JP5183401B2 - Aggregate signature generation system, aggregate signature generation method, and aggregate signature generation program - Google Patents


Info

Publication number: JP5183401B2
Authority: JP (Japan)
Prior art keywords: signature, aggregate, signature generation, aggregate signature, plurality
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: JP2008251304A
Other languages: Japanese (ja)
Other versions: JP2010087590A (en)
Inventors: 勝樹 稲村, 俊昭 田中
Original Assignee: Kddi株式会社
Application filed by: Kddi株式会社
Priority: JP2008251304A
Publications: JP2010087590A, JP5183401B2 (application granted)


Description

  The present invention relates to an aggregate signature generation system, an aggregate signature generation method, and an aggregate signature generation program.

  Conventionally, various kinds of electronic information have been transmitted via networks or media. The electronic signature is a mechanism for guaranteeing the source of electronic information. The signer performs a signature operation that takes as inputs the electronic information and a signature key known only to a specific person. The verifier performs a verification operation that takes as inputs the signed data and public information called a verification key, and can thereby confirm whether or not the specific person is the source of the data. Because it is difficult to derive the signature key from the verification key, nobody other than the specific person can impersonate that person and produce the signature, which guarantees its validity.

  Depending on the electronic information, several people may need to be involved and sign. Examples include the circulation of electronic data and approval systems within a company. Multiple signatures (Non-Patent Document 1) and group signatures (Patent Document 1) have therefore been proposed as methods for signing by a plurality of persons.

  However, in the multiple signatures and group signatures described above, a plurality of signers sign one message, so these schemes cannot be used for circulation in which messages are added along the way. An aggregate electronic signature (Non-Patent Documents 2 and 3) has therefore been proposed as a scheme in which each signer signs a different message and the signatures are collected. With this aggregate electronic signature, the signatures on the different messages signed by each signer can be aggregated while the signature size stays constant regardless of the number of signers. For this reason, the aggregate electronic signature can be used for circulation in which messages are added.

  Non-Patent Document 1: Shinpo, "An ElGamal Signature Modification Suitable for Multiple Signatures", Symposium on Cryptography and Information Security (CSS), 2C, IEICE, 1994
  Non-Patent Document 2: Isamu Teranishi, Kazue Sako, Jun Noda, Daigo Taguchi, "RSA-based Sequential Aggregate signature scheme whose signature length is not proportional to the number of signers", CSEC-28, 2005
  Non-Patent Document 3: D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps", Advances in Cryptology - EUROCRYPT 2003, Springer-Verlag, 2003
  Patent Document 1: JP 2001-166687 A

  However, the above-described aggregate electronic signature method cannot express to which layer of a hierarchy the signer belongs.

  Accordingly, the present invention has been made in view of the above-described problem, and its purpose is to provide an aggregate signature generation system, an aggregate signature generation method, and an aggregate signature generation program that can express to which layer of a hierarchy a signer belongs.

  The present invention proposes the following matters in order to solve the above problems.

  (1) The present invention proposes an aggregate signature generation system in which a plurality of signature generation apparatuses used by signers for signing are arranged to form a hierarchical structure of a plurality of layers, and in which each signer signs a different message. Each of the plurality of signature generation apparatuses includes: a key storage unit that stores a secret key different from those of the other apparatuses and a public key obtained by raising a predetermined parameter to the power of the secret key; a signature generation unit that generates a signature by raising the hash of its own message to the power of its own secret key; and a power operation unit that raises the signature generated by the signature generation unit to the power of a predetermined value that differs for each layer to which the apparatus belongs. A predetermined signature generation apparatus among the plurality of signature generation apparatuses further includes an aggregate signature generation unit that calculates the sum of the results of the power operation unit for each layer and multiplies the per-layer results to generate an aggregate signature.

  According to the present invention, in each of the plurality of signature generation apparatuses, the signature generation unit generates a signature by raising the hash of its own message to the power of its own secret key. The power operation unit then raises the signature generated by the signature generation unit to the power of a predetermined value that differs for each layer to which the apparatus belongs. In the predetermined signature generation apparatus among the plurality of signature generation apparatuses, the aggregate signature generation unit calculates the sum of the results of the power operation unit for each layer and multiplies the per-layer results to generate an aggregate signature.

  For this reason, the aggregate signature has a structure in which the hash of each message is raised to the power of the corresponding secret key and of a predetermined value, and this predetermined value differs for each layer to which the apparatus belongs. The layer of a signature generation apparatus can therefore be expressed by the structure of the exponent in the mathematical expression representing the aggregate signature. Consequently, when each signer uses a different signature generation apparatus, it is possible to express to which layer the signer belongs.

  Further, since the aggregate signature lies in the same cyclic group as the signatures of the individual signers, it can be stored in a fixed size regardless of the number of signers.

  (2) The present invention proposes the aggregate signature generation system according to (1), characterized in that the predetermined value is a value obtained by raising a specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer.

  According to the present invention, the predetermined value is a value obtained by raising the specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer. For this reason, the layer to which a signature generation apparatus belongs can be expressed by the specific value within the exponent of the mathematical expression representing the aggregate signature.

  (3) The present invention proposes the aggregate signature generation system according to (1) or (2), further including a signature verification device for verifying the aggregate signature, characterized in that the signature verification device includes an aggregate signature verification unit that verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature operation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs.

  According to the present invention, in the signature verification apparatus, the aggregate signature verification unit performs the GAP-Diffie-Hellman signature operation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs, and verifies the validity of the aggregate signature.

  Here, the calculation of the GAP-Diffie-Hellman signature will be described. A GAP-Diffie-Hellman (GDH) signature is a signature that relies on the fact that the decisional Diffie-Hellman (DDH) problem can be solved by using a certain black-box function e(P, Q) called a pairing.

  First, the DDH problem will be described. The DDH problem is the problem of determining whether or not ab = c is satisfied when g, g^a, g^b, and g^c are given. For this problem, the function e(P, Q) has the following properties.

  Due to the properties shown in Formula 1, when g, g^a, g^b, and g^c are input to the function e(P, Q), Formulas 2 and 3 are obtained.

  For this reason, whether or not the above-mentioned ab = c is satisfied can be determined based on whether or not the values of Equation 2 and Equation 3 match.

  Next, the GDH signature procedure will be described. In the GDH signature, a key is generated, and the signature is performed using the generated key.

  When generating a key, x is randomly selected from Z_p^*, and v is calculated such that v = g^x. Then, v is the public key and x is the secret key.

  When signing, a secret key x and a message m are prepared. Then, a hash h is calculated from the message m, and a signature σ is obtained by raising the hash h to the power of x.

  The verification of the signature σ is performed as follows. Here, since the GDH signature uses elements of G^*, the hash h is also an element of G^*, and as a result h = g^a holds. Therefore, if the signature σ is correct, the following expression holds.

  When (g, v, h, σ) is input to the function e (P, Q), the following equation is established.

  As described above, if the signature σ is correct, the values of Equation 5 and Equation 6 match. Therefore, the signature σ can be verified based on whether the values of Formula 5 and Formula 6 match.

  As described above, the validity of the aggregate signature can be verified by the calculation of the GDH signature.

  (4) The present invention proposes an aggregate signature generation method in which each signer signs a different message in an aggregate signature generation system in which a plurality of signature generation apparatuses used by signers for signing are arranged to form a hierarchical structure of a plurality of layers. The method includes: a first step in which each of the plurality of signature generation apparatuses stores a secret key different from those of the other apparatuses and a public key obtained by raising a predetermined parameter to the power of the secret key; a second step in which each of the plurality of signature generation apparatuses generates a signature by raising the hash of its own message to the power of its own secret key; a third step in which each of the plurality of signature generation apparatuses raises the signature generated in the second step to the power of a predetermined value that differs for each layer to which the apparatus belongs; and a fourth step in which a predetermined signature generation apparatus among the plurality of signature generation apparatuses calculates the sum of the results of the third step for each layer and multiplies the per-layer results to generate an aggregate signature.

  According to the present invention, each of the plurality of signature generation apparatuses generates a signature by raising the hash of its own message to the power of its own secret key, and then raises the generated signature to the power of a predetermined value that differs for each layer to which the apparatus belongs. A predetermined signature generation apparatus among the plurality of signature generation apparatuses then calculates the sum of the results of the power operation for each layer and multiplies the per-layer results to generate an aggregate signature.

  For this reason, the aggregate signature has a structure in which the hash of each message is raised to the power of the corresponding secret key and of a predetermined value, and this predetermined value differs for each layer to which the apparatus belongs. The layer of a signature generation apparatus can therefore be expressed by the structure of the exponent in the mathematical expression representing the aggregate signature. Consequently, when each signer uses a different signature generation apparatus, it is possible to express to which layer the signer belongs.

  Further, since the aggregate signature lies in the same cyclic group as the signatures of the individual signers, it can be stored in a fixed size regardless of the number of signers.

  (5) The present invention proposes the aggregate signature generation method according to (4), characterized in that the predetermined value is a value obtained by raising a specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer.

  According to the present invention, the predetermined value is a value obtained by raising the specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer. For this reason, the layer to which a signature generation apparatus belongs can be expressed by the specific value within the exponent of the mathematical expression representing the aggregate signature.

  (6) The present invention proposes the aggregate signature generation method according to (4) or (5) for an aggregate signature generation system in which a signature verification device for verifying the aggregate signature is further arranged, the method including a fifth step in which the signature verification device verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature operation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs.

  According to the present invention, the signature verification apparatus performs the GAP-Diffie-Hellman signature operation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs, and verifies the validity of the aggregate signature. Therefore, the validity of the aggregate signature can be verified.

  (7) The present invention proposes an aggregate signature generation program for causing a computer to execute an aggregate signature generation method in which each signer signs a different message in an aggregate signature generation system in which a plurality of signature generation apparatuses used by signers for signing are arranged to form a hierarchical structure of a plurality of layers. The program causes the computer to execute: a first step in which each of the plurality of signature generation apparatuses stores a secret key different from those of the other apparatuses and a public key obtained by raising a predetermined parameter to the power of the secret key; a second step in which each of the plurality of signature generation apparatuses generates a signature by raising the hash of its own message to the power of its own secret key; a third step in which each of the plurality of signature generation apparatuses raises the signature generated in the second step to the power of a predetermined value that differs for each layer to which the apparatus belongs; and a fourth step in which a predetermined signature generation apparatus among the plurality of signature generation apparatuses calculates the sum of the results of the third step for each layer and multiplies the per-layer results to generate an aggregate signature.

  According to the present invention, by causing the computer to execute the aggregate signature generation program, a signature is generated by raising the hash of the apparatus's own message to the power of its own secret key. The generated signature is then raised to the power of a predetermined value that differs for each layer to which the apparatus belongs. The sum of the results of the power operation is then calculated for each layer, and the per-layer results are multiplied to generate an aggregate signature.

  For this reason, the aggregate signature has a structure in which the hash of each message is raised to the power of the corresponding secret key and of a predetermined value, and this predetermined value differs for each layer to which the apparatus belongs. The layer of a signature generation apparatus can therefore be expressed by the structure of the exponent in the mathematical expression representing the aggregate signature. Consequently, when each signer uses a different signature generation apparatus, it is possible to express to which layer the signer belongs.

  Further, since the aggregate signature lies in the same cyclic group as the signatures of the individual signers, it can be stored in a fixed size regardless of the number of signers.

  (8) The present invention proposes the aggregate signature generation program according to (7), characterized in that the predetermined value is a value obtained by raising a specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer.

  According to the present invention, by causing the computer to execute the aggregate signature generation program, the predetermined value is expressed as a value obtained by raising the specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer. For this reason, the layer to which a signature generation apparatus belongs can be expressed by the specific value within the exponent of the mathematical expression representing the aggregate signature.

  (9) The present invention proposes the aggregate signature generation program according to (7) or (8) for an aggregate signature generation system in which a signature verification device for verifying the aggregate signature is further arranged, the program including a fifth step in which the signature verification device verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature operation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs.

  According to the present invention, by causing the computer to execute the aggregate signature generation program, the GAP-Diffie-Hellman signature operation is performed using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs, and the validity of the aggregate signature is verified. Therefore, the validity of the aggregate signature can be verified.

  According to the present invention, the aggregate signature has a structure in which the hash of each message is raised to the power of the corresponding secret key and of a predetermined value, and this predetermined value differs for each layer to which the apparatus belongs. The layer of a signature generation apparatus can therefore be expressed by the structure of the exponent in the mathematical expression representing the aggregate signature. Consequently, when each signer uses a different signature generation apparatus, it is possible to express to which layer the signer belongs.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

  The aggregate signature system includes a plurality of nodes, one provided for each signer, and a signature verification apparatus that verifies the signatures generated by the plurality of nodes. Each node includes a key storage unit that stores a signature key (secret key) and a verification key (public key), a signature generation unit that generates a signature, and a power operation unit that raises the signature generated by the signature generation unit to the power of a predetermined value that differs for each layer to which the node belongs. In addition, a predetermined node among these nodes includes an aggregate signature generation unit that generates an aggregate signature. The signature verification apparatus includes an aggregate signature verification unit that verifies the validity of the aggregate signature.

  As shown in FIG. 1, the plurality of nodes are arranged to form a hierarchy of d layers (d is an integer satisfying 4 ≦ d). In the first layer, which is the highest layer, p nodes (p is an integer satisfying 1 ≦ p) are arranged; in the (d−2)-th layer, o nodes (o is an integer satisfying 1 ≦ o) are arranged; in the (d−1)-th layer, n nodes (n is an integer satisfying 1 ≦ n) are arranged; and in the d-th layer, which is the lowest layer, m nodes (m is an integer satisfying 1 ≦ m) are arranged. In the present embodiment, each signer signs a different message using his or her own node.

<Generation of an aggregate signature when a hierarchy of d layers is formed>
Hereinafter, a case where an aggregate signature is generated by the node of FIG. 1 will be described.

  Here, the pair of the signature key (secret key) and the verification key (public key) is expressed as in Equation 7 for the node (1-l) in the first layer, as in Equation 8 for the node ((d−2)-k) in the (d−2)-th layer, as in Equation 9 for the node ((d−1)-j) in the (d−1)-th layer, and as in Equation 10 for the node (d-i) in the d-th layer. In Equation 7, l is an integer satisfying 1 ≦ l ≦ p; in Equation 8, k is an integer satisfying 1 ≦ k ≦ o; in Equation 9, j is an integer satisfying 1 ≦ j ≦ n; and in Equation 10, i is an integer satisfying 1 ≦ i ≦ m.

  First, each node (d-i) in the d-th layer performs a GDH signature as shown in Equation 11: it raises the hash h_{d-i} of the message m_{d-i} to the power of its own signature key x_{d-i} and takes the result as its own signature σ_{d-i} belonging to the d-th layer.

  Next, each node ((d−1)-j) in the (d−1)-th layer performs a GDH signature as shown in Equation 12: it raises the hash h_{(d−1)-j} of the message m_{(d−1)-j} to the power of its own signature key x_{(d−1)-j}, then raises the result to the power of a first value, and takes the result as its own signature σ_{(d−1)-j} belonging to the (d−1)-th layer. Here, the first value is "2 (= 2^1)", obtained by raising "2" to the power of "1", which equals the difference in layer number between the (d−1)-th layer and the d-th layer, the lowest layer.

  Next, each node ((d−2)-k) in the (d−2)-th layer performs a GDH signature as shown in Equation 13: it raises the hash h_{(d−2)-k} of the message m_{(d−2)-k} to the power of its own signature key x_{(d−2)-k}, then raises the result to the power of a second value, and takes the result as its own signature σ_{(d−2)-k} belonging to the (d−2)-th layer. Here, the second value is "4 (= 2^2)", obtained by raising "2" to the power of "2", which equals the difference in layer number between the (d−2)-th layer and the d-th layer, the lowest layer.

  For each node belonging to a layer higher than the (d-2) -th layer, signatures are sequentially generated in the same manner as in Equations 12 and 13 above.

  For example, each node (1-l) in the first layer, which is higher than the (d−2)-th layer, performs a GDH signature as shown in Equation 14: it raises the hash h_{1-l} of the message m_{1-l} to the power of its own signature key x_{1-l}, then raises the result to the power of a predetermined value, and takes the result as its own signature σ_{1-l} belonging to the first layer. Here, the predetermined value is obtained by raising "2" to the power of "d−1", which equals the difference in layer number between the first layer and the d-th layer, the lowest layer.

  Next, after all nodes in all layers have generated their own signatures, a predetermined node, such as the node that generated its signature last, takes the signatures of all nodes in all layers and, as shown in Equation 15, uses their product as the aggregate signature σ.

  Next, (g, h, σ) is made public.

<Verification of the aggregate signature generated when the hierarchy of the d layer is formed>
The case where the aggregate signature generated at the node of FIG. 1 is verified will be described below.

  First, the signature verification apparatus performs the GDH signature calculation by inputting (g, ..., v_{f-q}, ..., h_{f-q}, ...) to the function e(P, Q), as shown in Equations 16 and 17. Here, v_{f-q} denotes the verification key of the node (f-q) in the f-th layer (f is an integer satisfying 1 ≦ f ≦ d), and h_{f-q} denotes the hash of the message m_{f-q} at the node (f-q) in the f-th layer. q is an integer satisfying 1 ≦ q < f.

  The aggregate signature σ is verified by checking whether the value of Equation 16 and the value of Equation 17 match. Specifically, if the two values match, the aggregate signature σ is judged to be correct, and if they do not match, the aggregate signature σ is judged to be incorrect.

  As described above, the aggregate signature σ can be expressed, as shown in Equation 15, by raising the hash h_{f-q} of each message m_{f-q} to the power of a predetermined value. Here, the predetermined value is each signature key multiplied by a value that differs for each layer to which the node belongs.

  The value that differs for each layer is "1" in the d-th layer, "2" in the (d−1)-th layer, "4" in the (d−2)-th layer, and "2^(d−1)" in the first layer. The layer to which a node belongs can therefore be distinguished by the multiple applied to its signature key. Since the nodes belonging to each layer can be distinguished by the structure of the exponent of the mathematical expression representing the aggregate signature σ, it is possible to express to which layer the signer belongs.

  Further, since the aggregate signature σ lies in the same cyclic group as the signatures of the individual signers, it can be stored in a fixed size regardless of the number of signers.
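
The layer-weighted signing, aggregation and verification described above, as an added example that is not part of the patent text. It runs in an insecure exponent model (each group element is stored as its discrete logarithm modulo a prime Q, and the pairing is multiplication) so the algebra can be checked without a pairing library. The helper names, the sample roster and the verification equation e(g, σ) = Π e(v^(2^(d−f)), h), reconstructed from the description because Equations 15 to 17 are not reproduced on this page, are assumptions.

```python
import hashlib

# Exponent model of a symmetric pairing group (constructed for illustration and
# INSECURE: every discrete log is stored in the clear). An element g^a of G is
# stored as the integer a mod Q, and e(g, g)^c in the target group as c mod Q.
Q = 2**127 - 1      # prime group order (a Mersenne prime)
G = 1               # the generator g, stored as g^1
IDENTITY = 0        # g^0, also the identity of the target group


def g_mul(a, b):
    """Product of two elements of G (or of the target group)."""
    return (a + b) % Q


def g_pow(a, k):
    """Element a raised to the integer power k."""
    return (a * k) % Q


def pairing(a, b):
    """Bilinear map: e(g^a, g^b) = e(g, g)^(a*b)."""
    return (a * b) % Q


def hash_to_group(message):
    """h = H(m) as an element of G (hypothetical helper)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen(seed):
    """Secret key x in [1, Q-1] and verification key v = g^x.
    Derived from a seed only so that the demo is reproducible."""
    digest = hashlib.sha256(b"key:" + seed).digest()
    x = int.from_bytes(digest, "big") % (Q - 1) + 1
    return x, g_pow(G, x)


def layer_weight(layer, depth):
    """2^(d - f): 1 in the lowest layer d, 2 in layer d-1, 2^(d-1) in layer 1."""
    if not 1 <= layer <= depth:
        raise ValueError("layer out of range")
    return 2 ** (depth - layer)


def sign(x, message, layer, depth):
    """GDH signature h^x, followed by the per-layer power operation."""
    sigma = g_pow(hash_to_group(message), x)
    return g_pow(sigma, layer_weight(layer, depth))


def aggregate(signatures):
    """Product of all layer-weighted signatures: a single group element."""
    agg = IDENTITY
    for s in signatures:
        agg = g_mul(agg, s)
    return agg


def verify(agg, entries, depth):
    """entries: (verification key, message, claimed layer) per signer.
    Accept iff e(g, sigma) equals the product of e(v^(2^(d-f)), h)."""
    expected = IDENTITY
    for v, message, layer in entries:
        weighted_v = g_pow(v, layer_weight(layer, depth))
        expected = g_mul(expected, pairing(weighted_v, hash_to_group(message)))
    return pairing(G, agg) == expected


def demo():
    depth = 4  # the description requires d >= 4
    # (signer, message, layer): constructed sample data
    roster = [(b"alice", b"draft v1", 4), (b"bob", b"draft v2", 4),
              (b"carol", b"reviewed", 3), (b"dave", b"approved", 2),
              (b"erin", b"released", 1)]
    keys = {name: keygen(name) for name, _, _ in roster}
    agg = aggregate(sign(keys[n][0], m, f, depth) for n, m, f in roster)
    entries = [(keys[n][1], m, f) for n, m, f in roster]
    honest = verify(agg, entries, depth)
    # Same keys and messages, but dave is claimed to sit in layer 1, not 2.
    relabeled = [(v, m, 1 if m == b"approved" else f) for v, m, f in entries]
    # Same keys and layers, but carol's message is swapped.
    altered = [(v, b"rejected" if m == b"reviewed" else m, f)
               for v, m, f in entries]
    return honest, verify(agg, relabeled, depth), verify(agg, altered, depth)


if __name__ == "__main__":
    print(demo())
```

The verifier has to be given each signer's layer alongside the verification key and message; a roster that places a signer in the wrong layer fails the same check that catches an altered message.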

  The processing of the nodes and the signature verification apparatus of the present invention may be recorded as a program on a computer-readable recording medium, and the present invention can be realized by having the nodes and the signature verification apparatus (both of which are computer systems) read and execute the program recorded on the recording medium.

  Further, the "computer system" includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. Further, the above-described program may be transmitted from a computer system that stores the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the "transmission medium" for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) like the Internet or a communication line like a telephone line.

  Further, the above-described program may realize only a part of the above-described functions. Furthermore, it may be a so-called difference file (difference program), which realizes the above-described functions in combination with a program already recorded in the computer system.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

A diagram showing the arrangement of the plurality of nodes according to the embodiment of the present invention.

Explanation of symbols

x_{1-l}, x_{(d−1)-j}, x_{(d−2)-k}, x_{d-i} ... signature keys (secret keys)
v_{1-l}, v_{(d−1)-j}, v_{(d−2)-k}, v_{d-i} ... verification keys (public keys)
σ ... aggregate signature

Claims (9)

  1. An aggregate signature generation system in which a plurality of signature generation apparatuses used by signers for signing are arranged to form a hierarchical structure of a plurality of layers, and in which each signer signs a different message, wherein
    each of the plurality of signature generation apparatuses includes:
    a key storage unit that stores a secret key different from those of the other apparatuses and a public key obtained by raising a predetermined parameter to the power of the secret key;
    a signature generation unit that generates a signature by raising the hash of its own message to the power of its own secret key; and
    a power operation unit that raises the signature generated by the signature generation unit to the power of a predetermined value that differs for each layer to which the apparatus belongs,
    and wherein
    a predetermined signature generation apparatus among the plurality of signature generation apparatuses further includes an aggregate signature generation unit that calculates the sum of the results of the power operation unit for each layer and multiplies the per-layer results to generate an aggregate signature.
  2. The aggregate signature generation system according to claim 1, wherein the predetermined value is a value obtained by raising a specific value to the power of the difference in layer number between the layer to which the apparatus belongs and the lowest layer.
  3. The aggregate signature generation system according to claim 1, further comprising a signature verification device for verifying the aggregate signature, wherein
    the signature verification device comprises an aggregate signature verification unit that verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature calculation using the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs.
  4. An aggregate signature generation method in which each signer signs a different message in an aggregate signature generation system in which a plurality of signature generation devices, each used by a signer to sign, are arranged in a plurality of layers to form a hierarchical structure, the method comprising:
    a first step in which each of the plurality of signature generation devices stores a secret key, different for each device, and a public key obtained by performing a power operation on a predetermined parameter with the secret key;
    a second step in which each of the plurality of signature generation devices generates a signature by performing a power operation on the hash of its own message with its own secret key;
    a third step in which each of the plurality of signature generation devices performs a power operation with a predetermined value that differs for each layer to which the signature belongs; and
    a fourth step in which a predetermined signature generation device among the plurality of signature generation devices calculates, for each layer, the sum of the calculation results of the third step and multiplies the calculation results for each layer together to generate an aggregate signature.
  5. The aggregate signature generation method according to claim 4, wherein the predetermined value is a value obtained by raising a specific value to the power of the difference in the number of layers between its own layer and the lowest layer.
  6. The aggregate signature generation method according to claim 4, wherein a signature verification device for verifying the aggregate signature is further arranged in the aggregate signature generation system,
    the method further comprising a fifth step in which the signature verification device verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature operation with the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs.
  7. An aggregate signature generation program for causing a computer to execute an aggregate signature generation method in which each signer signs a different message in an aggregate signature generation system in which a plurality of signature generation devices, each used by a signer to sign, are arranged in a plurality of layers to form a hierarchical structure, the program causing the computer to execute:
    a first step in which each of the plurality of signature generation devices stores a secret key, different for each device, and a public key obtained by performing a power operation on a predetermined parameter with the secret key;
    a second step in which each of the plurality of signature generation devices generates a signature by performing a power operation on the hash of its own message with its own secret key;
    a third step in which each of the plurality of signature generation devices performs a power operation with a predetermined value that differs for each layer to which the signature belongs; and
    a fourth step in which a predetermined signature generation device among the plurality of signature generation devices calculates, for each layer, the sum of the calculation results of the third step and multiplies the calculation results for each layer together to generate an aggregate signature.
  8. The aggregate signature generation program according to claim 7, wherein the predetermined value is a value obtained by raising a specific value to the power of the difference in the number of layers between its own layer and the lowest layer.
  9. The aggregate signature generation program according to claim 7 or 8, wherein a signature verification device for verifying the aggregate signature is further arranged in the aggregate signature generation system,
    the program further comprising a fifth step in which the signature verification device verifies the validity of the aggregate signature by performing a GAP-Diffie-Hellman signature operation with the predetermined parameter, the public key, the hash of the message, and the aggregate signature as inputs.
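The signing, per-layer power operation and aggregation of claims 4 and 5, with the check of claim 6, as an added Python sketch that is not part of the patent text. It is toy algebra rather than a secure implementation: every group element is stored as its exponent so that the bilinear map can be computed directly. The group order `Q`, the specific value `T`, the layer numbering (1 at the top, `lowest` at the bottom), the node names and the exact verification equation are assumptions.

```python
# Added illustration: toy algebra only, NOT secure, not the patent's own code.
# A group element g^a is stored as its exponent a mod Q, so a power operation
# is multiplication mod Q, multiplying elements is addition mod Q, and the
# bilinear map e(g^a, g^b) = e(g, g)^(ab) is simply a*b mod Q.
import hashlib

Q = 2**127 - 1  # prime group order (constructed toy parameter)
G = 1           # the predetermined parameter g, stored as exponent 1
T = 3           # the "specific value" of claims 2/5/8 (assumed)

def hash_to_group(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(seed: bytes):
    x = hash_to_group(b"key:" + seed) or 1  # secret key, fixed by seed for the demo
    return x, G * x % Q                     # public key v = g^x

def weight(layer: int, lowest: int) -> int:
    return pow(T, lowest - layer, Q)        # T^(distance from the lowest layer)

def sign(x: int, msg: bytes) -> int:
    return hash_to_group(msg) * x % Q       # sigma_i = H(m_i)^(x_i)

def aggregate(entries, lowest: int) -> int:
    """entries: (layer, signature). Weight by layer, combine per layer, then combine layers."""
    per_layer = {}
    for layer, sig in entries:
        per_layer[layer] = (per_layer.get(layer, 0) + sig * weight(layer, lowest)) % Q
    return sum(per_layer.values()) % Q

def verify(agg: int, claimed, lowest: int) -> bool:
    """claimed: (layer, public key, message). Assumed check:
    e(sigma, g) == prod_i e(H(m_i), v_i)^(T^(lowest - layer_i))."""
    rhs = 0
    for layer, v, msg in claimed:
        rhs = (rhs + hash_to_group(msg) * v * weight(layer, lowest)) % Q
    return agg * G % Q == rhs

def demo():
    layout = [(1, b"root"), (2, b"mid-a"), (2, b"mid-b"), (3, b"leaf-a"), (3, b"leaf-b")]
    nodes = [(layer, keygen(name), b"message from " + name) for layer, name in layout]
    agg = aggregate([(layer, sign(x, m)) for layer, (x, _), m in nodes], lowest=3)
    claimed = [(layer, v, m) for layer, (_, v), m in nodes]
    moved = [(2, v, m) if m.endswith(b"leaf-a") else (l, v, m) for l, v, m in claimed]
    forged = [(l, v, m + b"!") if l == 1 else (l, v, m) for l, v, m in claimed]
    return verify(agg, claimed, 3), verify(agg, moved, 3), verify(agg, forged, 3)
```

`demo()` verifies the aggregate against the true hierarchy, then against a copy that reports one lowest-layer signer one layer higher, then against a copy with an altered top-layer message; only the first check passes, which shows that the layer-dependent exponent binds each signature to its place in the hierarchy.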

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2008251304A JP5183401B2 (en) 2008-09-29 2008-09-29 Aggregate signature generation system, aggregate signature generation method, and aggregate signature generation program

Publications (2)

Publication Number Publication Date
JP2010087590A JP2010087590A (en) 2010-04-15
JP5183401B2 true JP5183401B2 (en) 2013-04-17

Family

ID=42251143

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2008251304A Active JP5183401B2 (en) 2008-09-29 2008-09-29 Aggregate signature generation system, aggregate signature generation method, and aggregate signature generation program

Country Status (1)

Country Link
JP (1) JP5183401B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10469266B2 (en) 2016-10-06 2019-11-05 Cisco Technology, Inc. Signature method and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5597075B2 (en) * 2010-09-13 2014-10-01 Kddi株式会社 Signature generation apparatus, verification apparatus, signature generation method, and signature generation program
JP2012175634A (en) * 2011-02-24 2012-09-10 Kddi Corp Aggregate signature system, verification system, aggregate signature method, and aggregate signature program

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1497948A4 (en) * 2002-04-15 2007-03-21 Ntt Docomo Inc Signature schemes using bilinear mappings
WO2004021638A1 (en) * 2002-08-28 2004-03-11 Docomo Communications Laboratories Usa, Inc. Certificate-based encryption and public key infrastructure
US7664957B2 (en) * 2004-05-20 2010-02-16 Ntt Docomo, Inc. Digital signatures including identity-based aggregate signatures
JP4477678B2 (en) * 2008-01-21 2010-06-09 富士通株式会社 Electronic signature method, electronic signature program, and electronic signature device

Also Published As

Publication number Publication date
JP2010087590A (en) 2010-04-15

Legal Events

Date Code Title Description
A621 Written request for application examination

Effective date: 20110228

Free format text: JAPANESE INTERMEDIATE CODE: A621

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Effective date: 20130115

Free format text: JAPANESE INTERMEDIATE CODE: A01

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20130115

R150 Certificate of patent (=grant) or registration of utility model

Free format text: JAPANESE INTERMEDIATE CODE: R150

FPAY Renewal fee payment (prs date is renewal date of database)

Year of fee payment: 3

Free format text: PAYMENT UNTIL: 20160125