JP4744929B2 - Anonymous authentication system, device and program - Google Patents

Description

  The present invention relates to an anonymous authentication system that applies an authentication method with anonymity, and in particular, when revoking a member, an anonymous authentication system that can reduce the amount of computation and communication compared to a method that uses zero knowledge proof, The present invention relates to an apparatus and a program.

  Conventionally, an authentication method capable of authenticating an anonymous user, such as an authentication method using a group signature method, is known (see, for example, Patent Document 1 and Non-Patent Documents 1 and 2).

  In these authentication methods, the verifier can authenticate that the authentication requester is a member belonging to a certain group, but satisfies the property that individual members cannot be specified. An authentication method that satisfies this property is called an anonymous authentication method.

  On the other hand, not only anonymous authentication but also various authentication methods, member revocation (invalidation) is a function that is practically indispensable for expiration date management, fraudster exclusion, and the like. In general public key infrastructure (PKI) authentication, a certificate revocation list (CRL) that describes the public key certificate of the member to be revoked is published, and at the time of authentication, The revoke is realized by a configuration in which the verifier verifies whether the public key of the authentication requester is described in the CRL.

  However, in the anonymous authentication method, since the authentication requester cannot be identified anonymously, it cannot be verified whether or not the revocation is performed by the CRL.

  Therefore, several revoke methods have been proposed for anonymous authentication methods (see, for example, Non-Patent Documents 3 and 4).

  Non-Patent Document 3 discloses a CRL similar to a member revocation in PKI, but the authentication requester proves to the verifier that the public key is not included in the CRL using a zero knowledge proof protocol. A method for realizing revoke is described.

Non-Patent Document 4 describes a method in which the zero knowledge proof protocol in Non-Patent Document 3 is improved to reduce the amount of calculation.
Japanese Patent Laid-Open No. 2004-054905 G. Ateniese, J. Camenisch, M. Joye, G. Tsudik, A practical and provably secure coalition-resistant group signature scheme, Proceedings of CRYPTO2000, LNCS 1880, Springer-Verlag, pp. 255-270, 2000. D. Chaum, E. van Heyst, Group Signatures, Proceedings of EUROCRYPT'91, LNCS 547, Springer-Verlag, pp.257-265, 1991. G. Ateniese, D. Song, G. Tsudik, Quasi-efficient revocation in group signatures, Financial Cryptography 2002, LNCS 2357, Springer-Verlag, 2002. J. Camenisch, A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials, Crypto2002, LNCS 2442, Springer-Verlag, pp.61-76, 2002. A. Fiat and M. Naor, Broadcast Encryption. In Advances in Cryptology-Crypto '93, Lecture Notes in Computer Science 773, Springer-Verlag, pp. 480-491. JPO homepage, reference room, standard description collection 2005.3.25, information security technology on clients, D-3-2 decoder revocation, http://www.jpo.go.jp/shiryou/s_sonota/hyoujun_gijutsu/info_sec_tech/ d-3-2.html, accessed on May 10, 2005 M. Naor, B. Pinkas, Efficient trace and revoke schemes, Financial Cryptography 2000, LNCS 1962, Springer-Verlag, pp. 1-20, 2001.

However, the member revocation method in the above anonymous authentication method has the following disadvantages.
The method described in Non-Patent Document 3 realizes a revoke by combining a revoke method using CRL in PKI and an anonymous authentication method using a zero knowledge proof protocol. However, in general, the zero-knowledge proof protocol is not practical because it requires a large amount of calculation. Further, unlike the revocation in PKI, the method described in Non-Patent Document 3 has a problem of increasing the communication amount of the authentication requester because not only the verifier but also the authentication requester must obtain the CRL.

  The method described in Non-Patent Document 4 is a method in which the amount of calculation of zero knowledge proof in Non-Patent Document 3 is reduced. However, the method described in Non-Patent Document 4 still requires a calculation amount proportional to the number of revoked members, and consequently slows down the processing time of the entire authentication, as compared with the anonymous authentication method without the revocation function. Not practical. Further, the method described in Non-Patent Document 4 increases the amount of communication as in Non-Patent Document 3 in that the authentication requester must obtain the CRL.

  As described above, the revoke method in the conventional anonymous authentication method has a drawback that it is not practical because it increases the amount of calculation and the amount of communication due to the zero knowledge proof.

  The present invention has been made in consideration of the above circumstances, and provides an anonymous authentication system, apparatus, and program capable of reducing the amount of calculation and the amount of communication compared to a method using zero knowledge proof when revoking a member. For the purpose.

  First, an outline of the present invention will be described. The outline of the present invention relates to an anonymous authentication method using a broadcast encryption method. Specifically, the verifier of authentication encrypts a random message using a broadcast encryption method encryption key released in advance, and transmits this ciphertext to the authentication requester. The authentication requester who is a member can decrypt the ciphertext using the decryption key distributed in advance, and sends the decrypted message back to the verifier. On the other hand, an authentication requester who is not a member cannot decrypt the ciphertext and fails in authentication. The verifier verifies that the first encrypted random message and the message returned from the authentication requester are the same, and if they match, the verification of the member is successful. As a result, no member information is transmitted to the verifier, and it is possible to verify that the verifier is a member belonging to the group.

  At this time, the authentication requester and the authentication verifier need only perform encryption and decryption of the broadcast encryption method, respectively. The amount of computation for encryption and decryption in the broadcast encryption system is very small to the extent that broadcasting and reproduction can be performed in real time. For this reason, an anonymous authentication method can be realized with a very small calculation amount. Further, in order to revoke a member, it is only necessary to regenerate a public encryption key and make it public so that the decryption key distributed to the revoked member cannot be decrypted. This can be realized with the same effort and traffic as the release of CRL in PKI.

  The above is the outline of the present invention. Next, each invention corresponding to each aspect of the present invention will be described.

  1st invention is an anonymous authentication system provided with the authentication verification apparatus and the authentication request | requirement apparatus, Comprising: As said authentication verification apparatus, it is a broadcast type so that a message can be encrypted so that only a valid decoding key set can be decrypted. An encryption key storage means for storing the broadcast encryption encryption key Kv when the broadcast encryption encryption key Kv generated based on the encryption method is input to the authentication verification device; and the broadcast encryption encryption Message generation means for generating a random message R when the encryption key Kv is input, and ciphertext generation means for generating the ciphertext C by encrypting the message R based on the broadcast encryption encryption key Kv A ciphertext transmitting means for transmitting the ciphertext C to the authentication requesting device, a decryption result receiving means for receiving a decryption result of the ciphertext C from the authentication requesting device, and a decryption result of the ciphertext C as the message. A verification unit that verifies whether or not the sage R matches, and a verification result output unit that outputs the verification result. The authentication requesting device corresponds to the broadcast encryption / encryption key Kv. When a broadcast encryption / decryption key Ki is input to the authentication requesting device, a first decryption key storage means for storing the broadcast encryption / decryption key Ki and a ciphertext for receiving the ciphertext C from the authentication verification device Anonymous authentication system comprising receiving means, ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki, and decryption result transmission means for transmitting the decryption result to the authentication verification device It is.

  According to the first invention, the broadcast encryption method with a small amount of computation and communication is used, the authentication verification device decrypts the ciphertext C generated by the broadcast encryption key Kv, and the decryption result. With the configuration in which the authentication verification apparatus verifies the authentication request apparatus and performs anonymous authentication of the authentication request apparatus, it is possible to provide an anonymous authentication system that can reduce the amount of calculation and the amount of communication when revoking a member, as compared with a method using zero knowledge proof.

  A second invention is an anonymous authentication system comprising an authentication verification device and an authentication requesting device, wherein the authentication verification device is a broadcast type that encrypts a message so that only a valid decryption key set can be decrypted. When the broadcast encryption encryption key Kv generated based on the encryption method is input to the authentication verification device, the encryption key storage means for storing the broadcast encryption encryption key Kv and the group signature method When the group signature verification key KGv generated in this way is input to the authentication verification device, the group signature verification key storage means for storing the group signature verification key KGv, the broadcast type encryption key Kv and the group signature verification When a key KGv is input, a signature target message generating means for generating a signature target message M to be a group signature target, the broadcast encryption key Kv and the group signature Message verification means for generating a random message R when a verification key KGv is input; and ciphertext generation means for encrypting the message R based on the broadcast encryption key Kv and generating a ciphertext C A ciphertext transmitting unit that transmits the ciphertext C and the signature target message M to the authentication requesting device, a group signature receiving unit that receives a group signature GS from the authentication requesting device, and the group signature verification using the group signature GS A verification unit for verifying based on the key KGv; and a verification result output unit for outputting the verification result. The authentication requesting device includes a broadcast encryption / decryption corresponding to the broadcast encryption / encryption key Kv. When the key Ki is input to the authentication requesting device, a first decryption key storage means for storing the broadcast type encryption / decryption key Ki, and the group signature verification key K When a group signature member key KGi corresponding to v is input to the authentication requesting device, a first member key storage means for storing the group signature member key KGi, and a ciphertext C and a signature object from the authentication verification device A ciphertext receiving means for receiving the message M, a ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki, a message R ′ obtained by the decryption and the received signature object Concatenated data generating means for concatenating messages M and generating concatenated data R′‖M, and group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi And an anonymous authentication system comprising group signature transmission means for transmitting the group signature GS to the authentication verification device.

  According to the second aspect of the invention, a broadcast encryption method with a small calculation amount and communication amount is used, and the authentication verification device causes the authentication requesting device to decrypt the ciphertext C generated by the broadcast encryption key Kv, and the decryption result The authentication requesting device generates a group signature and the authentication verification device verifies the group signature to perform anonymous authentication of the authentication requesting device, thereby revoking members even in anonymous authentication using the group signature method. In this case, it is possible to provide an anonymous authentication system capable of reducing the amount of calculation and the amount of communication compared to the method using zero knowledge proof.

  As described above, according to the present invention, it is possible to provide an anonymous authentication system, apparatus, and program that can reduce the amount of calculation and the amount of communication when revoking a member as compared with a method using zero knowledge proof.

  Each embodiment of the present invention will be described below, but before that, broadcast encryption and a group signature method, which are elemental technologies of each embodiment, will be described.

<Broadcast encryption method>
There is known a broadcast encryption method that can distribute a decryption key to all members belonging to a group in advance and generate a ciphertext that can be decrypted only after a specific decryption key (for example, Non-Patent Document 5). , 6).

  The broadcast encryption method is widely applied to limited reception of pay broadcasts and limited playback of DVDs to users registered in advance. Specifically, a broadcast encryption key is stored in advance in a broadcast receiver or DVD player, and the contents of a pay broadcast or DVD are encrypted by a broadcast encryption method, so that a specific (for example, registered) The content can be viewed only on a broadcast receiver and a DVD player (for which a viewing fee has been paid). As can be seen from these application examples, the calculation amount of encryption and decryption of the broadcast encryption method is designed to be very small so that broadcast and reproduction can be performed in real time.

  The broadcast encryption method is composed of the following five functions.

  (1) Secret information generation function Init: Security information is input and secret information S necessary for generating an encryption key and a decryption key is output.

  (2) Decryption key generation function DKeyGen: The secret information S is input, and a different decryption key Ki is output for each member.

  (3) Encryption key generation function EKeyGen: Inputs secret information S and information for specifying a decryptable decryption key (or information for specifying a decryption key to be revoked), and outputs an encryption key Kv.

  (4) Encryption function E: Inputs an encryption key and a message, and outputs a ciphertext.

  (5) Decryption function D: Inputs a decryption key and ciphertext, and outputs a decrypted message. However, when the decryption key is revoked, a message different from NG or the original message is output.

  Here, as an example, each function in the broadcast encryption method described in Non-Patent Document 7 will be described in detail.

(1) Secret information generation function Init:
Generate sufficiently large prime numbers p and q (where q is divisible by p−1). Next, v is the maximum number of decryption keys to be revoked, and the following vth order polynomial f (x) is selected.
f (x) = a ₀ + a ₁ x + a ₂ x ² +. . . + A _v x ^v mod q
Thereafter, the coefficients a ₀ , a ₁ ,. . . , A _v and p, q are output as secret information S. The value of v is input in advance as a security parameter.

(2) Decryption key generation function DKeyGen:
A value satisfying v <x _i <q is randomly selected for each user i. Then, for each selected value x _i, based on the secret information S, calculates the following v-degree polynomial.

f (x _i ) = a ₀ + a ₁ x _i + a ₂ x _i ² +. . . + A _v x _i ^v mod q
Then, a unique value <x _i , f (x _i )> for each user i is output as a decryption key Ki.

(3) Encryption key generation function EKeyGen:
The m decryption keys to be revoked are K _i1 = (x _i1 , f (x _i1 )), K _i2 = (x _i2 , f (x _i2 )),. . . , K _im = (x _im , f (x _im )). However, m <v is satisfied.
Hereinafter, y ₁ = x _i1 , y ₂ = x _i2,. . . _{, Y m = x im, y} m + 1 = m + 1, y m + 2 = m + 2 ,. . . , Y _v = v.

Next, f (y ₁ ) mod q, f (y ₂ ) mod q,. . . , F (y _v ) mod q.

Next, based on the secret information S, a generation source g of a group whose order is q in the subgroup of the multiplicative group Zp ^* is randomly generated. Finally,
h ₀ = g ^{f (0)} , h ₁ = g ^{f (y} 1 ⁾ mod p, h ₂ = g ^{f (y} 2 ⁾ mod p,. . . , H _v = g ^{f (y} v ⁾ mod p
<P, q, g, (y ₁ , y ₂ ,..., Y _v ), (h ₀ , h ₁ , h ₂ ,... H _v )> are output as the encryption key Kv.

