in FIG. To be processed.
Next, signature verification processing at the verifier terminal 400 will be described with reference to FIG. The parts corresponding to those in FIG. 3 in FIG. 5 are assigned the same reference numerals, and K = H is obtained by the hash unit 402 using W in (Σ, W, i, j) received by the receiver 401.₂ The session key is obtained by calculating (W), and the uppercase letter M in the ciphertext C is obtained by the key K by the decryptor 403 and m = D_K ^sDecoded as (M). The received signature a = (c, z) is calculated by the exponentiation remainder calculator 405 with V = g_s ^zy^cmod p_s
Is calculated, and then H₁(V‖C) is calculated and this H₁The comparator 407 verifies whether (V‖C) matches c in the received a. These are the same as the example shown in FIG.
[0023]
In this embodiment, the received i, j, G and pr, gr from the memory 404 are input to the power residue calculator 421.
g_r ^jGⁱmod p_r                                                (3)
Is calculated and also received j, W and e, p from memory 404_rIs entered,
e^jWⁱmod p_r                                                 (Four)
Is calculated. The received G and W, the decrypted plaintext m, and the calculation results of the power-residue computing units 421 and 422 are input to the hash unit 423.
H_Three(G‖W‖g_r ^jGⁱmod p_r‖E^jWⁱmod p_r‖M) (5)
Is calculated, and the comparator 424 verifies whether or not the calculation result matches the received i.
[0024]
Formula (3) into Formula (2) and G = g_r ^wSubstituting_r ^vmod p_rSimilarly, Equation (4) is replaced by Equation (2) and W = e^wSubstituting^vmod p_r It becomes. That is, if these relationships hold, the calculation result of Equation (5) becomes equal to the calculation result of Equation (1).
This means that the non-dialog zero knowledge proof (W, i, j)_gG = log_eIf this verification formula is satisfied, it is guaranteed that the base W for creating the decryption key is correctly created from g and the random number w. Only a legitimate sender who knows W can create (W, i, j) that satisfies the above-described verification formula in this way for a certain sent message Σ.
[0025]
  If any one of the comparators 407 and 424 does not match, the signature is invalid, and if both match, the signature is correct.
Embodiment 3
  In the present invention, parameters p, q, and g constituting a part of a public key are made common to a signature and encryption, and a random number used for signature generation and a random number used for ciphertext generation are made common, so that calculation time and transmission text This is a case where the length is reduced and signature verification by a third party is enabled.
  First, a presumed cryptographic communication method with a signature will be described.
Let p, q be large prime numbers,q But (p-1)Is a divisible object. g to Z_p ^*Is an element of the order q at. H₁(・), H₂(·) Is a one-way hash function, and the binary operator A‖B represents a value obtained by combining A and B. p, q, g and hash function are disclosed as system common parameters.
[0026]
The sender terminal 100 sets the signature key x to Z_qRandomly select from the signature verification key y = y^xCalculate mod p and publish y. Recipient terminal 300 sets decryption key d to Z_qChoose at random from the encryption key e = g^dCalculate mod p and publish e.
When transmitting the plain text m, the sender terminal 100 creates a transmission text Σ by the following means. First, the random number w is Z_qSelect a random session key from K = H₁(e^wmod p) and plaintext m is E^sC = E_K ^sEncrypt (m) to obtain ciphertext C. Then V = g^wmod p, b = H₂(V‖C), a = w-bxmod q is calculated sequentially to obtain signatures a and b. The transmitted sentence Σ is Σ = (C, a, b).
[0027]
Receiving terminal 300 receiving this transmitted text Σ verifies and decrypts the received cipher text by the following means. First, V = g^ay^bcalculate mod p, b = H₂Verify that (V‖C) holds, and if not, discard the received sentence Σ. If so, K = H₁((V)^d mod p) and using that K, m = D_K ^sCalculate (C) to obtain plaintext m.
An example of processing in the receiver terminal 300 for converting the decrypted encrypted ciphertext Σ into a ciphertext that can be verified by a third party will be described with reference to FIG. In FIG. 6, parts corresponding to those in FIG.
[0028]
  PreviousRecordAn unconverted sentence Σ and its decrypted plaintext m are input. Power residue calculator 323 V = g^a y^bmod p is calculated, and the power residue calculator 324 further calculates W = V^dmod p is calculated. Power residue calculator 325 V^u mod p is calculated, and the power residue calculator 326 g^uCalculate mod p. Decrypted plaintext m and the calculation results of exponentiation remainder calculators 324, 325, and 326 are input to the hash unit 327.
  i = H_Three(W‖V^umod p‖g^umod p‖m) (6)
Calculate Furthermore, the remainder multiplier / subtractor 328
  j = u-idmodq
And the converted ciphertext (Σ, W, i, j) with the signature is transmitted from the transmitter 312 to the verifier terminal 400.
