JP4791828B2 - Group signature system, apparatus, program and method - Google Patents

Description

  The present invention relates to a group signature system, apparatus, program, and method, and more particularly to a group signature system, apparatus, and program capable of reducing the amount of calculation and the number of times information is exchanged in a member side apparatus when generating a group signature. And a method.

  A group signature scheme is known as a kind of digital signature scheme (see, for example, Non-Patent Documents 1 and 2). According to Non-Patent Document 1, the group signature method has the following first to third properties.

  The first property is that any member belonging to a certain group can generate a group signature. The second property is that the verifier can verify that the group signature has been generated by the member, and that it is difficult to specify the member that generated the signature (hereinafter referred to as the signer) (anonymous). Sex). The third property is that the signer can be identified from the group signature by specific information.

  As such a group signature method, various methods have been proposed. Among them, the system described in Non-Patent Document 2 (hereinafter referred to as Non-Patent Document 2 system) can be configured using a secure and general digital signature system and public key encryption system. In addition, the non-patent document 2 method has been proven safe.

  However, these group signature schemes require a large amount of calculation to generate a group signature by a signer. For this reason, when a signer uses a device having a low calculation capability, such as a mobile phone, it is practically difficult to perform group signature generation calculation.

  On the other hand, as a technique capable of solving this difficulty, there is a system described in Patent Document 1 (hereinafter referred to as Patent Document 1 system).

  According to the method of Patent Document 1, a tamper resistant device having a low calculation capability and a user terminal having a high calculation capability are used. The user terminal detachably holds the tamper-resistant device, and exchanges information from the tamper-resistant device. The number of information exchanges is 2.5 round trips (one way 5 times) (see FIG. 9 of Patent Document 1, ST35 to ST39). In the method of Patent Document 1, a user terminal having high calculation capability executes most of the group signature generation calculations.

Therefore, according to the method of Patent Document 1, it is practically easy to perform group signature generation calculation even when a tamper resistant device with low calculation capability is used.
D. Chaum, E. van Heyst, Group Signatures, Proceedings of EUROCRYPT'91, LNCS 547, Springer-Verlag, pp.257-265, 1991. M. Bellare, D. Micciancio, B. Warinschi, Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions, Proceedings of Eurocrypt 2003, LNCS 2656, Springer-Verlag, pp.614-629, 2003 . Japanese Patent Laid-Open No. 2004-320562 (in particular, paragraphs 182 to 190, FIGS. 8 and 9, etc.) Osamu Watanabe, Computability / Introduction to Computational Complexity, Modern Science, 1992. U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero-knowledge proofs under general assumptions, SIAM Journal of Computing, 29 (1), pp.1-28, 1999. A. Sahai, Non-malleable non-interactive zero-knowledge and adaptive chosen-ciphertext security, FOCS'99, pp.543-553, IEEE Computer Society Press, 1999.

  The above-described Patent Document 1 system usually has no problem. However, according to the inventor's study, it is considered that the method of Patent Document 1 may reduce the amount of calculation in the member side device (tamper resistant device and user terminal) when generating the group signature. . Further, according to the study of the present inventor, it is considered that the method of Patent Document 1 may be able to reduce the exchange of information from five times one way when generating a group signature.

  The present invention has been made in view of the above circumstances, and provides a group signature system, apparatus, program, and method that can reduce the amount of calculation and the number of times information is exchanged when generating a group signature. The purpose is to do.

  A first invention is a group signature system comprising a group management device, a group member device, a proxy group signature generation device, and a signature verification device, wherein the group management device includes a group public key and a group secret key corresponding to each other Means for storing group information, means for receiving a group join request including a member public key from the group member device, means for generating a signature for the received member public key based on the group secret key, Means for transmitting the signature as a member certificate to the group member device. The group member device includes a member public key and a member signature key corresponding to each other and the member certificate associated with each other. Member information storage means stored in response to an external request, Means for generating delegation information for delegating the authority of group signature generation to the proxy group signature generation device based on the member public key, member signature key and member certificate in the information storage means; and the delegation information For transmitting to the proxy group signature generation device, the proxy group signature generation device includes a secret information storage unit for storing a proxy group signature key, and a proxy information received from the group member device. Means for verifying validity based on the group public key; and when the verification result indicates validity, generates a proxy group signing key including the delegation information, and stores the proxy group signing key as the secret information storage means To the plaintext based on a proxy group signature key in the secret information storage means in response to a signature request for the plaintext. And a means for generating a proxy group signature, and the signature verification apparatus includes a means for verifying the proxy group signature generated by the proxy group signature generation apparatus based on the group public key. It is a signature system.

  A second invention is a group signature generation system comprising a group member device and a proxy group signature generation device, wherein the group member device includes a member public key and a member signature key corresponding to each other, and a group disclosure corresponding to each other A member information storage means for storing a member certificate in which the member public key is signed by the group secret key of the group management apparatus holding the key and the group secret key and stored in association with each other; Means for generating delegation information for delegating authority for group signature generation to the proxy group signature generation apparatus based on a member public key, member signature key and member certificate in the member information storage means; Means for transmitting delegation information to the proxy group signature generation device, The signature generation device includes a secret information storage unit that stores a proxy group signature key, a unit that verifies the validity of the delegation information received from the group member device based on the group public key, and the verification result is When indicating validity, the proxy group signing key including the delegation information is generated, the proxy group signing key is written in the secret information storage unit, and the secret information storage unit in response to the signature request for plain text And a means for generating a proxy group signature for the plaintext based on a proxy group signature key.

(Function)
Accordingly, in the first and second inventions, the group member device sends the delegation information of the generation authority of the group signature to the proxy group signature generation device only once by taking the above-described means to generate the proxy group signature. With the configuration in which the device generates the proxy group signature, it is possible to reduce the amount of calculation in the member side device and the number of information exchanges when generating the group signature.

  In each of the first and second inventions, the configuration composed of each device is expressed as “system”. However, the present invention is not limited to this, and the configuration composed of each device or each device is represented as “device”, “program”, “method”. Or “computer-readable storage medium”.

  As described above, according to the present invention, when generating a group signature, it is possible to reduce the amount of calculation in the member side device and the number of times of information exchange.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following description, the notation of Sig (x <y>) means a digital signature obtained by signing the signature target y with the key x. Similarly, the notation Enc (x <y>) means a ciphertext obtained by encrypting the encryption target y with the key x. Furthermore, the notation of Vrfy (x <y> z) means the result obtained by verifying that the signature z is the signature for the signature target y with the key x, and if the verification result is correct, 1 If the verification result is not correct, 0 is displayed.