(4) Encryption function E
A random number r (0 <r <q) is selected where M (where M <p) is the message to be encrypted, and g ^r , M · h ₀ ^r , h ₁ ^r,. . . , H _v ^r is calculated. And
<P, q, g, (y ₁ , y ₂ ,..., Y _v ), (g ^r , M · h ₀ ^r , h ₁ ^r ,..., H _v ^r )> are output as ciphertext To do.

(5) Decoding function D
When an unrevoked decryption key <x _i , f (x _i )> is input, first, h _{v + 1} ^r = (g ^r ) ^{f (x} i ⁾ = (g ^{f (x} i ⁾ ) ^r mod p Calculate Hereinafter referred to as y _{v +} 1 = x _i.

Next, Z = (h ₁ ^r ) ^λ 1 · (h ₂ ^r ) ^λ 2 ^···· (h _v ^r ) ^λ v · (h _{v + 1} ^r ) ^λ v + 1 mod p is calculated.
Here, λ _i (i = 1,..., V + 1) is a Lagrange interpolation coefficient expressed by the following equation.

If the decryption key is not revoked, y _{v + 1} is y ₁ ,. . , Y _v do not match, so λ _i can be calculated. At this time, Z satisfies Z = gr ^{· f (0)} by the Lagrange interpolation method. Therefore, the message M can be decrypted by calculating the following equation.

(M · h ₀ ^r ) / Z = M · g ^{r · f (0)} / g ^{r · f (0)} = M mod p
On the other hand, for a revoked decryption key, y _{v + 1} is y ₁ ,. . In order to match one of y _m, it can not compute the interpolation coefficients of Lagrange, can not be applied Lagrange's interpolation method. Therefore, the message M cannot be decrypted.

<Group signature method>
The group signature is a kind of digital signature method, and various methods have been proposed so far. (For example, refer nonpatent literature 1 and 2.). According to Non-Patent Document 2, the group signature method has the following first to third properties.

  The first property is a property that an arbitrary member belonging to a certain group can generate a signature as a representative of the group. The second property is that the verifier side can verify that the signature is generated by a member of the group, but it is difficult to specify the member that generated the signature (hereinafter referred to as the signer). It is a property with anonymity. The third property is a property that allows the signer to be specified from the group signature by specific information.

Subsequently, as such a group signature method, a group signature method of J. Camenisch et al. Described in Patent Document 1 will be described as a representative example. Here, Table 1 below shows symbols of the group signature scheme of Kamenisch et al.

(Cam.1: Preparation)
The group manager GA discloses the element a, the public key e, n, the prime number L, and the element g. The signer S selects a secret key xε {1,..., 2 ^μ −1} and creates a public key y = a ^x mod n.

(Cam.2: Group participation request)
The signer S selects a random number tε {1,..., 2 ^μ −1} and calculates a knowledge proof SK (y) of the secret key x with respect to the public key y. The knowledge proof SK (y) is a set of the following c ₁ and s ₁ .
^{_{c 1 = h (y‖a‖a t)}} (mod n)
s ₁ = t−xc ₁
Then, the signer S sends the public key y and the knowledge proof SK (y) to the group manager GA.

(Cam.3: Issuing group participation certificate)
The group administrator GA calculates s ₁ ′ = s ₁ (mod λ (n)), and verifies that the signer S holds the correct private key x by the following expression c ₁ .

  Thereafter, the group manager GA confirms the signing authority of the signer S by an appropriate method.

  Thereafter, the group manager GA signs y + δ as shown in the following equation, issues a participation certificate ν, and sends it secretly to the signer S.

ν = (y + δ) ^d (mod n)
Note that δ is 1, for example.

(Cam. 4: Group signature)
The signer S selects k random numbers u _i ε {1,..., 2 ^μ −1} that satisfy u _i > x, and obtains z = g ^y (mod L). Thereafter, the signer S obtains the knowledge proof SK2 (m) = (c ₂ , s _2,1 ,..., S _{2, k} ) of the secret key x as the following equation.

s _{2, i} = u _i −x (when c ₂ (i) = 0)
s _{2, i} = u _i ... (at other times)
However, i = 1, ..., k
Here, c ₂ (i) indicates the i-th (i = 1,..., K) bit from the binary display upper bit of c ₂ .

In addition, the signer S selects a random number w _i ∈Zn ^*, and obtains the knowledge proof SK3 (m) = (c ₃ , s _3,1 ,..., S _{3, k} ) of the participation certificate ν as follows: Ask.

s _{3, j} = w _j / ν (when c ₃ (j) = 0)
s _{3, j} = w _j ... (at other times)
However, j = 1, ..., k
Eventually, the signature for m is SK2 (m), SK3 (m).

(Cam.5: Group signature verification)
The verifier V verifies the validity of the signer S from z as follows, and accepts m if it is correct.

  The Camenish group signature method as described above realizes non-repudiation because the SK2 (m) is created using the secret key x associated with the group participation certificate ν. Further, by verifying SK3 (m), it is verified that the signer S holds the group participation certificate ν using the group public key e, and thus verification is shown.

Further, since the verifier V verifies using the zero knowledge proof, the personal information of the signer S is not leaked, and anonymity is maintained. Also, since the signature z of the signer S is created from only one secret key x, the user information can be linked between sessions using the same base g. Therefore, if the different basis g is used, the untraceability is satisfied.
The above is the Kamenish group signature scheme, but other group signature schemes have similar properties. Subsequently, the description will proceed to each embodiment of the present invention.

(First embodiment)
FIG. 1 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the first embodiment of the present invention, and FIG. 2 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.

  Here, the authentication verification device 10a is held by a verifier (not shown), and includes an encryption key storage unit 11, a writing unit 12, a challenge information generation unit 13, a ciphertext generation unit 14, a ciphertext transmission unit 15, and a verification unit 16. It has. Here, the authentication verification apparatus 10a can be realized as, for example, a SW (software) module that operates on a PC (personal computer) or an IC card. In this case, each function of the authentication verification apparatus 10a is previously stored from a storage medium or a network. The program for realizing is installed in the computer of the authentication verifier apparatus VR and realized. The same applies to the following embodiments.

  The encryption key storage unit 11 authenticates from the authentication verifier device VR the broadcast encryption key Kv generated based on the broadcast encryption method so as to encrypt the message so that only a valid decryption key set can be decrypted. This is a memory in which the broadcast encryption / encryption key Kv is written from the writing unit 12 when input to the device 10a.

  The writing unit 12 writes the broadcast encryption encryption key Kv input from the authentication verifier device VR into the encryption key storage unit 11.

  The challenge information generation unit 13 has a function of generating a random message R and a message R to the ciphertext generation unit 14 when the broadcast encryption encryption key Kv is input from the authentication verifier device VR to the authentication verification device 10a. Has a function to send.

  The ciphertext generation unit 14 encrypts the message R received from the challenge information generation unit 13 based on the broadcast type encryption key Kv in the encryption key storage unit 11 and generates a ciphertext C (encryption A function E) and a function of sending the ciphertext C and the message R to the ciphertext transmission unit 15.

  The ciphertext transmission unit 15 has a function of transmitting the ciphertext C received from the ciphertext generation unit 14 to the authentication requesting device 30a and a function of transmitting the message R received from the ciphertext generation unit 14 to the verification unit 16. .

  The verification unit 16 verifies whether or not the decryption result (ciphertext C) received from the authentication requesting device 30a matches the message R received from the ciphertext transmission unit 15, and outputs this verification result. It has a function.

The authentication verification device 10a as described above is used by being attached to the authentication verifier device VR. One or more authentication verifier apparatuses VR provided with such an authentication verification apparatus 10a are provided, but for simplification of description, the case of one authentication verifier apparatus will be described here as an example.
The authentication verifier device VR includes an authentication request reception unit 17, a key request transmission unit 18, an encryption key reception unit 19, and an encryption key management unit 20 in addition to the above-described authentication verification device 10a.

  The authentication request receiving unit 17 has a function of receiving an authentication request from the authentication requester apparatus RQ and a function of transmitting the received authentication request to the encryption key management unit 20.

  The key request transmission unit 18 has a function of transmitting an encryption key request to the group management device GM based on the encryption key management unit encryption key acquisition request.

  The encryption key receiving unit 19 has a function of receiving the broadcast encryption encryption key Kv from the group management device GM and sending this broadcast encryption encryption key Kv to the encryption key management unit 20.

  The encryption key management unit 20 has a function of sending an encryption key acquisition request to the key request transmission unit 18 based on the authentication request reception unit authentication request, and a broadcast-type encryption encryption key received from the encryption key reception unit 19. It has a function of storing Kv and a function of inputting the broadcast encryption / encryption key Kv to the authentication verification apparatus 10a.

  However, the encryption key management unit 20 sends an encryption key acquisition request to the key request transmission unit 18 at a timing when the key disclosure unit 57 of the group management apparatus GM discloses the broadcast encryption encryption key Kv, without being based on the authentication request. The broadcast type encryption key Kv received from the encryption key receiving unit 19 may be stored, and the stored broadcast type encryption key Kv is authenticated based on the authentication request receiving unit authentication request. You may input into 10a. The same applies to the following embodiments, and the same applies to the case where a group verification key KGv described later is acquired.

  Supplementally, the authentication verifier apparatus VR may acquire the public broadcast encryption / encryption key Kv based on the authentication request or may not acquire it based on the authentication request. As a case where acquisition is not performed based on an authentication request, for example, there is a case where the broadcast encryption / encryption key Kv is updated only periodically. In this case, the encryption key management unit 20 acquires and stores the broadcast-type encryption / encryption key Kv at regular intervals immediately after the update, and stores the stored broadcast when receiving an authentication request. The configuration in which the type encryption key Kv is input to the authentication verification device 10a is preferable from the viewpoint of minimizing the amount of communication with the group management device GM. As another example, the fact that the group management device GM has released the broadcast encryption encryption key Kv is notified to the authentication verifier device VR by means not shown here, and the encryption key management unit 20 responds to this notification. By adopting a configuration in which the broadcast encryption / encryption key Kv is acquired based on this, the amount of communication with the group management apparatus GM can be minimized as well.

  On the other hand, the authentication requesting device 30a is held by an authentication requester (not shown) and includes a decryption key storage unit 31, a writing unit 32, a ciphertext receiving unit 33, a ciphertext decrypting unit 34, and a transmitting unit 35. Here, the authentication requesting device 30a can be realized as, for example, a SW (software) module that operates on a PC (personal computer) or an IC card. In this case, each function of the authentication requesting device 30a is previously stored from a storage medium or a network. A program to be realized is installed in the computer of the authentication requester apparatus RQ. The same applies to the following embodiments.

  When the broadcast encryption / decryption key Ki corresponding to the broadcast encryption / encryption key Kv is input from the authentication requester device RQ to the authentication requesting device 30a, the decryption key storage unit 31 writes the broadcast encryption / decryption key Ki. This is a memory written from the unit 32.

  The writing unit 32 writes the broadcast encryption / decryption key Ki input from the authentication requester apparatus RQ into the decryption key storage unit 31.

  The ciphertext receiving unit 33 has a function of receiving the ciphertext C from the authentication verification apparatus 10 a and a function of sending the ciphertext C to the ciphertext decryption unit 34.

  The ciphertext decryption unit 34 decrypts the ciphertext C received from the ciphertext reception unit 33 based on the broadcast encryption / decryption key Ki in the decryption key storage unit 31 and the obtained decryption function D And a function for sending the result to the transmitter 35.

  The transmission unit 35 has a function of transmitting the decryption result received from the ciphertext decryption unit 34 to the authentication verification apparatus 10a.

The authenticator request device 30a as described above is used by being attached to the authentication request device RQ. One or more authentication requesting devices RQ provided with such an authentication requesting device 30a are provided. For the sake of simplification of description, a case of only one authentication requesting device RQ will be described here as an example.
The authentication requester device RQ includes a participation request transmission unit 36, a decryption key reception unit 37, a decryption key management unit 38, and an authentication request transmission unit 39 in addition to the above-described authentication request device 30a.

  The participation request transmission unit 36 has a function of transmitting a group participation request to the group management apparatus GM by an operation of the authentication requester.

  The decryption key receiving unit 37 has a function of receiving the broadcast encryption / decryption key Ki from the group management apparatus GM and a function of sending the received broadcast encryption / decryption key Ki to the decryption key management unit 38.

  The decryption key management unit 38 authenticates the broadcast encryption / decryption key Ki when the authentication request transmission unit 39 transmits the authentication request and the function of storing the broadcast encryption / decryption key Ki received from the decryption key reception unit 37. And a function of inputting to the requesting device 30a.

  The authentication request transmission unit 39 transmits an authentication request to the authentication verifier apparatus VR by an operation of the authentication requester.

  On the other hand, the group management device GM includes a secret information management unit 51, a participation request reception unit 52, a broadcast encryption / decryption key generation unit 53, a key transmission unit 54, a revocation information input unit 55, and a broadcast encryption / encryption key generation unit 56. , An encryption key disclosure unit 57 and a control unit 58 are provided.

