JP5597075B2 - Signature generation apparatus, verification apparatus, signature generation method, and signature generation program - Google Patents

Description

  The present invention relates to a signature generation apparatus, a verification apparatus, a signature generation method, and a signature generation program for confirming software integrity.

  Conventionally, a lot of software for computers has been created. Some of these have similar functions or evolved. In creating such software, for the purpose of improving work efficiency and shortening development time, existing software such as general-purpose software specialized for basic functions (hereinafter referred to as component software) is incorporated. There is a case in which a method of creating software having a new function (hereinafter referred to as component software) is employed. A development environment for using this method has also been prepared.

  By the way, software may not be used normally because it is tampered without permission or a virus is mixed. As a countermeasure, there has been proposed a method of using an electronic signature to check whether software has been tampered with or malicious software such as a virus has been mixed (for example, Patent Document 1). To 4).

JP-A-3-286334 JP 2003-202931 A JP 2004-2448045 A JP 2004-222330 A

  However, these methods are intended to guarantee the integrity of a piece of software. Therefore, when these methods are applied to the above-described component software, a lot of processing has occurred to check the integrity and generate an electronic signature each time the software is installed.

  An object of the present invention is to provide a signature generation device, a verification device, a signature generation method, and a signature generation program that can efficiently check the integrity of component software.

  The present invention provides the following solutions.

  (1) A signature generation apparatus according to the present invention is a signature generation apparatus that generates public signature information that guarantees the integrity of software, and is provided with a private signature key and a public key corresponding to the software. A storage unit that stores a verification key, a first hash calculation unit that performs a one-way hash function calculation, and a hash value calculated from the software by the first hash calculation unit multiplied by the signature key A signature information generating unit that generates public signature information; and a public unit that publishes the software, the verification key, and the public signature information. The signature information generating unit is a component of which the software constitutes the software When it has software, the signature key is multiplied by the public signature information of the component software and the hash value calculated from the component software. And results, by summing the result obtained by multiplying the signature key to the hash value calculated from the software, to generate the public signature information.

  According to such a configuration, the signature generation device represents the relationship between two nodes that are continuous in the tree structure by the product of the hash value obtained from the component software and the signature key of the component software. The public signature information of the component software is generated using the public signature information. Since the signature generation apparatus can represent the tree structure of the component software that constitutes the component software based on the public signature information, the integrity of the component software can be efficiently confirmed.

  (2) In the signature generation device, the signature key is formed of a predetermined natural number, and the verification key includes a point on an elliptic curve that is an element of a GDH (GAP-Diffie-Hellman) group and the signature key. It consists of points on the elliptic curve generated based on

  According to such a configuration, the signature generation apparatus may make it difficult for a third party who does not know the signature key to obtain the signature key from a point on the elliptic curve that is an element of the GDH group. it can. Even if the number of signers (number of nodes) increases, the generated public signature information is a point on the elliptic curve, so the size (capacity) of the information does not increase and is suppressed to a certain value or less. The generation device can generate signature information efficiently.

  (3) Further, in the signature generation apparatus, the disclosure unit further discloses list data indicating a configuration of a tree structure having the software as a highest node and the component software as a lower node.

  According to such a configuration, the signature generation apparatus further publishes list data indicating a configuration of a tree structure in which component software is the highest node and component software is a lower node. Therefore, when checking the integrity of the component software, the tree structure can be easily grasped, so that the verification processing efficiency is improved.

  (4) In the signature generation device, the disclosure unit further discloses the hash value calculated from the software by the first hash calculation unit.

  According to such a configuration, the signature generation apparatus can reduce the processing load of the one-way hash function calculation for the component software.

  (5) A verification device according to the present invention is a verification device for verifying the public signature information published by the signature generation device, wherein the software or a hash value calculated from the software, and a corresponding verification key, In addition, all the component software constituting the software or the hash value calculated from the component software and the corresponding verification key are collected, and the software collected by the collection unit is unidirectional. Validity of the public signature information based on a second hash calculation unit that performs a hash function calculation, verification keys corresponding to all software collected by the collection unit, and hash values calculated from all the software And a verification unit for verifying.

  According to such a configuration, the verification device verifies the validity of the public signature information for the component software based on the verification key and the hash value of the component software and component software. Therefore, the verification apparatus verifies the public signature information generated for the component software to be verified without verifying the individual signature information generated for each component software. The signature order can be verified. In other words, the verification apparatus can execute the verification process while reducing the processing load.

  (6) The verification device according to the present invention is a verification device for verifying the public signature information published by the signature generation device, and a hash value calculated from the software and all component software constituting the software And a collection unit that collects corresponding verification keys, verification keys corresponding to all software collected by the collection unit, and hash values calculated from all the software, A verification unit for verifying the characteristics.

  According to such a configuration, the verification apparatus can reduce the processing load of the one-way hash function calculation on the component software and the component software that are the verification targets.