[0029]
Next, verification at the verifier terminal 400 is performed, for example, as shown in FIG. 7. In FIG. 7, parts corresponding to those in FIG. When the receiver 401 receives the receiver (Σ, W, i, j), the hash unit 431 receives K = H₁(W) is calculated, and with the key K, m = D at the decoder 403 for C in Σ = (C, a, b)_k ^s(C) is calculated and plaintext m is output. Power residue calculator 432 V = g^ay^b mod p is calculated and H and the hash machine 433₂(V‖C) is calculated and this H₂The comparator 434 verifies whether (V‖C) and b match.
Power residue calculator 435 V^jWⁱ mod p is calculated and the power residue calculator 436 g^jeⁱ mod p is calculated. With hash machine 437
H_Three(W‖V^jWⁱ mod p‖g^jeⁱ mod p‖m) (7)
Is calculated, and the comparator 438 verifies whether or not the calculation result matches j. If any of the comparators 434 and 438 detects a mismatch, the signature is determined to be invalid, and if both match, the signature is considered correct.
[0030]
V^jWⁱ For mod p, the formula of j and W = V^dSubstituting the relation of V^u mod p then g^jeⁱ mod p, j and e = g^dSubstituting^u If mod p and W is correctly created by a person who knows d, the calculated value of equation (7) is equal to the calculated value of equation (6). Again, (W, i, j) constitutes a non-interactive zero knowledge proof that proves that K is the correct key.
Embodiment 4.
An embodiment in which the ciphertext Σ with the signature described in the third embodiment is converted into a signature that can be verified by any third party at the sender terminal 100 will be described below.
[0031]
In FIG. 8, parts corresponding to those in FIG. The sentence to be converted Σ = (C, a, b) is input, the remainder multiplier / adder 121 calculates w = a + bxmod q, and the power residue calculator 122 is W = e^wmod p is calculated, and further K = H with hash machine 127₁(W) is calculated to obtain a session key K. M = D at decoder 124_K ^s(C) is calculated to obtain the decrypted plaintext m.
The power residue calculator 125^vmod p is calculated and the power residue calculator 126 g^v Calculate mod p. Input the calculation results of plaintext m and power-residue calculators 122, 125, 126 to the hash calculator 127,
H_Three(W‖e^vmod p‖g^vmod p‖m) (8)
And j = v-iwmod q is calculated by the remainder multiplier / subtracter 128. A signature sentence (Σ, W, i, j) obtained by converting sentences Σ and W and i and j is transmitted to verifier terminal 400 by transmitter 112.
[0032]
Verification of the signature text (Σ, W, i, j) received by the verifier terminal 400 at the receiver 401 is performed as shown in FIG. 9, for example. In FIG. 9, parts corresponding to those in FIG.
As in the case of FIG. 7, the key K = H is first used by the hash unit 431.₁(W) is calculated, and the ciphertext C is decrypted by the decryptor 403 using the key K to obtain the plaintext m. The power-residue calculator 432 calculates V and the hash unit 433 calculates H.₂(V‖C) is calculated, and the comparator 434 verifies whether this matches b. In this example, the power residue calculator 441^jwⁱmod p is calculated, and the power residue calculator 442 g^jVⁱmod p is calculated, m, W, and the calculation results of the power-residue computing units 441 and 442 are input to the hash unit 443,
H_Three(W‖e^jWⁱmod p‖g^jvⁱmod p‖m)
And the comparator 438 verifies whether the calculation result and i match. If either of the comparators 434 and 438 does not match, it is determined as an illegal signature, and if both match, it is determined as a correct signature.
Embodiment 5.
In Embodiment 3, b = H instead of b = H2 (V‖C)₂(K‖C), b = H₂(W‖C) or b = H₂(W‖C‖K) or b = H₂(W‖C‖m) or b = H₂(C‖m) may be used. In these cases, in order to convert the signature into a third-party verifiable signature at the receiver terminal 300, it may be exactly the same as that of the third embodiment (FIG. 6). 7 in Hasher 433 in accordance with the change of b₂(K‖C), H₂(W‖C), H₂(W‖C‖K), H₂(W‖C‖m), H₂It is only necessary to change to the one corresponding to (C で m), and in order to convert it into a signature that can be verified by the third party at the sender terminal 100, it may be exactly the same as that of the fourth embodiment (FIG. 8). In the verification process in the verifier terminal 400, the calculation in the hash unit 433 in FIG.₂(K‖C), H₂(W‖C), H₂(W‖C‖K), H₂(W‖C‖m), H₂Change to the one corresponding to (C‖m).