The secret information management unit 51 has a function (secret information generation function Init) for generating secret information S for generating the broadcast encryption / encryption key Kv and the broadcast encryption / decryption key Ki based on the broadcast encryption method, A function of storing the secret information S. In the example of Non-Patent Document 7 described above, this secret information is stored in the coefficients a ₀ , a ₁ ,. . . , A _v and p, q.

  The participation request receiving unit 52 has a function of receiving a group participation request from the authentication requester device and a function of sending the group participation request to the control unit 58.

  The broadcast type encryption / decryption key generation unit 53 is controlled by the control unit 58 and is specific to the authentication requester apparatus RQ based on the group participation request received from the control unit 58 and the secret information S in the secret information management unit 51. It has a function of generating a broadcast encryption / decryption key Ki (decryption key generation function DKeyGen) and a function of transmitting this broadcast encryption / decryption key Ki to the key transmission unit 54.

  The key transmission unit 54 has a function of transmitting the broadcast encryption / decryption key Ki received from the broadcast encryption / decryption key generation unit 53 to the authentication requester apparatus RQ.

The revocation information input unit 55 has a function of inputting revocation information specifying a subset of the broadcast encryption / decryption key Ki to be revoked to the broadcast encryption / encryption key generation unit 56 by the operation of the group administrator. In the case of the above-mentioned non-patent document 7, the revocation information includes m decryption keys to be revoked: K _i1 = (x _i1 , f (x _i1 )), K _i2 = (x _i2 , f (x _i2 ) ),. . . , K _im = (x _im , f (x _im )).

  When the broadcast encryption / encryption key generation unit 56 revokes a subset of the set of broadcast encryption / decryption keys Ki unique to each authentication requester device, the broadcast encryption / encryption key generation unit 56 creates a secret information management unit 51 based on the broadcast encryption method. And a function (encryption key generation function EKeyGen) for generating a broadcast encryption / encryption key Kv from the revocation information specifying the subset of the secret information S and the revoked broadcast encryption / decryption key Ki. Supplementally, the broadcast encryption / encryption key Ki is generated every time a group is generated and when a new decryption key is revoked. The revocation information is information that specifies a subset of all the decryption keys to be revoked (for example, there may be an empty set without the revocation key to be revoked or a subset including one or more decryption keys). I just need it.

  The encryption key disclosure unit 57 has a function of publicizing the broadcast encryption encryption key Kv generated by the broadcast encryption encryption key generation unit 56 so as to be acquired from the authentication verifier device VR by the operation of the group administrator. .

  The control unit 58 has a function of controlling the units 51 to 54 based on the broadcast encryption method.

Next, the operation of the anonymous authentication method configured as described above will be described.
(Group management method)
The group management device GM holds the secret information S generated in advance using the secret information generation function of the broadcast encryption method in the secret information management unit 51.

  The authentication requester apparatus RQ transmits a group participation request to the group management apparatus GM when participating in a certain group.

  When the group management device GM receives the group participation request, the broadcast encryption / decryption key generation unit 53 inputs the secret information S of the secret information management unit 51 and executes the decryption key generation function MKeyGen of the broadcast encryption method. A different decryption key Ki is generated for each authentication requester.

  The decryption key Ki is transmitted from the key transmission unit 54 to the authentication requester apparatus RQ.

  The authentication requester apparatus RQ stores the received decryption key Ki in the decryption key management unit 38.

  On the other hand, the group management device GM generates an encryption key Kv at the time of group generation and whenever a revocation of the decryption key is required, and makes it public by the key disclosure unit 57. The encryption key Kv is input with the secret information S of the secret information management unit 51 and the revoked decryption key information that can specify all the decryption keys to be revoked by the broadcast type encryption key generation unit 56. Generate by executing the encryption key generation function EKeyGen.

  Here, when the authentication requester authenticates the verifier, the authentication requester apparatus RQ transmits an authentication request to the verifier apparatus VR. At this time, the authentication requester apparatus RQ inputs the broadcast encryption / decryption key Ki stored in the decryption key management section 38 to the authentication request apparatus 30a.

  On the other hand, the authentication verifier apparatus VR uses the group management apparatus by the authentication request reception unit 17, the key request transmission unit 18, and the encryption key reception unit 19 every predetermined period or every time an authentication request is received from the authentication requester device RQ. The disclosed encryption key Kv is acquired and input to the authentication verification apparatus 10a via the encryption key management unit 20. Further, the encryption key management unit 20 stores the encryption key Kv if necessary.

  As described above, when the broadcast encryption / decryption key Ki is input to the authentication requesting device 30a and the broadcast encryption / decryption key Kv key is input to the authentication verification device 10a, anonymous authentication is started between the devices 30a and 10a. The

(Anonymous authentication: Fig. 3)
Next, the operation of anonymous authentication will be described with reference to FIG.
The authentication verification device 10a writes the broadcast encryption key Kv input in accordance with the above-described authentication request in the encryption key storage unit 11 and activates the challenge information generation unit 13.

  The challenge information generation unit 13 generates a random message R (random number) and sends this message R to the ciphertext generation unit 14 (ST1).

  The ciphertext generation unit 14 encrypts this message R with the encryption key Kv to generate ciphertext C = E (Kv, R) (ST2). Here, E is an encryption function of the broadcast encryption method, and the notation E (Kv, R) means that the message R is encrypted using the key Kv. Thereafter, the ciphertext generation unit 14 sends the ciphertext C = E (Kv, R) and the message R to the ciphertext transmission unit 15.

  The ciphertext sending unit 15 sends the ciphertext C to the authentication requesting device 30a (ST3), and sends the message R to the verification unit 16.

  In the authentication requesting device 30 a, the input broadcast encryption / decryption key Ki is written in the decryption key storage unit 31 as described above. Here, the authentication requesting device 30a receives the ciphertext C = E (Kv, R) by the ciphertext receiving unit 33 (ST4). The ciphertext receiving unit 33 sends the ciphertext C = E (Kv, R) to the ciphertext decryption unit 34.

  The ciphertext decryption unit 34 decrypts the ciphertext C based on the decryption key Ki (ST5), and obtains a decrypted message R '= D (Ki, C) (= R) or NG. Here, D is a decryption function of the broadcast encryption method, and D (Ki, C) means that the ciphertext C is decrypted using the key Ki. In addition, when the decryption key Ki is revoked or when no decryption key is input, NG may be output as a decryption result.

  In any case, the ciphertext decryption unit 34 sends the decrypted message R ′ or NG to the transmission unit 35. The transmission unit 35 transmits the decrypted message R ′ or NG to the authentication verification apparatus 10a (ST6).

  In the authentication verification apparatus 10a, the message R 'or NG is received via a receiving unit (not shown). The received message R ′ or NG is sent to the verification unit 16.

  The verifying unit 16 determines whether the message R ′ or NG has been received (ST7), and if NG is received, outputs an authentication failure (NG).

  On the other hand, when the message R ′ is received, the verification unit 16 compares the received message R ′ with the original message R (ST8). If the two messages R ′ and R match, the verification unit 16 outputs authentication success (OK). If the two messages R ′ and R do not match, the verification unit 16 outputs an authentication failure (NG).

  As described above, according to the present embodiment, a broadcast encryption method with a small calculation amount and communication amount is used, and the ciphertext C generated by the authentication verification device 10a using the broadcast encryption key Kv is decrypted to the authentication request device 30a. The authentication verification apparatus 10a verifies the decryption result and performs the anonymous authentication of the authentication request apparatus 30a. Therefore, when revoking a member, the calculation amount and the communication amount can be reduced as compared with the method using zero knowledge proof. Anonymous authentication system can be provided.

  In the above procedure, the information on the broadcast encryption / decryption key distributed to the authentication requester is not transmitted to the verifier, and thus anonymous authentication is possible. Further, since the revoked decryption key always fails to decrypt the ciphertext, the authentication is never successful. Therefore, the verifier can easily authenticate the member only by generating a ciphertext using the encryption key of the broadcast encryption and verifying whether or not the decryption is possible.

  According to the above anonymous authentication system, the member can be easily revoked by updating the encryption key of the broadcast encryption.

(Second Embodiment)
FIG. 4 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the second embodiment of the present invention, and FIG. 5 is a schematic diagram showing a configuration of an anonymous authentication system including both devices, The same parts as those in FIGS. 1 and 2 are denoted by the same reference numerals, and detailed description thereof is omitted. Here, different parts are mainly described. In the following embodiments, the same description is omitted.

  That is, the present embodiment is a modification of the first embodiment and is intended to improve the security of authentication. Specifically, the authentication verification apparatus 10b includes a verifier identification information storage unit 21. And a hash value generation unit 22 are added, and an identification information verification unit 40 and a hash value verification unit 41 are added to the authentication requesting device 30b. Accordingly, in the second embodiment, the subscript “b” is added to components whose input / output destinations, processing data, and the like have changed. This type of subscript is also applied to slightly different components in the following embodiments.

  Here, the identification information storage unit 21 is a memory in which verifier identification information IDv unique to the authentication verification apparatus 10b is stored.

  The ciphertext generation unit 14b concatenates the message R received from the challenge information generation unit 13b and the verifier identification information IDv in the verifier identification information storage unit 21 to obtain the concatenated data R‖IDv, and an encryption key storage A function of encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv in the unit 11 to generate a ciphertext C and a function of sending the obtained ciphertext C to the ciphertext transmission unit 15b. Yes.

  The hash value generation unit 22 generates a hash value H (R) of the message R generated by the challenge information generation unit 13b by the one-way function H, and the hash value H (R) is a ciphertext transmission unit. 15b.

  The cipher part transmitting unit 15b includes the ciphertext C obtained by the ciphertext generation unit 14b, the hash value H (R) obtained by the hash value generation unit 22, and the verifier identification information IDv in the verifier identification information storage unit 21. Is transmitted to the authentication requesting device.

  The ciphertext receiving unit 33b receives the ciphertext C, the hash value H (R), and the verifier identification information IDv from the authentication verification apparatus 10b and sends them to the ciphertext decryption unit 34b.

  The ciphertext decryption unit 34b decrypts the ciphertext C received from the ciphertext reception unit based on the broadcast encryption / decryption key Ki in the decryption key storage unit 31, and obtains concatenated data R′‖IDv ′; The concatenated data R′‖IDv ′, the hash value H (R), and the verifier identification information IDv are sent to the identification information verification unit 40.

  The identification information verification unit 40 matches the function that verifies whether the verifier identification information IDv ′ in the concatenated data received from the ciphertext decryption unit 34b matches the received verifier identification information IDv. The message R ′ and the hash value H (R) are sent to the hash value verification unit 41.

  The hash value verification unit 41 determines whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the hash value H (R) received from the authentication verification RQ device. Has a function to verify.

  The transmission unit 35b has a function of transmitting the message R ′ in the concatenated data to the authentication verification device 10b when the verification results of the identification information verification unit 40 and the hash value verification unit 41 indicate a match.

  Next, the operation of the anonymous authentication system configured as described above will be described.

  Now, as described above, it is assumed that the authentication requesting device 30b and the authentication verification device 10b start anonymous authentication. The authentication verification device 10b activates the challenge information generation unit 13b as described above.

  The challenge information generation unit 13b generates a random message R (random number) and sends the message R to the ciphertext generation unit 14b.

  The ciphertext generation unit 14b concatenates the message R and the verifier identification information IDv in the encryption key storage unit 11, encrypts the obtained concatenated data R‖IDv with the encryption key Kv, and generates the ciphertext C = E (Kv, R‖IDv) is generated. Here, ‖ means data concatenation.

  Thereafter, the ciphertext generation unit 14b sends the ciphertext C = E (Kv, R‖IDv), the verifier identification information IDv, and the message R to the ciphertext transmission unit 15b.

  On the other hand, the hash value generation unit 22 generates a hash value H (R) of the message R using the one-way hash function H that has been agreed with the authentication requesting device 30b in advance, and encrypts the hash value H (R). It is sent to the sentence transmitter 15b.

  Then, the ciphertext transmission unit 15b transmits the ciphertext C, the hash value H (R), and the verifier identification information IDv to the authentication requesting device 30b, while sending the message R to the verification unit 16 as described above.

  The authentication requesting device 30b decrypts the received ciphertext C using the decryption key Ki by the ciphertext decryption unit 34b, and calculates R'‖IDv '= D (Ki, C) = R‖IDv.

  In the authentication requesting device 30b, the identification information verification unit 40 further determines that the received IDv is information for identifying the verifier who requested authentication, and when receiving the IDv, the decrypted IDv ′ is the same as the received IDv. Verify that there is, that is, IDv ′ = IDv.

  If the verification fails, the identification information verification unit 40 sends NG to the transmission unit 35b. If the verification succeeds, the identification information verification unit 40 uses the decrypted message R ′ = R and the hash value H (R ′) as a hash value. The data is sent to the verification unit 41.

  The hash value verification unit 41 calculates the hash value H (R ′) of the decrypted message R ′ using the one-way hash function H that has been agreed with the authentication verification apparatus 10b in advance, and the obtained H ( R ′) and the received hash value H (R) are the same, that is, H (R ′) = H (R) is verified.

  The hash value verification unit 41 sends NG to the transmission unit 35b when the verification fails, and sends the decrypted message R 'to the transmission unit 35b when the verification is successful.

  The transmission unit 35b transmits the decrypted message R ′ or NG to the authentication verification apparatus 10b. Thereafter, as described above, the authentication verification apparatus 10b verifies the received content.

