JP7301652B2 - Anonymous authentication method, program, and anonymous authentication system - Google Patents

Description

The present invention relates to anonymous authentication technology, and more particularly to anonymous authentication technology using group signatures.

A group signature (for example, attribute-based group signature (ABGS)) is known as a technology that enables anonymous authentication only for users who have a predetermined attribute (for example, see Patent Document 1). there is For example, in attribute-based group signatures (ABGS), a group administrator generates a group public key, a user private key, and a group management private key using public key cryptography. In attribute-based group signature (ABGS), a user secret key is generated for each group user, and the generated user secret key is passed to each group user. Also, in attribute-based group signature (ABGS), an attribute token is generated for specifying the attribute possessed by each group user, and the generated attribute token is passed to each group user.

Then, in attribute-based group signature (ABGS), a policy is set, and only group users who have attributes that satisfy conditions based on the policy can receive predetermined data (for example, an external user requesting a signature (for example, this). (with the name of an external user as "Alice")). In other words, with attribute-based group signatures, if each group user has the attributes required by the policy, the group user can protect the privacy of the group user (data that identifies the group user (e.g., It is possible to sign (authentic signature) to predetermined data (for example, a document of an external user “Alice” who requests a signature) without leaking the group user’s ID, etc.) to the outside. .

However, with attribute-based group signing, each group user has a user private key, so if, for example, a given group user's attributes are changed and their authority to sign is revoked, they will still be able to sign. Is possible.

To address such problems, attribute-based group signatures require a mechanism for efficient revocation processing (attribute revocation processing). VLR (Verifier-local Revocation) technology is available as a technology for performing efficient revocation processing (attribute revocation processing) in attribute-based group signatures. In VLR technology, a revocation list can be used to determine if a signature is authentic. In other words, in the VLR technology, attributes of group users to be revoked are recorded in the revocation list. In the VLR technology, efficient revocation processing (attribute revocation processing) is performed by determining that a signature by a group user having an attribute recorded in the revocation list is invalid. ) can be realized.

In other words, by using attribute-based group signatures and VLR technology, it is possible to realize attribute-based group signatures capable of efficient revocation processing. Non-Patent Document 1 discloses a technique for attribute-based group signatures using such VLRs.

Here, attribute-based group signature (ABGS) using VLR will be described with reference to drawings.

FIG. 6 is a schematic block diagram of an authentication system 900 for performing attribute-based group signatures (ABGS) using VLRs.

As shown in FIG. 6, the authentication system 900 includes a group management device 91, a group user device 92, an authentication device 93, and a data storage section DB9. The group management device 91, the group user device 92, and the authentication device 93 are connected by, for example, a network, and data communication is possible between the devices.

(Processing 1 (key generation processing (KeyGen))):
In process 1, the group management device 91 executes a key generation process for public key cryptography. Specifically, the group management device 91 stores the public key gpk of the group to be the target of the group signature and the private key gsk of each group user belonging to the group (={gsk[0], gsk[1], . . . , gsk[N-1]}) (N: number of group users) and attribute token grt(={grt[0], grt[1], ..., grt[N-1]}) .

For convenience of explanation, the number of group users N=4 will be explained below.

An attribute token grt (={grt[0], grt[1], . Here, for convenience of explanation, it is assumed that the number of attributes is "3", variables indicating the attributes are att ₁ , att ₂ , and att ₃ , and the attributes represent, for example, the following attributes.
Attribute att ₁ : Belonging to company B Attribute att ₂ : Belonging to the manufacturing team Attribute att ₃ : Being a manager User k (k: natural number, 0≦k≦N−1) is an attribute The notation indicating having att _j (j: natural number, 1≦j≦3) is “grt[k].att _j ”. That is, the attribute of each group user can be identified by the attribute token of each group user.

(Processing 2 (policy setting processing)):
In process 2, a policy is set in the authentication system 900 . For example, a policy is set such that a group user with attributes att ₁ , att ₂ , att ₃ can sign. In the following, for convenience of explanation, attributes att ₁ (for example, attribute indicating belonging to Bob's company), attribute att ₂ (for example, attribute indicating belonging to manufacturing team), It is assumed that group users who have the attribute att ₃ (for example, the attribute indicating that they are managers) are set to be able to sign. The policy set in this way is transmitted from the authentication device 93 to the group user device 92, for example.

(Processing 3 (signature processing (Sign))):
In process 3, a predetermined group of users performs a signature process. Here, for convenience of explanation, it is assumed that group user 3 whose group user ID is "3" (d=3) performs signature processing on document M (message M) of Alice (person requiring signature). ,explain. It is also assumed that the user secret keys and attribute tokens of group users (user 0 to user 3) are set as shown in FIG.

From the set policy (policy requirement), the group users with attributes att ₁ , att ₂ , att ₃ can sign document M of Alice. User 3, as can be seen from FIG. 7, has attribute tokens for _{attributes att1 , att2 , att3} Since it does, it can sign (has the authority to sign) Alice's document M.

Then, on the group user device 92 of user 3, as disclosed in Non-Patent Document 1, (1) prove that the group user (here, user 3) has a valid attribute token and (2) data proving that the attribute token possessed by the group user (here, user 3) is not recorded in the revocation list RL. Generate using proof technology.

Then, group user device 92 of user 3 sends signature data Σ (=(M, Π)) including generated zero-knowledge proof Π and message M (signed document) together with message M to authentication device 93 Send to

(Processing 4 (verification processing (Verify)):
In processing 4, the authentication device 93 executes verification processing. Specifically, the authentication device 93 performs zero-knowledge proof processing using the signature data Σ (=(M, Π)) received from the group user terminal, the message M, and the group public key gpk. That is, the authentication device 93 uses zero-knowledge proof technology to (1) check whether the group user (here, user 3) has a valid attribute token, and (2) revocation By referring to the list RL, it is checked whether or not the attribute token possessed by the group user (here, user 3) is recorded in the revocation list RL.