[0033]
  In any of Embodiments 1 to 5, the one-way hash function H_ThreeAlthough plaintext m is used as part of the input variable of (・), C may be used instead of m, and the function H_ThreeAn arbitrary character string, for example, a conversion time may be added to the input variable of (•).
Embodiment 6
  When transmitting plaintext m by the same method as in the third embodiment, m is made redundant in the sender terminal 100 by, for example, the following means. Ie H_Four, H_FiveIs a hash function and m is m '=m (+) (H _Five (H _Four (m)) ‖ H _Four (m)Convert to Here, (+) represents an exclusive OR for each bit. Next, m ′ is encrypted by the same procedure as in Embodiment 3 to obtain a ciphertext C. In this example b = H₂(C), a = w-bxmod q is calculated to obtain signatures a and b. The transmitted sentence Σ is Σ = (C, a).
[0034]
  A method for converting the signed ciphertext Σ into a signature that can be verified by an arbitrary third party by the receiver terminal 300 and a method for verifying the signature will be described.
  The receiver terminal is V = g as shown in FIG.^ay^bmod p, W = V^dCalculate mod p. Then the random number u is Z_qChoose at random, i = H_Three(W‖V^umod p‖g^umod p‖m) and j = u-idmod q are calculated, and (Σ, W, i, j) is output to the verifier terminal 400 as a signature.
  For the converted digital signature (Σ, W, i, j), the verifier terminal 400 starts with the session key K = H, as shown in FIG.₁(W) And m '= D_K ^sM 'is obtained as (C).
[0035]
  This m ', B is H_FourIs divided into A and B so that m ′ = A‖B. B = H₂(C), V = g^ay^bcalculate mod p and H_Five(B) (+) A = m as H_Four(H_Five(B)(+)A) = B and i = H_Three(W‖V^jWⁱmod p‖g^jeⁱmod p‖m) is verified, and if both are true, the signature is correct, and if none is true, the signature is invalid.
Embodiment 7.
A method for converting the ciphertext Σ with signature in the sixth embodiment into a signature that can be verified by an arbitrary third party by the sender terminal 100 and a method for verifying the signature will be described.
[0036]
In the sender terminal 100, w = a + bx mod q, W = e as shown in FIG.^wmod p then random number v is Z_qChoose at random, i = H_Three(W‖e^vmod p‖g^vmod p‖m) and j = v-iw mod q are calculated, and (Σ, W, i, j) is converted into a converted signature and transmitted to the verifier terminal 400.
For the converted signature (Σ, W, i, j), the verifier terminal 400 starts with K = H as shown in FIG.₁Calculate (W), m '= D_K ^sThe plaintext m ′ is obtained as (C). This m ', B is H_FourIs divided into A and B such that m ′ = A‖B.
[0037]
Then b = H₂(C), V = g^ay^bcalculate mod p and H_Five(B) (+) A = m, H_Four(H_Five(B) (+) A) = B and i = H_Three(W‖e^jWⁱmod p‖g^jVⁱWe verify that mod p‖m) holds. If both are true, the signature is correct, and if neither is true, the signature is invalid.
In Embodiments 6 and 7 above, H_ThreeAlthough some of the input variables of are set to message m, C may be used instead of m. H_ThreeAn arbitrary character string (for example, the time of conversion) may be added to the input variable. The order of input to the hash function in any of the above embodiments may be arbitrarily changed.
[0038]
Each of the sender terminal 100, the receiver terminal 300, and the verifier terminal 400 described above can be caused to function by causing a computer to execute a program. In each verifier terminal 400 described above, only the validity of the public key information W, that is, verification by the comparators 412, 424, and 438 may be performed.
[0039]
【The invention's effect】
As described above, according to the present invention, a signed ciphertext that can be verified only by a specific receiver terminal can be used without any cooperation from the sender or receiver of the ciphertext. A third party can convert it into a digital signature. Therefore, when the receiver claims that the signed ciphertext is invalid, the sender must verify that the transmitted signature is correct for any third party by converting the signed ciphertext. Can be shown. Conversely, if the sender denies the transmitted signed ciphertext, the receiver converts the signed ciphertext so that the received signature is sent by the sender to any third party. It becomes possible to show that it is.
[Brief description of the drawings]
FIG. 1 is a diagram showing a system configuration example to which the present invention is applied.
FIG. 2 is a diagram showing a functional configuration example of a main part of a receiver terminal according to the present invention.
3 is a diagram illustrating an example of a functional configuration of a verifier terminal for a signature converted by the receiver terminal illustrated in FIG. 2;
FIG. 4 is a diagram showing a functional configuration example of a main part of a sender terminal according to the present invention.