(First embodiment)
FIG. 1 is a schematic diagram showing a configuration of a group signature system according to the first embodiment of the present invention, and FIGS. 2 to 4 are schematic diagrams showing a configuration of each storage unit in the system. This group signature system includes a group management device 10, a group member device 20, a proxy group signature generation device 30, and a proxy group signature verification device 40. There may be a plurality of each of the devices 10, 20, 30, and 40, but here, a description will be given assuming that one device is provided.

  Further, in this system, a public key disclosure device 50 is used. The public key disclosure device 50 manages public keys and publishes public keys so that they can be obtained from any third party. The public key public device 50 is generally used in a public key infrastructure (PKI).

  When each device 10, 20, 30, 40 is realized by a computer, a program for causing the computer to realize the function of each device 10, 20, 30, 40 is installed in advance from a storage medium or a network. Yes. The same applies to the following embodiments.

  Here, the group management apparatus 10 includes a group information storage unit 11, a group initialization unit 12, a group information management unit 13, a member certificate generation unit 14, and a group member identification unit 15.

  The group information storage unit 11 is a storage device as a hardware resource that can be read / written from the group information management unit 13. As shown in FIG. 2, the group information storage unit 11 stores a group ID (= g), a group public key PKg, and a group secret key SKg associated with each other. Here, a plurality of sets of group public keys and group secret keys may be associated with one group ID. However, in this case, it is desirable to add an ID so that the group public key and group private key pair can be identified. In addition, member certificates of all members who participate in the corresponding group are stored in association with one group ID.

The group initialization unit 12 has the following functions (f12-1) to (f12-3).
(f12-1) A function of generating a group public key PKg and a group secret key SKg corresponding to each group ID (= g) of the group in accordance with an instruction from the outside.
(f12-2) and a function of sending the generated group public key PKg and group secret key SKg to the group information management unit 13.
(f12-3) A function of sending the group public key PKg to the public key public apparatus 50.

The group information management unit 13 has the following functions (f13-1) to (f13-2).
(f13-1) The group public key PKg and group secret key SKg sent from the group initializing unit 12 and the member certificate cert_u sent from the member certificate generating unit 14 are group information storage unit 11 for each group ID. Ability to write to.
(f13-2) A function of providing the storage contents of the group information storage unit 11 to the request source in response to a request from the member certificate generating unit 14 or the group member specifying unit 15.

The member certificate generation unit 14 has the following functions (f14-1) to (f14-3).
(f14-1) A function for verifying the validity of the zero knowledge proof information proof_u with respect to the member signature key SKu based on the group participation request from the group member device 20. The group participation request includes a member ID (= u), a member public key PKu, and zero knowledge proof information proof_u. (f14-2) A function of generating a signature for the member ID (= u) and the member public key PKu using the group secret key SKg acquired from the group information management unit 13 when the verification is successful.
(f14-3) A function of transmitting this signature to the group information management unit 13 and the group member device 20 as a member certificate cert_u.

Here, the member ID is an ID that is assigned in advance for each group member device 20 and that can identify the group member device 20. However, the member ID may be assigned for each member public key Pku. In this case, the member ID is not received from the group member device 20, and the member certificate generation unit 14 assigns a member ID for each member public key Pku. Then, this member ID is transmitted to the group information management unit 13 together with the member certificate cert_u, written to the group information storage unit 11, and also transmitted to the group member device 20. The group member specifying unit 15 has the following functions (f15-1) to (f15-2).
(f15-1) A function of decrypting the ciphertext C included in the proxy group signature ρ based on the group secret key SKg acquired from the group information management unit 13 with respect to the proxy group signature ρ input from the outside.
(f15-2) A function of outputting the member ID (= u) included in the decryption result.

  The group member device 20 includes a member information storage unit 21, a member registration unit 22, and a group signature generation authority delegation unit 23.

  The member information storage unit 21 is a storage device as a hardware resource that can be written from the member registration unit 21 and can be read from the group signature generation authority delegation unit 23. As shown in FIG. 3, the member information storage unit 21 stores a member ID (= u), a member public key PKu, a member signature key SKu, and a member certificate cert_u in association with each other. The member public key PKu and the member signature key SKu are a pair of public key pairs corresponding to each other.

The member registration unit 22 has the following functions (f22-1) to (f22-5).
(f22-1) A function for generating a member signature key SKu and a member public key PKu in response to an external request.
(f22-2) A function of generating zero knowledge proof information proof_u that proves possession of the member signature key SKu corresponding to the member public key PKu based on the member signature key SKu and the member public key PKu.
(f22-3) A function of transmitting the member ID (= u), the member public key PKu, and the zero knowledge proof information proof_u to the group management apparatus 10.
(f22-4) A function of verifying the validity of the member certificate cert_u received from the group management apparatus 10 based on the group public key PKg acquired from the public key disclosure apparatus 50.
(f22-5) A function of writing the member certificate cert_u, the member signature key SKu, and the member public key PKu, whose validity has been verified, into the member information storage unit 21.

  The member registration unit 22 is not an essential function. For example, when member information is stored in advance in the member information storage unit 21, the member registration unit 22 can be omitted.

The group signature generation authority entrusting unit 23 has the following functions (f23-1) to (f23-5).
(f23-1) In response to an external request, the authority to generate a group signature is delegated based on the member ID (= u), the member certificate cert_u, the member signature key SKu, and the member public key PKu in the member information storage unit 21 A function of generating entrustment information Dlg_u for entrusting to the group signature generation apparatus 30.
(f23-1) A function of transmitting the delegation information Dlg_u to the proxy group signature generation device 30.

  The proxy group signature generation device 30 includes a secret information storage unit 31, a group signature generation authority entrusting unit 32, and a proxy group signature generation unit 33.

  The secret information storage unit 31 is a storage device as a hardware resource that can be written from the group signature generation authority entrusting unit 32 and can be read from the proxy group signature generation unit 33. As shown in FIG. 4A, the secret information storage unit 31 stores the proxy signature key SKp, the proxy public key PKp, and the proxy group signature key SKpg in association with each other. Here, a plurality of proxy group signature keys may be stored in association with one set of proxy signature key SKp and proxy public key PKp.

