JP4566567B2 - Time stamp system, time stamp request device, time stamp verification device, and computer program - Google Patents

Description

  The present invention relates to a time stamp system, a time stamp requesting device, a time stamp verification device, and a computer program for authenticating the time when digital data existed.

  With the spread of the Internet, opportunities to handle digital documents (hereinafter simply referred to as “documents”) on a computer or to distribute them through a network have increased explosively. This includes not only the distribution of private documents, but also the distribution of documents such as application documents and contracts that are important for daily life and corporate activities. When dealing with such a document, it is very important to show that the document indeed existed at a certain time. For example, when a general contract is created from digital data, it is necessary to guarantee in some way when the contract is established. In addition, when a prior invention principle is adopted in a patent, it is important information that a document indicating the contents of the invention exists at a certain time in order to prove that the invention has been invented earlier. In addition, when the order time affects the transaction result as in stock trading, it is necessary to guarantee the generation time of communication data indicating the order in some form.

In order to satisfy such needs, research and development of time stamp technology for performing time stamp of digital data has been conducted, and some actual services have already been implemented. This is performed by a time stamp protocol performed between a user who is a time stamp requester and a time stamp issuer (TSA). The time stamp protocols proposed so far are roughly classified into two types: a simple protocol (for example, Non-Patent Document 1) and a linking protocol (for example, Patent Document 1 and Patent Document 2). In the simple protocol, the TSA issues a time stamp token (time certificate) with an electronic signature attached to the value obtained by combining the time with the hash value of the document. On the other hand, in the time stamp token issued by the linking protocol, the hash value of the document is incorporated into a hash chain composed of time stamps that have already been issued.
In the simple protocol, the time stamp token is simply an electronic signature of the TSA, and therefore needs to be a trusted third party (TTP) that the TSA can trust. On the other hand, in the linking protocol, an intermediate value of a hash chain is published in a newspaper or the like at regular intervals, so that it is possible for a user to detect fraud in TSA.
Japanese Patent No. 3281881 Japanese Patent No. 3278721 C. Adams, P.A. Kane, D.C. Pincus, R.C. Zuckerato (C. Adams, P. Cain, D. Pinkas and R. Zuccherato) "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)" , IETF RFC3161, IETF (Internet Engineering Task Force), August 2001

  The conventional time stamp method assumes an application where earlier time is more advantageous, such as protection of intellectual property. In other words, an enemy attack assumed in the conventional time stamp method is an attack that forges a time stamp of a document to a time stamp of an earlier time. This attack is called “Back-dating”. Back-Dating, which has been envisaged so far, is an attack in which the enemy and the TSA collaborate to issue a time stamp of a previous time that can be verified by a third party. The simple protocol is not resistant to this back-dating attack, but the linking protocol can detect the presence or absence of an attack by calculating a hash value when there is a back-dating attack.

On the other hand, as another application in which a time stamp is used, an application in which a document at a later time is more effective is assumed. However, in the conventional time stamp method, a countermeasure against an attack in which an enemy acquires a time stamp token at a later time has not been proposed for a document.
Taking the simple protocol as an example, the TSA gives the user a time stamp for a document that has a possibility of revision, such as a will, for which only the newest document in the series is valid. To request. First to the user, the time t _1, to request the time stamp of the document d, to get the time stamp token of the time t _1. At this time, the user transmits the hash value of the document d to the TSA. Then, at a time _t 2 (> _{t 1)} after the time _{t 1,} a user creates a document d 'which was revised a document d, to get the time stamp token of time _{t 2} from the TSA. In this situation, consider an enemy that can eavesdrop on the communication between the user and the TSA. The enemy is an enemy in which it is desirable that the document d is valid rather than the document d ′, and he wants to validate the document d again. At this time, the enemy sends the hash value of the document d obtained by eavesdropping when the time stamp of the document d is requested at time t ₁ to the TSA at time t ₃ (> t ₂ ) after time t _2. Thus, it is possible to easily obtain a valid time stamp token.

  The present invention has been made in view of such circumstances, and the purpose thereof is a time stamp that can prevent an unauthorized time stamp from being made at a later time by a third party on digital data. A system, a time stamp requesting device, a time stamp verification device, and a computer program are provided.