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, verification of the verifier identification information IDv by the identification information verification unit 40 and the hash value H (R) of the hash value verification unit 41 By the verification, the authentication requesting apparatus 10b can exclude a ciphertext sent from an unauthorized verifier. As a result, an unauthorized verifier can cause the authentication requesting apparatus 10b to decrypt an unauthorized ciphertext and perform secure authentication against an attack that seeks to obtain information on the decryption key, that is, a so-called selected ciphertext attack.

(Third embodiment)
FIG. 6 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the third embodiment of the present invention, and FIG. 7 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.

  The present embodiment is a modification of the first embodiment, to which an expiration date control function for a decryption key is added. Specifically, an internal clock device 23 is added to the authentication verification device 10c. In addition, an expiration date verification unit 42 is added to the authentication requesting device 30c.

  Here, the internal clock device 23 has a function of generating the current time information T and a function of providing the time information T to the ciphertext generation unit 14c.

  The ciphertext generation unit 14c concatenates the message R and the time information T to generate the concatenated data R‖T and the concatenated data R‖ based on the broadcast encryption encryption key Kv in the encryption key storage unit 11. It has a function of encrypting T and generating a ciphertext C, and a function of transmitting the generated ciphertext C to the ciphertext transmission unit 15c.

  When the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input to the authentication requesting device 30c, the decryption key storage unit 31c stores the broadcast encryption / decryption key Ki and the expiration date Exp. It is stored via the writing unit 32c.

  The expiration date verification unit 42 verifies whether the time information T ′ in the concatenated data decrypted from the ciphertext C by the ciphertext decryption unit 34c has passed the expiration date Exp in the decryption key storage unit 31c, As a result of the verification, when the time information T ′ has not passed the expiration date Exp, the message R ′ in the concatenated data is transmitted to the transmitter 35c.

  Here, the expiry date Exp will be supplementarily described. The expiration date Exp is distributed to the authentication requester in advance together with the broadcast encryption / decryption key Ki. Here, it is desirable that the decryption key Ki and the expiry date Exp are inseparable, and it is desirable to provide a means for inputting the decryption key Ki and the expiry date Exp to the authentication requesting device 30c without falsification. Further, it is desirable that the authentication requesting device 30c be tamper resistant from the viewpoint of properly executing the anonymous authentication procedure and preventing the information being executed from leaking outside.

  As a means for making the decryption key Ki and the expiration date Exp indivisible, for example, a tamper-proof device such as an IC card in which the decryption key Ki and the expiration date Exp are written in advance may be distributed. The expiration date Exp may be distributed in the form of tamper-resistant software. In order for the decryption key Ki and the expiration date Exp to be input to the authentication requesting device 30c without being falsified, for example, they are input through a secure communication path separately prepared between the IC card and the authentication requesting device 30c. Alternatively, only the authentication requesting device 30c may be provided with means for accessing the tamper-resistant decryption key Ki and the expiration date Exp.

  Next, the operation of the anonymous authentication system configured as described above will be described.

(Group management)
Now, as described above, the group management device GMc generates the broadcast encryption / decryption key Ki based on the group participation request. However, the group management device GMc adds the expiration date Exp to the broadcast encryption / decryption key Ki. Then, the group management apparatus GMc transmits the broadcast encryption / decryption key Ki and its expiration date Exp to the authentication requester apparatus RQc.

  Thereby, the authentication requester apparatus RQd receives the broadcast encryption / decryption key and the expiration date Exp and inputs them to the authentication request apparatus 30c.

(Anonymous authentication)
Now, as described above, it is assumed that the authentication requesting device 30c and the authentication verification device 10c start anonymous authentication. However, the decryption key storage unit 31c stores a broadcast encryption / decryption key Ki and an expiration date Exp. The authentication verification apparatus 10c activates the challenge information generation unit 13c as described above.

  The challenge information generation unit 13c generates a random message R (random number) and sends the message R to the ciphertext generation unit 14c.

  The ciphertext generation unit 14c concatenates this message R and the current time information T obtained from the internal clock device 23, encrypts the obtained concatenated data R‖T with the encryption key Kv, and the ciphertext C = E (Kv, R‖T) is generated.

  Thereafter, the ciphertext generation unit 14c sends the ciphertext C = E (Kv, R‖T) and the message R to the ciphertext transmission unit 15c.

  The ciphertext sending unit 15c sends the ciphertext C = E (Kv, R‖T) to the authentication requesting device 30c, and sends the message R to the verification unit 16 as described above.

  The authentication requesting device 30c decrypts the received ciphertext C using the decryption key Ki by the ciphertext decryption unit 34c, and calculates R'‖T '= D (Ki, C) = R‖T.

  The authentication requesting device 30c further compares the decrypted time information T with the expiration date Exp in the decryption key storage unit 31c by the expiration date verification unit 42, and if the expiration date Exp has passed the time information T ′, NG Is sent to the transmission unit 35c, and if not, the decrypted message R ′ is sent to the transmission unit 35c.

  The transmission unit 35c transmits the decrypted message R ′ or NG to the authentication verification apparatus 10c. Thereafter, the authentication verification apparatus 10c verifies the received content as described above.

  As described above, according to the present embodiment, in addition to the operational effects of the first embodiment, the expiration date Exp of the broadcast encryption / decryption key Ki by the expiration date verification unit 42 is verified, so Authentication fails. As a result, the expired decryption key does not need to be revoked, and management of the revoked decryption key information becomes easy.

(Fourth embodiment)
FIG. 8 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the fourth embodiment of the present invention, and FIG. 9 is a schematic diagram showing a configuration of an anonymous authentication system provided with both devices.

  The present embodiment is a modification of the first embodiment, and applies the group signature method together to further improve the safety. Specifically, the authentication verification apparatus 10d includes a verification function. In place of the unit 16, a message input unit 24 and a group signature verification unit 25 are added, and a group signature generation unit 43 is added to the authentication requesting device 30d. Further, a group signature management unit 60, a group key generation unit 61, and a member key generation unit 62 are added to the group management apparatus GMd.

  Here, when the group signature verification key KGv generated based on the group signature scheme is input to the authentication verification apparatus 10d in addition to the broadcast encryption encryption key Kv described above, the encryption key storage unit 11d transmits these broadcasts. This is a memory in which the type encryption key Kv and the group signature verification key KGv are written from the writing unit 12d.

  When the broadcast encryption key Kv and the group signature verification key KGv are input to the authentication verification apparatus 10d, the message input unit 24 generates a signature target message M that is a target of the group signature, and this signature target message M It has a function of inputting to the ciphertext transmission unit 15d.

  The group signature verification unit 25 has a function of verifying the group signature GS received from the authentication requesting device 30d based on the group signature verification key KGv in the encryption key storage unit 11, and a function of outputting a verification result.

  On the other hand, when the group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device 30d in addition to the broadcast encryption / decryption key Ki described above, the decryption key storage unit 31d receives these broadcast encryption / decryption keys. Ki is a memory in which the group signature member key KGi is written from the writing unit 32d.

  The group signature generating unit 43 concatenates the message R ′ obtained by decryption and the received signature target message M to generate concatenated data R′‖M, and the group signature member key KGi in the decryption key storage unit 31d. And the function of generating the group signature GS for the concatenated data R′‖M and the function of transmitting the group signature GS to the transmitter 35d.

  The group signature management unit 60 executes a group signature method such as the above-described camenish method. For example, an element a, a public key e, n, a prime number L, and an element g are generated in advance, and the key disclosure unit 57 is generated. And the like, a function for generating the group signature verification key KGv by the group key generation unit 61 at the time of group generation, a function for allowing the obtained key signature verification key KGv to be disclosed to the key disclosure unit 57, and a group participation request Based on this, the member key generating unit 62 has a function of generating the group signature member key KGi and a function of transmitting the obtained group signature member key KGi to the key transmitting unit 54.

  The group key generation unit 61 is controlled by the group signature management unit 60, and based on the group signature method, the group public key of the group signature verification key KGv (eg, the above-described camenish method (described in the 41st paragraph of Patent Document 1)). e) and a function of sending the group signature verification key KGv to the group signature management unit 60.

  The member key generation unit 62 is controlled by the group signature management unit 60, and based on the group join request and the group signature method, the group signature member key KGi corresponding to the group signature verification key KGv (eg, the above-mentioned camenish method (patent) Function to generate participation certificate v and private key x) (explained in paragraph 33 of document 1) (for example, Cam.1: preparation private key x generation function described above, and Cam.3: group participation certificate issuance) Function) and a function of sending the group signature member key KGi to the group signature management unit 60. Supplementally, in this example, the group management device GMd generates a member private key x, a public key y, and a participation certificate v by a slightly different operation from the above-described camenish method, and the group signature member key KGi (= secret It is assumed that the key x, the participation certificate v) and the public key y are transmitted to the authentication requester apparatus RQd.

  However, it goes without saying that the same operation as the above-described camenish method is possible. That is, a function (for example, the above-described Cam.1: preparation described above) in which a key generation unit (not shown) in the authentication requester apparatus RQd generates a part of the group signature member key KGi (for example, the above-described camenish secret key x). Information on a part of the group signature member key KGi generated together with the group join request (for example, the aforementioned public key y and knowledge proof SK (y )) Is generated and transmitted to the group management device GMd (for example, the above-described Cam.2: group participation request function), the member key generation unit 62 receives the group signature member received from the authentication requester device RQd. A function for generating a part of the corresponding group signature member key KGi (for example, the above-mentioned participation certificate v of the camenish method) from the information about the part of the key KGi (for example, the above-mentioned Cam .3: Group participation certificate issuing function) and a function of sending the group signature member key KGi to the group signature management unit 60.

  Next, the operation of the anonymous authentication system configured as described above will be described.

(Group management method)
The group management device GMd also executes group signature type group management in parallel with the above-described broadcast type cryptographic group management at the time of group generation.

  That is, the group signature management unit 60 causes the group key generation unit 61 to generate the group signature verification key KGv, and causes the key disclosure unit 57 to disclose the obtained group signature verification key KGv. As a result, the authentication verifier apparatus VRd acquires the broadcast encryption encryption key Kv and the group signature verification key KGv and inputs them to the authentication verification apparatus 10d.

  The group management device GMd also executes group signature-based group management in parallel with the above-described broadcast encryption method group management even when a group join request is received from the authentication requester device RQd.

  That is, in the group management device GMd, the participation request receiving unit 52d receives the group participation request and sends it to the control unit 58d. The control unit 58d activates the group signature management unit 60 to transfer the group participation request so as to execute the group management of the group signature method in parallel with the group management of the broadcast encryption method described above.

  The group signature management unit 60 causes the member key generation unit 62 to generate the group signature member key KGi based on the group participation request received from the control unit 58d.

  Thereafter, the group signature management unit 60 sends the obtained group signature member key KGi to the key transmission unit 54. As a result, the key transmission unit 54 transmits the broadcast encryption / decryption key Ki and the group signature member key KGi to the authentication requester apparatus RQd. The authentication requester apparatus RQd receives the broadcast encryption / decryption key Ki and the group signature member key KGi and inputs them to the authentication request apparatus 30d.

  However, a function for generating a part of the group signature member key KGi (e.g., the above-mentioned camenish secret key x) in the authentication requester apparatus RQd (e.g., the above-mentioned Cam.1: preparation) Information on a part of the group signature member key KGi generated together with the group join request (for example, the aforementioned public key y and knowledge proof SK (y )) Is generated and transmitted to the group management apparatus (for example, the above-described Cam.2: group participation request function), the group signature management unit 60 is based on the group participation request received from the control unit 58d. The member key generation unit 62 generates a part of the group signature member key KGi.

  Thereafter, the group signature management unit 60 sends a part of the obtained group signature member key KGi to the key transmission unit 54. The authentication requester apparatus RQd combines a part of the group signature member key KGi generated internally and a part of the group signature member key KGi received by the decryption key receiving unit 37d to generate a group signature member key KGi (for example, as described above). It is stored in the decryption key management unit 38 as a cameny secret key x and a participation certificate v).

(Anonymous authentication)
Now, as described above, it is assumed that the authentication requesting device 30d and the authentication verification device 10d start anonymous authentication. However, the decryption key storage unit 31d stores a broadcast encryption / decryption key Ki and a group signature member key KGi. The encryption key storage unit 11d stores a broadcast encryption encryption key Kv and a group signature verification key KGv.

  The authentication verification apparatus 10d activates the challenge information generation unit 13 as described above.

  The challenge information generation unit 13 generates a random message R (random number) and sends this message R to the ciphertext generation unit 14.

  The ciphertext generator 14 encrypts the message R with the encryption key Kv to generate a ciphertext C = E (Kv, R), and encrypts the ciphertext C = E (Kv, R‖T) and the message R. It is sent to the sentence transmitter 15c.

  Further, the message input unit 24 inputs the signature target message M of the group signature to the ciphertext transmission unit 15d as required by the operation of the verifier.

  The ciphertext transmitting unit 15d transmits the ciphertext C = E (Kv, R) and the signature target message M to the authentication requesting device 30d.

  The authentication requesting device 30d decrypts the received ciphertext C using the decryption key Ki by the ciphertext decryption unit 34d, and calculates R '= D (Ki, C) = R. Further, when the ciphertext decryption unit 34d cannot decrypt the ciphertext C, the ciphertext decryption unit 34d sends NG to the transmission unit 35d.