5 is a diagram illustrating a functional configuration example of a verifier terminal for a signature converted by the sender terminal illustrated in FIG. 4;
FIG. 6 is a diagram showing a functional configuration of another example of a recipient terminal according to the present invention.
7 is a diagram showing a functional configuration example of a verifier terminal for the signature converted by the receiver terminal shown in FIG. 6;
FIG. 8 is a diagram showing a functional configuration of another example of a sender terminal according to the present invention.
9 is a diagram showing a functional configuration example of a verifier terminal for a signature converted by the sender terminal shown in FIG. 7;

Claims (17)

Let p _s , q _s be a large prime number, and q _s Is divisible by (p _s -1) , g _s is the element of q _s of the order in Z _ps ^* , and p _r , q _r , and g _r are similarly defined and randomly selected from the above Z _qs , to the signature key x, the public verification key y and g _s ^x mod p _s, randomly selected from the above-mentioned Z _qr, for the decrypt key d, a public encryption key e and g _r ^d mod p _r, plain text The ciphertext C for m is (G, M) = ( g _r ^u mod p _r , E _k ^s (m)), and the signature for C is a = (c, z) = (H ₁ (g _s ^v ‖C _{), v-cx mod q s} ) and then, the ^{_{K = H 2 (e w mod}} p r), and a random number chosen to w from Z _qr, and H a (-) and one-way hash function, g _s , p _s , q _r , g _r , y , e are published, Σ = ( C , a) , G and m are input,
From the recipient terminal q _r signed ciphertext sigma (C, a) and the decoded plaintext m, a third party the sigma any is a method of converting into a verifiable signature,
g _s , p _s , g _r , p _r , y, e are stored in memory,
A random number u is formed from Z _qr by a random number generator ,
G and u and p _r from the memory are input to a power-residue calculator to calculate G ^u mod p _r ,
u and g _r and p _r from the memory are input to the power-residue calculator to calculate g _r ^u mod p _r ,
G and d and p _r from the memory are input to the power-residue computing unit to calculate W = G ^d mod p _r ,
G , W , G ^u mod p _r , g _r ^u mod p _r and m are input to the hash unit and i = H ₃ (G ‖ W ‖ G ^u mod p _r ‖ g _r ^u mod p _r ‖ m) Calculate
Input u , i and q _r from memory to the remainder multiplier / subtractor to calculate j = u-idmod q _r
(Σ, W, i, j ) the converted output to Rukoto method features and be that with signing the ciphertext conversion as a signature. Let p _s, q _s be a large prime number, and q _s There shall be divisible the (p _s -1), the g _s is the original of the order q _s in ^{_{Z ps *, p r, q}} g, g r is defined in the same way, randomly selected from the Z _qs , to the signature key x, the public verification key y and g _s ^x mod p _s, selected from the Z _qr, to the decryption key d, the public encryption key e and g _r ^d mod p _r, the g _{s, p s, g r, q r} , y, the ciphertext for e is the public plaintext m C = (G, M) = a ^{_{(g r u mod p r,}} E k s (m)), a signature for C a = (c, z) = (H 1 (g s v ‖C), v-cxmod q s) and then, the ^{_{K = H 2 (e w mod}} p r), the random number selected to w from Z _qr and then, to H and (·) and one-way hash function, sigma = (C, a) and, G and M are inputted,
The sender terminal q _r signed ciphertext Σ = (C, a) a method of the third party of any is converted into a verification signature,
g _s , p _s , g _r , p _r , y, e are stored in memory,
The random number v is formed from Z _qr by the random number generator ,
Input v and p _r , e from the memory to the power-residue computing unit to calculate e ^v mod p _r ,
Input v and g _r p _r from memory to the exponentiation remainder calculator to calculate g _r ^v mod p _r ,
Input w and e and p _r from the memory to the power-residue calculator to calculate W = e ^w mod p _r ,
G , W , e ^v mod p _r , g _r ^v mod p _r and m are input to the hash unit and i = H ₃ (G ‖ W ‖ e ^v mod p _r ‖ g _r ^v mod p _r ‖ m) Calculate