  (7) A signature generation method according to the present invention is a signature generation method in which a computer generates public signature information that guarantees the integrity of software. A storage step for storing the verification key, a hash calculation step for performing a one-way hash function calculation, and multiplying the hash value calculated from the software in the hash calculation step by the signature key A signature information generation step for generating information; and a disclosure step for releasing the software, the verification key, and the public signature information. In the signature information generation step, the software includes component software constituting the software. If so, the component software public signature information and the component software The public signature information is generated by summing a result obtained by multiplying the hash value calculated from a by the signature key and a result obtained by multiplying the hash value calculated from the software by the signature key. .

  According to such a configuration, the same effect as in (1) can be expected when the computer executes the signature generation method.

  (8) A signature generation program according to the present invention is a signature generation program that causes a computer to generate public signature information that guarantees the integrity of software. A storage step for storing the verification key, a hash calculation step for performing a one-way hash function calculation, and multiplying the hash value calculated from the software in the hash calculation step by the signature key A signature information generation step for generating information, and a disclosure step for publishing the software, the verification key, and the public signature information. In the signature information generation step, component software that constitutes the software The component software public signature information and The sum of the result of multiplying the hash value calculated from the component software by the signature key and the result of multiplying the hash value calculated from the software by the signature key to obtain the public signature information Generate.

  According to such a configuration, the same effect as in (1) can be expected by causing the computer to execute the signature generation program.

  According to the present invention, it is possible to efficiently confirm the integrity of component software.

It is a block diagram which shows the structure of the signature production | generation apparatus concerning 1st Embodiment. It is a block diagram which shows the structure of the verification apparatus which concerns on 1st Embodiment. It is a flowchart which shows the method of publishing the public signature information which concerns on 1st Embodiment. It is a flowchart which shows the method to verify the correctness of the public signature information which concerns on 1st Embodiment. It is a figure where it uses for description about operation | movement of the signature production | generation apparatus which concerns on 1st Embodiment. It is a block diagram which shows the structure of the signature production | generation apparatus concerning 2nd Embodiment. It is a block diagram which shows the structure of the verification apparatus which concerns on 2nd Embodiment.

<First Embodiment>
Hereinafter, a first embodiment, which is an example of an embodiment of the present invention, will be described. The signature generation apparatus 1 according to the present embodiment generates public signature information for guaranteeing software integrity. Here, when the signature target is component software, this component software is composed of one or a plurality of component software. These component software may be composed of lower component software. In this way, the signature generation apparatus 1 generates public signature information for guaranteeing software integrity in each node configured in a tree structure with the component software as the highest node and the component software as the lower node. To do. Further, the validity of the public signature information generated for the software of each node is verified by the verification device 2 and the integrity of the software is confirmed.

  Note that the tree structure refers to all tree structures having an arbitrary structure, whether symmetrical or asymmetric. The present invention can be applied to a tree structure having this arbitrary structure.

  By the way, a private signature key and a public verification key are assigned to each node (component software or component software) by a certificate authority (CA). The signature key is composed of a predetermined natural number (x), and the verification key is based on the point (g) on the elliptic curve that is an element of the GDH (GAP-Diffie-Hellman) group (G) and the signature key (x). It is preferable to consist of points (v = xg) on the elliptic curve generated in the above. With this configuration, it is difficult for a third party who does not know the signature key (x) to obtain the signature key (x) from the values of “v” and “g”.

  Here, a specific signature scheme employed in the present embodiment will be described. The signature generation device 1 employs a GAP-Diffie-Hellman (GDH) signature as a base signature scheme. The GDH signature is a signature that utilizes the fact that the Decision-Diffie-Hellman (DDH) problem can be solved by using a certain black box function e (P, Q) called pairing.

  Next, the GDH signature using the pairing operation will be described. A GDH group has been defined in connection with the Diffie-Hellman problem on an elliptic curve. The GDH group will be briefly described. Let G be a set of points on an elliptic curve. When “g” is an element of the set G, the Decision Diffie-Hellman (DDH) problem and the Computational Diffie-Hellman (CDH) problem on the elliptic curve in the set G are defined as follows.

DDH problem: A problem of determining whether c = ab when there are natural numbers a, b, and c and g, ag, bg, and cg are given.
CDH problem: A problem of calculating abg when there is a natural number of a, b, and c, and g, ag, and bg are given.

  At this time, the DDH problem is simple in terms of calculation amount, but if the CDH problem is difficult in terms of calculation amount, this set G is defined as a GDH group.

On the other hand, there are those that can define a black box function e (P, Q) called pairing that can have the following properties depending on P and Q as points on a certain elliptic curve. To do.
e (P, Q ₁ + Q ₂ ) = e (P, Q ₁ ) e (P, Q ₂ ) (1)
e (P ₁ + P ₂ , Q) = e (P ₁ , Q) e (P ₂ , Q) (2)
e (aP, bQ) = e (bP, aQ) = e (abP, Q) = e (P, abQ) = e (P, Q) ^ab (3)

Therefore, when g is a point on an elliptic curve that can be paired, if g, ag, bg, and cg are input to the equation (3) from the above property,
e (ag, bg) = e (g, g) ^ab (4)
e (g, cg) = e (g, g) ^c (5)
Thus, whether or not “ab = c” can be determined depending on whether or not both values match, and g can be an element of the GDH group G.