Then, as a result of the above checks, (1) the group user (here, user 3) has a valid attribute token, and (2) the revocation list RL is referred to, and the group user (here, user 3) , user 3) is not recorded in the revocation list RL, the authentication device 93 determines that the signature (group signature) on the message M by the group user (here, user 3) is "valid". In other cases, the authentication device 93 determines that the signature (group signature) on the message M by the group user (here, user 3) is “Invalid” (Valid). Output a verification result indicating that

6 and 7 (Case 1), since the above requirements (1) and (2) are satisfied, the authentication device 93 allows the group user (here, user 3) to sign the message M (group signature). Outputs a verification result indicating that is "Valid".

(Processing 5 (revocation processing (Revoke)):
Next, invalidation processing in the authentication system 900 will be described. For example, a process of revoking signature authority for a group user whose attribute is changed will be described.

Here, for convenience of explanation, when user 3 (d = 3 group users) no longer satisfies the conditions of attribute att ₂ (for example, user 3 moves from the manufacturing team to another team, the policy in the above case A case where the required condition (the condition of having the attributes att ₁ to att ₃ ) is no longer satisfied will be described below.

In this case, as shown in FIG. 8, the group management device 91 performs revocation processing (Revoke). That is, the attribute token grt[3] . Record (add) att ₂ to the revocation list RL.

Then, for example, a case where user 3 performs signature processing in the same manner as described above will be described.

In this case, a signature process similar to the above process 3 is executed, and the signature data Σ(=(M, Π)) generated by the group user device 92 of user 3 and the message M are transferred to the group of user 3. It is transmitted from the user device 92 to the authentication device 93 .

The authentication device 93 executes the verification process in the same manner as the process 4 described above. Specifically, the authentication device 93 performs zero-knowledge proof processing using the signature data Σ (=(M, Π)) received from the group user terminal, the message M, and the group public key gpk. That is, the authentication device 93 uses zero-knowledge proof technology to (1) check whether the group user (here, user 3) has a valid attribute token, and (2) revocation By referring to the list RL, it is checked whether or not the attribute token possessed by the group user (here, user 3) is recorded in the revocation list RL.

Then, as a result of the above check, (1) the group user (here, user 3) has a valid attribute token, and (2) the revocation list RL is referred to, and the group user (here, user 3) has an attribute token (attribute token grt[3].att ₂ of user 3 (a group user of d=3)) is recorded in the revocation list RL.

Then, the authentication device 93 outputs a verification result indicating that the signature (group signature) on the message M by the group user (here, user 3) is "Invalid". That is, as shown in the lower diagram of FIG. 9, in the case of FIG. 8 (this is case 2), the user 3 uses the attribute token grt[3].att ₁ , the attribute token grt[3].att ₂ , the attribute Since we have the token grt[3] _.att3 , we can sign the message M, but since the attribute token grt[3] _.att2 is recorded in the revocation list RL, the user As a result of verification, the signature generated by the signature processing by 3 is judged to be "invalid".

As described above, the authentication system 900 simply records (adds) the attribute token to be revoked to the revocation list RL, and outputs a verification result indicating that the signature of the group user whose signature authority has been revoked is invalid. be able to. Therefore, in the authentication system 900, while ensuring the privacy of each group user (while ensuring the confidentiality of information identifying each group user), revocation processing (revocation) accompanying changes in group user attributes can be performed appropriately and can be done efficiently.

JP 2011-114504 A

Y. Zhang, Y. Gan, Y. Yin, and H. Jia, Attribute-Based VLR Group Signature Scheme from Lattices: 18th International Conference, ICA3PP 2018, Guangzhou, China, November 15-17, 2018, Proceedings, Part IV, 11 2018, pp. 600-610.

However, with the above technology, if an attribute token is not encrypted and a malicious third party acquires the attribute token, the malicious third party will illegally rewrite the revocation list RL, resulting in the following: User anonymity and attribute anonymity may be compromised.

For example, in the technique of Non-Patent Document 1, as described in Non-Patent Document 1, a user secret key is generated by lattice cryptography as follows.
gsk[d]={e _i,1 ,e _i,2 } _{iε{1,2, . . . , u}}
u: number of attributes In the above description, e _i,1 and e _i,2 are data constituting a secret key obtained by lattice-based cryptography.

Then, in the technique of Non-Patent Document 1, the attribute token grt is
grt[d]={u′ _d }
u′ _d =(u′ _d,i ) _{iε{1,2, . . . , u}} =(A·e _i,1 mod q) _{iε{1,2, . . . , u}}
A∈Z ^n×m _q
Generated by

In other words, in the technique of Non-Patent Document 1, when the user secret key gsk[d] is leaked, ei _,1 can be obtained from the user secret key gsk[d], and from ei _,1 , the above calculation is performed. By doing so, the attribute token grt can be obtained.

That is, the technique of Non-Patent Document 1 is based on the premise that the user secret key is not leaked. Using grt, the revocation list RL may be tampered with, resulting in loss of user anonymity and attribute anonymity.

Therefore, in view of the above-mentioned problems, the present invention solves the problem that even if the user private key is leaked, the attribute token grt is illegally obtained, the revocation list RL is illegally rewritten, and as a result, the user's anonymity and attributes are compromised. It is an object of the present invention to realize an anonymous authentication method and an anonymous authentication system that do not impair anonymity, that is, an anonymous authentication method and an anonymous authentication system that achieve full anonymity.

In order to solve the above problems, the first invention is an anonymous authentication method for performing attribute-based group signature with revocation function for a group including a plurality of group users, comprising a setup step and a key generation step , a signature step, a verification step, and a revocation step.

The setup step consists of (1) identifying the group users to be included in the group and the maximum number of group users to be included in the group, (2) defining a universal set of attributes, and (3) key generation and signature processes. , and the parameters used in the verification process.

The key generation step uses public key cryptography to (1) generate a group public key and a group management secret key, (2) generate a user secret key for all attributes of one group user, perform the first step of assigning bogus data for attributes in a universal set of attributes not owned by the group user, and (3) generating tokens for attributes owned and not owned by the group user; (4) for all group users included in the group, by repeatedly performing the first step and the second step for all group users included in the group; Generate a user private key and an attribute token separately.