Input v , i , w and q _r from memory to the remainder multiplier / subtractor to calculate j = u-iwmod q _r
(Σ, W, i, j ) the converted output to Rukoto method features and be that with signing the ciphertext conversion as a signature. A method for verifying a signature sentence (Σ, W, i, j) converted by the conversion method according to claim 1 at a verifier terminal,
g _s , p _s , g _r , p _r , y, e are stored in memory,
Enter the received W into the hash machine and calculate K = H ₂ (W) to generate the session key K ,
Make a C in Σ received with the session key K is input to the decoder m = D _K ^s (C) plaintext m obtained by decoding to a ciphertext C Get,
G in the ciphertext C , received W , j , i, and p _r from the memory are input to a power-residue computing unit to calculate G ^j W ⁱ mod p _r ,
Input j , i and g _r , e, p _r from memory to the exponentiation remainder calculator to calculate g _r ^j e ⁱ mod p _r ,
^{G, W, G j W i} mod p r, g j e i mod p r, to input m to the hash unit ^{_{H 3 (G‖W‖G j W i mod}} p r ‖g j e i mod p r ‖M)
A signature verification method characterized in that it is verified by a comparator whether or not the calculation result matches i, and that the signature is correct if they match. A method for verifying a signature sentence (Σ, W, i, j) converted by the conversion method according to claim 2 at a verifier terminal,
g _s , g _r , p _s , p _r , y, e are stored in memory,
Enter W into the hash machine and calculate K = H ₂ (W) to generate the session key K ,
Enter the C in receiving the session key K sigma to the decoder to calculate the m = D _K ^s (C) decrypts the ciphertext C to make a plaintext m, the
j, a p _r from i and G and the memory in the ciphertext C is input to the exponentiation remainder operator calculates the ^{_{g r j G i mod p r}} ,
j, i, and input from the W and memory e, and p _r in exponentiation remainder operator calculates a e ^j W ⁱ mod p _r,
G , W , g _r ^j G ⁱ mod p _r , e ^j w ⁱ mod p _r , m are input to the hash machine and H ₃ (G‖W‖ g _r ^j G ⁱ mod p _r ‖e ^j w ⁱ mod p _r ‖m)
A signature verification method characterized in that a comparator verifies whether the calculation result matches i, and if the result matches, the signature is correct. The signature a = (c, z) of the ciphertext C and g _s , y , p _s from the memory are input to a power-residue computing unit to calculate V = g _s ^z y ^c mod p _s ,
Enter the calculation result V and C to the hash unit calculates the H ₂ (V‖C), verified by the comparator whether the calculation result H ₂ (V‖C) matches is c, the coincidence 5. The signature verification method according to claim 3 or 4 , wherein the signature for C is correct when the above is established. p, q are large prime numbers , q is divisible by (p-1) , g is an element of q in the order of Z _p ^k , H (•) is a one-way hash function, and randomly from Z _q For the selected signature key x, the public verification key y is g ^x mod p, for the decryption key d randomly selected from Z _q , the public encryption key e is g ^d mod p, and randomly from Z _q to selected random number w, the W and e ^w mod p, the session key is H ₁ and ^{(W), V = g a} y b mod and p, the ciphertext against plaintext ^{_{m C = E K s (m}} ) And the signature for C is (a, b) = (w-bx mod q, H ₂ (X‖C) (where X is one of V, W, m, K, W‖K, W‖m),
g , y , p , q , and e are made public , and the signed ciphertext Σ = ( C, a, b ) is inputted at the receiver terminal, and the decrypted plaintext m and V are inputted, and from these , Σ is arbitrarily set A method for converting a signature into a verifiable third party,
The g, y, p, q, d is Yes stored in the memory,
The random number u is generated by the random number generator from Z _q,
Input u and V and p from memory to the power-residue computing unit to calculate V ^u mod p,
Calculate g ^u mod p by inputting g and p from u and memory to the exponentiation remainder calculator.