A GDH signature is constructed using this property. The set G is a GDH group, and g is a point that is an element of the set G. In addition, unlike the method in which the one-way hash function H is mapped and converted into numerical data having an arbitrary bit length size that is normally used, the numerical data having a fixed bit length size,
H: {0,1} ^* → G
It is defined that this is a method in which numerical data of an arbitrary bit length size is mapped and converted to elements of the GDH group G expressed as points on an elliptic curve.

At this time, the GDH signature is defined as follows.
Key generation: A natural number x is selected, and v = xg is calculated from g. Let x be the signature key and point v on the elliptic curve be the verification key.
Signature: The signer calculates h = H (m) for the message “mε {0,1} ^* ”, and further calculates σ = xh using his signature key. Publish σ as a signature for m.
Verification: The verifier calculates h = H (m) from the message m, and prepares g, v, h, and σ. e (g, σ) and e (v, h) are calculated, and if both values match, the signature σ is determined to be a correct signature.

At this time, since the value of h becomes an element of the set G, it can be expressed as h = yg using a certain natural number y. As a result, if the signature is correctly performed, (g, v, h, σ) = (g, xg, yg, xyg). Therefore, if the signature is valid, the pairing operation in the above verification is e (g, σ) = e (g, xyg) = e (g, g) ^xy = e (xg, yg) = e (v , H) and the values match, so that verification is possible. Note that due to the difficulty of the CDH problem that is a condition of the GDH group, it is impossible for a third party who does not know the signature key x to derive the signature σ from the values of g, v, and h.

FIG. 1 is a block diagram showing the configuration of the signature generation apparatus 1 according to this embodiment.
The signature generation device 1 includes a storage unit 11, a reception unit 12, a one-way hash function calculation unit 13, a signature information generation unit 14, and a disclosure unit 15.

The storage unit 11 stores a signature key (x _up ) and a verification key (v _up = x _up g) assigned to the software (m _up ) created by its own node (signer u _up ). To do.

Receiver 12, if its software is signature subject has parts software as a component, one or a plurality of lower nodes and (signer u _low) component software that created the (m _low), these components Software On the other hand, the public signature information (σ _low ) released by the later-described public unit 15 is received. Further, the receiving unit 12 receives the list data indicating the configuration of the tree structure having the component software as the highest node, which is similarly disclosed by the disclosure unit 15.

The one-way hash function calculation unit 13 performs a one-way hash function calculation on each of the component software (m _low ) received by the reception unit 12 and its own software (m _up ) that is a signature target.

The signature information generation unit 14 _adds its signature key (x _up ) to the public signature information (σ _low ) of the component software and the hash value (h _low = H (m _low )) calculated from each of the component software (m _low ). ) To calculate the result (multiply on the elliptic curve) (x _up h _low ) and the hash value (h _up = H (m _up )) calculated from its own software (m _up ) _{(x Stay up-)} by calculation (multiplication on the elliptic curve) the result of the _(x Stay _{up-h Stay up-),} and summing the public signature information for its own software _{(σ up = Σ low (σ} low + x up h low ) + X _up h _up ) (Σ _low indicates the sum of all the nodes immediately below).

Incidentally, the signature information generation section 14, if there is no component software, own software _{(m Stay up-)} calculated from the hash value _{(h Stay up-)} in its own signature key _{(x Stay up-)} computed by (multiplication on the elliptic curve) Only the result of performing (x _up h _up ) is used as public signature information (σ _up = x _up h _up ) for its own software.

The public unit 15 publishes its own software (m _up ), verification key (v _up ), and public signature information (σ _up ) generated by the signature information generation unit 14.

According to such a configuration, the signature generation apparatus 1 generates component software public signature information using component software and component software public signature information at each node. This public signature information expresses a tree structure up to its own node and is generated only by points on the elliptic curve. That is, even if the number of signers (the number of component software) increases, the signature size does not increase and is suppressed to a certain value or less. Also, the signature generation apparatus 1 uses the public signature information (σ _up ) generated for its own software as a software user (verification apparatus 2) or a higher-level component software creator (signature generation apparatus 1). Can be provided.

Further, the disclosure unit 15 further discloses list data (L) indicating the structure of the tree structure having its own software as the highest node and component software as the lower node.
This list data is, for example,
_{L = {(u p, {} u p1, u p2, ···}, ID (m p)),
(U _p1 , {}, ID (m _p1 )),
(U _p2 , {}, ID (m _p2 )), ...}
It is configured like this. Here, the signer u _p generates the public signature information of the component software m _p , and the component software (m _p1 , m _p2 ,...) Constituting the m _p is the signer (u _p1 , u _p2). , ...), public signature information is generated. The ID (m _α ) is an identifier (ID) of the software m _α .

  According to such a configuration, the processing efficiency when generating the public signature information of the component software in the upper node and the verification processing efficiency in the verification device 2 described later are improved.

