JP5331028B2 - Signature / verification system, signature / verification method, signature device, verification device, program, recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a signature method, wherein signature length is short and calculation amount of signature generation and signature verification is smaller. <P>SOLUTION: In a signature and verification system, a bilinear map composed of different groups (G<SB>1</SB>, G<SB>2</SB>) is used to assume that mapping from a group G<SB>1</SB>to a group G<SB>2</SB>is difficult and, by using the property where the exponent part of different generators is hard to determine, a message on two different groups is output as a signature. A signature device includes at least a signature recording section, a commitment group element selection section, a commitment random number generation section, a commitment calculation section, a key random number generation section, a key calculation section, a key group element selection section, a key randomizing section, a key generation section, a message acquisition section, a signature random number generation section, a signature calculation section, and a signature output section. A verification device includes a verification input section, a verification confirmation section, and a verification output section. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention relates to a signature / verification system, a signature / verification method, a signature device, a verification device, a program, and a recording medium, which are mainly used when sending and receiving messages via telecommunications.

  The digital signature calculates a value s that can be calculated only when the signer who knows the secret key sk corresponding to the public key pk correctly uses the secret key sk for the message m. It is used as a typical signature. A correct signature can be verified by anyone using the public key pk, and any third party who does not know the secret key sk cannot calculate the valid signature s.

  Digital signatures are used as basic components in various cryptographic protocols such as electronic cash and credential systems. In particular, in applications that require user privacy, it is possible to convince an arbitrary third party that the correct signature s for a message m is retained without revealing the signature s by combining with zero knowledge proof. Advanced usage forms are often seen.

Recent progress in pairing technology has made it possible to construct zero-knowledge proof that efficiently proves the fact that groups of elements satisfy a certain relationship (Non-Patent Document 1). Thus, if the signature s is an element of the group G with efficient pairing, that is, if sεG, the fact that the correct signature s is retained without revealing the signature s as described above It is possible to prove For example, disclosed in Non-Patent Document 2, in the method of so-called CL-Signature, the signature s to the message M∈Z _q is composed of three groups elements (a, b, c) ∈G 3.

  However, with CL-signature, an existing signature method that can prove its security only by number-theoretic assumptions without using idealized components (known as impossible) such as random oracles. , Message m is not an element of group G. Therefore, it is not used for the application of proving that the correct signature is retained for the concealed message in a state where the message is concealed. As a secure signature method even when a message is a group G element, Non-Patent Document 3 shows a method improved from the above-mentioned CL-Signature, which shows that it is safe against random message attacks. However, the security against stronger selective message attacks is unclear.

  As a method in which the message is a group element and proved to be strong against the selective message attack, there is a method shown in Non-Patent Document 4. This method will be described below. FIG. 1 is a diagram showing a configuration example of a signature / verification system, FIG. 2 is a diagram showing a processing flow of the signature device, and FIG. 3 is a diagram showing a processing flow of the verification device. The signature / verification system includes a signature device 700 and a verification device 900 connected to a network 800.

Let v = (q, G, G _T , e, g) be a public parameter. q is large prime numbers, G, G _T is a group of order q, e is G × G → G _T efficient calculations can pairing, g any generator of the group G, F, H, K , T is a generator of group G. Further, it is assumed that the message is limited to a group element pair (M, N) εG ² and satisfying e (M, H) = e (g, N).

  The signature device 700 generates a random integer x not less than 1 and not more than q−1 (S710). Then, X = xg and Y = xH are calculated (S720), (v, xg, xH) is set as the public key pk, and x is set as the secret key sk (S730).

  The signature device 700 generates random numbers c and r of 1 to q−1 (S750),

a ₂ = cg
a ₃ = cF
a ₄ = rg
a ₅ = rH
Is calculated (S760). Then, the five sets (a ₁ , a ₂ , a ₃ , a ₄ , a ₅ ) εG ⁵ are set as a signature σ (S770).

The verification apparatus 900 receives the signature σ via the network 800 (S910). And for message pair (M, N) and signature σ,
e (a ₁ , X + a ₂ ) = e (K + M, g) e (T, a ₄ )
e (a ₂ , F) = e (g, a ₃ )
e (a ₄ , H) = e (g, a ₅ )
e (M, H) = e (g, N)
It is confirmed that e (X, H) = e (g, Y) (S920). If it is confirmed that all the conditions are satisfied, information indicating that the signature is correct is output, and if it is determined that any of the conditions is not satisfied, information indicating that the signature is incorrect is output (S930). .

Jens Groth and AmitSahai, “Efficient Non-interactive Proof Systems for Bilinear Groups”, Eurocrypt 2008, LNCS 2965, pp.415-432. Jan Camenisch and Anna Lysyanskaya, “Signature Schemes and Anonymous Credentials from Bilinear Maps”, Crypto 2004, LNCS 3152, pp.56-72. Matthew Green and Susan Hohenberger, “Universally Composable Adaptive Oblivious Transfer”, IACR e-Print archive, 2008/163 [Search February 5, 2010], Internet <URL: http://eprint.iacr.org/cgi- bin / getfile.pl? entry = 2008/163 & version = 20080806: 150034 & file = 163.pdf>. Georg Fuchsbauer, “AutomorphicSignatures in Bilinear Groups”, IACR e-print 200/320 [searched February 5, 2010], Internet <URL: http://eprint.iacr.org/2009/320.pdf>.

However, in the conventional technique, the signature / verification system has a problem that the signature is composed of five elements of the group G, and the verification is performed because five pairing equations are confirmed. In addition, the message is a group element pair (M, N) ∈ G ² , and there is a restriction that e (M, H) = e (g, N) must be satisfied.

  Therefore, an object of the present invention is to provide a signature method that has a short signature length and a smaller amount of calculation for signature generation and signature verification.