  Here, the proxy signature key SKp and the proxy public key PKp are input from the outside in advance and are a pair of key data (a key pair for public key cryptography) unique to the proxy group signature generation device 30. The proxy public key PKp is publicized by the public key public device 50 in advance. The proxy group signing key SKpg includes delegation information Dlg_u and a proxy signing key SKp as shown in FIG. The entrustment information Dlg_u includes a member ID (= u), a member public key PKu, a member certificate cert_u, linked entrustment information <PKp, w>, and an entrustment certificate cert_p. The member certificate cert_u is the signature Sig (SKs <PKu>) of the group management apparatus 10 for the member public key PKu. The entrustment certificate cert_p is a signature Sig (SKu <PKp, w>) of the group member device 30 for the concatenation entrustment information <PKp, w>.

The group signature generation authority entrusting unit 32 has the following functions (f32-1) to (f32-2).
(f32-1) A function of verifying the validity of the delegation information Dlg_u received from the group member device 20 by using the group public key PKg acquired from the public key public device 50.
(f32-2) A function for generating a proxy group signature key SKpg including the delegation information Dlg_u and writing it in the secret information storage unit 31.

The proxy group signature generation unit 33 has the following functions (f33-1) to (f33-2).
(f33-1) A function of generating a proxy group signature ρ using the proxy group signature key SKpg in the secret information storage unit 31 in response to a signature request for plaintext m from the outside.
(f33-2) A function for outputting the proxy group signature ρ.

  The proxy group signature verification device 40 includes a proxy group signature verification unit 41.

The proxy group signature verification unit 41 includes the following functions (f41-1) to (f41-3).
(f41-1) A function of receiving a plaintext m and a proxy group signature ρ in accordance with an external proxy group signature verification request. The proxy group signature verification unit 41 may receive the plaintext m and the proxy group signature ρ from the proxy group signature generation apparatus 30 or from the proxy group signature generation apparatus 30 via a verification request apparatus (not shown). Also good. That is, the transmission / reception path of the plaintext m and the group signature ρ between the proxy group signature generation device 30 and the proxy group signature verification device 40 is not particularly limited.
(f41-2) A function for verifying that the proxy group signature ρ is a proxy group signature of plaintext m using the group public key PKg acquired from the public key disclosure device 50. The group public key PKg may be acquired from the public key public device 50 when a proxy group signature verification request is received and stored in a memory (not shown). The group public key PKg is acquired and stored in advance. You may keep it.

(f41-3) Function to output verification result (OK / NG).

  Next, processing performed in the group signature system configured as described above will be described using a specific method.

(Preparation)
In this system, a signature scheme DS = (Gen_S, Sig, Vrfy) including a key generation algorithm Gen_S, a signature algorithm Sig, and a signature verification algorithm Vrfy is used. The signature scheme DS is, for example, an RSA signature scheme or an ElGamal signature scheme. Furthermore, it is assumed that this signature scheme DS cannot be counterfeited against a selected plaintext attack.

  In this system, a public key cryptosystem AE = (Gen_E, Enc, Dec) including a key generation algorithm Gen_E, an encryption algorithm Enc, and a decryption algorithm Dec is used. The public key encryption method AE is, for example, an RSA public key encryption method or an ElGamal encryption method. Furthermore, it is assumed that the public key cryptosystem AE is an indistinguishable (IND-CCA) scheme against a selected ciphertext attack.

  Furthermore, an NP language determined by an NP-relation σ⊂ {0,1} * × {0,1} * on a domain consisting of a bit string of arbitrary length is L = {x ∈ L | (x, w) ∈σ is satisfied}, and the non-interactive zero knowledge proof system for this σ is (P, V). Here, {0,1} * represents a set of bit strings of arbitrary length, x represents a direct product of the set, and ⊂ represents a subset.

Here, the NP-relation σ is a relationship that satisfies the following condition (NP-i) (NP-ii).
(NP-i) When (x, w) is given, whether or not (x, w) εσ can be determined by the polynomial time of the length of the input x.

(NP-ii) When only x is given, it is difficult to determine in polynomial time whether or not (x, w) εσ is satisfied.

The non-interactive zero knowledge proof system (P, V) for σ is a relationship that satisfies the following conditions (PV-i) (PV-ii).
(PV-i) When input (x, w) is given, if P (x, w, R) = α, V (x, α, R) = 1. Here, R is an input random number common to P and V.
(PV-ii) When only an input x not included in the language L is given, it is difficult to obtain β where V (x, β, R) = 1.

  Here, it is widely known that the NP language L determined by an arbitrary NP-relation σ can be reduced in polynomial time to the language H determined by the Hamiltonian path problem δ of the graph. A language in which an arbitrary NP language can be reduced in polynomial time like this language H is called an NP complete language.

  Here, the Hamiltonian path problem δ of a graph is a problem of determining whether a graph x includes a Hamiltonian path (a path passing through all points on the graph) when the graph x is given. And a set (x, w) of Hamiltonian paths w included in the graph is δ. This δ satisfies the NP-related properties (NP-i) and (NP-ii).

  In addition, polynomial time reducible means that functions f and g that can be calculated in polynomial time of the length of input x satisfying (x, w) ∈σ ⇔ (f (x), g (w)) ∈δ It means that it is configurable. Such a configuration method of the functions f and g is described in Non-Patent Document 3, for example.

  On the other hand, the configuration method of the non-interactive zero knowledge proof system (P, V) for the language H determined by the Hamiltonian path problem δ of the graph is described in Non-Patent Document 4 and Non-Patent Document 5, for example.

From the above, the non-interactive zero knowledge proof system (P ', V') for the NP language L determined by the NP relation σ is the non-interactive zero knowledge proof system (P, V) for the functions f, g and language H described above. Using
P '(x, w, R) = P (f (x), g (w), R), V' (x, α, R) = V (f (x), α, R)
Can be configured.

  In this system, σ is defined as described later, and the non-interactive zero knowledge proof system (P, V) for this σ is configured as described above.

(Assumption)
It is assumed that the secret information storage unit 31 of the proxy group signature generation device 30 stores a proxy public key PKp and a proxy secret key SKp generated in advance using the key generation algorithm Gen_s of the signature scheme DS. Further, it is assumed that the proxy public key PKp is disclosed to the public key disclosure device 50.

(Group initialization process)
The group management apparatus 10 performs initialization processing as follows for each group g in response to an external request.

  The group initialization unit 12 generates two key pairs (PKs, SKs) and (PKe, SKe) using the key generation algorithm Gen_S of the signature scheme DS and the key generation algorithm Gen_E of the public key cryptosystem AE, respectively.