The present invention has been made to solve the above-mentioned problems. The invention according to claim 1 is directed to a time stamp requesting device for requesting a time stamp token for authenticating a time when digital data existed, and the time stamp request. A time stamp system comprising a time stamp device for issuing a time stamp token, which is data certifying the time when digital data existed by a request from the device, wherein the time stamp request device is unidirectional with respect to an initial value . Means for storing a value obtained by conversion using a function having reliability and difficulty of collision at least once as commit information for proving the seriality of a series of revisions of digital data, and digital data requiring a time stamp token When, and said committed information read from the storage unit, one-way and A time stamp request data obtained by conversion using a function having a突困flame resistance is transmitted to the time stamp device, a time stamp request means for requesting a time stamp token for the digital data, said response to said request A time stamp token receiving means for receiving a time stamp token returned from the time stamp device, the time stamp device based on the time stamp request data received from the time stamp request device. e Bei timestamp token generating means for returning to generate a stamp token, the time stamp request means, when requesting a plurality of times a time stamp token for the digital data, as the required performed after, obtained by conversion of a small number of in front Obtaining the time stamp token request data by using the commit information is a time stamp system characterized by.

The invention according to claim 2 is the time stamp system according to claim 1, wherein the storage means assumes a maximum time stamp request assumed by using a function having a one-way characteristic and a collision difficulty as an initial value. The commit information, which is each value recursively converted up to n times, is stored, and the time stamp requesting means has a j (1 ≦ j ≦ n) number of times to request a time stamp token , Commit information which is a value obtained by recursively converting the initial value with a function having one-way and collision difficulty up to the assumed maximum time stamp request number n−the time stamp request number j + 1) Time stamp request data is obtained by converting digital data using a function having unidirectionality and collision difficulty.

  The invention according to claim 3 is the time stamp system according to claim 1 or 2, wherein the time stamp system further comprises a time stamp verification device for verifying a time stamp token, and the time When there is a time stamp token of the digital data that proves a different time, the stamp verification device uses the function having one-way and collision difficulty to determine commit information corresponding to the time stamp token that proves a later time. Of each value obtained by recursively converting, the time stamp token that proves the later time depending on whether there is a value that matches the commit information corresponding to the time stamp token that proves the previous time. A verification means for verifying validity is provided.

According to a fourth aspect of the present invention, there is provided a time stamp requesting device for requesting a time stamp token for authenticating a time at which digital data existed, and data for proving the time at which the digital data existed by a request from the time stamp requesting device. a the time stamp request apparatus for use in a time stamp system including a time stamp unit for issuing a certain timestamp token, transformation functions with one-way and collision resistance against initial value using one or more times Storage means for storing the obtained value as commit information that proves the continuity of a series of revisions of digital data, digital data that requests a time stamp token , and the commit information read from the storage means. Data obtained by transformation using functions with directionality and collision difficulty Sends a stamp request data to the time stamp device, the time stamp request means for requesting a time stamp token for digital data, the time stamp for receiving the return time stamp token from the time-stamping device in response to the request Token request means, and when the time stamp request means requests the time stamp token for the digital data a plurality of times, the time stamp using the commit information obtained by a smaller number of conversions as a later request is made. A time stamp requesting device characterized by obtaining token request data .

According to the fifth aspect of the invention, a value obtained by converting the initial value by using a function having unidirectionality and collision difficulty at least once is used to prove the continuity of a series of revisions of digital data. Used as information, the time stamp request data obtained by converting the digital data requesting the time stamp token and the commit information using a function having one-way and collision difficulty is transmitted to the digital data. When requesting a time stamp token and requesting a time stamp token for the digital data a plurality of times, a time stamp request for obtaining the time stamp token request data using the commit information obtained by a smaller number of conversions as a later request is made Device and the time stamp request received from the time stamp requesting device A time stamp system comprising a time stamp device that generates and returns a time stamp token that is data certifying the time when the digital data existed based on the data, and a time stamp verification device that verifies the time stamp token In the time stamp verification apparatus used in the present invention, when there is a time stamp token of the digital data that proves a different time, the commit information corresponding to the time stamp token that proves a later time is unidirectionally and collided. Of the respective values obtained by recursively converting by the difficult function, the subsequent time depends on whether there is a value that matches the commit information corresponding to the time stamp token that proves the previous time. A verification means for verifying the validity of the time stamp token certifying A time stamp verification device, characterized in that it comprises.

According to a sixth aspect of the present invention, there is provided a time stamp requesting device for requesting a time stamp token for authenticating a time at which digital data existed, and data for certifying the time at which the digital data existed by a request from the time stamp requesting device. A computer program used in the time stamp requesting device of a time stamp system comprising a time stamp device that issues a time stamp token, wherein the function having a one-way characteristic and a collision difficulty with respect to an initial value is once or more Storing the value obtained by conversion in the storage means as commit information for proving the seriality of a series of revisions of the digital data, the digital data requesting a time stamp token , and the commit read from the storage means Information, unidirectionality and collision difficulty Sends a time stamp request data obtained by conversion using a function to the time-stamping device having a step of requesting a time stamp token for the digital data, returned from the time stamp unit in response to the request Receiving the time stamp token, and requesting the time stamp token for the digital data a plurality of times, the step of requesting the time stamp token requires less conversion than the subsequent request. obtaining the time stamp token request data using the commit information obtained by a computer program characterized and this.