The signing step uses the group public key, the assigned user private key, and the attribute token to sign data for the message to be signed, if the conditions for permitting the signing authority set by the policy are satisfied. by (1) encrypting the attribute token; (2) verifying the validity of the group user, that the revocation list does not contain the attribute token, and that the attribute token has not been modified since it was generated; (3) generate signature data including the message to be signed, an encrypted attribute token, and the zero-knowledge proof;

In the verification step, for the signature data, a condition specifying the signing authority set in the policy, a group public key, and a revocation list containing data specifying revoked attributes for a given group user. , zero-knowledge proof, and the verification process is performed on the signature data to determine whether the signature applied to the message is valid.

The revocation step revokes the no longer owned attributes of the group user by adding the no longer owned attributes of the group user to a revocation list, if any attributes are no longer owned by the group user.

This anonymous authentication method uses an encrypted attribute token (for example, an attribute token sampled by a lattice cryptography algorithm) obtained by performing encryption processing by public key cryptography (for example, lattice cryptography) on the attribute token. Therefore, even if the user private key is leaked, the risk of the attribute token being illegally acquired and the revocation list being illegally rewritten can be eliminated. In this anonymous authentication method, data (encrypted data) obtained by encrypting an attribute token by public key cryptography (for example, lattice cryptography) is included in the signature data, and verification processing is performed on the signature data. Therefore, verification processing with high security strength can be executed.

That is, in this anonymous authentication method, (1) user anonymity can be completely realized, and (2) attribute anonymity can be completely realized. That is, in this anonymous authentication method, (1) full anonymity for user anonymity and (2) full anonymity for attribute anonymity ) can be realized.

Therefore, with this anonymous authentication method, even if the user private key is leaked, the attribute token is illegally obtained, and the revocation list is illegally rewritten, the anonymity of the user and the anonymity of the attribute will be compromised. It is possible to realize a system with high security strength (a system that executes attribute-based group signatures that can be dynamically revoked).

The second invention is the first invention, wherein the public key cryptosystem is lattice cryptography.

A group public key is a matrix for defining a lattice of lattice cryptography, and is generated from an n×m matrix whose elements are integers defined by a remainder system modulo a prime number q, and a set of attribute data. data to be used.

This makes it possible to implement an anonymous authentication method using lattice cryptography.

A third invention is a program for causing a computer to execute the anonymous authentication method of the first or second invention.

Accordingly, it is possible to realize a program for causing a computer to execute the anonymous authentication method having the same effect as the first or second invention.

A fourth invention is an anonymous authentication system for performing an attribute-based group signature with a revocation function for a group including a plurality of group users, comprising: a group management device; a group user device; an authentication device; a network;

A network is connected to the group management device, the group user device, and the authentication device.

The group management device (1) identifies the group users included in the group and the maximum number of group users included in the group, (2) defines a universal set of attributes, and (3) processes key generation and signing. a set-up step defining parameters to be used in the processing and verification process;
By public key cryptography, (1) group public key and group management secret key are generated, (2) user secret key is generated for all attributes of one group user, and owned by the group user. performing a first step of assigning bogus data for attributes contained in a universal set of attributes not owned by the group user; and (3) generating tokens for attributes owned and not owned by the group user. and (4) repeatedly executing the first step and the second step for all group users included in the group to obtain user secret keys and attribute tokens for all group users included in the group. a separately generated key generation step;
to run.

If the group user device satisfies the conditions for permitting the signing authority set by the policy, the group user device uses the group public key, the assigned user private key, and the attribute token to sign the message to be signed. generating signature data comprising: (1) encrypting the attribute token; (2) verifying the validity of a group user, the revocation list not including the attribute token, and the attribute token being generated; and (3) performing a signing step of generating signature data including the message to be signed, an encrypted attribute token, and said zero-knowledge proof. .

For the signature data, the authentication device stores the conditions specifying the signature authority set in the policy, the group public key, and the revocation list in which the data specifying the revoked attributes of the specified group user are recorded. , a zero-knowledge proof, and a verification step of determining whether or not the signature applied to the message is valid by performing verification processing on the signature data.

In addition, if there is an attribute that the group user no longer owns, the group management device adds the attribute that the group user no longer owns to the revocation list so that the group user no longer owns the attribute. Execute the revocation step to revoke the attribute.

Thereby, an anonymous authentication system having the same effect as the first invention can be realized.

According to the present invention, even if the user private key is leaked, the attribute token grt is illegally obtained, and the revocation list RL is illegally rewritten, user anonymity and attribute anonymity are compromised. It is possible to realize an anonymous authentication method, an anonymous authentication system that has no possibility, that is, an anonymous authentication method, an anonymous authentication system that achieves full anonymity.

1 is a schematic configuration diagram of an anonymous authentication system 1000 according to the first embodiment; FIG. 4 is a flowchart of setup processing executed in the anonymous authentication system 1000; 4 is a flowchart of key generation processing executed in the anonymous authentication system 1000; 4 is a flowchart of signature processing executed in the anonymous authentication system 1000; 4 is a flowchart of verification processing executed by the anonymous authentication system 1000; Schematic configuration diagram of an authentication system 900 for performing attribute-based group signature (ABGS) using VLR (case 1). FIG. 10 is a diagram showing group user secret keys, a list of attributes, and a revocation list RL set for each attribute (case 1); Schematic configuration diagram of an authentication system 900 for performing attribute-based group signature (ABGS) using VLR (case 2). FIG. 10 is a diagram showing a group user's secret key, a list of attributes, and a revocation list RL set for each attribute (cases 1 and 2); FIG. 4 is a diagram showing a CPU bus configuration;

[First embodiment]
A first embodiment will be described below with reference to the drawings.

<1.1: Configuration of authentication system>
FIG. 1 is a schematic configuration diagram of an anonymous authentication system 1000 according to the first embodiment.

The anonymous authentication system 1000 includes, as shown in FIG. 1, a group management device 1, a group user device 2, an authentication device 3, and a data storage section DB1. The group management device 1, the group user device 2, and the authentication device 3 are connected by, for example, a network, and data communication is possible between the devices.