  Further, the group initialization unit 12 generates a random number R that is a common input of the non-interactive zero knowledge proof system (P, V). Then, the group initialization unit 12 sets the group public key as PKg = (R, PKs, PKe) and sets the group secret key as SKg = (SKs, SKe), and sends it to the group information management unit 13.

  The public key public device 50 discloses the group public key PKg.

  The group information management unit 13 writes the group public key PKg and the group secret key SKg to the group information storage unit 11 for each group ID = g.

(Group membership processing for group members)
Next, a group participation process executed between the group management device 10 and the group member device 20 will be described.
First, the group member device 20 starts a group member (ID = u) participation process in response to an external request.

  First, the member registration unit 22 generates a key pair of the member signature key SKu and the member public key PKu by the key generation algorithm Gen_S of the signature scheme DS.

Next, the member registration unit 22 generates zero knowledge proof information proof_u that proves that the member signature key SKu corresponding to the member public key PKu is indeed owned. For example, in the case of the ElGamal signature scheme, the (non-interactive) zero knowledge proof information proof_u = (c, s) of the secret key x mod q for the public key y = g ^ x mod p can be calculated as follows:
c = H (y‖g‖g ^ r)
s = r-cx mod q
Where p is a prime number, q is a prime number that divides p-1, g is a primitive element of a prime field GF (p) of order q, H is a secure hash function, ^ is a power calculation, and ‖ is data concatenation Represents.

  Then, the member registration unit 22 transmits the member ID u, the member public key PKu, and the zero knowledge proof information proof_u to the group management apparatus 10 as a group participation request.

  In the group management apparatus 10, the member certificate generation unit 14 verifies the validity of the zero knowledge proof information proof_u. For example, in the case of the above-described zero knowledge proof information proof_u = (c, s), it may be verified whether c = H (y‖g‖g ^ s * y ^ c mod p) holds. Here, * represents multiplication.

  Although non-interactive zero knowledge proof is used here, the present invention is not limited to this, and interactive zero knowledge proof may be used. When the interactive zero knowledge proof is used, the group member device 20 surely owns the member signature key SKu corresponding to the member public key PKu by exchanging information between the group member device 20 and the group management device 10. You just have to prove that.

  When the verification of the zero knowledge proof information proof_u is successful, the member certificate generation unit 14 uses the group secret key SKs acquired from the group information management unit 13 and the member ID u and the member public key Pku by the signature algorithm Sig. A signature Sig (SKs <u, PKu>) is generated for the concatenation <u, Pku>. The member certificate generation unit 14 transmits the signature Sig (SKs <u, PKu>) as the member certificate cert_u to the group information management unit 13 and the group member device 20.

  The group information management unit 13 writes the member certificate cert_u into the group information storage unit 11.

  On the other hand, in the group member device 20, the member registration unit 22 verifies the validity of the member certificate cert_u using the PKs of the group public key acquired from the public key public device 50.

  When the verification is successful, the member registration unit 22 writes the member certificate cert_u, the member signature key SKu, and the member public key PKu into the member information storage unit 21.

(Group signature authority delegation process)
Next, group signature generation authority delegation processing executed between the group member device 20 and the proxy group signature generation device 30 will be described.

  In the group member device 20, the group signature generation authority delegation unit 23 generates the delegation information Dlg_u as follows in response to an external request. The delegation information Dlg_u is information for delegating the authority of group signature generation to the proxy group signature generation apparatus 30.

  The group signature generation authority delegation unit 23 reads the member ID u, the member certificate cert_u, the member signature key SKu, and the member public key PKu from the member information storage unit 21.

  Further, the group signature generation authority delegation unit 23 acquires the proxy public key PKp of the proxy group signature generation device 30 from the public key disclosure device 50. Here, the proxy public key PKp may be acquired in advance from the public key disclosure device 50 and stored, or may be acquired every time the authority entrusting process is executed.

  Next, the group signature generation authority delegation unit 23 generates an entrustment document w in which information such as the expiration date of the group signature generation authority to be entrusted and usage restrictions are described in accordance with an external request. The consignment letter w is, for example, information in which character strings such as expiration dates and usage restrictions are concatenated. In particular, when no expiration date or usage restriction is specified, the entrustment w may not be present in the subsequent processing.

  Next, the group signature generation authority entrusting unit 23 concatenates the proxy public key PKp and the entrustment document w to create concatenated entrustment information <PKp, w>. Then, the group signature generation authority delegation unit 23 generates a signature Sig (Sku <PKp, w>) for the concatenation delegation information <PKp, w> by using the member signature key Sku and the signature algorithm Sig. This signature Sig (Sku <PKp, w>) is the delegation certificate cert_p.

  Finally, the group signature generation authority delegation unit 23 transmits the delegation information to the proxy group signature generation apparatus 30 as Dlg_u = (u, PKu, cert_u, w, cert_p).

  In the proxy group signature generation device 30, the group signature generation authority entrusting unit 32 verifies the validity of the member certificate cert_u in the delegation information Dlg_u using the signature verification algorithm Vrfy using the PKs of the group public key PKg. Here, the group public key PKg may be acquired in advance from the public key disclosure device 50 and stored, or may be acquired every time the authority entrusting process is executed.

  Further, the group signature generation authority delegation unit 23 verifies the validity of the delegation certificate cert_p in the delegation information Dlg_u by using the member public key PKu in the delegation information Dlg_u using the signature verification algorithm Vrfy.

  When the verification of both is successful, the group signature generation authority delegation unit 23 writes the proxy group signing key into the secret information storage unit 31 as SKpg = (u, PKu, cert_u, <PKp, w>, cert_p, SKp). .

(Proxy group signature generation process)
Next, a proxy group signature generation process executed in the proxy group signature generation apparatus 30 will be described.

  In the proxy group signature generation device 30, the plaintext m to be signed is input to the proxy group signature generation unit 33 in response to an external request. The proxy group signature generation unit 33 generates a proxy group signature ρ for the plaintext m by the following method.

  First, the proxy group signature generation unit 33 acquires the proxy group signature key SKpg from the secret information storage unit 31. Subsequently, the proxy group signature generation unit 33 uses the proxy signature key SKp in the proxy group signature key SKpg and the signature sigp () for the concatenation <PKu, m> of the member public key PKu and the plaintext m using the signature algorithm Sig. SKp <PKu, m>).