The signature / verification system of the present invention performs signature generation and signature verification for a plurality of messages of group elements. _{First, G 1,} G ₂ a mapping is difficult order p groups from _{G 1} to _{G 2,} bilinear mapping of a group of order p of _{G T,} the _{e G 1 × G 2 → G} T, K Is an integer of 2 or more, and ^ is a symbol indicating a power. The signature / verification system of the present invention includes a signature device and a verification device. The signature device includes a signature recording unit, a commitment group element selection unit, a commitment random number generation unit, a commitment calculation unit, a CRS generation unit, a key random number generation unit, a key calculation unit, a key group element selection unit, a key randomization unit, a key generation unit, A message acquisition unit, a signature random number generation unit, a signature calculation unit, a signature randomization unit, and a signature output unit are provided. The verification apparatus includes a verification input unit, a verification confirmation unit, and a verification output unit. The signature recording unit records p, G ₁ , G ₂ , G _T , and e. The commitment group element selection unit randomly selects the generation sources g ₀ and h ₀ of the group G ₂ . Commitment random number generator, a random integer _x 1 of 1 or more p-1 or less, ..., _{x K} and integer _y 1, ..., and generates a _{y K.} The commitment calculator
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
Calculate The CRS generator sets ( p ₁ , G ₁ , G ₂ , G _T , e, g ₀ , h ₀ ,..., G _K , h _K ) as a CRS (Common Reference String), and (x ₁ , y ₁ ,..., X _K , y _K ) are trap doors τ. The key random number generation unit, one or more p-1 or less random integer alpha _z, and beta _z, random integer α _0, ..., α _K and integer beta _0, ..., to produce a beta _K. The key calculator is
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
Calculate Key group element selection unit selects the origin g _s of the group G ₂ at random. The key randomization department

A combination (a _1k , a _2k ) other than (g _k , g _s ^ α _k ) and a combination (b _1k , b _2k ) other than (h _k , g _s ^ β _k ) are obtained. Key generating _{unit, (g s, α z,} β z, α 0, β 0, ..., α K, β K) was used as a secret key _{sk, (g z, h z} , {a 10, a 20, b ₁₀ , b ₂₀ },..., {A _1K , a _2K , b _1K , b _2K }) are used as verification keys vk, and the verification keys vk are disclosed. The message acquisition unit receives messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ . Signature random number generation unit, one or more p-1 or less random integer _{ζ, η 1, ..., η} K, ξ 1, ..., to generate the xi] _K. The signature calculator is

Calculate The signature randomization department

Become _{(r 'k, s' k} ) except combinations _{(r k, s} k) and obtains the _{(u 'k, v' k} ) except combinations _{(u k, v} k). The signature output unit outputs (z, t, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) as a signature σ. The verification input unit of the verification device receives the messages m ₁ ,..., M _K and the signature σ. The verification confirmation part

For A and B obtained by

Make sure that The verification output unit outputs information indicating that the signature is correct when the verification confirmation unit confirms that all conditions are satisfied, and indicates that the signature is incorrect when it is confirmed that any of the conditions is not satisfied. Output information.

The signature / verification system of the present invention uses a bilinear mapping composed of different groups (G ₁ , G ₂ ), assumes that it is difficult to map from the group G ₁ to the group G ₂ , and uses different generation sources. Using the property that it is difficult to find the exponent part, messages on two different groups are used as signature output.

  Therefore, according to the signature / verification system of the present invention, the signature length can be shortened and the amount of calculation required for signature generation and signature verification can be reduced compared to the case where signatures are generated for a plurality of group element messages. .

The figure which shows the structural example of the conventional signature and verification system. The figure which shows the processing flow of the conventional signature apparatus. The figure which shows the processing flow of the conventional verification apparatus. The figure which shows the function structural example of the signature and verification system of Example 1, Example 1 modification 1, Example 1 modification 2. FIG. The figure which shows the processing flow of the signature apparatus of Example 1, Example 1 modification 1, Example 1 modification 2. FIG. The figure which shows the processing flow of the verification apparatus of this invention. FIG. 9 is a diagram illustrating a functional configuration example of a signature / verification system according to a second embodiment. FIG. 10 is a diagram illustrating a processing flow of the signature device according to the second embodiment.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the structure part which has the same function, and duplication description is abbreviate | omitted.

  FIG. 4 shows a functional configuration example of the signature / verification system of the first embodiment, FIG. 5 shows a processing flow of the signature apparatus of the first embodiment, and FIG. 6 shows a processing flow of the verification apparatus of the first embodiment. This signature / verification system includes a signature device 100 and a verification device 200 connected by a network 800, and performs signature generation and signature verification for a plurality of group element messages. When the signature generated by the signature device 100 is transferred to the verification device 200 using a recording medium, the signature device 100 and the verification device 200 do not need to be connected via the network 800.

G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integers and ^ are symbols indicating powers. The signature device 100 includes a commitment group element selection unit 110, a commitment random number generation unit 115, a commitment calculation unit 120, a CRS generation unit 125, a key random number generation unit 130, a key calculation unit 135, a key group element selection unit 140, and a key randomization unit 145. A key generation unit 150, a message acquisition unit 155, a signature random number generation unit 160, a signature calculation unit 165, a signature randomization unit 170, a signature output unit 175, and a signature recording unit 190. The verification apparatus 200 includes a verification input unit 210, a verification confirmation unit 220, and a verification output unit 230.

The signature recording unit 190 records p, G ₁ , G ₂ , G _T , and e in advance. The commitment group element selection unit 110 randomly selects the generation sources g ₀ and h ₀ of the group G ₂ (S110). Commitment random number generator 115, a random integer _x 1 of 1 or more p-1 or less, ..., _{x K} and integer _y 1, ..., and generates a _{y K} (S115). The commitment calculation unit 120
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
Is calculated (S120). The CRS generation unit 125 sets the commitment key ck ( p , G ₁ , G ₂ , G _T , e, g ₀ , h ₀ ,..., G _K , h _K ) as a CRS (Common Reference String), and (x ₁ , y ₁ ,..., X _K , y _K ) are set as trap doors τ (S125). The key random number generation unit 130, one or more p-1 or less random integer alpha _z, and beta _z, random integer α _0, ..., α _K and integer beta _0, ..., to produce a β _K (S130).

The key calculation unit 135
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
Is calculated (S135). The key group element selection unit 140 randomly selects the generation source g _s of the group G ₂ (S140). The key randomization unit 145

A combination (a _1k , a _2k ) other than (g _k , g _s ^ α _k ) and a combination (b _1k , b _2k ) other than (h _k , g _s ^ β _k ) are obtained (S145). The key generation unit 150, and _{(g s, α z, β} z, α 0, β 0, ..., α K, β K) and a secret key _{sk, (g z, h z} , {a 10, a 20, b ₁₀ , b ₂₀ },... {a _1K , a _2K , b _1K , b _2K }) are used as verification keys vk, and the verification keys vk are disclosed (S150).