The authentication requesting device 30d further concatenates the decrypted message R ′ and the received signature target message M by the group signature generating unit 43 to obtain concatenated data R′ＲM.
Subsequently, the group signature generation unit 43 gives a group signature S = Sig (KGi, R′‖M) to the concatenated data R′‖M based on the group signature member key KGi in the decryption key storage unit 11d. Generate. Here, Sig (KGi, R′‖M) means that a group signature is calculated for R′‖M by the group signature generation function Sig based on the member key KGi. Then, the group signature generation unit 43 sends this group signature S to the transmission unit 35d.

  The transmission unit 35d transmits the group signature S or NG to the authentication verification apparatus 10d.

  The authentication verification apparatus 10d receives the group signature S or NG via a receiving unit (not shown), and sends the received group signature S or NG to the group signature verification unit 25.

  The group signature verification unit 25 uses the group signature verification key KGv in the encryption key storage unit 11d for the group signature S and the concatenated data R‖M obtained by concatenating the original messages R and M, to generate a group signature. The group signature verification operation Verify (KGv, R ， M, S) is executed by the verification function Verify. Here, Verify (KGv, R‖M, S) means verifying that the group signature S is a group signature for R‖M using the group signature verification key KGv.

  The group signature verification unit 25 outputs an authentication success (OK) when the verification of the group signature is successful, and outputs an authentication failure (NG) when the verification fails.

  As described above, according to the present embodiment, a broadcast encryption method with a small amount of calculation and communication is used, and the ciphertext C generated by the authentication verification device 10d using the broadcast encryption key Kv is decrypted to the authentication request device 30d. The authentication requesting device 30d generates a group signature for the decryption result, and the authentication verification device 10d verifies the group signature and performs the anonymous authentication of the authentication requesting device 30d. Also in authentication, it is possible to provide an anonymous authentication system that can reduce the amount of calculation and the amount of communication compared to a method using zero knowledge proof when revoking members.

  In the anonymous authentication method of the present embodiment, the signer (authentication requester) can be specified from the group signature by specific information due to the third property of the group signature. This makes it possible to easily revoke the authentication requester, which was a drawback of anonymous authentication using a group signature.

(Fifth embodiment)
FIG. 10 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the fifth embodiment of the present invention, and FIG. 11 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.

  That is, the present embodiment is a modification of the fourth embodiment, and conceals the signature target message M. Specifically, the message encryption unit 26 is added to the authentication verification apparatus 10e. A message decrypting unit 44 is added to the authentication requesting device 30e.

  Here, the message encryption unit 26 encrypts the signature target message M received from the message input unit 24e based on the message R generated by the challenge information generation unit 13e, and generates the second ciphertext C ′. And a function of sending the second ciphertext C ′ to the ciphertext transmitting unit 15e.

  The message decryption unit 44 decrypts the second ciphertext C ′ based on the message R ′ decrypted by the ciphertext decryption unit 34e, and the group signature generation unit 43e It has a function to send to.

  Next, the operation of the anonymous authentication system configured as described above will be described.

  As described above, in the authentication verification apparatus 10d, the ciphertext generation unit 14 encrypts the message R with the encryption key Kv to generate the ciphertext C = E (Kv, R), and the ciphertext C = E. Assume that (Kv, R‖T) and the message R are sent to the ciphertext transmission unit 15c.

  Here, the message input unit 24 inputs the signature target message M of the group signature to the message encryption unit 26, as described above, according to the operation of the verifier.

  The message encryption unit 26 encrypts the signature target message M of the group signature with the encryption function E ′ of the common key encryption method agreed in advance with the authentication requesting device 30e using the message R generated by the challenge information generation unit 13e as a key. Then, the ciphertext C ′ = E ′ (R, M) is generated. Here, E ′ (R, M) means that M is encrypted using R as a key. The ciphertext C ′ = E ′ (R, M) is sent from the message encryption unit 26 to the ciphertext transmission unit 15 e.

  The ciphertext transmission unit 15e transmits two ciphertexts C = E (Kv, R) and C ′ = E ′ (R, M) to the authentication requesting device 30e.

  The authentication requesting device 30e decrypts the received ciphertext C using the decryption key Ki by the ciphertext decryption unit 34e, and calculates R '= D (Ki, C) = R. Further, the message decrypting unit 44 decrypts C ′ by using the decrypted function D ′ of the common key encryption method agreed with the authentication requesting device 10e in advance using the decrypted R ′ as a key, and M ′ = D ′ (C ′) = Find M.

  The authentication requesting device 30e further applies the group signature S = Sig (KGi, M) to the signature target message M ′ decrypted by the group signature generation unit 43e based on the group signature member key KGi in the decryption key storage unit 31d. '). Then, the group signature generation unit 43e sends this group signature S to the transmission unit 35e.

  The transmission unit 35e transmits the group signature S or NG to the authentication verification apparatus 10d.

  In the authentication verification apparatus 10e, the group signature S or NG is received via a receiving unit (not shown), and the received group signature S or NG is sent to the group signature verification unit 25e.

  The group signature verification unit 25e verifies the group signature by using the group signature verification function Verify using the group signature verification key KGv in the encryption key storage unit 11d for the group signature S and the original message M to be signed. The operation Verify (KGv, M, S) is executed. Here, Verify (KGv, M, S) means verifying that the group signature S is a group signature for M using the group signature verification key KGv.

  The group signature verification unit 25 outputs an authentication success (OK) when the verification of the group signature is successful, and outputs an authentication failure (NG) when the verification fails.

  As described above, according to this embodiment, in addition to the effects of the fifth embodiment, the message encryption unit 26 encrypts the signature target message M and transmits it to the authentication requesting device 30e. Thereby, when it is desired to keep the signature target message M secret outside, even if the authentication requesting device and the authentication verification device do not use a communication path that is concealed by encryption or the like, information related to the signature target message M leaks to the outside. And anonymous authentication can be performed safely.

(Sixth embodiment)
The sixth to eighth embodiments are modifications in which the second embodiment described above and any of the third to fifth embodiments are combined. Hereinafter, description will be made sequentially.

FIG. 12 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the sixth embodiment of the present invention, and FIG. 13 is a schematic diagram showing a configuration of an anonymous authentication system provided with both devices.
This embodiment is an example of a combination of the second and third embodiments, and a verifier identification information storage unit 21, a hash value generation unit 22, and an internal clock device 23 are added to the authentication verification device 10bc. An identification information verification unit 40, a hash value verification unit 41, and an expiration date verification unit 42 are added to the authentication requesting device 30bc. However, the expiration date verification unit 42, in addition to verifying whether the decrypted time information T ′ has passed the expiration date Exp in the first decryption key storage unit 11c,
A function for verifying whether the decrypted time information T ′ and the received time information T match, and a function for sending the decryption result and the received content to the identification information verification unit 40 when the verification result indicates a match. Yes. The same applies to the following embodiments shown in FIGS.

  Each verification 40, 41, 42 is shown here in the case of execution in the order of the expiration date verification unit 42, the identification information verification unit 40, and the hash value verification unit 41 (42 → 40 → 41). Not limited to (42 → 41 → 40), (40 → 42 → 41), (40 → 41 → 42), (41 → 40 → 42), or (41 → 42 → 40). Good. This also applies to the following embodiments shown in FIGS.

  According to the configuration as described above, the operational effects of the second and third embodiments described above can be obtained simultaneously.

(Seventh embodiment)
FIG. 14 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the seventh embodiment of the present invention, and FIG. 15 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.
This embodiment is an example of a combination of the second and fourth embodiments. The authentication verification apparatus 10bd includes a verifier identification information storage unit 21, a hash value generation unit 22, a message input unit 24, and a group signature verification unit 25. And an identification information verification unit 40, a hash value verification unit 41, and a group signature verification unit 43 are added to the authentication request device 30bd. As the group management device GMd, the one described in the fourth embodiment is used.

  According to the above configuration, the operational effects of the second and fourth embodiments described above can be obtained simultaneously.

(Eighth embodiment)
FIG. 16 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the eighth embodiment of the present invention, and FIG. 17 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.
This embodiment is an example of a combination of the second and fifth embodiments. The authentication verification apparatus 10be includes a verifier identification information storage unit 21, a hash value generation unit 22, a message input unit 24e, and a group signature verification unit 25e. And the message encryption unit 26 are added, and an identification information verification unit 40, a hash value verification unit 41, a message decryption unit 44, and a group signature verification unit 43 are added to the authentication requesting device 30be. As the group management device GMd, the one described in the fourth embodiment is used.

  According to the above configuration, the operational effects of the second and fifth embodiments described above can be obtained simultaneously.

(Ninth embodiment)
The ninth to tenth embodiments are modifications in which the third embodiment described above and the fourth or fifth embodiment are combined. Hereinafter, description will be made sequentially.

FIG. 18 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the ninth embodiment of the present invention, and FIG. 19 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.
The present embodiment is an example of a combination of the third and fourth embodiments, and the authentication verification device 10cd is provided with an internal clock device 23, a message input unit 24, and a group signature verification unit 25, and an authentication requesting device. An expiration date verification unit 42 and a group signature verification unit 43 are added to 30cd. As the group management device GMd, the one described in the fourth embodiment is used.

  According to the configuration as described above, the operational effects of the third and fourth embodiments described above can be obtained simultaneously.

(Tenth embodiment)
FIG. 20 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the tenth embodiment of the present invention, and FIG. 21 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.
This embodiment is an example of a combination of the third and fifth embodiments, and an internal clock device 23, a message input unit 24e, a group signature verification unit 25e, and a message encryption unit 26 are added to the authentication verification device 10ce. In addition, an expiration date verification unit 42, a message decryption unit 44, and a group signature verification unit 43 are added to the authentication requesting device 30ce. As the group management device GMd, the one described in the fourth embodiment is used.

  According to the configuration as described above, the operational effects of the third and fifth embodiments described above can be obtained simultaneously.

(Eleventh embodiment)
The 11th to 12th embodiments are modifications in which the second and third embodiments described above are combined with the fourth or fifth embodiment, respectively. Hereinafter, description will be made sequentially.

FIG. 22 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the eleventh embodiment of the present invention, and FIG. 23 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.
The present embodiment is a combination example of the second, third, and fourth embodiments. The authentication verification device 10bcd includes a verifier identification information storage unit 21, a hash value generation unit 22, an internal clock device 23, and a message input. 24 and a group signature verification unit 25 are added, and an identification information verification unit 40, a hash value verification unit 41, an expiration date verification unit 42, and a group signature verification unit 43 are added to the authentication requesting device 30bcd. The group management apparatus GMd has a group signature management unit 60, a group key generation unit 61, and a member key generation unit 62 added to those described in the third embodiment.

  According to the above configuration, the operational effects of the second, third and fourth embodiments described above can be obtained simultaneously.

(Twelfth embodiment)
FIG. 24 is a schematic diagram showing a configuration of an authentication verification device and an authentication request device according to the twelfth embodiment of the present invention, and FIG. 25 is a schematic diagram showing a configuration of an anonymous authentication system including both devices.
The present embodiment is a combination example of the second, third, and fifth embodiments. The authentication verification apparatus 10bce includes a verifier identification information storage unit 21, a hash value generation unit 22, an internal clock device 23, and a message input. 24e, a group signature verification unit 25e, and a message encryption unit 26 are added. The authentication request device 30bce includes an identification information verification unit 40, a hash value verification unit 41, an expiration date verification unit 42, a message decryption unit 44, and A group signature verification unit 43 is added. The group management apparatus GMcd has a group signature management unit 60, a group key generation unit 61, and a member key generation unit 62 added to those described in the third embodiment.

  Each verification unit 40, 41, 42 and message decryption unit 44 can be executed in any order as long as they are between the ciphertext decryption unit 34bce and the group signature generation unit 43e.

  According to the above configuration, the operational effects of the second, third, and fifth embodiments described above can be obtained simultaneously.

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 1st Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 2nd Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 3rd Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 4th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 5th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 6th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 7th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 8th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 9th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 10th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 11th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment. It is a schematic diagram which shows the structure of the authentication verification apparatus and authentication request | requirement apparatus which concern on the 12th Embodiment of this invention. It is a schematic diagram which shows the structure of the anonymous authentication system in the embodiment.

Explanation of symbols

  10a to 10e ... authentication verification device, 11, 11d ... encryption key storage unit, 12, 12d ... writing unit, 13, 13b to 13e ... challenge information generation unit, 14, 14b, 14c ... ciphertext generation unit, 15, 15b to 15d: Ciphertext transmission unit, 16: Verification unit, VR, VRb ... Authentication verifier device, 17 ... Authentication request reception unit, 18 ... Key request transmission unit, 19 ... Encryption key reception unit, 20 ... Encryption key Management unit, 21 ... verifier identification information storage unit, 22 ... hash value generation unit, 23 ... internal clock device, 24, 24e ... message input unit, 25 ... group signature verification unit, 26 ... message encryption unit, 30a-30e ... Authentication requesting device 31, 31c, 31d ... Decryption key storage unit, 32-32d ... Writing unit, 33, 33b-33e ... Ciphertext receiving unit, 34, 34b-34e ... Ciphertext decryption unit, 35-35c ... Transmitter, Q, RQb: Authentication requester device, 36: Participation request transmission unit, 37, 37c, 37d ... Decryption key reception unit, 38, 38c, 38d ... Decryption key management unit, 39 ... Authentication request transmission unit, 40 ... Identification information verification 41: Hash value verification unit, 42 ... Expiration date verification unit, 43 ... Group signature generation unit, 44 ... Message decryption unit, GM, GMc ... Group management device, 51 ... Secret information management unit, 52 ... Participation request reception unit 53, 53c ... broadcast encryption / decryption key generation unit, 54, 54c ... key transmission unit, 55 ... revocation information input unit, 56 ... broadcast encryption / encryption key generation unit, 57 ... encryption key disclosure unit, 58 ... control , 60... Group signature management unit, 61... Group key generation unit, 62.