  Next, the verification device 2 that verifies the public signature information (σ) disclosed by the signature generation device 1 will be described. Note that the verification device 2 may be integrated with the signature generation device 1.

FIG. 2 is a block diagram showing the configuration of the verification apparatus 2 according to this embodiment.
The verification device 2 includes a collection unit 21, a one-way hash function calculation unit 22, and a verification unit 23.

  The collection unit 21 collects the software to be verified and the corresponding verification key, and all the component software and the corresponding verification key that are located in nodes lower than the software. At this time, the collection unit 21 acquires the list data (L) published together with the software to be verified, and in accordance with the configuration of the tree structure indicated by the list data, the component software of each node and the corresponding verification key To collect.

The one-way hash function calculation unit 22 performs a one-way hash function calculation on each software (m _i ) collected by the collection unit 21 (h _i = H (m _i )).

  The verification unit 23 includes verification keys corresponding to the software of all nodes collected by the collection unit 21, hash values calculated from the software of all nodes obtained by the one-way hash function calculation unit 22, and a list. The validity of the public signature information (σ) is verified based on the arrangement of each node (signer) obtained from the data (L) and the information on the correspondence between each signer and the software that signed the signature. .

Specifically, the verification unit 23 _calculates “{Π _i∈all-node (e (v _i , h _i ))} {Π (e (v _up , h _low )” from the verification key and the hash value of each node. ))} ”And the validity of the public signature information (σ) is verified by confirming that the calculation result matches the value of“ e (g, σ) ”. In the expression, the directly connected nodes are represented as “up” (upper node) and “low” (lower node), respectively.

  In this way, the verification device 2 can perform only the numerical calculation on the public signature information disclosed for the component software to be verified without verifying the individual signature information generated for the software of each node. Can be verified. Thereby, the verification apparatus 2 can reduce the memory cost and the processing load, and can efficiently confirm the integrity of the component software configured by the tree structure. Further, since the verification device 2 can also confirm the completeness of each component software that constitutes the component software, it is possible to easily identify a location where falsification or virus contamination has occurred.

  Next, a method for generating software public signature information at each node in the signature generation apparatus 1 and a method for verifying the validity of the public signature information in the verification apparatus 2 will be described.

  As shown in FIG. 3, the signature generation apparatus 1 includes a storage step S1, a reception step S2, a one-way hash function calculation step S3, a signature information generation step S4, and a disclosure step S5. Publish public signature information (σ).

  In the storing step S1, the storage unit 11 acquires and stores a signature key that is secret information and a verification key that is public information corresponding to the software to be signed.

In the reception step S2, when there is a node immediately below (part software of the signer u _low ), the receiving unit 12 generates the disclosure generated for the part software (m _low ) and the part software of the node immediately below. Signature information (σ _low ) is received.

In the one-way hash function calculation step S3, the one-way hash function calculation unit 13 applies the one-way hash function to the component software (m _low ) of the node immediately below and the software (m _up ) of its own node, respectively. Perform the operation.

In the signature information generation step S4, the signature information generation unit 14 determines that the result obtained by multiplying the hash value (h _up ) obtained by calculation from the software of its own node by its signature key (x _up ) and In some cases, the result of multiplying the hash value (h _low ) obtained from the component software of the node immediately below by its own signature key (x _up ) and the public signature information (σ _low) received from the node immediately below ) To generate public signature information (σ _up ) for the software of its own node.

  In the publication step S5, the publication unit 15 publishes the public signature information generated in the signature information generation step S4 and the list data indicating the structure of the tree structure together with the software and the verification key, and the signature generation apparatus 1 of the immediately above node. Alternatively, it can be referred to by the verification device 2.

  As described above, according to the signature generation method according to the signature generation apparatus 1, in each node of the tree structure, the hash value obtained from the component software of the node immediately below, and the hash value obtained from the software of its own node, On the other hand, the calculation is performed with the signature key assigned to the own node, and the public signature information is generated using the public signature information generated for the component software of the node immediately below. This public signature information retains the signature path leading to its own node and is generated only by points on the elliptic curve. That is, even if the number of signers (number of nodes) increases, the signature size does not increase and can be suppressed to a certain value or less.

  Further, as shown in FIG. 4, the verification device 2 verifies the validity of the public signature information (σ) by the collection step S11, the one-way hash function calculation step S12, and the verification step S13.

In the collecting step S11, the collecting unit 21 collects the software (m _i ) of all the nodes for which the signature has been performed, and the verification keys (v _i ) of all the nodes.

  In the one-way hash function calculation step S12, the one-way hash function calculation unit 22 performs a one-way hash function calculation on each of the software collected in the collection step S11.

  In the verification step S13, the verification unit 23 is based on the verification keys of all the nodes collected in the collection step S11, the hash values obtained in the one-way hash function calculation step S12 from the software of all the nodes, and the list data. To verify the validity of the public signature information (σ).

  In this way, in the verification method according to the verification device 2, the public signature information published for the verification target software is not verified without verifying the individual public signature information generated for the software of each node. It can be verified only by numerical operations. Thereby, the verification apparatus 2 can reduce the memory cost and the processing load, and can efficiently confirm the integrity of the component software configured by the tree structure.