  Next, the proxy group signature generation unit 33 uses the group public key PKe acquired from the public key public device 50 and the ciphertext C = Enc (PKe, <u, PKu, cert_u, cert_p by the encryption algorithm Enc. , sigp>; r). Here, r is a random number used for encryption.

  The proxy group signature generation unit 33 uses P of the non-interactive zero knowledge proof system, α = P ((PKe, PKs, PKp, w, m, C), (u, PKu, cert_u, cert_p, sigp, r ), R). Thereafter, the proxy group signature generation unit 33 outputs the proxy group signature ρ = (PKp, w, C, α). Here, the non-interactive zero knowledge proof system (P, V) is configured as described above on the following NP-relation σ.

((PKe, PKs, PKp, w, m, C), (u, PKu, cert_u, cert_p, sigp, r)) ∈σ
⇔ Vrfy (PKs, <u, PKu>, cert_u) = 1 and Vrfy (PKu, <PKp, w>, cert_p) = 1 and
Vrfy (PKp, <PKu, m>, sigp) = 1 and Enc (pk_e, <u, PKu, cert_u, cert_p, sigp>; r) = C.

(Proxy group signature verification process)
Next, a proxy group signature verification method performed by the proxy group signature verification apparatus 40 will be described.

  In the proxy group signature verification device, the plain text m and the proxy group signature ρ corresponding thereto are input to the proxy group signature verification unit 41 in response to an external request.

  The proxy group signature verification unit 41 verifies whether or not the proxy group signature ρ complies with the expiration date and the restriction on the plaintext to be signed described in the entrustment document w. When the entrustment document w is not followed, the proxy group signature verification unit 41 outputs NG.

  When the entrustment document w is followed, the proxy group signature verification unit 41 acquires the group public key PKg from the public key public device 50. Here, the group public key PKg may be acquired in advance from the public key disclosure device 50 and stored, or may be acquired every time the verification process is executed.

Next, using the group public key PKg and V of the non-interactive zero knowledge proof system, the proxy group signature verification unit 41 verifies that the following equation holds.
V ((PKe, PKs, PKp, w, m, C), α, R) = 1.

Then, the proxy group signature verification unit 41 outputs this verification result (OK / NG).

(Group member identification process)
Finally, a group member identification method performed by the group management apparatus 10 will be described.

  In the group management apparatus 10, the plaintext m and the proxy group signature σ corresponding thereto are input to the group member specifying unit 15 in response to an external request.

  The group member specifying unit 15 verifies the validity of the proxy group signature σ by the same operation as the proxy group signature verification unit 41 in the proxy group signature verification device 40. At this time, the group member specifying unit 15 acquires the group public key PKg from the group information management unit 13. If the verification fails, the group member specifying unit 15 ends the process.

  Next, the group member specifying unit 15 acquires the specifying secret key SKE in the group secret key SKg from the group information management unit 13. Then, the group member identifying unit 15 decrypts the ciphertext C in the proxy group signature σ by the decryption algorithm Dec using the identifying secret key SKE.

Dec (SKe, C) = <u, pk_u, cert_u, cert_p, sigp>
The group member specifying unit 15 outputs the group member ID (= u) included in the decryption result.

  As described above, according to the present embodiment, the group member device 20 sends the group signature generation authority delegation information Dlg_u to the proxy group signature generation device 30 only once, and the proxy group signature generation device 30 generates the proxy group signature ρ. With the configuration to generate, when generating a group signature, it is possible to reduce the amount of calculation in the member side device and the number of times of information exchange.

  Supplementally, the proxy group signature ρ is generated only by the proxy group signature generation device 30 only by sending the delegation information Dlg_u for delegating the authority of group signature generation to the group member device 20 and the proxy group signature generation device 30 once. be able to. In other words, conventionally, it is necessary to exchange information between the devices 20 and 30 a plurality of times. However, in this embodiment, a group signature can be generated by only one-way information transmission, and the number of information exchanges can be greatly reduced.

  In this case, it is conceivable that the proxy group signature generation device 30 generates a proxy group signature ρ for a message not intended by a group member.

  However, according to the present embodiment, it is possible to verify the restrictions on the expiration date and plain text, etc. according to the consignment letter w, and further to verify the proxy group signature, thereby preventing fraud by the proxy group signature device 30.

  Further, the group signature authority delegation process of the group member device 20 is only one signature generation process of the most general signature scheme, and can be suppressed to one-tenth or less of the calculation amount as compared with the prior art. As described above, the reason why the calculation amount can be reduced to one-tenth or less of the conventional method is that the portion with a large calculation amount is entrusted to the proxy group signature device 30. At present, calculation of a general signature generation process such as an RSA signature has been put into practical use even for a device having a low calculation capability such as a mobile phone or a smart card. For this reason, this embodiment is considered to be sufficiently practical.

(Second Embodiment)
FIG. 5 is a schematic diagram showing the configuration of the group member authentication system according to the second exemplary embodiment of the present invention. The same parts as those in FIG. Is mainly described. In the following embodiments, the same description is omitted.

  That is, the present embodiment is a modification of the first embodiment, and is a group member authentication system to which the group signature system of the first embodiment is applied.

  This group member authentication system includes an authentication request device 200 provided with a group member device 20, a proxy authentication information generation device 300 provided with a proxy group signature generation device 30, and an authentication device 400 provided with a proxy group signature verification device 40. It is composed of

  In this group member authentication system, the proxy authentication information generation device 300 proves to the authentication device 400 that the authentication requesting device 200 holds the member signature key SKu, so that the authentication device 400 authenticates the group member. Do.

  Here, the authentication requesting device 200 includes a group member device 20 and an authentication requesting unit 201.

  The group member device 20 executes the group joining process in the first embodiment, and the member information storage unit 21 stores the member certificate cert_u, the member secret key SKu, and the member public key PKu.

The authentication request unit 201 has the following functions (f201-1) to (f201-5).
(f201-1) A function of transmitting an authentication request to the authentication device 400.
(f201-2) A function of receiving the authentication challenge information c received from the authentication device 400.
(f201-3) A function of sending a request to generate the commission information Dlg_u to the group member device 20 with a restriction that only the authentication challenge information c is a plaintext to be signed.
(f201-4) A function of receiving consignment information Dlg_u from the group member device 20.
(f201-5) A function of transmitting the authentication challenge information c and the entrustment information Dlg_u to the proxy authentication information generation apparatus 300.