According to the seventh aspect of the invention, a value obtained by converting the initial value by using a function having unidirectionality and collision difficulty at least once is used to verify the continuity of a series of revisions of digital data. Used as information, the time stamp request data obtained by converting the digital data requesting the time stamp token and the commit information using a function having one-way and collision difficulty is transmitted to the digital data. When requesting a time stamp token and requesting a time stamp token for the digital data a plurality of times, a time stamp request for obtaining the time stamp token request data using the commit information obtained by a smaller number of conversions as a later request is made Device and the time stamp request received from the time stamp requesting device A time stamp system comprising a time stamp device that generates and returns a time stamp token that is data certifying the time when the digital data existed based on the data, and a time stamp verification device that verifies the time stamp token A computer program used for the time stamp verification apparatus of claim 1, wherein when there is a time stamp token of the digital data that proves a different time, commit information corresponding to the time stamp token that proves a later time is one-way Of the respective values obtained by recursively transforming by the function having the property and the difficulty of collision, whether or not there is a value that matches the commit information corresponding to the time stamp token that proves the previous time. Time stamp token proof that proves later time A computer program, characterized in that to execute step of verifying sex, to the computer.

  According to the present invention, an enemy attempting to perform an unauthorized time stamp on a document owned by an authorized user can obtain an authorized user's document, and the enemy and the time stamp issuer can collaborate. Even in such a case, it is possible to prevent a time stamp after a correct time from being applied to a document owned by the user.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram showing an overall configuration of a time stamp system according to an embodiment of the present invention. The time stamp system includes a terminal device 1 as a time stamp requesting device of a user U connected via a network N such as a public network or a private network, a time stamp issuer (hereinafter referred to as “TSA”, TSA: Time Stamp). Authority) time stamp device 2, enemy A terminal device 3, and verifier V time stamp verification device 4. The user U is a valid user who requests a time stamp, which is proof that a digital document (hereinafter simply referred to as “document”) as digital data exists at a certain time, that is, time authentication. By requesting a time stamp, a time stamp token, that is, data proving that the document exists at a certain time, that is, a time certificate can be acquired. A document that requires a time stamp is a document that includes a possibility of revision, such as a will, for example, and is a type of document in which only the newest document in a series of revisions is valid. Further, the enemy A is a person who tries to acquire a time stamp token of an illegal time in the document of the user U, and the verifier is a person who verifies the validity of the time stamp token. The digital data may be any data (file) such as a document (document), an image, a sound, a program, a database, and an electronic signature.

  Here, the enemy A tries to stamp the time of an incorrect time on the document of the user U by Forward-dating. Forward-dating is a time stamp protocol executed between the user U and the TSA. After the user U obtains a time stamp token for the document d at time t, a time t ′ (> t) after the time t. The enemy A (≠ user U) obtains a verifiable (valid) time stamp token at the time t ′ issued by the TSA for the document d, and can be verified at the time t ′. When the time stamp token can be obtained, Enemy A is said to have successfully forward-dated.

  Next, the enemy A model will be described. As a basic operation of the enemy A assumed in this embodiment, data on the network N (communication path) can be wiretapped, and at the same time, a time stamp for an arbitrary document is requested from the TSA, A device capable of receiving stamp tokens shall be possessed. In addition, it is assumed that the device possessed by the enemy A has a probabilistic polynomial time calculation capability. This is a round-robin conversion of the data assumed as the original data when conversion data obtained by converting certain data using a function having one-way and collision difficulty is known. This indicates that it is practically difficult to identify the original data.

  Then, information on the possibility that the enemy A can be obtained additionally will be considered. The first is whether or not a document to be time stamped can be obtained. In a general time stamp protocol, the data for requesting the time stamp is a hash value of the document, and it is impossible to obtain the document itself. However, there is a possibility that a document to be time stamped can be known by anyone other than the requester of the time stamp, and the enemy A may obtain it. Therefore, as a viewpoint of the classification of the enemy A, presence / absence of acquisition of the document itself can be mentioned.

Another aspect is collusion with other protocol participants. In the forward-dating assumed in the present embodiment, the collusion between the original user U and the enemy A requires the latest time stamp for a document for which the user U has already requested a time stamp. Therefore, the collusion between the user U and the enemy A is not assumed. Another collusion is with the TSA. It is possible to envisage that this enemy A and TSA collide, and in this case, it is possible to obtain confidential information for issuing a time stamp token, and the TSA time can also be altered. The enemy A can obtain a verifiable time stamp token at an arbitrary time for arbitrary data generated by the enemy A.
In the present embodiment, even when the enemy A and the TSA collide and the enemy A can obtain the document subject to the time stamp of the user U, the enemy A performs forward-dating on the document of the user U. Assume to do.