The message acquisition unit 155 receives messages m ₁ ,..., M _K other than 1 on the group G ₂ (S155). Note that "Message _m 1, ..., receives the _{m K} ', a message _m 1 in some way, ..., _{m K} is to is ready, a message _m 1 is inputted from the outside, ..., m _{This includes} receiving _K , reading out messages m ₁ ,..., M _K recorded in advance in the signature recording unit 190 and the like. Signature random number generation unit 160, one or more p-1 or less random integer _{ζ, η 1, ..., η} K, ξ 1, ..., to produce a ξ _K (S160). The signature calculation unit 165

Is calculated (S165). The signature randomizing unit 170

Become _{(r 'k, s' k} ) except combinations _{(r k, s} k) and obtains the _{(u 'k, v' k} ) except combinations _{(u k, v k) (} S170). The signature output unit 175 outputs (z, t, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) as a signature σ ( S175).

Here, specific examples of the key randomizing unit 145 and the signature randomizing unit 170 will be described. Here, combinations of input numerical values are (x ₁ , y ₁ ), (x ₂ , y ₂ ),..., (X _K , y _K ), and combinations of numerical values to be output are (x ′ ₁ , y ′). ₁ ), (x ′ ₂ , y ′ ₂ ),..., (X ′ _K , y ′ _K ). That is, in this description, the key randomizing unit 145 and the signature randomizing unit 170 are e (x ₁ , y ₁ ) e (x ₂ , y ₂ )... E (x _K , y _K ) = e (x ′ ₁ , y A combination (x ′ _k , y ′ _k ) other than (x _k , y _k ) which becomes “ _1” e (x ′ ₂ , y ′ ₂ )... E (x ′ _K , y ′ _K ) is obtained. In this specific example, y ′ ₁ = y ₁ and x ′ _K = x _K. The key randomizing unit 145 and the signature randomizing unit 170 include randomized random number generating means 146 and 171 and randomizing executing means 147 and 172. The randomized random number generating means 146, 171 generates random integers γ ₁ ,..., Γ _K−1 that are 1 or more and p−1 or less (S146, S171). The randomizing execution units 147 and 172 perform the following processing in order from k = 1 to k = K−1.

(1) Confirm that y ′ _k ≠ 1, x _{k + 1} ≠ 1. When y ′ _k = 1, the value of y ′ _k after processing is set to a value other than 1, for example, by replacing (x _k , y ′ _k ). Also in the case of x _{k + 1} = 1, the value of x _{k + 1} after processing is set to a value other than ₁ by a process of exchanging (x _{k + 1} , y _{k + 1} ).

(2) e (x _{k + 1} ^ −γ _k , y ′ _k ) e (x _{k + 1} , y ′ _k ^ γ _k ) between e (x _k , y ′ _k ) and e (x _{k + 1} , y _{k + 1} ) By inserting
e (x ′ ₁ , y ′ ₁ )... e (x _k , y ′ _k ) e (x _{k + 1} , y _{k + 1} )... e (x _K , y _K )
_{e (x '1, y'} 1) ... e (x k x k + 1 ^ -γ k, y 'k) e (x k + 1, (y' k ^ γ k) y k + 1) ... e (x K, y K ), And e (x ′ ₁ , y ′ ₁ )... E (x ′ _k , y ′ _k ) e (x _{k + 1} , y ′ _{k + 1} )... E (x _K , y _K )
And

By such processing, (x ₁ , y ₁ ), (x ₂ , y ₂ ),..., (X _K , y _K ) are changed to (x ′ ₁ , y ′ ₁ ), (x ′ ₂ , y ′ _2). ),..., (X ′ _K , y ′ _K ). Note that randomization is rewriting to a combination of different numerical values so that the calculation results are the same. Randomized random number generation means 146, 171 randomly generates integers γ ₁ ,..., Γ _K−1 so as not to be biased (selected as uniform), so that pairing e (x ′ _k , y ′ _k ) is also a group. it can be distributed uniform over the G _T.

Next, the verification apparatus 200 will be described. The verification input unit 210 acquires the messages m ₁ ,..., M _K and the signature σ (S210). For example, when connected to the network 800 as shown in FIG. 4, the verification input unit 210 receives the messages m ₁ ,..., M _K and the signature σ. If not connected to the network, the message m ₁ ,..., M _K and the signature σ are received from the recording medium. The verification confirmation unit 220

For values A and B obtained by

(S220). The calculation of Expression (1) may be calculated by the verification confirming unit 220 in step S220, or may be calculated in advance using an element of the verification key vk. Alternatively, the key generation unit 150 may obtain the values A and B using the expression (1) in step S150, and disclose the values A and B as part of the verification key vk. The verification output unit 230 outputs information indicating that the signature is correct when the verification confirmation unit confirms that all the conditions are satisfied, and confirms that the signature is incorrect when it is confirmed that any of the conditions is not satisfied. The information shown is output (S230). For example, “1” may be output as information indicating that the signature is correct, and “0” may be output as information indicating that the signature is not correct.

The signature / verification system of the first embodiment uses a bilinear map composed of different groups (G ₁ , G ₂ ), assumes that it is difficult to map from the group G ₁ to the group G _2, and generates different sources. Taking advantage of the fact that it is difficult to determine the exponent part of the message, messages on two different groups are used as signature output. Therefore, according to the signature / verification system of the first embodiment, the signature length can be shortened and the amount of calculation required for signature generation and signature verification can be reduced as compared with the case where signatures are generated for a plurality of group element messages. it can.

The simulation key generation unit 150 includes the reference signature σ ₀ for the default message m = {1, 1,..., 1} composed of K “1” s in the verification key vk. Then, the reference signature σ ₀ is extracted from the verification key vk, and (z, t, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) Each value of And

And (z, t ′, w ′, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) are converted into messages m ₁ ,. and outputs as the signature σ for m _K.

  As described above, the signature / verification system according to the present invention provides an effect that it is possible to execute a “simulation” necessary for performing higher security certification.

[Modification 1]
In this modification, a change is made to reduce the processing of the signature device. Only the changes will be described with reference to FIGS. The signature device 100 ′ is different from the signature device 100 of the first embodiment in a key random number generation unit 130 ′, a key randomization unit 145 ′, and a key generation unit 150 ′.

Instead of generating random integers α ₀ ,..., Α _K and integers β ₀ ,..., Β _K , the key random number generator 130 ′ generates random integers α ₁ , β ₁ and α _k = β _k = 0. (K = 0, 2,..., K) are generated (S130 ′). The key randomization unit 145 ′

Become _{(a 10, a 20),} ..., (a 1K, a 2K) and _{(b 10, b 20),} ..., (b 1K, b 2K) Request (S145 '). The key generation unit 150 ', a secret key _{sk (g s, α z,} β z, α 1, β 1) to (S150'). Other components and processing flow are the same as those in the first embodiment.

In the signature device of this modification, the amount of calculation can be reduced by setting α _k = β _k = 0 (k = 0, 2,..., K). Therefore, the signature / verification system of the present modification can achieve the same effects as those of the first embodiment and can reduce the processing of the signature device.