  The proxy authentication information generation device 300 includes a proxy group signature generation device 30 and a control unit 301.

The control unit 301 has the following functions (f301-1) to (f301-4).
(f301-1) A function of receiving authentication challenge information c and entrustment information Dlg_u from the authentication requesting device 200.
(f301-2) A function of sending the delegation information Dlg_u to the proxy group signature generation device 30.
(f301-3) A function of sending a proxy group signature generation request for the authentication challenge information c to the proxy group signature generation apparatus 30.
(f301-4) A function of transmitting the proxy group signature ρ output from the proxy group signature generation device 30 to the authentication device 400.

  The authentication device 400 includes a proxy group signature verification device 40 and an authentication unit 401.

The authentication unit 401 has the following functions (f401-1) to (f401-4).
(f401-1) A function for generating authentication challenge information c including random numbers and time information in response to an authentication request from the authentication requesting apparatus 200.
(f401-2) A function of transmitting the authentication challenge information c to the authentication requesting apparatus 200.
(f401-3) A function of receiving the proxy group signature ρ from the proxy authentication information generating apparatus 300.
(f401-4) A function of sending the proxy group signature ρ and the authentication challenge information c transmitted to the authentication requesting device 200 to the proxy group signature verification device 40.
(f401-5) A function of outputting the validity verification result of the proxy group signature ρ output from the proxy group signature verification device 40 as the authentication result of the group member.

  Next, an authentication method realized in the group member authentication system configured as described above will be described.

  First, in the authentication request device 200, the authentication request unit 201 transmits an authentication request to the authentication device 400 in accordance with an external authentication execution request.

  In the authentication device 400, the authentication unit 401 generates authentication challenge information c including a random number and time information in response to the authentication request, and returns the authentication challenge information c to the authentication request device 200.

  In the authentication requesting device 200, the authentication requesting unit 201 sends this authentication challenge information c, restriction information that uses only this authentication challenge information c as a plaintext to be signed, and a group signature generation authority delegation information generation request. Enter.

  The group member device 20 describes in the consignment letter w that the plaintext to be signed is limited to the authentication challenge information c only. The group member device 20 generates the delegation information Dlg_u including the delegation w and outputs the delegation information Dlg_u to the authentication request unit 201.

  The authentication request unit 201 transmits the authentication challenge information c and the entrustment information Dlg_u to the proxy authentication information generation device 300.

  In the proxy authentication information generation device 300, the control unit 301 inputs the commission information Dlg_u to the proxy group signature generation device 30.

  As described above, the proxy group signature generation device 30 generates the proxy group signature key SKpg and writes it in the secret information storage unit 31.

  Next, the control unit 301 inputs the received authentication challenge information c and the proxy group signature generation request to the proxy group signature generation device 30.

  The proxy group signature generation device 30 generates a proxy group signature ρ and outputs it to the control unit 301 as described above. However, in the process of generating the proxy group signature ρ, authentication challenge information c is used instead of the plaintext m described above.

  The control unit 301 transmits this proxy group signature ρ to the authentication device 400.

  In the authentication device 400, the authentication unit 401 inputs a request for verifying the validity of the proxy group signature ρ to the proxy group signature verification device 40.

  As described above, the proxy group signature verification device 40 verifies the validity of the proxy group signature and outputs a verification result (OK / NG) to the authentication unit 401.

  The authentication unit 401 outputs an authentication success (OK) if the output result is OK, and outputs an authentication failure (NG) if the output result is NG.

  As described above, according to the present embodiment, due to the nature of the group signature system described in the first embodiment, even a device such as a mobile phone or a smart card having a low calculation ability is a group member without specifying a member. This can be proved to the authentication device 400.

(Third embodiment)
FIG. 6 is a schematic diagram showing a configuration of a group signature generation system according to the third exemplary embodiment of the present invention. This embodiment is a modification of the first embodiment, and is configured to realize a revocation process of the member signature key SKu.

  The revocation (revocation) of the member signature key SKu in the group signature system is a function that is practically indispensable for realizing expiration date management, unauthorized person exclusion, and the like.

  However, the revocation of the member signature key SKu is difficult to realize because there are conditions such as maintaining the anonymity of the past proxy group signature ρ. For example, the conventionally proposed revocation method has the disadvantage that the signature generation processing and signature verification processing are complicated and impractical, and the anonymity is impaired. Thus, an effective revocation method for the member signing key SKu is not known.

  In the present embodiment, in addition to the first embodiment, the proxy group signature generation device 30 performs revocation of the member signature key SKu when authority is delegated, so that the same level of processing as revocation in conventional PKI is performed. Describes how to execute revocation of the member signing key SKu.

  Specifically, the group management apparatus 10 includes a member certificate revocation information generation unit 16 in addition to the functions described above.

  The proxy group signature generation apparatus 30 includes a member certificate revocation information acquisition unit 34 and a member certificate verification unit 35 in addition to the functions described above.

  Accordingly, the group signature generation authority entrusting unit 32 has the following functions (f32-3) to (f32-4) in addition to the functions (f32-1) to (f32-2) described above.

(f32-3) A function of sending a member certificate cert_u verification request to the member certificate verification unit 35.

(f32-4) A function of writing the aforementioned proxy group signature SKpg in the secret information storage unit 31 when the verification result is OK (valid).

Here, the member certificate revocation information generation unit 16 has the following functions (f16-1) to (f16-3).
(f16-1) A function for generating a signature Sig (SKs <CertList>) based on the secret key SKs in the group secret key SKg for a list CertList composed of all revoked member certificates cert_u by an external request. Here, instead of the revoked member certificate cert_u, information that can specify cert_u, for example, when an ID is assigned to cert_u, a list including these IDs may be used as CertList.

(f16-2) A function to generate a member certificate revocation list crl composed of this list CertList and signature Sig (SKs <CertList>).
(f16-3) A function of disclosing the member certificate revocation list crl only to the proxy group signature generation apparatus 30.