Next, the internal configuration of each device will be described.
FIG. 2 is a block diagram showing a configuration of the terminal device 1, and only functional blocks related to the present invention are extracted and shown. The terminal device 1 is a computer terminal such as a personal computer, for example, and transmits / receives data to / from other devices via the network N. The terminal device 1 includes a control unit 11, a communication unit 12, a storage unit 13, a commit information generation unit 14, a time stamp request unit 15, and a time stamp token reception unit 16.
The control unit 11 includes a CPU (central processing unit) and various memories, and controls each unit, temporarily stores data, transfers data, and the like. The communication unit 12 transmits / receives data to / from other devices via the network N. The storage unit 13 stores a document that requests a time stamp and commit information that is information that can prove the continuity of a series of revisions of the document. The commit information generation unit 14 generates commit information and writes it to the storage unit 13. The time stamp requesting means 15 transmits the time stamp request data generated from the document stored in the storage means 13 and the commit information corresponding to the number of times of the time stamp request in this document to the time stamp device 2, and the time stamp of the document Request. The time stamp token receiving means 16 receives the time stamp token transmitted from the time stamp device 2 in response to the time stamp request and writes it in the storage means 13.

FIG. 3 is a block diagram showing a configuration of the terminal device 3, and only functional blocks related to the present invention are extracted and shown. The terminal device 3 is, for example, a computer terminal such as a personal computer that has a probabilistic polynomial time calculation capability, and includes a control unit 31, a communication unit 32, a storage unit 33, a time stamp requesting unit 34, and a time stamp token receiving unit. 35.
The control unit 31, the communication unit 32, and the time stamp token receiving unit 35 have the same functions as the control unit 11, the communication unit 12, and the time stamp token receiving unit 16 of the terminal device 1, respectively. The storage unit 33 stores a document to be requested for an invalid time stamp and commit information used for requesting the time stamp of the document. This commit information is generated by analogizing from time stamp request data and time stamp tokens transmitted and received between the terminal device 1 of the user U and the time stamp device 2 of the TSA. The time stamp request means 34 generates time stamp request data from the document and commit information in the storage means 33 and transmits it to the time stamp device 2 to request a time stamp.

FIG. 4 is a block diagram showing the configuration of the time stamp apparatus 2, and only functional blocks related to the present invention are extracted and shown. The time stamp device 2 is, for example, a server, and includes a control unit 21, a communication unit 22, a time acquisition unit 23, and a time stamp token generation unit 24.
The control means 21 and the communication means 22 have the same functions as the control means 11 and the communication means 12 of the terminal device 1, respectively. The time stamp token generating unit 24 uses the existing time stamp based on the accurate time acquired by the time acquiring unit 23 from an external device or a clock provided therein and the time stamp request data received from the terminal device 1 or the terminal device 3. It has a function of generating and returning a time stamp token using a protocol.

FIG. 5 is a block diagram showing the configuration of the time stamp verification apparatus 4, and only functional blocks related to the present invention are extracted and shown. The time stamp verification device 4 is a personal computer, for example, and includes a control unit 41, a data reading unit 42, and a verification unit 43.
The control unit 41 has the same function as the control unit 11 of the terminal device 1. The data reading means 42 has a function of reading data from a portable computer-readable recording medium or a computer terminal connected by a network N or a cable. If there are time stamp tokens proving different times for the same document, the verification means 43 verifies the validity of these time stamp tokens.

Here, the existing time stamp protocol will be described. The time stamp protocol is divided into a time stamp issue phase and a verification phase.
FIG. 9 shows a flow of a time stamp issue phase according to a simple protocol. The user terminal device calculates the hash value h (d) of the document d held by the user U by using the hash function h (·) having unidirectionality and collision difficulty, and sends the hash value h (d) to the TSA time stamp device. To do. When receiving the hash value h (d) from the user terminal device, the time stamp device 2 of the TSA calculates the time stamp token TT and returns it to the user together with information on the current time t. The user's terminal device confirms the validity of the received time stamp token TT and the current time t, and stores it locally. The time stamp token TT in the simple protocol is calculated as an electronic signature for the combination of the current time t and the hash value h (d) of the document d by the following (Equation 1).

  TT = {t, Sig <SKT> (h (d) ‖t)} (Formula 1)

  Here, SKT represents a secret key of TSA, A‖B represents a combination of data A and data B, and Sig <SK> (M) represents an electronic signature created for the message M using the secret key SK.