[Modification 2]
In the first modification, α ₁ and β ₁ in random integers α ₀ ,..., Α _K and integers β ₀ ,..., Β _K are set to other than 0, but other integers may be set to other than 0. In this modification, α _j and β _j are other than 0, and α _k = β _k = 0 (k = 0,..., K, where k ≠ j). Only the changes will be described with reference to FIGS. The signature device 100 ″ is different from the signature device 100 of the first embodiment in a key random number generation unit 130 ″, a key randomization unit 145 ″, and a key generation unit 150 ″.

Instead of generating random integers α ₀ ,..., Α _K and integers β ₀ ,..., Β _K , the key random number generator 130 ″ generates random integers α _j , β _j and α _k = β _k = 0. (K = 0,..., K, where k ≠ j) is generated (S130 ″). The key randomization section 145 "

Become _{(a 10, a 20),} ..., (a 1K, a 2K) and _{(b 10, b 20),} ..., (b 1K, b 2K) Request (S145 "). The key generation unit 150" in the secret key _{sk (g s, α z,} β z, α j, β j) to (S150 "). and the other components the processing flow is the same as in example 1.

In the signature device of this modification, the amount of calculation can be reduced by setting α _k = β _k = 0 (k = 0,..., K, k ≠ j). Therefore, the signature / verification system of the present modification can achieve the same effects as those of the first embodiment and can reduce the processing of the signature device.

  FIG. 7 shows a functional configuration example of the signature / verification system of the second embodiment, FIG. 8 shows a processing flow of the signature apparatus of the second embodiment, and FIG. 6 shows a processing flow of the verification apparatus of the second embodiment. This signature / verification system includes a signature device 300 and a verification device 400 connected via a network 800, and performs signature generation and signature verification for a plurality of group element messages. When the signature generated by the signature device 300 is transferred to the verification device 400 using a recording medium, the signature device 300 and the verification device 400 do not need to be connected via the network 800.

G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integers and ^ are symbols indicating powers. The signature device 300 includes a commitment group element selection unit 110, a commitment random number generation unit 115, a commitment calculation unit 120, a key random number generation unit 330, a key calculation unit 135, a key group element selection unit 140, a key randomization unit 345, and a key generation unit 350. , A message acquisition unit 155, a signature random number generation unit 360, a signature calculation unit 365, a signature output unit 375, and a signature recording unit 390. The verification apparatus 400 includes a verification input unit 410, a verification confirmation unit 420, and a verification output unit 230.

The signature recording unit 390 records p, G ₁ , G ₂ , G _T , and e in advance. The commitment group element selection unit 110 randomly selects the generation sources g ₀ and h ₀ of the group G ₂ (S110). Commitment random number generator 115, a random integer _x 1 of 1 or more p-1 or less, ..., _{x K} and integer _y 1, ..., and generates a _{y K} (S115). The commitment calculation unit 120
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
Is calculated (S120). The key random number generator 330
Random integers α _z and β _{z of} 1 or more and p−1 or less and random integers α ₁ and β ₁ are generated (S330). The key calculation unit 135
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
Is calculated (S135). The key group element selection unit 140 randomly selects the generation source g _s of the group G ₂ (S135). Key randomization part is 345,
e (g _k , g _s ^ α _k ) = e (a ₁₀ , a ₂₀ ) e (a ₁₁ , a ₂₁ )
e (h _k , g _s ^ β _k ) = e (b ₁₀ , b ₂₀ ) e (b ₁₁ , b ₂₁ )
(A ₁₀ , a ₂₀ ), (a ₁₁ , a ₂₁ ) and (b ₁₀ , b ₂₀ ), (b ₁₁ , b ₂₁ ) are obtained (S345). The key generation unit 350 includes (g _z , h _z , {g ₀ , h ₀ },..., {G _K , h _K }, {a ₁₀ , a ₂₀ , b ₁₀ , b ₂₀ }, {a ₁₁ , a ₂₁ , b ₁₁ , b ₂₁ }) as the verification key vk, (vk, g _s , α _z , β _z , α ₁ , β ₁ ) as the secret key sk, and the verification key vk is made public (S350).

The message acquisition unit 155 receives messages m ₁ ,..., M _K other than 1 on the group G ₂ (S155). Note that "Message _m 1, ..., receives the _{m K} ', a message _m 1 in some way, ..., _{m K} is to is ready, a message _m 1 is inputted from the outside, ..., m _{This includes} receiving _K , reading out messages m ₁ ,..., M _K recorded in advance in the signature recording unit 390 and the like. The signature random number generation unit 360 generates random integers ζ, η, ξ, ρ, δ of 1 or more and p−1 or less (S360). The signature calculation unit 365

Is calculated (S365). The signature output unit 375 outputs (z, t, w, r, s, u, v) as a signature σ.

Next, processing of the verification apparatus 400 will be described. The verification input unit 410 acquires the messages m ₁ ,..., M _K and the signature σ (S410). The verification confirmation unit 420

(S420). The verification output unit 230 outputs information indicating that the signature is correct when the verification confirmation unit confirms that all the conditions are satisfied, and confirms that the signature is incorrect when it is confirmed that any of the conditions is not satisfied. The information shown is output. For example, “1” may be output as information indicating that the signature is correct, and “0” may be output as information indicating that the signature is not correct.

The signature / verification system of the second embodiment also uses a bilinear map composed of different groups (G ₁ , G ₂ ), assumes that mapping from the group G ₁ to the group G ₂ is difficult, and generates different sources. Taking advantage of the fact that it is difficult to determine the exponent part of the message, messages on two different groups are used as signature output. Therefore, according to the signature / verification system of the second embodiment, the signature length can be shortened and the amount of calculation required for signature generation and signature verification can be reduced compared to the case where signatures are generated for a plurality of group element messages. it can.

Program, Recording Medium When the above-described configuration is realized by a computer, the processing contents of functions that each device should have are described by the program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  The present invention can be used to prove the validity of electronic data.