Input d and p from V and memory to a power-residue calculator to calculate W = V ^d mod p,
W, V ^u mod p , g ^u mod p , m are input to the hash machine to calculate i = H ₃ (W‖V ^u mod p‖g ^u mod p‖m)
Calculate j = u-idmod q by inputting d and q from u and i and memory to the remainder multiplier / subtractor ,
(Σ, W, i, j ) the converted output to Rukoto method features and be that with signing the ciphertext conversion as a signature. Let p, q be a large prime number , q be divisible by (p-1) , q be an element of the order q in Z _p ^t , H (・) be a one-way hash function, and randomly from Z _q to selected signature key x, the public verification key y and g ^x mod p _s, to the decryption key d randomly chosen from Z _q, the public encryption key e and g ^d mod p, the encryption for the plaintext m The sentence is C = E _K ^s (m), w is a random number selected from Z _q , W = e ^w mod p, the session key K is H ₁ (W), and the signature for C is (a, b ) = (w-bxmod q, H ₂ (X ‖ C) (X is one of V, W, m, K, W ‖ K, W ‖ m), and the above q , p , g , y , e are A signature that is publicly available and Σ = (C, a, b) , m is input, and from which a signed ciphertext Σ = ( C, a, b ) can be verified by any third party To convert to
q , p , g , e , x are stored in memory,
Input x and q from the above a and b and memory to the remainder multiplier / adder to calculate w = a + bxmod q,
From the w and memory, e and p are input to a power-residue computing unit to calculate W = e ^w mod p,
Generate random number v from Z _{q with} random number generator ,
Calculate e ^v mod p by inputting e and p from v and memory into a power-residue computing unit ,
Calculate g ^v mod p by inputting g and p from v and memory to a power-residue calculator ,
W, e ^v mod p , g ^v mod p , m are input to the hash machine i = H ₃ (W‖e ^v mod p‖g ^v mod p‖m)
Input q from the u, i, w and memory to the remainder multiplier / subtractor to calculate j = u-iwmod q,
(Σ, W, i, j ) the converted output to Rukoto method features and be that with signing the ciphertext conversion as a signature. A method for verifying a signature sentence (Σ, W, i, j) converted by the conversion method according to claim 6 at a verifier terminal, wherein g , p , y , e are stored in a memory,
Enter W into the hash machine and calculate K = H ₁ (W) to generate session key K ,
The session key K and the ciphertext C are input to the decryptor, m = D _K ^s (C) is calculated, and the ciphertext C is decrypted to produce a plaintext m.
Input g , y , and p from memory a , b, and memory to the exponentiation remainder calculator to calculate V = g ^a y ^b mod p ,
The calculation result V , j , i , W and p from the memory are input to the power-residue computing unit to calculate V ^j W ⁱ mod p,
g ^j e ⁱ mod p is calculated by inputting g , e , and p from memory j and i to the power-residue computing unit ,
W 3 , V ^j W ⁱ mod p , g ^j e ⁱ mod p , m are input to the hash machine to calculate H ₃ (W‖V ^j W ⁱ mod p‖g ^j e ⁱ mod p‖m)
A signature verification method characterized in that a comparator verifies whether the calculation result matches i, and if the result matches, the signature is correct. A method for verifying a signature sentence (Σ, W, i, j) converted by the conversion method according to claim 7 at a verifier terminal,
g , p , y , e are stored in memory,
Enter W into the hash machine and calculate K = H ₁ (W) to generate session key K,
The session key K and the ciphertext C in Σ are input to a decryptor, m = D _K ^s (C) is calculated, and the ciphertext C is decrypted to produce a plaintext m.
Input g , y , and p from memory a , b and memory to the exponentiation remainder calculator to calculate V = g ^a y ^b mod p,
The calculation result V , j, i, and g, p from the memory are input to the power-residue computing unit to calculate g ^j V ⁱ mod p,
j , i , W and e , p from memory are input to the power-residue computing unit to calculate e ^j W ⁱ mod p,
^{W, g j V i mod p} , e j W i mod p, to input m to the hash unit calculates the ^{_{H 3 (W ‖g j V i}} mod p‖e j W i mod p‖m),
A signature verification method characterized in that a comparator verifies whether the calculation result matches i, and if the result matches, the signature is correct. p, and q, and a large prime number q is divides the (p-1), and g is the original of order q in Z _p ^*, and H a (-) and one-way hash function, the signature selected from Z _q and with respect to key x and public signature verification key y = g ^x mod p, Z for the decryption key d which is selected from the group consisting of _q as a public encryption key e = g ^d mod p, random number selected from Z _q w, W = e ^w mod p, session key K = H ₁ (W), plaintext m is ciphertext C = E _K ^s (m), V = g ^w mod p, b = H ₂ (X‖C) (X is V, W, m, K, W‖K, or W‖m), a = w-bxmod q, and a signed ciphertext Σ = (C, a, b) can be verified by a third party A recipient terminal to convert to a signature,
a memory for storing p, g, y, d;