The group management device 1 is a device implemented using a computer or a server, and executes key generation processing, revocation processing, and the like by public key cryptography. The group management device 1 is also connected to the data storage unit DB1, and can read/write data from/to the data storage unit DB1. The group management device 1 stores and retains data such as group user IDs, attributes to be set by the policy, attribute tokens, etc., in the data storage unit DB1, and reads out the data at desired timing.

Also, the group management device 1 outputs (transmits) the revocation list RL acquired by the revocation process to the authentication device 3 .

The data storage unit DB1 is a data storage device and is connected to the group management device 1. FIG. The data storage unit DB1 performs read/write processing of predetermined data according to commands from the group management device 1 .

The group user device 2 is a device implemented using a computer or a server, holds data such as a user secret key and attribute token assigned to each group user, and uses the user secret key and attribute token. to perform signature processing, etc. The group user device 2 may be provided individually for each group user ((the number of group user devices 2) may be equal to (the number of group users)), or a plurality of group users may be provided. (The number of group user devices 2 may be less than the number of group users).

The authentication device 3 is a device implemented using a computer or a server, and includes a group public key gpk, a signature generated by the group management device 1, a message to be signed, and managed by the group management device 1. Verification processing is executed using the revocation list RL or the like.

<1.2: Operation of Anonymous Authentication System>
The operation of the anonymous authentication system 1000 configured as above will be described below.

FIG. 2 is a flow chart of setup processing executed in the anonymous authentication system 1000. As shown in FIG.

FIG. 3 is a flowchart of key generation processing executed in the anonymous authentication system 1000. FIG.

FIG. 4 is a flow chart of signature processing executed in anonymous authentication system 1000 .

FIG. 5 is a flowchart of verification processing executed by the anonymous authentication system 1000. FIG.

Below, the operation of the anonymous authentication system 1000 is divided into (1) setup processing, (2) key generation processing, (3) signature processing, (4) verification processing, and (5) revocation processing. Description will be made with reference to flowcharts.

(1.2.1: Setup processing)
First, the setup process (Setup(1 ^λ )) will be described.

(Steps S101-S102):
In step S101, the group management device 1 sets a security parameter λ.

Then, as disclosed in Non-Patent Document 1, the group management device 1 sets each parameter based on the security parameter λ so that processing can be performed in polynomial time as follows ( step S102).
N = 2 ^L = poly(λ)
n = poly (λ)
m=ceil(2n*log(q))
q=O( ^Ln2 )
σ = ω (log(m))
β=O(sqrt(Ln))
ceil(x): ceiling function (function to obtain the minimum integer greater than or equal to x)
sqrt(x): Function for obtaining the square root of x Note that O() and ω() are Landau symbols.

また、グループ管理装置１は、ハッシュ関数Ｈを以下のように設定する。
ハッシュ関数Ｈ：｛０，１｝^＊→｛１，２，３｝^ｔ
ｔ＝ω（ｌｏｇ（ｎ））
（ステップＳ１０４）：
ステップＳ１０４において、グループ管理装置１は、上記により取得したデータから公開パラメータＰＰ＝（ｐａｒａ，Ａｔｔ，ａｔｔＬ，Ｈ）（ｐａｒａ：ステップＳ１０２で取得したパラメータを含むデータ）を取得し、取得した公開パラメータＰＰを出力する。 (Step S103):
In step S103, the group management device 1 defines (regulates) the attribute set Att as follows.

Also, the group management device 1 sets the hash function H as follows.
Hash function H: {0,1} ^* →{1,2,3} ^t
t = ω(log(n))
(Step S104):
In step S104, the group management device 1 acquires the public parameter PP=(para, Att, attL, H) (para: data including the parameter acquired in step S102) from the data acquired above, and Output PP.

(1.2.2: Key generation processing)
Next, key generation processing (KeyGen (PP, N)) will be described.

(Step S201):
In step S201, the group management device 1 inputs the public parameter PP (=(para, Att, attL, H)) acquired in the setup process and the maximum number of group users N= ^2L .

（ステップＳ２０２～Ｓ２１３）：
ステップＳ２０２～Ｓ２１３において、グループ管理装置１は、グループユーザー用秘密鍵ｇｓｋ［ｄ］と、暗号化属性トークンｇｒｔ［ｄ］とを取得する。 Then, the group management device 1, for example, similarly to the method disclosed in the following prior art document (prior art document A), verifies keys (verification matrices) A, A ₀ , A for modified Boyen's signature scheme. A ₁ , . . . , A _L εZ ^n×m _q (where Z is the set of all integers) and a trapped door T ^A εZ ^n×m _q .
(Prior art document A):
D. Micciancio and C. Peikert, “Trapdoors for lattices: Simpler, tighter, faster, smaller.” in EUROCRYPT 2012, LNCS, vol. 7237. Springer Berlin Heidelberg, 2012, pp. 700-718.
Then, the group management device 1 sets the group public key gpk and the group management secret key gmsk as follows.
gpk=(A, _A0 , _A1 ,..., _{AL, u1} , _u2 ,..., _uu )
gmsk = T _A
It _should ^be noted _that the anonymous authentication system 1000 is premised on the use of lattice cryptography ^. is defined as

(Steps S202-S213):
In steps S202 to S213, the group management device 1 acquires the group user secret key gsk[d] and the encrypted attribute token grt[d].

Let dε{0, 1, . . . , N−1}. For a group user whose group user ID (index) is d,
d[i]. . . d[L]⊆{0,1} ^L
Let denote the binary representation form of d, and
S _d ={u _a1 , u _a2 , . . . , u _as }⊆Att(|S _d |=s)
Let be the set of attributes of d.

Then, the group management device 1 executes the following process for each group user's d (the initial value of d is "0"; step S202).