Claims (41)

An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C to the authentication requesting device;
Decryption result receiving means for receiving a decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether the decryption result of the ciphertext C matches the message R;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
Ciphertext receiving means for receiving ciphertext C from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki;
Decryption result transmitting means for transmitting the decryption result to the authentication verification device;
An anonymous authentication system characterized by comprising: In the anonymous authentication system according to claim 1,
A group management device capable of communicating with the authentication verification device and the authentication requesting device;
One or more authentication verifier devices holding the authentication verification device;
One or more authentication requester devices holding the authentication requesting device,
The group management device
Secret information generating means for generating secret information S for generating the broadcast encryption / encryption key Kv and the broadcast encryption / decryption key Ki based on a broadcast encryption scheme;
Secret information storage means for storing the secret information S;
Participation request receiving means for receiving a group participation request from the authentication requester device;
Broadcast encryption / decryption key generation means for generating a broadcast encryption / decryption key Ki unique to the authentication requester apparatus based on the group participation request and the secret information S in the secret information storage means;
Decryption key transmitting means for transmitting the broadcast encryption / decryption key Ki to the authentication requester apparatus;
When revoking a subset of the set of broadcast encryption / decryption keys Ki unique to each authentication requester device, the secret information S in the secret information storage means and the expired broadcast are based on the broadcast encryption scheme. Broadcast encryption / encryption key generation means for generating a broadcast encryption / encryption key Kv from revocation information specifying a subset of the encryption / decryption key Ki;
An encryption key disclosing means for publishing the broadcast encryption encryption key Kv so as to be obtainable from the authentication verifier device;
With
The authentication verifier device is:
Authentication request receiving means for receiving an authentication request from the authentication requester device;
Encryption key acquisition means for acquiring the broadcast encryption encryption key Kv published by the group management device based on this authentication request or based on the disclosure of the broadcast encryption encryption key Kv by the group management device; ,
A second encryption key storage means for storing the broadcast encryption encryption key Kv;
An encryption key input means for inputting the broadcast encryption encryption key Kv to the authentication verification device;
With
The authentication requester device is:
Decryption key receiving means for receiving a broadcast encryption / decryption key Ki from the group management device;
Second broadcast-type decryption key storage means for storing the broadcast-type encryption / decryption key Ki;
An authentication request transmitting means for transmitting an authentication request to the authentication verifier device when making an authentication request to the authentication verifier device;
Decryption key input means for inputting the broadcast encryption / decryption key Ki to the authentication requesting device when transmitting the authentication request;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Verifier identification information storage means for storing verifier identification information IDv unique to the authentication verification device;
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
Ciphertext generating means for generating the ciphertext C by encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R) and the verifier identification information IDv to the authentication requesting device;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
Ciphertext receiving means for receiving ciphertext C, hash value H (R) and verifier identification information IDv from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv ′
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
Decryption result transmission means for transmitting a message R ′ in the concatenated data to the authentication verification device when each verification result of the identification information verification means and the hash value verification means indicates a match;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T;
Ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C to the authentication requesting device;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
When the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input to the authentication requesting device, the broadcast encryption / decryption key Ki and the expiration date Exp are stored. Decryption key storage means;
Ciphertext receiving means for receiving ciphertext C from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖T ′;
Expiration date verification means for verifying whether the time information T ′ in the concatenated data has passed the expiration date Exp in the first decryption key storage means;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, decryption result transmission means for transmitting the message R ′ in the concatenated data to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C and the message to be signed M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the ciphertext C and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki;
Concatenated data generating means for concatenating the message R ′ obtained by the decryption and the received message to be signed M to generate concatenated data R′‖M;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
First ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′ to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the first and second ciphertexts C and C ′ from the authentication verification device;
First ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki;
Second ciphertext decryption means for decrypting the second ciphertext C ′ based on the message R ′ obtained by the decryption;
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by the decryption based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Verifier identification information storage means for storing verifier identification information IDv unique to the authentication verification device;
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
Ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption encryption key Kv and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, and the time information T to the authentication requesting device;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
When the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input to the authentication requesting device, the broadcast encryption / decryption key Ki and the expiration date Exp are stored. Decryption key storage means;
Ciphertext receiving means for receiving the ciphertext C, hash value H (R), verifier identification information IDv, and time information T from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv′‖T ′;
It is verified whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the first decryption key storage means. Expiry date verification means,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A decryption result transmitting means for transmitting the message R ′ in the concatenated data to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information storage means for storing verifier identification information IDv unique to the authentication verification device;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
Ciphertext generating means for generating the ciphertext C by encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, and the signature target message M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the ciphertext C, hash value H (R), verifier identification information IDv, and signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv ′
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
When the verification results of the identification information verification unit and the hash value verification unit indicate a match, the message R ′ obtained by the decryption and the received signature target message M are concatenated, and concatenated data R′‖M is obtained. Connected data generation means to generate;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information storage means for storing verifier identification information IDv unique to the authentication verification device;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
First ciphertext generating means for encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmission means for transmitting the first and second ciphertexts C and C ′, the hash value H (R) and the verifier identification information IDv to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv ′;
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
A second cipher that decrypts the second ciphertext C ′ based on the message R ′ obtained by the decryption when the verification results of the identification information verification unit and the hash value verification unit respectively match. Sentence decryption means;
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by decrypting the second ciphertext C ′ based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T;
Ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C and the message to be signed M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
When the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input to the authentication requesting device, the broadcast encryption / decryption key Ki and the expiration date Exp are stored. Decryption key storage means;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the ciphertext C and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖T ′;
Expiration date verification means for verifying whether the time information T ′ in the concatenated data has passed the expiration date Exp in the first decryption key storage means;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, the message R ′ obtained by the decryption and the received signature target message M are concatenated to generate concatenated data R′‖M. Concatenated data generation means;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T;
First ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′ to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
A first decryption key storage means for storing a broadcast encryption / decryption key Ki when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input to the authentication requesting device;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the first and second ciphertexts C and C ′ from the authentication verification device;
Ciphertext decryption means for decrypting the first ciphertext C to obtain concatenated data R ′ 鍵 T ′ based on the broadcast encryption / decryption key Ki;
Expiration date verification means for verifying whether the time information T ′ in the concatenated data has passed the expiration date Exp in the first decryption key storage means;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, a second ciphertext decryption that decrypts the second ciphertext C ′ based on the message R ′ obtained by the decryption. Means,
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by the decryption based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information storage means for storing verifier identification information IDv unique to the authentication verification device;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
Ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption encryption key Kv and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T, and the signature target message M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
When the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input to the authentication requesting device, the broadcast encryption / decryption key Ki and the expiration date Exp are stored. Decryption key storage means;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv′‖T ′;
It is verified whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the first decryption key storage means. Expiry date verification means,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A concatenated data generating means for concatenating the message R ′ obtained by the decryption and the received signature target message M to generate concatenated data R′‖M;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: An anonymous authentication system comprising an authentication verification device and an authentication request device,
The authentication verification device includes:
An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption First encryption key storage means for storing the key Kv;
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input to the authentication verification device;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information storage means for storing verifier identification information IDv unique to the authentication verification device;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
First ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the time information T to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
With
The authentication requesting device includes:
When the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input to the authentication requesting device, the broadcast encryption / decryption key Ki and the expiration date Exp are stored. Decryption key storage means;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input to the authentication requesting device;
Ciphertext receiving means for receiving the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv and the time information T from the authentication verification device;
Ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv′‖T ′;
It is verified whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the first decryption key storage means. Expiry date verification means,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A second ciphertext decryption means for decrypting the second ciphertext C ′ based on the message R ′ obtained by the decryption,
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by decrypting the second ciphertext C ′ based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
An anonymous authentication system characterized by comprising: In the anonymous authentication system according to claim 3,
A group management device capable of communicating with the authentication verification device and the authentication requesting device;
One or more authentication verifier devices holding the authentication verification device;
One or more authentication requester devices holding the authentication requesting device,
The group management device
Secret information generating means for generating secret information S for generating the broadcast encryption / encryption key Kv and the broadcast encryption / decryption key Ki based on a broadcast encryption scheme;
Secret information storage means for storing the secret information S;
Participation request receiving means for receiving a group participation request from the authentication requester device;
Broadcast encryption / decryption key generation means for generating a broadcast encryption / decryption key Ki unique to the authentication requester apparatus based on the group participation request and the secret information S in the secret information storage means;
Decryption key transmitting means for transmitting the broadcast encryption / decryption key Ki to the authentication requester apparatus;
When revoking a subset of the set of broadcast encryption / decryption keys Ki unique to each authentication requester device, the secret information S in the secret information storage means and the expired broadcast are based on the broadcast encryption scheme. Broadcast encryption / encryption key generation means for generating a broadcast encryption / encryption key Kv from revocation information specifying a subset of the encryption / decryption key Ki;
An encryption key disclosing means for publishing the broadcast encryption encryption key Kv so as to be obtainable from the authentication verifier device;
With
The authentication verifier device is:
Authentication request receiving means for receiving an authentication request from the authentication requester device;
Encryption key acquisition means for acquiring the broadcast encryption encryption key Kv published by the group management device based on this authentication request or based on the disclosure of the broadcast encryption encryption key Kv by the group management device; ,
A second encryption key storage means for storing the broadcast encryption encryption key Kv;
An encryption key input means for inputting the broadcast encryption encryption key Kv to the authentication verification device;
With
The authentication requester device is:
Decryption key receiving means for receiving a broadcast encryption / decryption key Ki from the group management device;
Second broadcast-type decryption key storage means for storing the broadcast-type encryption / decryption key Ki;
Decryption key input means for inputting the broadcast encryption / decryption key Ki to the authentication requesting device when transmitting the authentication request;
An anonymous authentication system characterized by comprising: In the anonymous authentication system according to claim 4 or claim 7,
A group management device capable of communicating with the authentication verification device and the authentication requesting device;
One or more authentication verifier devices holding the authentication verification device;
One or more authentication requester devices holding the authentication requesting device,
The group management device
Secret information generating means for generating secret information S for generating the broadcast encryption / encryption key Kv and the broadcast encryption / decryption key Ki based on a broadcast encryption scheme;
Secret information storage means for storing the secret information S;
Participation request receiving means for receiving a group participation request from the authentication requester device;
Broadcast encryption / decryption key generation means for generating a broadcast encryption / decryption key Ki unique to the authentication requester apparatus based on the group participation request and the secret information S in the secret information storage means;
Decryption key transmitting means for transmitting the broadcast encryption / decryption key Ki to the authentication requester apparatus together with an expiration date Exp;
When revoking a subset of the set of broadcast encryption / decryption keys Ki unique to each authentication requester device, the secret information S in the secret information storage means and the expired broadcast are based on the broadcast encryption scheme. Broadcast encryption / encryption key generation means for generating a broadcast encryption / encryption key Kv from revocation information specifying a subset of the encryption / decryption key Ki;
An encryption key disclosing means for publishing the broadcast encryption encryption key Kv so as to be obtainable from the authentication verifier device;
With
The authentication verifier device is:
Authentication request receiving means for receiving an authentication request from the authentication requester device;
Encryption key acquisition means for acquiring the broadcast encryption encryption key Kv published by the group management device based on this authentication request or based on the disclosure of the broadcast encryption encryption key Kv by the group management device; ,
A second encryption key storage means for storing the broadcast encryption encryption key Kv;
An encryption key input means for inputting the broadcast encryption encryption key Kv to the authentication verification device;
With
The authentication requester device is:
Decryption key receiving means for receiving a broadcast encryption / decryption key Ki and an expiration date Exp from the group management device;
A second broadcast-type decryption key storage means for storing the broadcast-type encryption / decryption key Ki and the expiration date Exp;
Decryption key input means for inputting the broadcast encryption / decryption key Ki and expiration date Exp to the authentication requesting device when transmitting the authentication request;
An anonymous authentication system characterized by comprising: In the anonymous authentication system according to claim 5, claim 6, claim 8 or claim 9,
A group management device capable of communicating with the authentication verification device and the authentication requesting device;
One or more authentication verifier devices holding the authentication verification device;
One or more authentication requester devices holding the authentication requesting device,
The group management device
Secret information generating means for generating secret information S for generating the broadcast encryption / encryption key Kv and the broadcast encryption / decryption key Ki based on a broadcast encryption scheme;
Secret information storage means for storing the secret information S;
Group signature verification key generating means for generating the group signature verification key KGv based on a group signature scheme;
Participation request receiving means for receiving a group participation request from the authentication requester device;
Broadcast encryption / decryption key generation means for generating a broadcast encryption / decryption key Ki unique to the authentication requester apparatus based on the group participation request and the secret information S in the secret information storage means;
Group signature member key generating means for generating a group signature member key KGi corresponding to the group signature verification key KGv based on the group participation request and the group signature scheme;
Decryption key transmitting means for transmitting the broadcast encryption / decryption key Ki and group signature member key KGi to the authentication requester apparatus;
When revoking a subset of the set of broadcast encryption / decryption keys Ki unique to each authentication requester device, the secret information S in the secret information storage means and the expired broadcast are based on the broadcast encryption scheme. Broadcast encryption / encryption key generation means for generating a broadcast encryption / encryption key Kv from revocation information specifying a subset of the encryption / decryption key Ki;
An encryption key disclosing means for disclosing the broadcast encryption encryption key Kv and the group signature verification key KGv so as to be retrievable from the authentication verifier device;