a, b, g, y, p are input, g ^a y ^b mod p is calculated and the result V is output, and the calculation result V, d, p is input, V a second power residue calculator that calculates ^d mod p and outputs the result W;
A random number generator for generating a random number u belonging to Z _q ;
A third power residue calculator that receives the calculation result V, u, p, calculates V ^u mod p, and outputs the result;
a fourth power residue calculator that receives g, u, p, calculates g ^u mod p, and outputs the result;
a hasher that receives m, W, V ^u mod p, g ^u mod p, calculates H ₃ (W‖V ^u mod p‖g ^u mod p‖m), and outputs the result i;
u / i, d, p is input, and u-idmod p is calculated, and the result is a modular multiplication / subtractor that outputs j,
A receiver terminal comprising: a transmitter that outputs (Σ, W, i, j) as a converted signature. Let A (+) B be the exclusive OR operation of A and B,
The plaintext m is converted to m ′ = m (+) (H ₅ (H ₄ (m)) ‖ H ₄ (m) by the hash unit and exclusive OR operator, and the ciphertext C is converted to the above. 11. The receiver terminal according to claim 10, wherein the plaintext m ′ is an encrypted sentence C = E _K ^S (m ′), and the signed ciphertext is Σ = (C, a). p, and q, and a large prime number q is divides the (p-1), and g is the original of order q in Z _p ^*, and H a (-) and one-way hash function, the signature selected from Z _q For the decryption key d selected from the keys x and Z _q , the public encryption key e = g ^d mod p is set, and the random number w selected from Z _q
W = e ^w mod p, session key K = H ₁ (W), plaintext m ciphertext C = E _K ^s (m), V = g ^w mod p, b = H ₂ (X ‖ C) (X Is V, W, m, K, W‖K, or W‖m), and a = w-bx mod q signed ciphertext Σ = (C, a, b) can be verified by a third party A sender terminal to convert to a signature,
a memory for storing q, p, g, x, e;
a surplus / subtractor that inputs a, b, x, q, calculates a + bx mod q, and outputs the result w;
Input the calculation result w, e, p, calculate e ^w mod p and output W and input W, calculate W ₁ (W), and result session A first hasher that outputs a key K, a decoder that outputs C and K of the calculation result, calculates a decryption function D _K ^s (C), and outputs a decrypted plaintext m as a result,
A random number generator that generates and outputs a random number u belonging to Z _q ;
a second power residue calculator that inputs e, v, p, calculates e ^v mod p, and outputs the result;
a third power residue calculator that inputs v, g, p, calculates g ^v mod p, and outputs the result;
Input the calculated W, decrypted plaintext m, e ^v mod p and g ^v mod p, and calculate H ₃ (M‖e ^v mod p‖g ^v mod p‖m) a second hasher that outputs i;
Multiplicative surplus / subtracter that inputs i, v, calculation result W, q, calculates v-iwmod q, and outputs the result j;
A transmitter terminal comprising: a transmitter that outputs Σ, M, i, j as a converted signature. Let A (+) B be the exclusive OR operation of A and B,
The plaintext m is converted to m ′ = m (+) (H ₅ (H ₄ (m)) ‖ H ₄ (m) by the hash unit and exclusive OR operator, and the ciphertext C is converted to the above. The plaintext m ′ is an encrypted sentence C = E _K ^S (m ′), and the signed ciphertext is Σ = (C, a),
The decoder calculates the decryption function D _K ^S (C) and obtains the converted plaintext m ′ as a result, and m ′ is equal to the number of output bits of H ₄ (•) so that m ′ = 13. The sender terminal according to claim 12 , wherein A ‖ B is divided into A and B, and H ₅ (B) (+) A = m is calculated to output a decrypted plaintext m. p, and q, and a large prime number q is divides the (p-1), and g is the original of order q in Z _p ^*, and H a (-) and one-way hash function, the signature selected from Z _q Public verification key y = g ^d mod p for key x, public encryption key e = g ^d mod p for decryption key d selected from Z _q , ciphertext C, its signature (a, b), public A verifier terminal that inputs the signature (i, j) for the key W, (C, a, b) and verifies the validity of the signature (i, j),
a memory storing g, p, y, e,
A first hasher that inputs W, calculates H ₁ (W), and outputs a session key K as a result;
A decoder that inputs K and C, calculates D _K ^s (C), and outputs a decrypted plaintext m as a result;
a first power residue calculator that inputs a, b, g, y, p, calculates g ^a y ^b mod p, and outputs the result V;
A second power residue calculator that inputs W, V, i, j, p, calculates V ^j W ⁱ mod p, and outputs the result;
input g, e, i, j, p, calculate g ^j e ⁱ mod p, and output the result;
Input each calculation result of m, W, V ^j W ⁱ mod p and g ^j e ⁱ mod p and calculate H ₃ (W‖V ^j W ⁱ mod p‖g ^j e ⁱ mod p‖m). A fourth power residue calculator that outputs the result,