（ｂ）
グループ管理装置１は、上記で取得した検証キーＡ_ｄを用いて、データｚ_ｄ，ａｊを、下記を満たすようにサンプル取得する。

つまり、ＩＤがｄであるグループユーザーが属性ｕ_ｊを有している場合（ステップＳ２０６で「Ｙｅｓ」の場合）、グループ管理装置１は、上記処理を行う。 (a)
The group management device 1 uses a verification key (verification matrix) A for a group user (ID=d)._dis obtained by processing corresponding to the following.

(b)
The group management device 1 uses the verification key A obtained above._dusing the data z_{d, aj}is sampled so as to satisfy the following.

In other words, the group user whose ID is d has attribute u_j(Yes in step S206), the group management device 1 performs the above process.

(c)
On the other hand, if the group user whose ID is d does not have the attribute _uj ("No" in step S206), the group management device 1 performs the following processing.

（先行技術文献Ｂ）：
R. El Bansarkhani and A. El Kaafarani, “Post-quantum attribute-based signatures from lattice assumptions.” IACR Cryptology ePrint Archive, vol. 2016, p. 823, 2016.
（ｄ）
次に、グループ管理装置１は、下記数式に相当する処理を実行して、データＡ’_ｄを取得する。

すなわち、グループ管理装置１は、上記のＡ_ｄを取得する数式において、ＡおよびＡ_０をゼロ行列に置換することで、データＡ’_ｄを取得する。 That is, the group management device 1 obtains samples of fake credentials fd _{and fj} for attributes us other than the above (process (b)) so as to satisfy the following (see prior art document B below: reference).

(Prior art document B):
R. El Bansarkhani and A. El Kaafarani, “Post-quantum attribute-based signatures from lattice assumptions.” IACR Cryptology ePrint Archive, vol. 2016, p. 823, 2016.
(d)
Next, the group management device 1 acquires data _A'd by executing processing corresponding to the following formula.

That is, the group management device 1 acquires the data _A'd by replacing A and _A0 with zero matrices in the above formula for acquiring _Ad .

（ｆ）
次に、グループ管理装置１は、上記処理で取得したｖ_ｄｊを用いて、ｄのグループユーザーの全ての属性（正規の属性データｚ_ｄ，ａｊ、および、偽の属性データｆ_ｄ，ｆｊ）について、格子暗号サンプル処理ＳａｍｐｌｅＤ（Ｔ_Ａ，Ａ，ｕ_ｊ－ｖ_ｄｊ，σ）を実行して、データｔ_ｄｊを取得する。 (e)
Next, the group management device 1 uses A′ _d acquired in the above process to determine all the attributes of the group users of d (regular attribute data z _d,aj and fake attribute data f _d,fj ). , a process corresponding to the following formula is executed to obtain data _{v_dj} .

(f)
Next, the group management device 1 uses v _dj acquired in the above process to determine all attributes of group users of d (regular attribute data z _d,aj and fake attribute data f _d,fj ). , perform the lattice cryptographic sample processing SampleD(T _A , A, u _j −v _dj , σ) to obtain the data t _dj .

（ｇ）
そして、グループ管理装置１は、ＩＤがｄであるグループユーザーの秘密鍵であるグループユーザー用秘密鍵ｇｓｋ［ｄ］と、暗号化属性トークンｇｒｔ［ｄ］とを、以下の通り、取得する。

上記のようにして、グループ管理装置１は、ＩＤがｄであるグループユーザーについて、（１）グループユーザー用秘密鍵ｇｓｋ［ｄ］、および、（２）暗号化属性トークンｇｒｔ［ｄ］を取得する（ステップＳ２０５～Ｓ２１１）。 Note that the lattice cryptographic sample processing SampleD(T _A , A, u _j −v _dj , σ) is a matrix A defining a lattice and a vector u _j −v in image A (a lattice defined by matrix A). _dj , trap door _TA , and standard deviation σ=sqrt(n×log(q)×log(n)) are input, and data x (x∈Z ^m ) that satisfies the following formula is converted to discrete Obtained (output) by sampling from Gaussian distribution.

(g)
Then, the group management device 1 acquires the group user secret key gsk[d], which is the secret key of the group user whose ID is d, and the encrypted attribute token grt[d], as follows.

As described above, the group management device 1 acquires (1) the group user secret key gsk[d] and (2) the encrypted attribute token grt[d] for the group user whose ID is d. (Steps S205 to S211).

Then, the group management device 1 executes the above processing for all group users (by repeatedly executing the processing of steps S205 to S211 from d=0 to d=N−1), thereby all group users Acquire (1) group user secret key gsk[d] and (2) encrypted attribute token grt[d] for the user (steps S203 to S213).

Then, the group management device 1 processes the key acquired by the above process as follows.
(1) The group management device 1 secretly holds the group management secret key gmsk= _TA .
(2) The group management device 1 secretly delivers the group user secret key gsk[d] and the encrypted attribute token grt[d] to the group user whose ID is d (for example, the group user device 2 secretly (so as not to leak to others)).
(3) Group management device 1 transmits group public key gpk to authentication device 3 .

(1.2.3: signature processing)
Next, signature processing (Sign(PP, Γ, gpk, gsk[d], grt[d], S _d , M)) will be described.

(Step S301):
In step S301, a group user who intends to sign acquires a policy (policy for determining requirements for attributes) and a message M (data to be signed) by, for example, the group user device 2. . Then, the group user device 2 checks whether or not there is an authority to sign the message M. check processing (attribute check processing) to determine whether or not the required conditions for the attributes (attributes that must be possessed in order to sign) are satisfied.

(Step S302):
In step S302, as a result of the attribute check process, it is determined whether or not the group user (ID=d) who is about to sign can use the requested attribute (has the requested attribute). is executed. As a result of the determination process, if it is determined that the group user (ID=d) who is about to sign does not have the requested attribute ("No" in step S302), the signature process is terminated. Let On the other hand, if it is determined that the group user (ID=d) who is about to sign has the requested attribute ("Yes" in step S302), the process proceeds to step S303.

(Step S303):
In step S303, the group user device 2 executes encryption processing of the attribute token and acquires encrypted data b. This process will be specifically described below. For convenience of explanation, it is assumed that a group user with ID=d (hereinafter referred to as “group user d”) is about to sign message M.