With
The authentication verifier device is:
Authentication request receiving means for receiving an authentication request from the authentication requester device;
Based on this authentication request or based on the disclosure of the broadcast encryption / encryption key Kv by the group management apparatus, the broadcast encryption / encryption key Kv and the group signature verification key KGi disclosed by the group management apparatus are acquired. An encryption key obtaining means;
A second encryption key storage means for storing the broadcast encryption encryption key Kv and the group signature verification key KGi;
An encryption key input means for inputting the broadcast encryption encryption key Kv and the group signature verification key KGi to the authentication verification device;
With
The authentication requester device is:
Decryption key receiving means for receiving a broadcast encryption / decryption key Ki and a group signature member key KGi from the group management device;
A second broadcast-type decryption key storage means for storing the broadcast-type encryption / decryption key Ki and the group signature member key KGi;
Decryption key input means for inputting the broadcast encryption / decryption key Ki and group signature member key KGi to the authentication requesting device when transmitting the authentication request;
An anonymous authentication system characterized by comprising: The anonymous authentication system according to any one of claims 10 to 13,
A group management device capable of communicating with the authentication verification device and the authentication requesting device;
One or more authentication verifier devices holding the authentication verification device;
One or more authentication requester devices holding the authentication requesting device,
The group management device
Secret information generating means for generating secret information S for generating the broadcast encryption / encryption key Kv and the broadcast encryption / decryption key Ki based on a broadcast encryption scheme;
Secret information storage means for storing the secret information S;
Group signature verification key generating means for generating the group signature verification key KGv based on a group signature scheme;
Participation request receiving means for receiving a group participation request from the authentication requester device;
Broadcast encryption / decryption key generation means for generating a broadcast encryption / decryption key Ki unique to the authentication requester apparatus based on the group participation request and the secret information S in the secret information storage means;
Group signature member key generating means for generating a group signature member key KGi corresponding to the group signature verification key KGv based on the group participation request and the group signature scheme;
A decryption key transmitting means for transmitting the broadcast encryption / decryption key Ki, an expiration date Exp of the broadcast encryption / decryption key Ki, and a group signature member key KGi to the authentication requester apparatus;
When revoking a subset of the set of broadcast encryption / decryption keys Ki unique to each authentication requester device, the secret information S in the secret information storage means and the expired broadcast are based on the broadcast encryption scheme. Broadcast encryption / encryption key generation means for generating a broadcast encryption / encryption key Kv from revocation information specifying a subset of the encryption / decryption key Ki;
An encryption key disclosing means for disclosing the broadcast encryption encryption key Kv and the group signature verification key KGv so as to be retrievable from the authentication verifier device;
With
The authentication verifier device is:
Authentication request receiving means for receiving an authentication request from the authentication requester device;
Based on this authentication request or based on the disclosure of the broadcast encryption / encryption key Kv by the group management apparatus, the broadcast encryption / encryption key Kv and the group signature verification key KGi disclosed by the group management apparatus are acquired. An encryption key obtaining means;
A second encryption key storage means for storing the broadcast encryption encryption key Kv and the group signature verification key KGi;
An encryption key input means for inputting the broadcast encryption encryption key Kv and the group signature verification key KGi to the authentication verification device;
With
The authentication requester device is:
Decryption key receiving means for receiving a broadcast encryption / decryption key Ki, an expiration date Exp, and a group signature member key KGi from the group management device;
A second broadcast-type decryption key storage means for storing the broadcast-type encryption / decryption key Ki, the expiration date Exp, and the group signature member key KGi;
Decryption key input means for inputting the broadcast encryption / decryption key Ki, expiration date Exp, and group signature member key KGi to the authentication requesting device when transmitting the authentication request;
An anonymous authentication system characterized by comprising: When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C;
Decryption result receiving means for receiving a decryption result of the ciphertext C from a destination of the ciphertext;
Verification means for verifying whether the decryption result of the ciphertext C matches the message R;
A program for use in a computer of an authentication requesting apparatus capable of communicating with the authentication verification apparatus for an authentication verification apparatus provided with a verification result output means for outputting the verification result,
The computer,
A writing means for writing the broadcast encryption / decryption key Ki into the memory when the broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input;
Ciphertext receiving means for receiving ciphertext C from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory;
Decryption result transmission means for transmitting the decryption result to the authentication verification device;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
Ciphertext receiving means for receiving a ciphertext C obtained by encrypting a random message R based on the broadcast encryption key Kv;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki;
A program used for a computer of an authentication verification apparatus capable of communicating with the authentication requesting apparatus for an authentication requesting apparatus provided with a decryption result transmitting means for transmitting the decryption result to the ciphertext transmission source,
The computer,
A writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
Message generating means for generating a random message R when the broadcast encryption / encryption key Kv is input;
A ciphertext generating unit that encrypts the message R based on the broadcast encryption key Kv in the memory and generates a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C to the authentication requesting device;
Decryption result receiving means for receiving the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the decryption result of the ciphertext C matches the message R;
Verification result output means for outputting the verification result,
Program to function as. When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
A verifier identification information storage means for storing a unique verifier identification information IDv;
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
Ciphertext generating means for generating the ciphertext C by encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R) and the verifier identification information IDv;
Decryption result receiving means for receiving a message R ′ included in a decryption result of the ciphertext C from a transmission destination of the ciphertext C, the hash value H (R) and the verifier identification information IDv;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
A program for use in a computer of an authentication requesting apparatus capable of communicating with the authentication verification apparatus for an authentication verification apparatus provided with a verification result output means for outputting the verification result,
The computer,
A writing means for writing the broadcast encryption / decryption key Ki into the memory when the broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input;
A ciphertext receiving means for receiving the ciphertext C, the hash value H (R) and the verifier identification information IDv from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖IDv ′;
Identification information verification means for verifying whether or not the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
A hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
Decryption result transmission means for transmitting a message R ′ in the concatenated data to the authentication verification device when each verification result of the identification information verification means and the hash value verification means indicates a match;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
Based on the broadcast encryption key Kv, a ciphertext C in which concatenated data R デ ー タ IDv of a random message R and verifier identification information IDv is encrypted is generated from the message R by a one-way function H. Ciphertext receiving means for receiving the hash value H (R) and the verifier identification information IDv;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv ′
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
When each verification result of the identification information verification unit and the hash value verification unit indicates a match, the message R ′ in the concatenated data is converted into the ciphertext C, the hash value H (R), and the verifier identification information IDv. A program used for a computer of an authentication verification apparatus capable of communicating with the authentication requesting apparatus for an authentication requesting apparatus comprising a decryption result transmitting means for transmitting to the transmission source of
The computer,
A writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
Verifier identification information writing means for writing the unique verifier identification information IDv into the memory;
Message generating means for generating a random message R when the broadcast encryption / encryption key Kv is input;
A concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
Ciphertext generating means for generating the ciphertext C by encrypting the concatenated data R 暗号 IDv based on the broadcast encryption key Kv;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R) and the verifier identification information IDv to the authentication requesting device;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
Verification result output means for outputting the verification result,
Program to function as. An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T;
Ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from a destination of the ciphertext;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
A program for use in a computer of an authentication requesting apparatus capable of communicating with the authentication verification apparatus for an authentication verification apparatus provided with a verification result output means for outputting the verification result,
The computer,
A writing means for writing the broadcast encryption / decryption key Ki and the expiration date Exp into the memory when the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input;
Ciphertext receiving means for receiving ciphertext C from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖T ′;
An expiration date verification means for verifying whether or not the time information T ′ in the linked data has passed the expiration date Exp in the memory;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, a decryption result transmitting means for transmitting the message R ′ in the concatenated data to the authentication verification device;
Program to function as. The broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv generated based on the broadcast encryption method and the expiration date Exp are input so that only a valid decryption key set can be decrypted. A first decryption key storage means for storing the broadcast encryption / decryption key Ki and the expiration date Exp;
Ciphertext receiving means for receiving ciphertext C obtained by encrypting concatenated data R‖T of a random message R and current time information based on the broadcast-type cryptographic encryption key Kv;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖T ′;
Expiration date verification means for verifying whether the time information T ′ in the concatenated data has passed the expiration date Exp in the first decryption key storage means;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, decryption result transmission means for transmitting the message R ′ in the concatenated data to the source of the ciphertext;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
An internal clock device for generating current time information T;
A writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
Message generating means for generating a random message R when the broadcast encryption / encryption key Kv is input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T,
Ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv in the memory and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C to the authentication requesting device;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
Verification result output means for outputting the verification result,
Program to function as. When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C and the signature target message M;
A group signature receiving means for receiving a group signature GS from the source of the ciphertext C and the message to be signed M;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing, when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input, into the memory;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext receiving means for receiving the ciphertext C and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory;
Concatenated data generation means for concatenating the message R ′ obtained by the decryption and the received signature target message M to generate concatenated data R′‖M,
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi in the memory;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext receiving means for receiving a ciphertext C obtained by encrypting a random message R based on the broadcast encryption key Kv and a signature target message M;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki;
Concatenated data generating means for concatenating the message R ′ obtained by the decryption and the received message to be signed M to generate concatenated data R′‖M;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertext C and the signature target message M;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
A ciphertext generating unit that encrypts the message R based on the broadcast encryption key Kv in the memory and generates a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C and the message to be signed M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
Verification result output means for outputting the verification result,
Program to function as. When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
First ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′;
Group signature receiving means for receiving a group signature GS from the destination of the ciphertexts C and C ′;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing, when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input, into the memory;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
Ciphertext receiving means for receiving first and second ciphertexts C and C ′ from the authentication verification device;
First ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki;
Second ciphertext decryption means for decrypting the second ciphertext C ′ based on the message R ′ obtained by the decryption;
Group signature generating means for generating a group signature GS for the signature target message M ′ obtained by the decryption based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A first ciphertext C in which a random message R is encrypted based on the broadcast encryption encryption key Kv, and a second cipher in which the signature target message M is encrypted based on the message R Ciphertext receiving means for receiving two ciphertexts C and C ′ with the text C ′;
First ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki;
Second ciphertext decryption means for decrypting the second ciphertext C ′ based on the message R ′ obtained by the decryption;
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by the decryption based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission sources of the first and second ciphertexts C and C ′;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
First ciphertext generating means for encrypting the message R based on the broadcast encryption key Kv in the memory and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′ to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv in the memory;
Verification result output means for outputting the verification result,
Program to function as. An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
A verifier identification information storage means for storing a unique verifier identification information IDv;
Message generating means for generating a random message R when the broadcast encryption key Kv is input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
Ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption encryption key Kv and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, and the time information T;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from a transmission destination of the ciphertext C, the hash value H (R), the verifier identification information IDv, and the time information T;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A writing means for writing the broadcast encryption / decryption key Ki and the expiration date Exp into the memory when the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input;
The ciphertext C obtained by encrypting the concatenated data R‖IDv さ れ T in which the random message R, the verifier identification information IDv, and the current time information T are concatenated based on the broadcast encryption key Kv, the message A ciphertext receiving means for receiving a hash value H (R), verifier identification information IDv, and time information T generated from R by a one-way function;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖IDv′‖T ′;
Expiration date verification means for verifying whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the memory. ,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
A hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A decryption result transmitting means for transmitting the message R ′ in the concatenated data to the authentication verification device,
Program to function as. The broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv generated based on the broadcast encryption method and the expiration date Exp are input so that only a valid decryption key set can be decrypted. A first decryption key storage means for storing the broadcast encryption / decryption key Ki and the expiration date Exp;
The ciphertext C obtained by encrypting the concatenated data R‖IDv さ れ T in which the random message R, the verifier identification information IDv, and the current time information T are concatenated based on the broadcast encryption key Kv, the message Ciphertext receiving means for receiving a hash value H (R) generated from R by a one-way function, verifier identification information IDv, and time information T;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv′‖T ′;
It is verified whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the first decryption key storage means. Expiry date verification means,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. Decryption result transmission means for transmitting the message R ′ in the concatenated data to the transmission source of the ciphertext C, hash value H (R), verifier identification information IDv, and time information T;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
An internal clock device for generating current time information T;
A writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
Verifier identification information writing means for writing verifier identification information IDv unique to the authentication verification apparatus in a memory;
Message generating means for generating a random message R when the broadcast encryption / encryption key Kv is input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
A ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption key Kv and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, and the time information T to the authentication requesting device;
Decryption result receiving means for receiving a message R ′ included in the decryption result of the ciphertext C from the authentication requesting device;
Verification means for verifying whether or not the received message R ′ matches the generated message R;
Verification result output means for outputting the verification result,
Program to function as. When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
A verifier identification information storage means for storing a unique verifier identification information IDv;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
Ciphertext generating means for generating the ciphertext C by encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, and the signature target message M;
A group signature receiving means for receiving a group signature GS from a transmission destination of the ciphertext C, the hash value H (R), the verifier identification information IDv, and the signature target message M;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
A first writing means for writing, when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input, into the memory;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext receiving means for receiving the ciphertext C, hash value H (R), verifier identification information IDv, and signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖IDv ′;
Identification information verification means for verifying whether or not the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
A hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
When the verification results of the identification information verification unit and the hash value verification unit indicate a match, the message R ′ obtained by the decryption and the received signature target message M are concatenated, and concatenated data R′‖M is obtained. Connected data generation means to generate,