100, 100 ′, 100 ″, 300, 700 Signature device 110 Commitment group element selection unit 115 Commitment random number generation unit 120 Commitment calculation unit 125 CRS generation unit 130, 130 ′, 130 ″, 330 Key random number generation unit 135 Key calculation unit 140 Key group element selection unit 145, 145 ′, 145 ″, 345 Key randomization unit 146, 171 Randomized random number generation unit 147, 172 Randomization execution unit 150, 150 ′, 150 ″, 350 Key generation unit 155 Message acquisition unit 160, 360 Signature Random number generation unit 165, 365 Signature calculation unit 170 Signature randomization unit 175, 375 Signature output unit 190, 390 Signature recording unit 200, 400, 900 Verification device 210, 410 Verification input unit 220, 420 Verification confirmation unit 230 Verification output unit 800 Net work

Claims (22)

G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integer, ^ is a symbol indicating a power,
a signature recording unit for recording p, G ₁ , G ₂ , G _T , e;
A commitment group element selector that randomly selects generators g ₀ and h ₀ of group G ₂ ;
1 or p-1 random integer _x 1 below, ..., _{x K} and integer _y 1, ..., and commitment random number generation unit for generating a _{y K,}
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
A commitment calculation unit for calculating
_{(P, G 1, G 2} , G T, e, g 0, h 0, ..., g K, h K) was set as _CRS, the _{(x 1, y 1, ...} , x K, y K) A CRS generator for trap door τ;
1 or p-1 or less random integer alpha _z, and beta _z, random integer α _0, ..., α _K and integer β _0, ..., a key the random number generation unit for generating a beta _K,
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
A key calculation unit for calculating
A key group element selection unit that randomly selects a generator g _s of the group G ₂ ;

A key randomization unit for obtaining a combination (a _1k , a _2k ) other than (g _k , g _s ^ α _k ) and a combination (b _1k , b _2k ) other than (h _k , g _s ^ β _k ) ,
_{(G s, α z, β} z, α 0, β 0, ..., α K, β K) was used as a secret key _{sk, (g z, h z} , {a 10, a 20, b 10, b 20} ,..., {A _1K , a _2K , b _1K , b _2K }) as a verification key vk, and a key generation unit that discloses the verification key vk;
A message acquisition unit that receives messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ ;
1 or p-1 or less random integer _{ζ, η 1, ..., η} K, ξ 1, ..., a signature random number generation unit for generating xi] _K,

A signature calculation unit for calculating

Become _{(r 'k, s' k} ) except combinations _{(r k, s} k) and a signature randomizing unit for obtaining the _{(u 'k, v' k} ) except combinations _{(u k, v} k),
A signature output unit that outputs (z, t, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) as a signature σ. Equipment,
A verification input unit for obtaining the messages m ₁ ,..., M _K and the signature σ;

For A and B obtained by

A verification and confirmation unit to confirm that
When the verification confirmation unit confirms that all conditions are satisfied, information indicating that the signature is correct is output, and when it is determined that any condition is not satisfied, information indicating that the signature is incorrect is output. A signature / verification system comprising: a verification device comprising: a verification output unit. The signature / verification system according to claim 1,
The key randomization part and the signature randomization part are:
_{e (x 1, y 1)} e (x 2, y 2) ... e (x K, y K) = e (x '1, y' 1) e (x '2, y' 2) ... e (x When obtaining a combination (x ′ _k , y ′ _k ) other than (x _k , y _k ) that becomes “ _K , y ′ _K ),
Randomized random number generating means for generating random integers γ ₁ ,..., Γ _K−1 of 1 or more and p−1 or less;
inserting e (x _{k + 1} ^ −γ _k , y ′ _k ) e (x _{k + 1} , y ′ _k ^ γ _k ) between e (x _k , y ′ _k ) and e (x _{k + 1} , y _{k + 1} ). so,
e (x ′ ₁ , y ′ ₁ )... e (x _k , y ′ _k ) e (x _{k + 1} , y _{k + 1} )... e (x _K , y _K )
_{e (x '1, y'} 1) ... e (x k x k + 1 ^ -γ k, y 'k) e (x k + 1, (y' k ^ γ k) y k + 1) ... e (x K, y K )
E (x ′ ₁ , y ′ ₁ )... E (x ′ _k , y ′ _k ) e (x _{k + 1} , y ′ _{k + 1} )... E (x _K , y _K )
And a randomization executing means for sequentially performing the processing of k = 1 to k = K−1. The signature / verification system according to claim 1,
The key the random number generator, a random integer α _0, ..., α _K and integer beta _0, ..., instead of generating a beta _K, random integer alpha _1, and _{β 1, α k = β k} = 0 ( k = 0, 2, ..., K),
The key randomization part

(A ₁₀ , a ₂₀ ), ..., (a _1K , a _2K ) and (b ₁₀ , b ₂₀ ), ..., (b _1K , b _2K )
The key generation unit, a signature-verification system, characterized by a secret key sk and _{(g s, α z, β} z, α 1, β 1). The signature / verification system according to claim 1,
j is an integer between 0 and K,
The key the random number generator, a random integer α _0, ..., α _K and integer beta _0, ..., instead of generating a beta _K, random integer alpha _j, and _{β j, α k = β k} = 0 ( k = 0,..., K where k ≠ j)
The key randomization part

(A ₁₀ , a ₂₀ ), ..., (a _1K , a _2K ) and (b ₁₀ , b ₂₀ ), ..., (b _1K , b _2K )
The key generation unit, a signature-verification system, characterized by a secret key sk and _{(g s, α z, β} z, α j, β j). The signature / verification system according to any one of claims 1 to 4,
The key generation unit

And a signature / verification system characterized by including A and B in the public key. G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integer, ^ is a symbol indicating a power,
a signature recording unit for recording p, G ₁ , G ₂ , G _T , e;
A commitment group element selector that randomly selects generators g ₀ and h ₀ of group G ₂ ;
1 or p-1 random integer _x 1 below, ..., _{x K} and integer _y 1, ..., and commitment random number generation unit for generating a _{y K,}
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
A commitment calculation unit for calculating
A random number α _z , β _{z of} 1 to p−1 and a key random number generator for generating random integers α ₁ , β ₁ ;
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
A key calculation unit for calculating
A key group element selection unit that randomly selects a generator g _s of the group G ₂ ;
e (g _k , g _s ^ α _k ) = e (a ₁₀ , a ₂₀ ) e (a ₁₁ , a ₂₁ )
e (h _k , g _s ^ β _k ) = e (b ₁₀ , b ₂₀ ) e (b ₁₁ , b ₂₁ )
(A ₁₀ , a ₂₀ ), (a ₁₁ , a ₂₁ ), and (b ₁₀ , b ₂₀ ), (b ₁₁ , b ₂₁ ) to obtain a key randomization unit,
_{(G z, h z, {} g 0, h 0}, ..., {g K, h K}, {a 10, a 20, b 10, b 20}, {a 11, a 21, b 11, b ₂₁ }) as a verification key vk, (vk, g _s , α _z , β _z , α ₁ , β ₁ ) as a secret key sk, and a key generation unit that publishes the verification key vk;
A message acquisition unit that receives messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ ;
A signature random number generator for generating random integers ζ, η, ξ, ρ, δ of 1 or more and p−1 or less;