The group user device 2 acquires the set of attributes S _d ⊆ Att of the group user d, and the attribute requirements set by the policy (conditions specifying the attributes that must be possessed in order to sign). Obtain threshold predicate Γ=(t, S={u ₁ , u ₂ , . . . , _up }⊆Att) for specifying . Note that 1≤t≤|S|=p.

Then, a set Sm representing attributes owned by the group user d and matching attributes of the set S is set _Sm . in short,
S _m ⊆ (S ∩ S _d ) ⊆ Att, |S _m |=t
is.

In addition, group user d has fake credentials for the attributes that are the sources of set S \ S _m excluding the elements (sources) of set _S from the elements (sources) of set S. It is assumed that there is

Then, the group user device 2 executes the following processing for all attributes where iεp.

The group user device 2 is
ρ _i ← {0, 1} ⁿ
Set ρ _i to data randomly sampled from {0,1} ⁿ .

なお、Ａ・ｔ_ｄｉは、グループユーザーｄのｉ番目の属性の暗号化属性トークンｇｒｔ［ｄ］．ａｔｔ_ｉ（＝Ａ・ｔ_ｄｉ）である。 Then, the group user device 2 acquires the encrypted data _bi by the following processing.

Note that A·t _di is the encrypted attribute token grt[d] . att _i (=A·t _di ).

The group user device 2 obtains the encrypted data b by performing the above processing for all attributes where iεp.

(Step S304):
Next, the group user device 2 performs a process of generating a zero-knowledge proof Π (zero-knowledge proof data Π).

That is, the group user device 2 is such that the group user d (certifier) has (1) at least t attributes (S _m ⊆ (S ∩ S _d ) ⊆ Att, |S _m |=t). and (2) generate a zero-knowledge proof Π to prove that the signing authority has not been revoked.

In addition, the above (1) and (2) are the processing by the protocol specified by the enhanced zero-knowledge argument of knowledge proof (for example, refer to the following prior art documents C and D), Public data (=(A, A ₀ , A ₁ ,..., A _L, u ₁ , u ₂ ,..., _up , B ₁ , B ₂ ,..., B _p , b ₁ , b _{. _ _ _ _ _ _ _} = ω(log(n)) times can be proven (zero knowledge can be proven).

Then, by executing the above process using the Fiat-Shamir heuristic method, a zero-knowledge proof Π=({CMT ^(k) } ^tk ₌₁ ,CH,{RSP ^(k) } ^tk ₌₁ } is acquired.

In addition, the challenge CH is
CH=({Ch ^(k) } ^tk ₌₁ )=H(M,A,{ _Ai } ^Li ₌₀ ,{ _ui } ^pi ₌₁ ,{Bi _} ^pi ₌₁ ,{b _i } ^p _{i = 1} , {CMT ^(k) } ^t _{k = 1} )
is. Note that H( ) is a hash function.

The above zero-knowledge proof protocol processing is executed with the group user device 2 (group user d) as the prover and the authentication device 3 as the verifier.

The zero-knowledge proof Π obtained by the above process includes the following proof (proof data).
(1) proof that group user d possesses a valid attribute (2) proof that the attribute token is valid (3) proof that the attribute token is not recorded in the revocation list RL (prior art Document C):
R. El Bansarkhani and A. El Kaafarani, “Post-quantum attribute-based signatures from lattice assumptions.” IACR Cryptology ePrint Archive, vol. 2016, p. 823, 2016.
(Prior art document D):
S. Ling, K. Nguyen, and H. Wang, “Group signatures from lattices: simpler, tighter, shorter, ring-based,” in PKC 2015, LNCS, vol. 9020. Springer Berlin Heidelberg, 2015, pp. 427- 449.
(Step S305):
Group user device 2 uses zero-knowledge proof Π generated by the above process to generate signature Σ=(M, {ρ _i } ^pi ₌₁ , {b _i } ^pi ₌₁ , Π), The generated signature Σ (signature data) is output together with the message M to the authentication device 3 .

(1.2.4: Verification processing)
Next, verification processing (Verify (PP, Γ, gpk, RL, M, Σ)) will be described.

(Step S401):
In step S401, the authentication device 3 acquires a policy (policy for determining requirements for attributes). Then, the authentication device 3 obtains threshold predicate data (threshold predicate) Γ=(t, Get S={u ₁ ,u ₂ ,..., _up }⊆Att).

Further, the authentication device 3 receives the message M (data to be signed) and the signature Σ(=(M, {ρ _i } ^p _{i =1} , {b _i } ^p _{i =1)} transmitted from the group user device 2 , Π)).

In addition, the group management device 1 transmits the revocation list RL acquired by the revocation process (the revocation list RL managed by the group management device 1) to the authentication device 3.

The authentication device 3 receives the revocation list RL transmitted from the group management device 1 .

なお、ａ＜ｕ（＝｜Ａｔｔ｜）である。 Assume that the authentication device 3 acquires the revocation list RL as the following data.

Note that a<u (=|Att|).

Also, the authentication device 3 receives the group public key gpk generated by the group management device 1 and generates the group public key gpk (=(A, A ₀ , A ₁ , . . . , _AL, u ₁ , u ₂ , . . . , u _u )) are stored.

Also, the authentication device 3 acquires the public parameter PP (=(para, Att, attL, H)).

(Steps S402, S403):
In step S402, the authentication device 3 executes a check process of the zero-knowledge proof Π.

First, the authentication device 3 analyzes the acquired signature Σ (=(M, {ρ _i } ^pi ₌₁ , {b _i } ^pi ₌₁ , Π)), and extracts each data included in the signature Σ. get.