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi in the memory;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext C in which concatenated data RＣT of a random message R and verifier identification information IDv is encrypted based on the broadcast encryption key Kv, is generated from the message R by a one-way function. A ciphertext receiving means for receiving a hash value H (R), a verifier identification information IDv and a signature target message M;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv ′
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
When the verification results of the identification information verification unit and the hash value verification unit indicate a match, the message R ′ obtained by the decryption and the received signature target message M are concatenated, and concatenated data R′‖M is obtained. Connected data generation means to generate;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertext C, the hash value H (R), the verifier identification information IDv, and the signature target message M;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information writing means for writing verifier identification information IDv unique to the authentication verification apparatus main body into a memory;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
A concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
Ciphertext generating means for encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv in the memory and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, and the signature target message M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv in the memory;
Verification result output means for outputting the verification result,
Program to function as. When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
A verifier identification information storage means for storing a unique verifier identification information IDv;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
First ciphertext generating means for encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′, the hash value H (R), and the verifier identification information IDv;
Group signature receiving means for receiving a group signature GS from a transmission destination of the first and second ciphertexts C and C ′, the hash value H (R) and the verifier identification information IDv;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing, when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input, into the memory;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
Ciphertext receiving means for receiving the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the signature target message M from the authentication verification device;
A ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖IDv ′;
Identification information verification means for verifying whether or not the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
A hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
A second cipher that decrypts the second ciphertext C ′ based on the message R ′ obtained by the decryption when the verification results of the identification information verification unit and the hash value verification unit respectively match. Sentence decryption means,
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by decrypting the second ciphertext C ′ based on the group signature member key KGi in the memory;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A message to be signed based on the first ciphertext C obtained by encrypting the concatenated data R‖IDv of the random message R and the verifier identification information IDv based on the broadcast encryption encryption key Ki and the message R Two ciphertexts C and C ′ with a second ciphertext C ′ obtained by encrypting M, a hash value H (R) generated from the message R by a one-way function, verifier identification information IDv, and A ciphertext receiving means for receiving the signature target message M;
Ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv ′;
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
A second cipher that decrypts the second ciphertext C ′ based on the message R ′ obtained by the decryption when the verification results of the identification information verification unit and the hash value verification unit respectively match. Sentence decryption means;
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by decrypting the second ciphertext C ′ based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the message to be signed M;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information writing means for writing the unique verifier identification information IDv into the memory;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
A concatenated data generating means for concatenating the message R and the verifier identification information IDv to generate concatenated data R‖IDv;
First ciphertext generating means for encrypting the concatenated data R‖IDv based on the broadcast encryption key Kv in the memory and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′, the hash value H (R), and the verifier identification information IDv to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv in the memory;
Verification result output means for outputting the verification result,
Program to function as. An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T;
Ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C and the signature target message M;
Group signature receiving means for receiving a group signature GS from the transmission destination of the ciphertext C and the message to be signed M;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing the broadcast encryption / decryption key Ki and the expiration date Exp into the memory when the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext receiving means for receiving the ciphertext C and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖T ′;
An expiration date verification means for verifying whether or not the time information T ′ in the linked data has passed the expiration date Exp in the memory;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, the message R ′ obtained by the decryption and the received signature target message M are concatenated to generate concatenated data R′‖M. Concatenated data generation means,
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi in the memory;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. The broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv generated based on the broadcast encryption method and the expiration date Exp are input so that only a valid decryption key set can be decrypted. A first decryption key storage means for storing the broadcast encryption / decryption key Ki and the expiration date Exp;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext receiving means for receiving a ciphertext C and a signature target message M in which concatenated data R デ ー タ T of a random message R and current time information T is encrypted based on the broadcast encryption key Kv; ,
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖T ′;
Expiration date verification means for verifying whether the time information T ′ in the concatenated data has passed the expiration date Exp in the first decryption key storage means;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, the message R ′ obtained by the decryption and the received signature target message M are concatenated to generate concatenated data R′‖M. Concatenated data generation means;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertext C and the signature target message M;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
An internal clock device for generating current time information T;
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T,
Ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv in the memory and generating a ciphertext C;
Ciphertext transmitting means for transmitting the ciphertext C and the message to be signed M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv in the memory;
Verification result output means for outputting the verification result,
Program to function as. An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T;
First ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′;
Group signature receiving means for receiving a group signature GS from the transmission destinations of the first and second ciphertexts C and C ′;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing, when a broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv is input, into the memory;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
Ciphertext receiving means for receiving first and second ciphertexts C and C ′ from the authentication verification device;
A ciphertext decryption means for decrypting the first ciphertext C based on the broadcast cipher / decryption key Ki in the memory to obtain concatenated data R′‖T ′;
An expiration date verification means for verifying whether or not the time information T ′ in the linked data has passed the expiration date Exp in the memory;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, the second ciphertext decryption that decrypts the second ciphertext C ′ based on the message R ′ obtained by the decryption. means,
Group signature generating means for generating a group signature GS for the signature target message M ′ obtained by the decryption based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. When a broadcast-type encryption / decryption key Ki corresponding to a broadcast-type encryption / decryption key Kv generated based on the broadcast-type encryption method is encrypted so that only a valid set of decryption keys can be decrypted, this broadcast First decryption key storage means for storing the type encryption / decryption key Ki;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A first ciphertext C obtained by encrypting concatenated data R‖T of a random message R and current time information T based on the broadcast encryption key Kv, and the signature based on the message R Ciphertext receiving means for receiving two ciphertexts C and C ′ with the second ciphertext C ′ obtained by encrypting the target message M;
Ciphertext decryption means for decrypting the first ciphertext C to obtain concatenated data R ′ 鍵 T ′ based on the broadcast encryption / decryption key Ki;
Expiration date verification means for verifying whether the time information T ′ in the concatenated data has passed the expiration date Exp in the first decryption key storage means;
As a result of this verification, when the time information T ′ has not passed the expiration date Exp, a second ciphertext decryption that decrypts the second ciphertext C ′ based on the message R ′ obtained by the decryption. Means,
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by the decryption based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertexts C and C ′;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
An internal clock device for generating current time information T;
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R and the time information T to generate concatenated data R‖T,
First ciphertext generating means for encrypting the concatenated data R‖T based on the broadcast encryption key Kv in the memory and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′ to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv in the memory;
Verification result output means for outputting the verification result,
Program to function as. An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
A verifier identification information storage means for storing a unique verifier identification information IDv;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
Ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption encryption key Kv and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T, and the signature target message M;
Group signature receiving means for receiving a group signature GS from a transmission destination of the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T, and the signature target message M;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing the broadcast encryption / decryption key Ki and the expiration date Exp into the memory when the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input;
A second writing means for writing the group signature member key KGi when the group signature member key KGi corresponding to the group signature verification key KGv is input;
A ciphertext receiving means for receiving the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T, and the signature target message M from the authentication verification device;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki in the memory to obtain concatenated data R′‖IDv′‖T ′;
Expiration date verification means for verifying whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the memory. ,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
A hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A concatenated data generating means for concatenating the message R ′ obtained by the decryption and the received signature object message M to generate concatenated data R′‖M,
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi in the memory;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. The broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv generated based on the broadcast encryption method and the expiration date Exp are input so that only a valid decryption key set can be decrypted. A first decryption key storage means for storing the broadcast encryption / decryption key Ki and the expiration date Exp;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
The ciphertext C obtained by encrypting the concatenated data R‖IDv さ れ T in which the random message R, the verifier identification information IDv, and the current time information T are concatenated based on the broadcast encryption key Kv, the message Ciphertext receiving means for receiving a hash value H (R) generated from R by a one-way function, verifier identification information IDv, time information T and signature target message M;
Ciphertext decryption means for decrypting the ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv′‖T ′;
It is verified whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the first decryption key storage means. Expiry date verification means,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A concatenated data generating means for concatenating the message R ′ obtained by the decryption and the received signature target message M to generate concatenated data R′‖M;
Group signature generating means for generating a group signature GS for the concatenated data R′‖M based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T, and the signature target message M;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
An internal clock device for generating current time information T;
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information writing means for writing the unique verifier identification information IDv into the memory;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T
A ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption key Kv in the memory and generating a ciphertext C;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the ciphertext C, the hash value H (R), the verifier identification information IDv, the time information T, and the signature target message M to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv in the memory;
Verification result output means for outputting the verification result,
Program to function as. An internal clock device for generating current time information T;
When the broadcast encryption encryption key Kv generated based on the broadcast encryption method is encrypted so that only a valid decryption key set can be decrypted, the broadcast encryption encryption key Kv is stored. First encryption key storage means,
Group signature verification key storage means for storing the group signature verification key KGv when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
A verifier identification information storage means for storing a unique verifier identification information IDv;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T;
First ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the time information T;
Group signature receiving means for receiving a group signature GS from a transmission destination of the ciphertext C, C ′, the hash value H (R), the verifier identification information IDv, and the time information T;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
A verification result output means for outputting the verification result;
Is a program used in a computer of an authentication requesting device capable of communicating with the authentication verification device.
The computer,
A first writing means for writing the broadcast encryption / decryption key Ki and the expiration date Exp into the memory when the broadcast encryption / decryption key Ki and the expiration date Exp corresponding to the broadcast encryption / encryption key Kv are input;
Second writing means for writing the group signature member key KGi into the memory when the group signature member key KGi corresponding to the group signature verification key KGv is input;
Ciphertext receiving means for receiving the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the time information T from the authentication verification device;
Ciphertext decryption means for decrypting the first ciphertext C based on the broadcast ciphertext decryption key Ki in the memory to obtain concatenated data R′‖IDv′‖T ′;
Expiration date verification means for verifying whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the memory. ,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
A hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. , Second ciphertext decryption means for decrypting the second ciphertext C ′ based on the message R ′ obtained by the decryption,
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by decrypting the second ciphertext C ′ based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the authentication verification device;
Program to function as. The broadcast encryption / decryption key Ki corresponding to the broadcast encryption / decryption key Kv generated based on the broadcast encryption method and the expiration date Exp are input so that only a valid decryption key set can be decrypted. A first decryption key storage means for storing the broadcast encryption / decryption key Ki and the expiration date Exp;
First member key storage means for storing a group signature member key KGi when a group signature member key KGi corresponding to the group signature verification key KGv is input;
A first ciphertext C obtained by encrypting concatenated data R‖IDv‖T of a random message R, verifier identification information IDv, and current time information T based on the broadcast-type encryption key Kv; Two ciphertexts C and C ′ with a second ciphertext C ′ obtained by encrypting the signature target message M based on the message R, a hash value H generated from the message R by a one-way function (R), a ciphertext receiving means for receiving verifier identification information IDv and time information T;
Ciphertext decryption means for decrypting the first ciphertext C based on the broadcast encryption / decryption key Ki to obtain concatenated data R′‖IDv′‖T ′;
It is verified whether or not the time information T ′ in the concatenated data matches the received time information T, and whether or not the time information T ′ has passed the expiration date Exp in the first decryption key storage means. Expiry date verification means,
Identification information verification means for verifying whether the verifier identification information IDv ′ in the concatenated data matches the received verifier identification information IDv;
Hash value verification means for verifying whether or not the hash value H (R ′) generated based on the message R ′ in the concatenated data matches the received hash value H (R);
As a result of the verification by the expiration date verification unit, when the time information T ′ does not exceed the expiration date Exp, the verification results of the expiration date verification unit, the identification information verification unit, and the hash value verification unit match. A second ciphertext decryption means for decrypting the second ciphertext C ′ based on the message R ′ obtained by the decryption,
Group signature generation means for generating a group signature GS for the signature target message M ′ obtained by decrypting the second ciphertext C ′ based on the group signature member key KGi;
Group signature transmission means for transmitting the group signature GS to the transmission source of the ciphertext C, C ′, the hash value H (R), the verifier identification information IDv, and the time information T;
Is a program used for a computer of an authentication verification device capable of communicating with the authentication requesting device.
The computer,
An internal clock device for generating current time information T;
A first writing means for writing the broadcast encryption / encryption key Kv into a memory when the broadcast encryption / encryption key Kv is input;
A second writing means for writing the group signature verification key KGv into the memory when the group signature verification key KGv generated based on the group signature method is input;
Signature target message generating means for generating a signature target message M to be a target of a group signature when the broadcast type encryption key Kv and the group signature verification key KGv are input;
Verifier identification information writing means for writing the unique verifier identification information IDv into the memory;
Message generating means for generating a random message R when the broadcast encryption key Kv and the group signature verification key KGv are input;
Concatenated data generating means for concatenating the message R, the verifier identification information IDv and the time information T to generate concatenated data R‖IDv‖T
First ciphertext generating means for encrypting the concatenated data R‖IDv‖T based on the broadcast encryption key Kv and generating a first ciphertext C;
Second ciphertext generating means for encrypting the signature target message M based on the message R and generating a second ciphertext C ′;
A hash value generating means for generating a hash value H (R) of the message R by a one-way function H;
Ciphertext transmitting means for transmitting the first and second ciphertexts C and C ′, the hash value H (R), the verifier identification information IDv, and the time information T to the authentication requesting device;
Group signature receiving means for receiving a group signature GS from the authentication requesting device;
Verification means for verifying the group signature GS based on the group signature verification key KGv;
Verification result output means for outputting the verification result,
Program to function as.

Images