[Example]
Here, the operation of the signature generation apparatus 1 of each node in the case where the tree structure is composed of three levels of the triple tree will be specifically described with reference to FIG. The first layer is a root node that is the creator and signer of the final component software. The second layer is an intermediate node that is a creator and a signer of the intermediate component software constituting the final component software. The third layer is a leaf node that is the creator and signer of the part software that constitutes the intermediate component software.

That is, one root node is arranged in the first layer. The second layer, three intermediate node is _arranged, is _{u 3} are arranged from _{u 1} immediately below the _{u root.} Further, the third layer is disposed leaf nodes nine is, _{u 13} from _{u 11} immediately below the _{u 1} are arranged, _{u 23} is arranged from the _{u 21} immediately below the _{u 2,} u directly below the _{u 3 31} to u ₃₃ are arranged.

The certificate authority (CA) assigns a signature key and a verification key to each node in advance as follows. Note that s and t are integer signs such that 1 ≦ s ≦ 3 and 1 ≦ t ≦ 3, respectively.
Layer 1: (signature key, verification key) = ( _xroot , _vroot ) = ( _xroot , _xroot g)
2nd layer: (signature key, verification key) = (x _s , v _s ) = (x _s , x _s g)
3rd layer: (signature key, verification key) = (x _st , v _st ) = (x _st , x _st g)

The nine leaf nodes (signer u _st ) of the third layer obtain the hash value (h _st = H (m _st )) for the component software (m _st ) created by the signature target itself, and the hash value _Is multiplied by its own signature key x _st to generate public signature information (σ _st = x _st h _st ). Further, the leaf node (signer u _st ) publishes the generated public signature information (σ _st ) and the component software (m _st ).

The three intermediate nodes (signer u _s ) in the second layer first obtain a hash value (h _s = H (m _s )) from the intermediate component software (m _s ) created by the user as a signature target.
Next, the intermediate node (signer u _s ) obtains the hash value (h) from the component software (m _s1 , m _s2 , m _s3 ) received from the leaf node (signer u _s1 , u _s2 , u _s3 ) immediately below. _s1 = H (m _s1 ), h _s2 = H (m _s2 ), h _s3 = H (m _s3 )).

Further, the intermediate node (signer u _s ) uses the public signature information (σ _s1 , σ _s2 , σ _s3 ) received from the leaf node immediately below,
σ _s = σ _s1 + x _sh h _s1 + σ _s2 + x _sh h _s2 + σ _s3 + x _sh h _s3
+ X _sh h _s (6)
= X _s1 h _s1 + x _s h _s1 + x _s2 h _s2 + x _s h _s2
+ X _s3 h _s3 + x _s h _s3 + x _s h _s (7)
Calculate Then, the intermediate node (signer u _s ) releases the generated public signature information (σ _s ) and the intermediate component software (m _s ).

The root node (signer u _root ) of the first layer first obtains a hash value (h _root = H (m _root )) from the final component software (m _root ) created by itself as a signature target.
Next, the root node (signer u _root ) obtains a hash value (m ₁ , m ₂ , m ₃ ) from the intermediate component software (m ₁ , m ₂ , m ₃ ) received from the immediately lower intermediate node (signers u ₁ , u ₂ , u ₃ ). h ₁ = H (m ₁ ), h ₂ = H (m ₂ ), h ₃ = H (m ₃ )).

Further, the root node (signer u _root ) uses the public signature information (σ ₁ , σ ₂ , σ ₃ ) received from the immediate intermediate node,
σ = σ ₁ + x _root h ₁ + σ ₂ + x _root h ₂ + σ ₃ + x _root h ₃
+ X _root h _root (8)
_{= X 11 h 11 + x 1} h 11 + x 12 h 12 + x 1 h 12
+ X ₁₃ h ₁₃ + x ₁ h ₁₃ + x ₁ h ₁ + x _root h ₁
+ X ₂₁ h ₂₁ + x ₂ h ₂₁ + x ₂₂ h ₂₂ + x ₂ h ₂₂
+ X ₂₃ h ₂₃ + x ₂ h ₂₃ + x ₂ h ₂ + x _root h ₂
+ X ₃₁ h ₃₁ + x ₃ h ₃₁ + x ₃₂ h ₃₂ + x ₃ h ₃₂
+ X ₃₃ h ₃₃ + x ₃ h ₃₃ + x ₃ h ₃ + x _root h ₃
+ X _root h _root (9)
Calculate Then, the root node (signer u _root ) publishes the generated public signature information (σ) and final component software (m _root ).

  In this way, the signature generation device 1 can express the tree structure by expressing the relationship between two nodes that are continuous (adjacent) on the tree structure by the product of the signature key and the hash value. Even when the number of nodes increases, the public signature information (σ) generated for the signature target component software is released. Since this signature information is a point on an elliptic curve, the size (capacity) of the information does not increase and is suppressed to a certain value or less. Therefore, the signature generation apparatus 1 can generate signature information efficiently.