On the other hand, the member certificate revocation information acquisition unit 34 has the following functions (f34-1) to (f34-3).
(f34-1) A function of acquiring the member certificate revocation list crl from the group management apparatus 10 via a secure communication path when requested by the member certificate verification unit 35 or periodically.
(f34-2) A function of verifying the validity of the signature Sig (SKs <CertList>) of the acquired member certificate revocation list crl using the PKs of the group public key PKg acquired from the public key public device 50.
(f34-3) A function of sending the verification result (OK / NG) to the group signature generation authority entrusting unit 32.
The member certificate verification unit 35 has the following functions (f35-1) to (f35-3).
(f35-1) In response to the request for verification of the member certificate cert_u from the group signature generation authority entrusting unit 32, the member certificate cert_u is added to the member certificate revocation list crl acquired by the member certificate revocation information acquisition unit 34. A function to verify whether it is included.
(f35-2) A function of returning NG (revocation) to the group signature generation authority entrusting unit 32 if it is included as a result of the verification.
(f35-3) A function of returning OK (valid) to the group signature generation authority entrusting unit 32 if it is not included as a result of verification.
Next, revocation processing of the member signature key SKu at the time of group signature generation realized in the group signature system configured as described above will be described with reference to the schematic diagram of FIG.

  First, group initialization processing and group member group participation processing are executed in the same manner as in the first embodiment.

  Next, in the group management apparatus 10, the member certificate revocation information generation unit 16 applies the secret key SKs of the group secret key SKg to the list CertList including all the member certificates cert_u that are revoked in response to an external request. Generates a signature Sig (SKs <CertList>). In addition, the member certificate revocation information generation unit 16 generates a member certificate revocation list crl composed of the list CertList and the signature Sig (SKs <CertList>).

  Thereafter, the member certificate revocation information generation unit 16 discloses the member certificate revocation list crl only to the proxy group signature generation device 30. Here, the same effect can be obtained by using a member public key revocation list instead of the member certificate revocation list crl. It is assumed that the member public key revocation list includes a list PubkeyList and a signature Sig (SKs <PubkeyList>) that can identify the member public key PKu to be revoked.

  Next, in the group signature authority delegation process, the group member device 20 generates delegation information Dlg_u for group signature generation authority as described above. Then, the group member device 20 transmits the commission information Dlg_u to the proxy group signature generation device 30.

  In the proxy group signature generation device 30, the group signature generation authority entrusting unit 32 performs the verification process described in the first embodiment on the received commission information Dlg_u, and then the member certificate cert_u in the commission information Dlg_u. Is sent to the member certificate verification unit 35. This verification request is a request to verify whether or not the member certificate cert_u has expired.

  The member certificate verification unit 35 requests the member certificate revocation list crl from the member certificate revocation information acquisition unit 34 based on the verification request.

  The member certificate revocation information acquisition unit 34 acquires the member certificate revocation list crl from the group management apparatus 10 via a secure communication path when requested by the member certificate verification unit 35 or periodically.

  The member certificate revocation information acquisition unit 34 verifies the validity of the signature Sig (SKs <CertList>) of the member certificate revocation list crl by using the group public key PKs acquired from the public key disclosure device 50. As a result of the verification, if there is validity, the member certificate revocation information acquisition unit 34 sends the member certificate revocation list crl to the member certificate verification unit 35.

  The member certificate verification unit 35 verifies whether or not the member certificate cert_u is included in the member certificate revocation list crl. As a result of this verification, the member certificate verification unit 35 outputs NG to the group signature generation authority entrusting unit 32 if it is included, and OK if it is not included.

  If the output of the member certificate verification unit 35 is NG, the group signature generation authority entrusting unit 32 outputs NG without executing the verification process described in the first embodiment, and ends the process.

  If the output of the member certificate verification unit 35 is OK, all subsequent processing is executed in the same manner as in the first embodiment.

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, revocation of the member signature key can be reliably executed before generating the group signature.

  In addition to this, the revocation process of the member signature key in the proxy group signature generation apparatus 30 is the same as the revocation process in the conventional PKI, and therefore can be easily put into practical use. .

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Furthermore, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN or the Internet is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the group signature system which concerns on the 1st Embodiment of this invention. It is a schematic diagram which shows the structure of the group information storage part in the embodiment. It is a schematic diagram which shows the structure of the member information storage part in the embodiment. It is a schematic diagram which shows the structure of the secret information storage part in the embodiment. It is a schematic diagram which shows the structure of the group signature system which concerns on the 2nd Embodiment of this invention. It is a schematic diagram which shows the structure of the group signature system which concerns on the 3rd Embodiment of this invention. It is a schematic diagram for demonstrating the member authentication method in the embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Group management apparatus, 11 ... Group information storage part, 12 ... Group initialization part, 13 ... Group information management part, 14 ... Member certificate production | generation part, 15 ... Group member identification part, 16 ... Member certificate revocation information production | generation Group member device, 21 Member information storage unit, 22 Member registration unit, 23 Group authority generation authority delegation unit, 30 Proxy group signature generation device, 31 Secret information storage unit, 32 Group signature generation Authority entrusting unit 33 ... Proxy group signature generating unit 34 ... Member certificate revocation information obtaining unit 35 ... Member certificate verifying unit 40 ... Proxy group signature verifying device 41 ... Proxy group signature verifying unit 50 ... Public key Disclosure device, 200 ... authentication request device, 201 ... authentication request unit, 300 ... proxy authentication information generation device, 301 ... control unit, 400 ... authentication device, 401 Authentication unit.

Claims (10)