  In the time stamp verification phase, the time stamp verifier V of the time stamp verifier V verifies the signature of the time stamp token TT to confirm its validity.

In the case of the linking protocol, the time stamp token TT is calculated as a hash chain of a series of time stamp requests. If the timestamp token TT imparting the i-th time stamp request a timestamp token TT _i, a simple linear linking protocol among linking protocol, timestamp token TT _i is calculated as (Equation 2).

TT _i = {t, Sig <SKT> (TT _i-1 ‖h (d) ‖t)} (Expression 2)

  In the time stamp verification phase of the linking protocol, the verifier sends the time stamp token TT to the TSA, verifies the validity of the hash value in the TSA, and returns the verification result to the verifier V.

Next, the operation of the time stamp system according to the embodiment of the present invention will be described.
When the enemy A and the TSA collide, the enemy A can obtain a time stamp token at an arbitrary time for arbitrary digital data transmitted to the TSA. Therefore, when the user U side commits information that can prove the continuity of a series of revisions of the same document by the time stamp issuing protocol, the user U and the enemy A contend which document is the latest. In addition, verification is possible. Here, the information to be committed (commit information) is created by a chain of functions having unidirectionality and collision difficulty. As a function having one-way property and collision difficulty, there are a hash function and a conversion using secretly held key information. Here, it is assumed that a non-complex hash function that keeps the key information secret is used.

FIG. 6 shows a method for creating this commit information. The commit information generation means 14 of the terminal device 1 of the user U creates the initial value IV at random. A hash function having unidirectionality and collision difficulty with respect to the initial value IV for all i (1 ≦ i ≦ n), where n is the maximum number of time stamp requests expected for a document. A hash value h ⁱ (IV) in which h (•) (also simply referred to as “h”) is applied i times is calculated, and each value is held internally as commit information. When the terminal device 1 of the user U actually requests a time stamp, the commit information of the hash value h ⁿ (IV) is committed for the first time stamp request, and the hash value is used for the jth time stamp request. Commit the commit information of h ^{n−j + 1} (IV). That is, the hash chain from h (IV) to h ⁿ (IV) is used as commit information in the reverse order of n. As long as the terminal device 1 of the user U correctly executes this protocol and keeps the initial value IV and unused commit information secretly, the enemy A is newer than the time stamp request data of the time stamp token that has already been issued. Version time stamp request data cannot be created. Here, in FIG. 6, an arrow indicated by a solid line indicates that the calculation can be easily performed, and an arrow indicated by a broken line indicates that the calculation is practically difficult.
The detailed procedure of the time stamp system will be described below.

<Setup procedure>
The commit information generation means 14 of the terminal device 1 first randomly generates an initial value IV that differs for each document. Here, the initial value IV for the document d to the initial value IV _d. Furthermore, when the maximum number n of revisions assumed for the document d is assumed to be the maximum number of time stamp requests, a hash value h ⁱ (IV) is calculated for all i (1 ≦ i ≦ n). The commit information generation means 14 keeps the commit information having the initial value IV _d and the hash value h ⁱ (IV _d ) (1 ≦ i ≦ n) secretly in the storage means 13.

<Time stamp token issuing procedure>
FIG. 7 shows a time stamp token issuing procedure of the time stamp system.
Step 1: The time stamp requesting means 15 of the terminal device 1 stores the document d ₁ that is the original (first version) of the document d, or the time stamp request for the TSA of j (1 ≦ j ≦ n) times in the revision. The commit information having a value of h ^{n−j + 1} (IV _d ) is read from the means 13. It is assumed that the revised document of the document d ₁ that makes a j (1 ≦ j ≦ n) time stamp request is a document d _j . Timestamp request means 15, the document _{d j} and ^{h n-j + 1 (IV} d) value is the binding of commit information with ^{_{{d j ‖h n-j +}} 1 (IV d)} time stamp request data by the hash value of Is generated. The time stamp requesting means 15 transmits time stamp request data h (d _j ‖h ^{n−j + 1} (IV _d )) to the time stamp device 2 of the TSA and requests a time stamp. Here, the value h ^{n−j + 1} (IV _d ) of the commit information may be disclosed. Further, the value h ^{n−j + 1} (IV _d ) of the commit information may be calculated every time a time stamp request is made.

Step 2: The time stamp device 2 of the TSA receives the time stamp request data h (d _j ‖h ^{n−j + 1} (IV _d )) from the terminal device 1 of the user U, and accepts the time stamp request. Then, the time stamp token generating unit 24 of the time stamp apparatus 2 performs the time stamp request data h (d _j ‖h ^{n−j + 1} (IV _d )) based on the current time acquired by the time acquiring unit 23. The time stamp token TT _j is calculated and returned to the terminal device 1 of the user U by the same method as the existing time stamp protocol. For example, in the case of a simple protocol, the time stamp token TT _j is generated as in (Equation 3).