A signature calculation unit for calculating
A signature device comprising: a signature output unit that outputs (z, t, w, r, s, u, v) as a signature σ;
A verification input unit for obtaining the messages m ₁ ,..., M _K and the signature σ;

A verification and confirmation unit to confirm that
When the verification confirmation unit confirms that all conditions are satisfied, information indicating that the signature is correct is output, and when it is determined that any condition is not satisfied, information indicating that the signature is incorrect is output. A signature / verification system comprising: a verification device comprising: a verification output unit. A signature / verification method in a signature / verification system including a signature device and a verification device,
G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integer, ^ is a symbol indicating a power,
In the signature device,
In the signature recording part, p, G ₁ , G ₂ , G _T , e are recorded in advance,
A commitment group element selection unit that randomly selects the generators g ₀ and h ₀ of the group G _{2 in} the commitment group element selection unit;
In commitment random number generation unit, a random integer _x 1 of 1 or more p-1 or less, ..., _{x K} and integer _y 1, ..., and commitment random number generation step of generating a _{y K,}
In the commitment calculator, for k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
A commitment calculation step for calculating
In the CRS generator, ( p , G ₁ , G ₂ , G _T , e, g ₀ , h ₀ ,..., G _K , h _K ) are set as CRS, and (x ₁ , y ₁ ,..., X _K , Y _K ) as a trapdoor τ, a CRS generation step;
The key the random number generation unit, one or more p-1 or less random integer alpha _z, and beta _z, random integer α _{0, ...,} α _K and integer beta _0, ..., a key the random number generation step of generating a beta _K ,
In the key calculator,
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
A key calculation step for calculating
A key group element selection unit for randomly selecting a generation source g _s of the group G _{2 by} a key group element selection unit;
In the key randomization department,

A key randomization step for obtaining a combination (a _1k , a _2k ) other than (g _k , g _s ^ α _k ) and a combination (b _1k , b _2k ) other than (h _k , g _s ^ β _k ) ,
In the key generation unit, (g _s , α _z , β _z , α ₀ , β ₀ ,..., Α _K , β _K ) is set as a secret key sk, and (g _z , h _z , {a ₁₀ , a ₂₀ , b ₁₀ , b ₂₀ },..., {A _1K , a _2K , b _1K , b _2K }) as a verification key vk, and a key generation step for publishing the verification key vk;
A message acquisition step of receiving messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ in the message acquisition unit;
In the signature random number generation unit, one or more p-1 or less random integer _{ζ, η 1, ..., η} K, ξ 1, ..., a signature random number generation step of generating xi] _K,
In the signature calculator,

A signature calculation step for calculating
In the signature randomization department,

Become _{(r 'k, s' k} ) except combinations _{(r k, s} k) and, a signature Randomized determining a _{(u 'k, v' k} ) except combinations _{(u k, v} k),
The signature output unit outputs (z, t, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) as a signature σ. Steps and
In the verification device,
A verification input step of acquiring messages m ₁ ,..., M _K and a signature σ at the verification input unit;
In the verification check section,

For A and B obtained by

A verification confirmation step to confirm that
When the verification output unit confirms that all the conditions are satisfied in the verification check step, it outputs information indicating that the signature is correct, and when it is confirmed that any of the conditions is not satisfied, the signature is not correct. And a verification output step for outputting information indicating the signature / verification method. The signature / verification method according to claim 7,
The key randomizing step and the signature randomizing step are:
_{e (x 1, y 1)} e (x 2, y 2) ... e (x K, y K) = e (x '1, y' 1) e (x '2, y' 2) ... e (x When obtaining a combination (x ′ _k , y ′ _k ) other than (x _k , y _k ) that becomes “ _K , y ′ _K ),
1 or p-1 random integer gamma _{1 below,} ..., a randomizing random number generation substep of generating a gamma _K-1,
inserting e (x _{k + 1} ^ −γ _k , y ′ _k ) e (x _{k + 1} , y ′ _k ^ γ _k ) between e (x _k , y ′ _k ) and e (x _{k + 1} , y _{k + 1} ). so,
e (x ′ ₁ , y ′ ₁ )... e (x _k , y ′ _k ) e (x _{k + 1} , y _{k + 1} )... e (x _K , y _K )
_{e (x '1, y'} 1) ... e (x k x k + 1 ^ -γ k, y 'k) e (x k + 1, (y' k ^ γ k) y k + 1) ... e (x K, y K )
E (x ′ ₁ , y ′ ₁ )... E (x ′ _k , y ′ _k ) e (x _{k + 1} , y ′ _{k + 1} )... E (x _K , y _K )
And a randomization execution sub-step for performing the processing in order from k = 1 to k = K−1 in order. The signature / verification method according to claim 7,
The key the random number generation step, random integer α _0, ..., α _K and integer beta _0, ..., instead of generating a beta _K, random integer alpha _1, and _{β 1, α k = β k} = 0 ( k = 0, 2, ..., K),
The key randomizing step includes

(A ₁₀ , a ₂₀ ), ..., (a _1K , a _2K ) and (b ₁₀ , b ₂₀ ), ..., (b _1K , b _2K )
The key generating step, the secret key _{sk (g s, α z,} β z, α 1, β 1) signature and verification method which is characterized in that a. The signature / verification method according to claim 7,
j is an integer between 0 and K,
The key the random number generation step, random integer α _0, ..., α _K and integer beta _0, ..., instead of generating a beta _K, random integer alpha _j, and _{β j, α k = β k} = 0 ( k = 0,..., K where k ≠ j)
The key randomizing step includes

(A ₁₀ , a ₂₀ ), ..., (a _1K , a _2K ) and (b ₁₀ , b ₂₀ ), ..., (b _1K , b _2K )
The key generating step, the secret key _{sk (g s, α z,} β z, α j, β j) signature and verification method which is characterized in that a. The signature / verification method according to any one of claims 7 to 10,
The key generation step includes:

And a signature / verification method characterized by including A and B in the public key. A signature / verification method in a signature / verification system including a signature device and a verification device,
G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integer, ^ is a symbol indicating a power,
In the signature device,
In the signature recording part, p, G ₁ , G ₂ , G _T , e are recorded in advance,
A commitment group element selection unit that randomly selects the generators g ₀ and h ₀ of the group G _{2 in} the commitment group element selection unit;
In commitment random number generation unit, a random integer _x 1 of 1 or more p-1 or less, ..., _{x K} and integer _y 1, ..., and commitment random number generation step of generating a _{y K,}
In the commitment calculator, for k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
A commitment calculation step for calculating
A key random number generation unit for generating random integers α _z and β _{z of} 1 to p−1 and random integers α ₁ and β ₁ ;
In the key calculator,
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
A key calculation step for calculating
A key group element selection unit for randomly selecting a generation source g _s of the group G _{2 by} a key group element selection unit;
In the key randomization department,
e (g _k , g _s ^ α _k ) = e (a ₁₀ , a ₂₀ ) e (a ₁₁ , a ₂₁ )
e (h _k , g _s ^ β _k ) = e (b ₁₀ , b ₂₀ ) e (b ₁₁ , b ₂₁ )
(A ₁₀ , a ₂₀ ), (a ₁₁ , a ₂₁ ) and (b ₁₀ , b ₂₀ ), (b ₁₁ , b ₂₁ ) to obtain a key randomization step,
In the key generation unit, (g _z , h _z , {g ₀ , h ₀ },..., {G _K , h _K }, {a ₁₀ , a ₂₀ , b ₁₀ , b ₂₀ }, {a ₁₁ , a ₂₁ , B ₁₁ , b ₂₁ }) as a verification key vk, (vk, g _s , α _z , β _z , α ₁ , β ₁ ) as a secret key sk, and a key generation step for publicizing the verification key vk;
A message acquisition step of receiving messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ in the message acquisition unit;
A signature random number generation unit for generating random integers ζ, η, ξ, ρ, δ of 1 or more and p−1 or less;
In the signature calculator,

A signature calculation step for calculating
A signature output unit that outputs (z, t, w, r, s, u, v) as a signature σ, and
In the verification device,
A verification input step of acquiring messages m ₁ ,..., M _K and a signature σ at the verification input unit;
In the verification check section,

A verification confirmation step to confirm that
The verification output unit outputs information indicating that the signature is correct when the verification confirmation step confirms that all conditions are satisfied, and confirms that the signature is incorrect when it is confirmed that any of the conditions is not satisfied. And a verification output step for outputting information indicating the signature / verification method. G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integer, ^ is a symbol indicating a power,
a signature recording unit for recording p, G ₁ , G ₂ , G _T , e;
A commitment group element selector that randomly selects generators g ₀ and h ₀ of group G ₂ ;
1 or p-1 random integer _x 1 below, ..., _{x K} and integer _y 1, ..., and commitment random number generation unit for generating a _{y K,}
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
A commitment calculation unit for calculating
_{(P, G 1, G 2} , G T, e, g 0, h 0, ..., g K, h K) was set as _CRS, the _{(x 1, y 1, ...} , x K, y K) A CRS generator for trap door τ;
1 or p-1 or less random integer alpha _z, and beta _z, random integer α _0, ..., α _K and integer β _0, ..., a key the random number generation unit for generating a beta _K,
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
A key calculation unit for calculating
A key group element selection unit that randomly selects a generator g _s of the group G ₂ ;

A key randomizing unit for obtaining a combination (a _1k , a _2k ) other than (g _k , g _s ^ α _k ) and a combination (b _1k , b _2k ) other than (h _k , g _s ^ β _k ) ,
_{(G s, α z, β} z, α 0, β 0, ..., α K, β K) was used as a secret key _{sk, (g z, h z} , {a 10, a 20, b 10, b 20} ,..., {A _1K , a _2K , b _1K , b _2K }) as a verification key vk, and a key generation unit that discloses the verification key vk;
A message acquisition unit that receives messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ ;
1 or p-1 or less random integer _{ζ, η 1, ..., η} K, ξ 1, ..., a signature random number generation unit for generating xi] _K,

A signature calculation unit for calculating

Become _{(r 'k, s' k} ) except combinations _{(r k, s} k) and a signature randomizing unit for obtaining the _{(u 'k, v' k} ) except combinations _{(u k, v} k),
A signature output unit that outputs (z, t, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) as a signature σ. apparatus. 14. The signature device according to claim 13, comprising:
The key randomization part and the signature randomization part are:
_{e (x 1, y 1)} e (x 2, y 2) ... e (x K, y K) = e (x '1, y' 1) e (x '2, y' 2) ... e (x When obtaining a combination (x ′ _k , y ′ _k ) other than (x _k , y _k ) that becomes “ _K , y ′ _K ),
Randomized random number generating means for generating random integers γ ₁ ,..., Γ _K−1 of 1 or more and p−1 or less;
inserting e (x _{k + 1} ^ −γ _k , y ′ _k ) e (x _{k + 1} , y ′ _k ^ γ _k ) between e (x _k , y ′ _k ) and e (x _{k + 1} , y _{k + 1} ). so,
e (x ′ ₁ , y ′ ₁ )... e (x _k , y ′ _k ) e (x _{k + 1} , y _{k + 1} )... e (x _K , y _K )
_{e (x '1, y'} 1) ... e (x k x k + 1 ^ -γ k, y 'k) e (x k + 1, (y' k ^ γ k) y k + 1) ... e (x K, y K )
E (x ′ ₁ , y ′ ₁ )... E (x ′ _k , y ′ _k ) e (x _{k + 1} , y ′ _{k + 1} )... E (x _K , y _K )
And a randomization execution means for sequentially performing the following processing from k = 1 to k = K−1. 14. The signature device according to claim 13, comprising:
The key the random number generator, a random integer α _0, ..., α _K and integer beta _0, ..., instead of generating a beta _K, random integer alpha _1, and _{β 1, α k = β k} = 0 ( k = 0, 2, ..., K),
The key randomization part

(A ₁₀ , a ₂₀ ), ..., (a _1K , a _2K ) and (b ₁₀ , b ₂₀ ), ..., (b _1K , b _2K )
The key generating unit, a secret key _{sk (g s, α z,} β z, α 1, β 1) and the signature device, characterized by. 14. The signature device according to claim 13, comprising:
j is an integer between 0 and K,
The key the random number generator, a random integer α _0, ..., α _K and integer beta _0, ..., instead of generating a beta _K, random integer alpha _j, and _{β j, α k = β k} = 0 ( k = 0,..., K where k ≠ j)
The key randomization part

(A ₁₀ , a ₂₀ ), ..., (a _1K , a _2K ) and (b ₁₀ , b ₂₀ ), ..., (b _1K , b _2K )
The key generating unit, a secret key _{sk (g s, α z,} β z, α j, β j) the signature apparatus which is characterized in that a. The signature device according to any one of claims 13 to 16,
The key generation unit