そして、認証装置３は、ゼロ知識証明Πを用いて、以下の検証処理を実行する。
（検証処理１）：
Π＝（｛ＣＭＴ^（ｋ）｝^ｔ _ｋ＝１，｛Ｃｈ^（ｋ）｝^ｔ _ｋ＝１，｛ＲＳＰ^（ｋ）｝^ｔ _ｋ＝１｝
認証装置３は、ｔ個のチェレンジ｛Ｃｈ^（ｋ）｝^ｔ _ｋ＝１に、１つでも、ハッシュ関数Ｈにより取得された値（すなわち、Ｈ（Ｍ，Ａ，｛Ａ_ｉ｝^Ｌ _ｉ＝０，｛ｕ_ｉ｝^ｐ _ｉ＝１，｛Ｂ_ｉ｝^ｐ _ｉ＝１，｛ｂ_ｉ｝^ｐ _ｉ＝１，｛ＣＭＴ^（ｋ）｝^ｔ _ｋ＝１）の値）が一致しないものがある場合、検証処理（検証処理１）の結果（戻り値）を「０」にする。
（検証処理２）：
認証装置３は、ｉ＝０からｔにおいて、後述のゼロ知識証明プロトコルによる処理を実行し、公開データ（＝（Ａ，Ａ_０，Ａ_１，．．．，Ａ_Ｌ，ｕ_１，ｕ_２，．．．，ｕ_ｐ，Ｂ_１，Ｂ_２，．．．，Ｂ_ｐ，ｂ_１，ｂ_２，．．．，ｂ_ｐ）を入力としたときに、コミットメントＣＭＴ_ｉ、および、チャレンジＣｈ_ｉに対するレスポンスＲＥＳ_ｉの有効性をチェックし、後述のゼロ知識証明プロトコルで規定した条件の１つでも満たさないものが存在する場合、検証処理（検証処理２）の結果（戻り値）を「０」にする。 Next, the authentication device 3 uses A, u _i , M, and ρ _i to perform processing by the function G (the function G shown in the above (Formula 10)). That is, the authentication device 3 acquires the data _Bi by executing the process corresponding to the following formula.

Then, the authentication device 3 uses the zero-knowledge proof Π to execute the following verification process.
(Verification process 1):
Π=({CMT ^(k) } ^tk ₌₁ ,{Ch ^(k) } ^tk ₌₁ ,{RSP ^(k) } ^tk ₌₁ }
^The authentication device 3 assigns even _one value obtained by the ^hash function H (that is, H(M, A, {A _i } ^L _i=0 , {u _i } ^pi ₌₁ , {B _i } ^pi ₌₁ , {b _i } ^pi ₌₁ , {CMT ^(k) } ^t _k=1 ) values) do not match, The result (return value) of the verification process (verification process 1) is set to "0".
(Verification process 2):
The authentication device 3 executes processing according to the zero-knowledge proof protocol described later from i=0 to t, and obtains public data (=(A, A ₀ , A ₁ , . . . , A _L, u ₁ , u ₂ , , up _, B _{1 , B 2 ,..., B p , b 1 , b 2 ,} . The validity of the response RES _i is checked, and if even one of the conditions specified in the zero-knowledge proof protocol described later is not met, the result (return value) of the verification process (verification process 2) is set to "0". do.

In step S403, the authentication device 3
(1) The result (return value) of verification processing 1 is not "0", and
(2) the result (return value) of verification process 2 is not "0";
If so, the zero-knowledge proof Π is determined to be valid (“Yes” in step S403), and the process proceeds to step S404.

On the other hand, in cases other than the above, the zero-knowledge proof Π is determined to be invalid ("No" in step S403), and the process proceeds to step S407.

(Steps S404, S405):
In step S404, the authentication device 3 checks the attribute token.

そして、上記処理の結果、下記数式を満たすｅ’_ｉが存在する場合、認証装置３は、ｕ_ｉに相当する属性データが失効リストＲＬに含まれていると判定する。すなわち、この場合、認証装置３は、属性トークンに対応する属性が失効リストＲＬに含まれていると判定する。

ステップＳ４０５において、認証装置３は、上記の判定結果に基づいて、属性トークンが失効リストＲＬに含まれていると判定した場合（ステップＳ４０５において「Ｙｅｓ」の場合）、処理をステップＳ４０７に進める。 Specifically, the authentication device 3 executes processing corresponding to the following formula for each attribute data u _a =(u _a1 , . . . , u _au )εRL, a<N.

As a result of the above process, if e' _i satisfying the following formula exists, the authentication device 3 determines that the revocation list RL includes attribute data corresponding to u _i . That is, in this case, the authentication device 3 determines that the revocation list RL includes the attribute corresponding to the attribute token.

If the authentication device 3 determines in step S405 that the attribute token is included in the revocation list RL based on the above determination result ("Yes" in step S405), the process proceeds to step S407.

On the other hand, when the authentication device 3 determines that the attribute token is not included in the revocation list RL (“No” in step S405), the process proceeds to step S406.

(Step S406):
In step S406, the authentication device 3 outputs verification result data indicating that the signature Σ is valid (“Valid”).

(Step S407):
In step S407, the authentication device 3 outputs verification result data indicating that the signature Σ is invalid (“Invalid”).

(1.2.5: Revocation processing)
Next, revocation processing (Revoke (PP, gpk, gmsk, RL, d, S _r )) will be described.

なお、ｒ＜ｕ（＝｜Ａｔｔ｜）である。 The group management device 1 uses the revocation attribute set Sr (the revocation attribute set _Sr represented by the following formula) of the group user d (valid group user) with signing authority and the revocation list RL to perform the following: Revocation processing is performed by performing processing.

Note that r<u(=|Att|).

If u ^t _dj does not exist in the revocation list RL and u ^t _dj is included in the revocation attribute set S _r of group user d, the group management device 1 Add an attribute u ^t _dj to the revocation list RL.

This adds the attribute u ^t _dj to be revoked to the revocation list RL.

Then, the group management device 1 stores and holds the revocation list generated (updated) as described above, and outputs it to the authentication device 3 .

≪Zero-knowledge proof≫
Next, the details of the zero-knowledge proof processing method will be described below.