TT _j = {t, Sig <SKT> (h (d _j ‖h ^{n−j + 1} (IV _d )) ‖t)} (Expression 3)

Step 3: The terminal device 1 of the user U receives the time stamp token TT _j from the time stamp device 2. The time stamp token receiving means 16 of the terminal device 1 verifies the validity (time, electronic signature of the time stamp apparatus 2 etc.) of the time stamp token TT _j by the same method as the existing time stamp protocol, and stores it in the storage means 13. Save to.

<Time stamp token validity verification procedure>
The verification protocol for a single time stamp token is the same as the verification protocol in the existing time stamp protocol.

<Procedure for verification before and after dispute>
FIG. 8 shows a procedure for verifying the anteroposteriority when the time stamp system is disputed.
Here, the legitimate user U, there is an enemy A subjected to attack Forward-dating, and k-th timestamp token TT _k at time t _k which the terminal device 1 of the user U acquired, the adversary A terminal among the timestamp token TT _a device 3 is acquired time t _k time later than t _{a (>} t _k), which one is a valid time stamp token of time after, the time stamp verification of the verifier V The determination is made using the device 4.

Step 1: The time stamp verification device 4 of the verifier V receives the following information held by the user U from the data reading means 42, that is, the time stamp token at time t ₁ for the original document d ₁ and the original document d ₁ . TT ₁ and a commit information ^h n (IV _d) used in the original time stamp request document _{d 1,} revised document _{d k,} a time stamp token TT _k for revision document _{d k,} and the revision document _{d k} The commit information h ^{n−k + 1} (IV _d ) used for the time stamp request is read and stored therein. Hereinafter, it is assumed that the commit information h ⁿ (IV _d ) is h ₁ and the commit information h ^{n−k + 1} (IV _d ) is h _k .

d ₁ , h ⁿ (IV _d ) (= h ₁ ), TT ₁
d _k , h ^{n−k + 1} (IV _d ) (= h _k ), TT _k

Step 2: The time stamp verification device 4 of the verifier V reads the document d held by the enemy A, the time stamp token for the document d, and the commit information used for the time stamp request for the document d from the data reading means 42. , Memorize inside. Here, adversary A, as shown below, original document _{d 1,} the time stamp token at time _{t a} to the document _{d 1} TT _a, and the input of the commit information _{h a} using the timestamp request document _{d 1} And memorize it inside.

d ₁ , h _a , TT _a

Step 3: The verification means 43 of the time stamp verification device 4 verifies the validity of each of the time stamp tokens TT ₁ , TT _k , TT _{a in the same} manner as the verification phase of the existing time stamp protocol. Here, the time stamp token for which the verification has failed is determined to be invalid.

Step 4: When the validity of each of the time stamp tokens TT ₁ , TT _k , TT _a is verified, the verification means 43 of the time stamp verification device 4 uses the commit information h ₁ and h obtained from the terminal device 1 of the user U. The continuity and longitudinality of _k are verified by the following (Equation 4). If the verification fails, the time stamp token TT _k is determined to be invalid.

Step 5: When the continuity and anteroposteriority of the commit information h ₁ and h _k are verified, the time stamp verification device 4 of the verifier V uses the commit information h _k presented by the user U and the commit presented by the enemy A. The continuity of the information h _a and whether the commit information h _a is a commit value after the commit information h _k are verified by the following (formula 5).

The above (formula 5) is verified from m = 1 to m = n, and if there is an equality sign, it is determined that the time stamp token TT _a is valid, and the enemy A determines that the document d ₁ is a document It can be claimed that the version is later than d _k . If no equal sign holds, the time stamp token TT _a is determined to be invalid, and the enemy A's claim that the document d ₁ is a version later than the document d _k is rejected.

According to the above embodiment, it can be claimed that the time stamp token TT _a acquired by the terminal device 3 of the enemy A is newer than the time stamp token TT _k acquired by the terminal device 1 of the user U. is adversary a, there is a need to provide a commit information h _a such equality is established to the verifier V in (equation 5). The information obtained by the enemy A is only the value of the commit information on the hash chain that has already been released, and even if the commit information h _k is the latest value that has been released, the hash function h (. ) Has unidirectionality and collision difficulty, so if the output of the hash function is sufficiently long for the terminal device 3 of the enemy A having the calculation capability of the stochastic polynomial time, ) it is difficult to find the commit information h _a satisfying. Therefore, the above embodiment is safe against the forward-dating attack.