A verifier terminal comprising a comparator that verifies whether i is equal to a calculation result of the fourth power residue calculator. p, and q, and a large prime number q is divides the (p-1), and g is the original of order q in Z _p ^*, and H a (-) and one-way hash function, the signature selected from Z _q Public verification key y = g ^d mod p for key x, public encryption key e = g ^d mod p for decryption key d selected from Z _q , ciphertext C, its signature (a, b), public A verifier terminal that inputs a signature (i, j) for key information W, (C, a, b) and verifies the validity of the signature (i, j),
a memory storing g, p, y, e,
A first hasher that inputs W, calculates H ₁ (W), and outputs the session key K as a result;
A decoder that inputs D and C, calculates D _K ^s (C), and outputs a decrypted plaintext m as a result;
a first power residue calculator that inputs a, b, g, y, p, calculates g ^a y ^b mod p, and outputs the result V;
A second power residue calculator that inputs W, e, i, j, p, calculates e ^j W ⁱ mod p, and outputs the result;
g, V, i, j, p is input, g ^j V ⁱ mod p is calculated, and a third power residue calculator that outputs the result,
Input each calculation result of m, W, e ^j W ⁱ mod p and g ^j V ⁱ mod p and calculate H ₃ (W‖e ^j W ⁱ mod p‖g ^j V ⁱ mod p‖m). A fourth power residue calculator for outputting the result,
A verifier terminal comprising: a comparator that verifies whether i is coincident with a calculation result of the fourth power residue calculator. p, and q, and a large prime number q is divides the (p-1), and g is the original of order q in Z _p ^*, and H a (-) and one-way hash function, A a (+) B A and the exclusive OR operation B, and Z _q public to signing key x selected from the verification key y = g ^d mod p, the public encryption key to the decryption key d selected from Z _q e = g ^d mod p, the signature for the ciphertext C is (a, b), the signature (i, j) for the public key W, (C, a) is input, and the signature (i, j), (a, b) ) Verifier terminal that verifies the validity of
a memory storing g, p, y, e,
A first hasher that inputs W, calculates H ₁ (W), and outputs a session key K as a result;
Input K and C, calculate D _K ^s (C), and obtain the converted plaintext m ′ as a result, so that M ′ is the same as the number of output bits of H ₄ (•) a decoder that divides A and B as m ′ = A‖B, calculates H ₅ (B) (+) A = m, and outputs plaintext m;
A second hasher that inputs C, calculates H ₂ (C), and outputs the result b;
a first power residue calculator that inputs a, b, g, y, p, calculates g ^a y ^b mod p, and outputs the result V;
A second power residue calculator that inputs W, V, i, j, p, calculates V ^j W ⁱ mod p, and outputs the result;
g, e, i, j, p is input, g ^j e ⁱ mod p is calculated, and a third power residue calculator that outputs the result,
Input each calculation result of m, W, V ^j W ⁱ mod p and g ^j e ⁱ mod p and calculate H ₃ (W‖V ^j W ⁱ mod p‖g ^j e ⁱ mod p‖m). A fourth power residue calculator for outputting the result,
A first comparator for verifying whether the calculation result of the fourth power-residue calculator and i match;
a third hasher that inputs m and calculates H ₄ (m);
A second comparator for verifying whether the calculation result of the third hash unit matches the above B;
A verifier terminal comprising: p, and q, and a large prime number q is divides the (p-1), and g is the original of order q in Z _p ^*, and H a (-) and one-way hash function, A a (+) B A and the exclusive OR operation B, and Z _q public to signing key x selected from the verification key y = g ^d mod p, the public encryption key to the decryption key d selected from Z _q e = g ^d mod p, the signature for the ciphertext C is (a, b), the public key information W, the signature (i, j) for (C, a) is input, and the signature (a, b) (i, j) Verifier terminal that verifies the validity of
a memory storing g, p, y, e,
A first hasher that inputs W, calculates H ₁ (W), and outputs a session key K as a result;
D, C is input, D _K ^s (C) is calculated, and as a result, the converted decrypted plaintext m ′ is obtained, so that B ′ is equal to the number of output bits of H ₄ (•). a decoder that divides A and B as m ′ = A‖B, calculates H ₅ (B) (+) A = m, and outputs plaintext m;
A second hasher that inputs C, calculates H ₂ (C), and outputs a calculation result b;
a first power residue calculator that inputs a, b, g, y, p, calculates g ^a y ^b mod p, and outputs the result V;
A second power residue calculator that inputs W, e, i, j, p, calculates e ^j W ⁱ mod p, and outputs the result;
g, V, i, j, p is input, g ^j V ⁱ mod p is calculated, and a third power residue calculator that outputs the result,
Input each calculation result of m, W, e ^j W ⁱ mod p and g ^j V ⁱ mod p and calculate H ₃ (W‖e ^j W ⁱ mod p‖g ^j V ⁱ mod p‖m). A fourth power residue calculator for outputting the result,
A comparator for verifying whether the calculation result of the fourth power-residue computing unit matches i;
a third hasher that inputs m and calculates H ₄ (m);
A second comparator for verifying whether the calculation result of the third hasher and B match,
A verifier terminal comprising:

Images