A group signature system comprising a group management device, a group member device, a proxy group signature generation device, and a signature verification device,
The group management device
Group information storage means for storing a group public key and a group secret key corresponding to each other;
Means for receiving a group join request including a member public key from the group member device;
Means for generating a signature for the received member public key based on the group private key;
Means for transmitting the signature as a member certificate to the group member device,
The group member device
Member information storage means for storing member public keys and member signature keys corresponding to each other and the member certificate in association with each other;
Delegation information for entrusting the authority of group signature generation to the proxy group signature generation device based on the member public key, member signature key and member certificate in the member information storage means in response to an external request Means for generating;
Means for transmitting the entrustment information to the proxy group signature generation device,
The proxy group signature generation device includes:
Secret information storage means for storing the proxy group signing key;
Means for verifying the legitimacy of the commission information received from the group member device based on the group public key;
When the verification result indicates validity, a means for generating a proxy group signing key including the delegation information and writing the proxy group signing key in the secret information storage means;
Means for generating a proxy group signature for the plaintext based on a proxy group signature key in the secret information storage means in response to a signature request for the plaintext,
The signature verification device includes:
Means for verifying the proxy group signature generated by the proxy group signature generation device based on the group public key;
A group signature system characterized by comprising: A group signature generation system comprising a group member device and a proxy group signature generation device,
The group member device
A member public key and a member signature key corresponding to each other are associated with a member certificate obtained by signing the member public key with the group secret key of the group management apparatus that holds the corresponding group public key and group private key. Member information storage means stored and stored,
Delegation information for entrusting the authority of group signature generation to the proxy group signature generation device based on the member public key, member signature key and member certificate in the member information storage means in response to an external request Means for generating;
Means for transmitting the entrustment information to the proxy group signature generation device,
The proxy group signature generation device includes:
Secret information storage means for storing the proxy group signing key;
Means for verifying the legitimacy of the commission information received from the group member device based on the group public key;
When the verification result indicates validity, a means for generating a proxy group signing key including the delegation information and writing the proxy group signing key in the secret information storage means;
Means for generating a proxy group signature for the plaintext based on a proxy group signature key in the secret information storage means in response to a signature request for the plaintext;
A group signature generation system characterized by comprising: The group signature generation system according to claim 2,
The proxy group signature generation device includes:
Means for acquiring from the group management device a member certificate revocation list formed by listing information capable of specifying all member certificates to be revoked before verifying the validity of the entrusted information;
Means for verifying whether the member certificate revocation list includes information that can identify the member certificate received from the group member device;
As a result of the verification, when information that can identify the received member certificate is included, means for ending the process without verifying the validity of the entrusted information;
A group signature generation system characterized by comprising: A proxy group signing key including delegation information for delegating the authority to generate a group signature is generated, and the delegation information is generated for the proxy group signature generation device that generates a proxy group signature for plaintext based on the proxy group signature key. A group member device capable of transmitting
A member public key and a member signature key corresponding to each other are associated with a member certificate obtained by signing the member public key with the group secret key of the group management apparatus that holds the corresponding group public key and group private key. Member information storage means stored and stored,
Delegation information for entrusting the authority of group signature generation to the proxy group signature generation device based on the member public key, member signature key and member certificate in the member information storage means in response to an external request Means for generating;
A group member device comprising: A member public key and a member signature key corresponding to each other and a member certificate obtained by performing signature processing on the member public key with the group secret key of the group management apparatus holding the corresponding group public key and group private key are associated with each other. It is possible to generate the delegation information for delegating the authority to generate the group signature based on the member public key, the member signature key and the member certificate by an external request and transmit the delegation information A proxy group signature generation device capable of receiving the entrustment information for a group member device,
Secret information storage means for storing the proxy group signing key;
Means for verifying the legitimacy of the commission information received from the group member device;
When the verification result indicates validity, a means for generating a proxy group signing key including the delegation information and writing the proxy group signing key in the secret information storage means;
Means for generating a proxy group signature for the plaintext based on a proxy group signature key in the secret information storage means in response to a signature request for the plaintext;
Means for transmitting the generated proxy group signature to a signature verification apparatus capable of verifying the proxy group signature with the group public key;
A proxy group signature generating apparatus comprising: In the proxy group signature generation device according to claim 5,
Means for obtaining a member certificate revocation list from the group management device before verifying the validity of the entrustment information;
Means for verifying whether or not the member certificate revocation list includes information that can identify the member certificate;
As a result of the verification, when information that can identify the member certificate is included, means for ending the process without verifying the validity of the entrusted information;
A proxy group signature generating apparatus comprising: A proxy group signing key including delegation information for delegating the authority to generate a group signature is generated, and the delegation information is transmitted to the proxy group signature generation device that performs a proxy group signature on plaintext based on the proxy group signature key. A program used for a possible group member device,
A computer of the group member device;
A member public key and a member signature key corresponding to each other are associated with a member certificate obtained by signing the member public key with the group secret key of the group management apparatus that holds the corresponding group public key and group private key. Member information storage means to be stored
Delegation information for entrusting the authority of group signature generation to the proxy group signature generation device based on the member public key, member signature key and member certificate in the member information storage means in response to an external request Means to generate,
Program to function as. A member public key and a member signature key corresponding to each other and a member certificate obtained by performing signature processing on the member public key with the group secret key of the group management apparatus holding the corresponding group public key and group private key are associated with each other. It is possible to generate the delegation information for delegating the authority to generate the group signature based on the member public key, the member signature key and the member certificate by an external request and transmit the delegation information A program used for a proxy group signature generation device capable of receiving the delegation information for a group member device,
A computer of the proxy group signature generation device;
Secret information storage means for storing the proxy group signing key;
Means for verifying the validity of the commission information received from the group member device based on the group public key;
Means for generating a proxy group signature key including the delegation information and writing the proxy group signature key in the secret information storage means when the verification result indicates validity;
Means for generating a proxy group signature for the plaintext based on a proxy group signature key in the secret information storage means in response to a signature request for the plaintext;
Means for transmitting the generated proxy group signature to a signature verification apparatus capable of verifying the proxy group signature with the group public key;
Program to function as. The program according to claim 8, wherein
A computer of the proxy group signature generation device;
Means for acquiring a member certificate revocation list from the group management device before verifying the validity of the entrustment information;
Means for verifying whether or not the member certificate revocation list includes information capable of specifying the member certificate;
As a result of the verification, when information that can identify the member certificate is included, means for terminating the processing without verifying the validity of the entrusted information;
Program to function as. A group signature method executed by a group management device, a group member device, a proxy group signature generation device, and a signature verification device,
A group information storage step in which the group management device stores a group public key and a group secret key corresponding to each other in a group information storage device;
The group management device receiving a group join request including a member public key from the group member device;
The group management device generating a signature for the received member public key based on the group secret key;
The group management device transmitting the signature as a member certificate to the group member device;
A member information storage step in which the group member device stores a member public key and a member signature key corresponding to each other and the member certificate in association with each other in a member information storage device;
The group member device entrusts authority to generate a group signature to the proxy group signature generation device based on a member public key, member signature key, and member certificate in the member information storage device in response to an external request. A process of generating consignment information for
The group member device transmitting the entrustment information to the proxy group signature generation device;
The proxy group signature generation device stores a proxy group signature key in a secret information storage device;
The proxy group signature generation device verifies the validity of the commission information received from the group member device based on the group public key;
When the verification result indicates validity, the proxy group signature generation device generates a proxy group signature key including the proxy information, and writes the proxy group signature key in the secret information storage device;
The proxy group signature generating device generating a proxy group signature for the plaintext based on a proxy group signature key in the secret information storage device in response to a signature request for the plaintext;
The signature verification device verifies the proxy group signature generated by the proxy group signature generation device based on the group public key;
A group signature method characterized by comprising:

Images