In addition, when compared with the existing time stamp protocol, the terminal device 1 of the user U has to calculate a hash function at most n times (n is the maximum number of times of time stamp requests assumed). However, it is considered that the value of n is practically not so large, and further, the calculation time of the hash function is very short, so that it does not have a great impact on the execution time of the time stamp.
Further, in the verification at the time of dispute, it is necessary to verify the time stamp token three times and execute the hash function m + k−1 times. This is also due to the same reason as described above. The load is not considered high.
In the above embodiment, the process executed by the time stamp device 2 of the TSA is the same as the existing time stamp protocol, and the configuration of the time stamp request data created in the terminal device 1 of the user U is changed. Since the range of change is limited only to this, it has a high affinity for existing systems.

In the above embodiment, the commit information is generated in the terminal device 1. However, commit information generated by a TSA or a reliable third party may be stored in the storage unit 13 of the terminal device 1.
In the above embodiment, the terminal device 1 is configured to request a time stamp from the time stamp device 2 and obtain a time stamp token when the document is revised. It is also possible to make a time stamp request for a document at regular intervals and acquire a time stamp token instead of the timing of revision.

  The terminal devices 1 and 3, the time stamp device 2, and the time stamp verification device 4 described above have a computer system therein. The operation processes of the terminal devices 1 and 3, the time stamp device 2, and the time stamp verification device 4 described above are stored in a computer-readable recording medium in the form of a program. The above processing is performed by reading and executing. The computer system here includes an OS and hardware such as peripheral devices.

  In addition to ROM, “computer-readable recording medium” refers to a portable medium such as a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, or a storage device such as a hard disk built in a computer system. That means. Furthermore, the “computer-readable recording medium” refers to a volatile memory (RAM) inside a computer system that becomes a client or a system when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the whole structure of the time stamp system by one embodiment of this invention. It is a block diagram which shows the internal structure of the terminal device of the user U by the embodiment. It is a block diagram which shows the internal structure of the terminal device of the enemy A by the embodiment. It is a block diagram which shows the internal structure of the time stamp apparatus by the embodiment. It is a block diagram which shows the internal structure of the time stamp verification apparatus by the embodiment. It is a figure for demonstrating the creation method of the commit information by the embodiment. It is a figure which shows the time stamp issue procedure of the time stamp system by the embodiment. It is a figure which shows the front-back property verification procedure at the time of dispute of the time stamp system by the embodiment. It is a figure which shows the operation | movement procedure of a simple protocol.

Explanation of symbols

1, 3... Terminal device (time stamp requesting device)
2 ... Time stamp device 4 ... Time stamp verification device 11, 21, 31 ... Control means 12, 22, 32 ... Communication means 13, 33 ... Storage means 14 ... Commit information generation means 15, 34 ... Time stamp request means 16, 35 ... Time stamp token receiving means 23 ... Time acquisition means 24 ... Time stamp token generating means 42 ... Data reading means 43 ... Verification means

Claims (7)