  The verification device 2 verifies the validity of the public signature information (σ) through the following verification process 1 to verification process 3.

(Verification process 1) The verification device 2 includes software (m _root , m ₁ , m ₂ , m ₃ , m ₁₁ , m ₁₂ , m ₁₃ , m ₂₁ , m ₂₂ ) that all nodes that have signed the signatures. , M ₂₃ , m ₃₁ , m ₃₂ , m ₃₃ ) and hash values (h _root = H (m _root ), h ₁ = H (m ₁ ), h ₂ = H (m ₂ ) , H ₃ = H (m ₃ ), h ₁₁ = H (m ₁₁ ), h ₁₂ = H (m ₁₂ ), h ₁₃ = H (m ₁₃ ), h ₂₁ = H (m ₂₁ ), h ₂₂ = H (M ₂₂ ), h ₂₃ = H (m ₂₃ ), h ₃₁ = H (m ₃₁ ), h ₃₂ = H (m ₃₂ ), h ₃₃ = H (m ₃₃ )).

(Verification Process 2) verification device 2, verification key _(v root of all the nodes were _{signed, v 1, v 2, v} 3, v 11, v 12, v 13, v 21, v 22, v 23 , V ₃₁ , v ₃₂ , v ₃₃ ).

(Verification process 3) The verification apparatus 2 verifies the validity of the publicly available public signature information (σ). Specifically, the verification device 2 uses the hash value obtained in the verification process 1 and the verification keys of all the collected nodes,
e (v ₁₁ , h ₁₁ ) · e (v ₁ , h ₁₁ )
_{· E (v 12, h 12} ) · e (v 1, h 12)
_{· E (v 13, h 13} ) · e (v 1, h 13)
E (v ₁ , h ₁ ) e (v _root , h ₁ )
_{· E (v 21, h 21} ) · e (v 2, h 21)
E (v ₂₂ , h ₂₂ ) e (v ₂ , h ₂₂ )
E (v ₂₃ , h ₂₃ ) e (v ₂ , h ₂₃ )
E (v ₂ , h ₂ ) e (v _root , h ₂ )
_{· E (v 31, h 31} ) · e (v 3, h 31)
E (v ₃₂ , h ₃₂ ) e (v ₃ , h ₃₂ )
E (v ₃₃ , h ₃₃ ) e (v ₃ , h ₃₃ )
E (v ₃ , h ₃ ) e (v _root , h ₃ )
・ E (v _root , h _root ) (10)
And confirm that this value matches the value of e (g, σ). If these values match, the verification device 2 determines that the public signature information (σ) is valid.

Here, when “e (g, σ)” in (Verification process 3) is expanded,
e (g, σ)
= E (g, x ₁₁ h ₁₁ ) · e (g, x ₁ h ₁₁ )
_{· E (g, x 12 h} 12) · e (g, x 1 h 12)
_{· E (g, x 13 h} 13) · e (g, x 1 h 13)
E (g, x ₁ h ₁ ) e (g, x _root h ₁ )
_{· E (g, x 21 h} 21) · e (g, x 2 h 21)
_{· E (g, x 22 h} 22) · e (g, x 2 h 22)
_{· E (g, x 23 h} 23) · e (g, x 2 h 23)
E (g, x ₂ h ₂ ) e (g, x _root h ₂ )
E (g, x ₃₁ h ₃₁ ) e (g, x ₃ h ₃₁ )
E (g, x ₃₂ h ₃₂ ) e (g, x ₃ h ₃₂ )
E (g, x ₃₃ h ₃₃ ) e (g, x ₃ h ₃₃ )
E (g, x ₃ h ₃ ) e (g, x _root h ₃ )
E (g, x _root h _root ) (11)
= E (x ₁₁ g, h ₁₁ ) · e (x ₁ g, h ₁₁ )
_{· E (x 12 g, h} 12) · e (x 1 g, h 12)
E (x ₁₃ g, h ₁₃ ) e (x ₁ g, h ₁₃ )
E (x ₁ g, h ₁ ) e (x _root g, h ₁ )
E (x ₂₁ g, h ₂₁ ) e (x ₂ g, h ₂₁ )
E (x ₂₂ g, h ₂₂ ) e (x ₂ g, h ₂₂ )
E (x ₂₃ g, h ₂₃ ) e (x ₂ g, h ₂₃ )
E (x ₂ g, h ₂ ) e (x _root g, h ₂ )
E (x ₃₁ g, h ₃₁ ) e (x ₃ g, h ₃₁ )
E (x ₃₂ g, h ₃₂ ) e (x ₃ g, h ₃₂ )
E (x ₃₃ g, h ₃₃ ) e (x ₃ g, h ₃₃ )
E (x ₃ g, h ₃ ) e (x _root g, h ₃ )
・ E (x _root g, h _root ) (12)
= E (v ₁₁ , h ₁₁ ) · e (v ₁ , h ₁₁ )
_{· E (v 12, h 12} ) · e (v 1, h 12)
_{· E (v 13, h 13} ) · e (v 1, h 13)
E (v ₁ , h ₁ ) e (v _root , h ₁ )
_{· E (v 21, h 21} ) · e (v 2, h 21)
E (v ₂₂ , h ₂₂ ) e (v ₂ , h ₂₂ )
E (v ₂₃ , h ₂₃ ) e (v ₂ , h ₂₃ )
E (v ₂ , h ₂ ) e (v _root , h ₂ )
_{· E (v 31, h 31} ) · e (v 3, h 31)
E (v ₃₂ , h ₃₂ ) e (v ₃ , h ₃₂ )
E (v ₃₃ , h ₃₃ ) e (v ₃ , h ₃₃ )
E (v ₃ , h ₃ ) e (v _root , h ₃ )
・ E (v _root , h _root ) (13)
Thus, if the signature process is correctly performed, the expression (10) is satisfied. Therefore, it is possible to verify the public signature information from the publicly available verification key of the software creator and the hash values obtained from all the component software, intermediate component software, and final component software.