A signature apparatus characterized in that A and B are also included in the public key. G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 The above integer, ^ is a symbol indicating a power,
a signature recording unit for recording p, G ₁ , G ₂ , G _T , e;
A commitment group element selector that randomly selects generators g ₀ and h ₀ of group G ₂ ;
1 or p-1 random integer _x 1 below, ..., _{x K} and integer _y 1, ..., and commitment random number generation unit for generating a _{y K,}
For k = 1, ..., K,
g _k = g ₀ ^ x _k ,
h _k = h ₀ ^ y _k ,
A commitment calculation unit for calculating
A random number α _z , β _{z of} 1 to p−1 and a key random number generator for generating random integers α ₁ , β ₁ ;
g _z = g ₀ ^ α _z ,
h _z = g ₀ ^ β _z ,
A key calculation unit for calculating
A key group element selection unit that randomly selects a generator g _s of the group G ₂ ;
e (g _k , g _s ^ α _k ) = e (a ₁₀ , a ₂₀ ) e (a ₁₁ , a ₂₁ )
e (h _k , g _s ^ β _k ) = e (b ₁₀ , b ₂₀ ) e (b ₁₁ , b ₂₁ )
(A ₁₀ , a ₂₀ ), (a ₁₁ , a ₂₁ ), and (b ₁₀ , b ₂₀ ), (b ₁₁ , b ₂₁ ) to obtain a key randomization unit,
_{(G z, h z, {} g 0, h 0}, ..., {g K, h K}, {a 10, a 20, b 10, b 20}, {a 11, a 21, b 11, b ₂₁ }) as a verification key vk, (vk, g _s , α _z , β _z , α ₁ , β ₁ ) as a secret key sk, and a key generation unit that publishes the verification key vk;
A message acquisition unit that receives messages m ₁ ,..., M _K that are elements other than 1 on the group G ₂ ;
A signature random number generator for generating random integers ζ, η, ξ, ρ, δ of 1 or more and p−1 or less;

A signature calculation unit for calculating
A signature output unit that outputs (z, t, w, r, s, u, v) as a signature σ. G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 more integer, ^ symbol indicating the power, _{g 0} and _{h 0} the generator of the group _{G 2, x 1, ...,} x K and _y 1, ..., 1 or more _{y K} p-1 an integer,
For k = 1,..., K, g _k = g ₀ ^ x _k , h _k = h ₀ ^ y _k ,
_{(P, G 1, G 2} , G T, e, g 0, h 0, ..., g K, h K) the _{CRS, (x 1, y 1} , ..., x K, y K) a trap door τ ,
The alpha _z and beta _z 1 or p-1 an integer, α _0, ..., α _K and beta _0, ..., a beta _K integers,
g _z = g ₀ ^ α _z , h _z = g ₀ ^ β _z ,
g _s is the generator of group G ₂ and (a _1k , a _2k )

A combination other than (g _k , g _s ^ α _k ), (b _1k , b _2k )

A combination other than (h _k , g _s ^ β _k ), (g _s , α _z , β _z , α ₀ , β ₀ ,..., Α _K , β _K ) is assigned to the secret key sk, (g _z , h _{z, {a 10, a 20} , b 10, b 20}, ..., {a 1K, a 2K, b 1K, b 2K}) the verification key _vk, m _{1, ...,} a _{m K} on a group _{G 2} of 1 other messages are _{original, ζ, η 1, ...,} η K, ξ 1, ..., a xi] _K is 1 or more p-1 an integer,

Calculate

And becomes _{(r 'k, s' k} ) except combinations _{(r k, s} k), was generated by obtaining the _{(u 'k, v' k} ) except combinations _{(u k, v k) (} z , T, w, {r ₁ , s ₁ , u ₁ , v ₁ },..., {R _K , s _K , u _K , v _K }) are verification devices for confirming that they are correct signatures σ. And
A verification input unit for obtaining the messages m ₁ ,..., M _K and the signature σ;

For A and B obtained by

A verification and confirmation unit to confirm that
When the verification confirmation unit confirms that all conditions are satisfied, information indicating that the signature is correct is output, and when it is determined that any condition is not satisfied, information indicating that the signature is incorrect is output. A verification device comprising: a verification output unit. G _{1, G 2} a mapping is difficult order p groups from _{G 1} to _{G 2,} a group of order p of _{G T,} bilinear mapping of _{e G 1 × G 2 → G} T, the K 2 or greater, the symbol indicating the power of ^, _g 0, _{h 0} of origin group _{G 2, x 1, ...,} x K and _y 1, ..., 1 or more _{y K} p-1 an integer,
For k = 1,..., K, g _k = g ₀ ^ x _k , h _k = h ₀ ^ y _k ,
α _z and β _z are integers from 1 to p−1, α ₁ and β ₁ are integers,
g _z = g ₀ ^ α _z , h _z = g ₀ ^ β _z ,
g _s is the generator of group G ₂ and (a ₁₀ , a ₂₀ ) and (a ₁₁ , a ₂₁ )
e (g _k , g _s ^ α _k ) = e (a ₁₀ , a ₂₀ ) e (a ₁₁ , a ₂₁ )
A combination of (b ₁₀ , b ₂₀ ) and (b ₁₁ , b ₂₁ )
e (h _k , g _s ^ β _k ) = e (b ₁₀ , b ₂₀ ) e (b ₁₁ , b ₂₁ )
The combination (vk, g _s , α _z , β _z , α ₁ , β ₁ ) is a secret key sk, (g _z , h _z , {g ₀ , h ₀ }, ..., {g _K , h _K }, {A ₁₀ , a ₂₀ , b ₁₀ , b ₂₀ }, {a ₁₁ , a ₂₁ , b ₁₁ , b ₂₁ }) are verification keys vk, m ₁ ,..., M _K are other than 1 on the group G ₂ The message, ζ, η, ξ, ρ, δ, which is the element of, is an integer between 1 and p-1,

A verification device for confirming that (z, t, w, r, s, u, v) obtained by calculation as follows is a correct signature σ,
A verification input unit for obtaining the messages m ₁ ,..., M _K and the signature σ;

A verification and confirmation unit to confirm that
When the verification confirmation unit confirms that all conditions are satisfied, information indicating that the signature is correct is output, and when it is determined that any condition is not satisfied, information indicating that the signature is incorrect is output. A verification device comprising: a verification output unit.   A program that causes a computer to function as the signature device according to any one of claims 13 to 18 or the verification device according to claim 19 or 20.   A recording medium on which the program according to claim 21 is recorded.

Images