A time stamp requesting device for requesting a time stamp token for authenticating the time at which digital data existed, and a time stamp for issuing a time stamp token as data for proving the time at which the digital data existed by a request from the time stamp requesting device A time stamp system comprising a device,
The time stamp requesting device includes:
Storage means for storing a value obtained by converting a function with a one-way and collision resistance by using one or more times as the commit information to prove the longitudinal resistance of a series of revised digital data with respect to the initial value,
Time stamp request data obtained by converting digital data for requesting a time stamp token and the commit information read from the storage means using a function having unidirectionality and collision difficulty is sent to the time stamp device. A time stamp requesting means for transmitting and requesting a time stamp token for the digital data;
A time stamp token receiving means for receiving a time stamp token returned from the time stamp device in response to the request,
The time stamp device is:
Based on the time stamp request data received from the time stamp request apparatus, Bei example timestamp token generating means for returning to generate a time stamp token for the digital data,
The time stamp requesting unit obtains the time stamp token request data by using the commit information obtained by a smaller number of conversions, as the subsequent request is made, when requesting a time stamp token for the digital data a plurality of times.
A time stamp system characterized by this. The storage means stores commit information which is a value obtained by recursively converting the initial value up to n times of the maximum time stamp request count assumed using a function having unidirectionality and collision difficulty.
When the number of times of requesting the time stamp token is j (1 ≦ j ≦ n) times, the time stamp requesting unit is up to (the estimated maximum time stamp request number n−the time stamp request number j + 1) times. Commit information, which is a value obtained by recursively converting the initial value by a function having one-way and collision difficulty, and the digital data are converted using a function having one-way and collision difficulty. Time stamp request data,
The time stamp system according to claim 1. The time stamp system further comprises a time stamp verification device for verifying a time stamp token,
The time stamp verification device
If there is a time stamp token of the digital data that proves a different time, the commit information corresponding to the time stamp token that proves a later time is recursively converted by the one-way and collision-resistant functions. The validity of the time stamp token that proves the later time is verified based on whether or not there is a value that matches the commit information corresponding to the time stamp token that proves the previous time among the values obtained in the above. With verification means,
The time stamp system according to claim 1 or 2, characterized by the above. A time stamp requesting device for requesting a time stamp token for authenticating the time at which digital data existed, and a time stamp for issuing a time stamp token as data for proving the time at which the digital data existed by a request from the time stamp requesting device A time stamp requesting device used in a time stamp system comprising:
Storage means for storing a value obtained by converting a function with a one-way and collision resistance by using one or more times as the commit information to prove the longitudinal resistance of a series of revised digital data with respect to the initial value,
Time stamp request data obtained by converting digital data for requesting a time stamp token and the commit information read from the storage means using a function having unidirectionality and collision difficulty is sent to the time stamp device. A time stamp requesting means for transmitting and requesting a time stamp token for the digital data;
Time stamp token receiving means for receiving a time stamp token returned from the time stamp device in response to the request;
Equipped with a,
The time stamp requesting unit obtains the time stamp token request data by using the commit information obtained by a smaller number of conversions, as the subsequent request is made, when requesting a time stamp token for the digital data a plurality of times.
A time stamp requesting device. Using a value obtained by converting a function with a one-way and collision resistance by using one or more times to the initial value as the commit information to prove the longitudinal resistance of a series of revised digital data, request a timestamp token Transmitting the time stamp request data obtained by converting the digital data and the commit information using a function having a one-way property and a collision difficulty to request a time stamp token for the digital data , When requesting a time stamp token for data a plurality of times, a time stamp requesting device that obtains the time stamp token request data using the commit information obtained by a smaller number of conversions as a later request;
A time stamp device that generates and returns a time stamp token, which is data certifying the time when the digital data existed, based on the time stamp request data received from the time stamp request device;
The time stamp verification device used in a time stamp system comprising a time stamp verification device for verifying the time stamp token,
If there is a time stamp token of the digital data that proves a different time, the commit information corresponding to the time stamp token that proves a later time is recursively converted by the one-way and collision-resistant functions. The validity of the time stamp token that proves the later time is verified based on whether or not there is a value that matches the commit information corresponding to the time stamp token that proves the previous time among the values obtained in the above. Verification means,
A time stamp verification apparatus comprising: A time stamp requesting device for requesting a time stamp token for authenticating the time at which digital data existed, and a time stamp for issuing a time stamp token as data for proving the time at which the digital data existed by a request from the time stamp requesting device A computer program used for the time stamp requesting device of a time stamp system comprising:
Storing a value obtained by converting a function having unidirectionality and collision difficulty at least once with respect to an initial value in a storage means as commit information that proves the seriality of a series of revisions of digital data; ,
Time stamp request data obtained by converting digital data for requesting a time stamp token and the commit information read from the storage means using a function having unidirectionality and collision difficulty is sent to the time stamp device. Transmitting and requesting a time stamp token for said digital data;
Receiving a time stamp token returned from the time stamp device in response to the request;
To the computer ,
When requesting a time stamp token for the digital data a plurality of times, in the step of requesting a time stamp token, the time stamp token request data is obtained using the commit information obtained by a smaller number of conversions as the subsequent request is made. obtain,
Computer program, wherein a call. Using a value obtained by converting a function with a one-way and collision resistance by using one or more times to the initial value as the commit information to prove the longitudinal resistance of a series of revised digital data, request a timestamp token Transmitting the time stamp request data obtained by converting the digital data and the commit information using a function having a one-way property and a collision difficulty to request a time stamp token for the digital data , When requesting a time stamp token for data a plurality of times, a time stamp requesting device that obtains the time stamp token request data using the commit information obtained by a smaller number of conversions as a later request;
A time stamp device that generates and returns a time stamp token, which is data certifying the time when the digital data existed, based on the time stamp request data received from the time stamp request device;
A computer program used in the time stamp verification device of a time stamp system comprising a time stamp verification device for verifying the time stamp token,
If there is a time stamp token of the digital data that proves a different time, the commit information corresponding to the time stamp token that proves a later time is recursively converted by the one-way and collision-resistant functions. The validity of the time stamp token that proves the later time is verified based on whether or not there is a value that matches the commit information corresponding to the time stamp token that proves the previous time among the values obtained in the above. Step,
A computer program for causing a computer to execute.

Images