Here, paying attention to the value of sigma, the signer _{u st} is performed signature processing only _{h st (the} calculation of _x st _{h st),} the other _{h s} and _{h root} performing such signature process Not. Thereby, it is understood that the signer u _st is the first, that is, the signer of the leaf node in the tree structure.

Also, the "x _s h _st" section, since it has been expressed that the this first signer is performing the signature process on h _st signed process is user u _s, the signer it can be seen u _s is the signer of the second (intermediate nodes). Signer _{u s} is doing a signature processing on _{h s (x s h s)} at the same time. Similarly, the section “x _root h _s ” indicates that it is the signer u _root that has signed the h _s , so this signer u _root is the third signature. It can be seen that

Furthermore, since there is no signer who is performing the signature processing for h _root and the signer u _root has converged, it can be seen that this third signer is the root node.

Further, in the equation (11), a third party who does not know the signature key that is the secret information from the CDH problem or the discrete logarithm problem on the elliptic curve can change each term (x _α h _β or x _β h _β ) on the right side. Since it cannot be removed arbitrarily, it is impossible to change the order by a third party. That is, according to the present signature method, the signature order in the tree structure can be expressed by the product of the signature key and the hash value.

  Even if the number of signers (the number of nodes) increases, the public information is only the public signature information (σ). Since this public signature information (σ) is a point on one elliptic curve, the size (capacity) of the information does not increase and is suppressed to a certain value or less.

  Further, the verification device 2 can prove in what order the nodes have been signed by performing verification only by the numerical operation shown in the verification process 3. Therefore, the verification apparatus 2 can reduce the memory cost and the processing load, and can efficiently check the integrity of the component software configured with a tree structure.

Second Embodiment
Hereinafter, a second embodiment which is an example of an embodiment of the present invention will be described. In addition, about the structure similar to 1st Embodiment, the same code | symbol is attached | subjected and description is abbreviate | omitted or simplified.

FIG. 6 is a block diagram showing a configuration of the signature generation device 1a according to the present embodiment.
The signature generation device 1a is different from the first embodiment in the configuration of the reception unit 12a, the one-way hash function calculation unit 13a, and the disclosure unit 15a.

That is, the receiving unit 12a receives the hash value (h _low ) from the node immediately below instead of the software (m _low ) and supplies it to the signature information generating unit 14. This eliminates the need for the one-way hash function calculation unit 13a to perform one-way hash function calculation on the software (m _low ) of the node immediately below.

In addition to the software (m _up ), the verification key (v _up ), the public signature information (σ _up ), and the list data (L _up ), the public unit 15 a has its own signature by the one-way hash function calculation unit 13 a. The hash value calculated from the target software is further disclosed. As a result, the signature generation apparatus 1a or the verification apparatus 2a of the node immediately above uses the public hash value instead of the software itself.

FIG. 7 is a block diagram showing the configuration of the verification apparatus 2a according to this embodiment.
The verification device 2a is different from the first embodiment in the configuration of the collection unit 21a. Furthermore, the verification device 2a does not require the one-way hash function calculation unit 22 in the first embodiment.

That is, the collecting section 21a, supplied from each node, the hash value instead of software _{(m i) (h i)} received by the verification unit 23. This eliminates the need for the verification device 2a to perform a one-way hash function operation on the software ( _mi ) of each node.

According to this embodiment, the processing load of the one-way hash function calculation in the signature generation device 1a and the verification device 2a can be reduced.
Specifically, the processing load of the one-way hash function calculation step S3 in the signature generation device 1 of the first embodiment is reduced, and the one-way hash function calculation step S12 in the verification device 2 becomes unnecessary.

In the signature processing in each node, it is only necessary to receive either software (m _i ) or hash value (h _i ) from the node immediately below, and even if it is not unified in the signature generation device 1a and the verification device 2a. Good.

  As mentioned above, although embodiment of this invention was described, this invention is not restricted to embodiment mentioned above. Further, the effects described in the present embodiment are merely a list of the most preferable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the present embodiment.

In the above-described embodiment, the two arguments that are inputs to the pairing function are expressed as a scalar multiple of the point g on the elliptic curve that can be paired. The second argument may not be common. That is, two points (g ₁ or g ₂ ) on different elliptic curves (G ₁ or G ₂ ) may be given for the first argument and the second argument of the pairing function, respectively.
In this case, g appearing in the first argument of the pairing function in the description of the foregoing embodiments the g _1, g appearing in the second argument is read as g _2. Whether the various public information (verification key, hash value, public signature information) generated using the points on the elliptic curve is input to the first argument or the second argument of the pairing function. Accordingly, _one type is generated using either G ₁ or G ₂ , or two types are generated using both.
As a result, the number of public information, that is, the number of operations may increase, but since the processing can be performed in parallel in the calculation of the pairing function, the calculation time can be expected to be shortened.

  A series of processing by the signature generation apparatus 1 (or 1a) and the verification apparatus 2 (2a) can also be performed by software. When a series of processing is performed by software, a program constituting the software is installed in a general-purpose computer or the like. The program may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network.

1, 1a Signature generation device 2, 2a Verification device 11 Storage unit 12, 12a Reception unit 13, 13a Unidirectional hash function calculation unit (first hash calculation unit)
14 Signature information generation unit 15, 15a Disclosure unit 21, 21a Collection unit 22 One-way hash function calculation unit (second hash calculation unit)
23 Verification Department

Claims (8)

A signature generation device that generates public signature information that guarantees the integrity of software,
Corresponding to the software, a storage unit that stores a private signature key and a public verification key;
A first hash calculation unit for performing a one-way hash function calculation;
A signature information generation unit that generates the public signature information by multiplying the hash value calculated from the software by the first hash calculation unit by the signature key;
The software, the verification key, and a public unit that publishes the public signature information,
The signature information generation section, said the software can Ru already composed of one or more components software is published, the public signature information of the component software, the signature to the hash value calculated from the component software A signature generation device that generates the public signature information by summing a result obtained by multiplying a key and a result obtained by multiplying the hash value calculated from the software by the signature key. The signing key consists of a predetermined natural number,
The signature according to claim 1, wherein the verification key includes a point on the elliptic curve generated based on a point on the elliptic curve that is an element of a GDH (GAP-Diffie-Hellman) group and the signature key. Generator.   The signature generation apparatus according to claim 1 or 2, wherein the disclosure unit further discloses list data indicating a configuration of a tree structure having the software as a highest node and the component software as a lower node.   The signature generation device according to any one of claims 1 to 3, wherein the disclosure unit further discloses the hash value calculated from the software by the first hash calculation unit. A verification device that verifies the public signature information published by the signature generation device according to claim 1,
A collection unit that collects the software or a hash value calculated from the software and a corresponding verification key, and all component software constituting the software or a hash value calculated from the component software and a corresponding verification key; ,
A second hash operation unit that performs a one-way hash function operation on each of the software collected by the collection unit;
A verification apparatus comprising: a verification key corresponding to all software collected by the collection unit; and a verification unit that verifies validity of the public signature information based on hash values calculated from all the software. A verification device that verifies the public signature information published by the signature generation device according to claim 4,
A collection unit that collects the hash values calculated from the software and all component software constituting the software, and a corresponding verification key;
A verification apparatus comprising: a verification key corresponding to all software collected by the collection unit; and a verification unit that verifies validity of the public signature information based on hash values calculated from all the software. A signature generation method in which a computer generates public signature information that guarantees the integrity of software,
A storage step of storing a private signature key and a public verification key in the storage unit of the computer corresponding to the software;
A hash calculation step for causing the computer to function as a first hash calculation unit for performing a one-way hash function calculation;
Said computer for calculating hash values from the software in the hash calculation step, the signature information generation step to function as the signature information generation unit configured to generate the public signature information by multiplying the signature key,
A public step of causing the computer to function as a public unit for publicizing the software, the verification key, and the public signature information,
In the signature information generation step, wherein if the software is the Ru already composed of one or more components software is published, and the component software public signature information, the signature to the hash value which the computed from the component software A signature generation method for generating the public signature information by summing a result obtained by multiplying a key and a result obtained by multiplying a hash value calculated from the software by the signature key. A signature generation program that causes a computer to generate public signature information that guarantees software integrity,
A storage step of storing a private signature key and a public verification key in the storage unit of the computer corresponding to the software;
A hash calculation step for causing the computer to function as a first hash calculation unit for performing a one-way hash function calculation;
Said computer for calculating hash values from the software in the hash calculation step, the signature information generation step to function as the signature information generation unit configured to generate the public signature information by multiplying the signature key,
Causing the computer to function as a public unit that publishes the software, the verification key, and the public signature information, and
In the signature information generation step, wherein if the software is the Ru already composed of one or more components software is published, and the component software public signature information, the signature to the hash value which the computed from the component software A signature generation program for generating the public signature information by summing a result obtained by multiplying the key and a result obtained by multiplying the hash value calculated from the software by the signature key.

Images