Attributes S _d ={u ₁ ,u ₂ , . . . u _a }, and from the policy, the threshold predicate data (threshold predicate) Γ for specifying the attribute requirements (conditions specifying the attributes that must be possessed in order to sign) is as follows: Suppose it is a thing.
Γ={t out of S⊆Att, t∈N(S=u ₁ , u ₂ , . . . , _up )}
It is also assumed that S _m =S∩S _d , S _r =S\S _m , |S _m |=t, |S|=pt.

なお、ｌ（小文字のエル）＝Ｌである（以下、同様）。
（２）ベクトルのセット：｛ｕ_ｉ｝^ｐ _ｉ＝１
（３）閾値述語データΓ＝（ｔ，Ｓ）
（４）行列｛Ｂ_ｉ∈Ｚ^ｍ×ｎ _ｑ｝^ｐ _ｉ＝１
（５）ベクトル｛ｂ_ｉ∈Ｚ^ｍ _ｑ｝^ｐ _ｉ＝１
証明データｗｉｔｎｅｓｓ：
（１）ｉｄ
（２）ｔ個のベクトルｚ_ｉ
（３）ｐ－ｔ個のベクトルｚ_ｉ
（４）ｐ個のベクトルｔ_ｉ
（５）ｐ個のベクトルｅ_ｉ∈Ｚ^ｍ
証明者の目的は、検証者に以下のことをゼロ知識証明により確認させることである。

そして、証明者と検証者は、ともに、以下の計算を行う。

そして、以下の処理を実行する。
（１）Ｓ_ｍについて、証明者は、分解拡張テクニック（Decomposition Extension technique）をｚ_ｉに適用して、検証者が、下記数式によるチェックができるように、マスキングターム（Masking term）｛ｒ^ｊ _ｚ（ｉ）｝、ｉ∈［ｔ］、ｊ∈［ｋ］を生成する。

（２）Ｓ_ｒについて、証明者は、ｆ_ｉに対して、分割、拡張を行い、検証者が、下記数式によるチェックができるように、マスキングターム（Masking term）｛ｒ^ｊ _ｚ（ｉ）｝、ｉ∈［ｐ－ｔ］、ｊ∈［ｋ］を生成する。

（３）Ｓについて、証明者は、ｔ_ｉおよびｅ_ｉに対して、分割、拡張を行い、検証者が、下記数式によるチェックができるように、マスキングターム（Masking term）｛ｒ^ｊ _ｔ（ｉ）｝、ｉ∈［ｐ］、ｊ∈［ｋ］、｛ｒ^ｊ _ｅ（ｉ）｝、ｉ∈［ｐ］、ｊ∈［ｋ］、を生成する。

また、同様に、検証者が、下記数式によるチェックができるようにする。

次に、ゼロ知識証明のプロトコルについて、説明する。
（Ａ）コミットメント（Ｃｏｍｍｉｔｍｅｎｔｓ）は、下記により実行する。

そして、証明者は、コミットメントＣＭＴ＝（ｃ_１，ｃ_２，ｃ_３）を生成し、検証者に送信うする。なお、ｃ_１，ｃ_２，ｃ_３は、下記の通りである。

（Ｂ）チャレンジ（Ｃｈａｌｌｅｎｇｅ）は、下記により実行する。 At this time, the underlying protocol is as follows.
Public parameters:
(1) Matrix defined by the following formula

Note that l (lowercase letter L)=L (same below).
(2) A set of vectors: {u _i } ^p _{i = 1}
(3) Threshold predicate data Γ=(t, S)
(4) Matrix {B _i εZ ^m×n _q } ^p _i=1
(5) Vector {b _i εZ ^m _q } ^p _i=1
Proof data witness:
(1) id
(2) t vectors z _i
(3) pt vectors z _i
(4) p vectors t _i
(5) p vectors e _i εZ ^m
The purpose of the prover is to have the verifier confirm the following with a zero-knowledge proof.

Then, both the prover and the verifier perform the following calculations.

Then, the following processing is executed.
(1) For S _m , the prover applies the Decomposition Extension technique to _zi , and the verifier uses Masking term {r ^j _{z (i)} }, iε[t], jε[k].

(2) For S _r , the prover divides and expands f _i , and the masking term {r ^j _{z (i)} } so that the verifier can check by the following formula , i ∈ [pt], j ∈ [k].

(3) For S, the prover divides and expands t _i and e _i , and masking terms {r ^j _{t (i )} }, iε[p], jε[k], {r ^j _e(i) }, iε[p], jε[k].

Similarly, the verifier should be able to check using the following formula.

Next, the zero-knowledge proof protocol will be described.
(A) Commitments are executed as follows.

The prover then generates a commitment CMT=(c ₁ ,c ₂ ,c ₃ ) and sends it to the verifier. Note that c ₁ , c ₂ and c ₃ are as follows.

(B) Challenge is performed as follows.

The verifier randomly selects a challenge CH←{1,2,3} and sends the selected challenge to the prover.
(C) Response is executed as follows.

（Ｃ２）ＣＨ＝２の場合、以下の処理により応答する。

（Ｃ３）ＣＨ＝３の場合、以下の処理により応答する。

（Ｄ）検証（Ｖｅｒｉｆｉｃａｔｉｏｎ）は、下記により実行する。 According to the value of CH, the prover responds as follows.
(C1) If CH=1, respond by the following processing.

(C2) If CH=2, respond by the following processing.

(C3) If CH=3, respond by the following processing.

(D) Verification is performed by the following.

（Ｄ２）ＣＨ＝２の場合、検証者は、下記のチェックを行う。

（Ｄ３）ＣＨ＝３の場合、検証者は、下記のチェックを行う。

そして、検証者は、上記の全ての条件を満たすとき「１」を返信し、それ以外のときは、「０」を返信する。 The verifier checks the received response RSP as follows.
(D1) If CH=1, then the verifier is w_d*∈B_2L, w^j _z(i)is at least t vectors (t sets) and all j∈[k], w^j _t(i)∈B_m, w^j _e(i)∈B_3mabout and_d*is valid. The verifier then performs the following checks.

(D2) If CH=2, the verifier performs the following checks.

(D3) If CH=3, the verifier performs the following checks.

Then, the verifier returns "1" when all the above conditions are met, and returns "0" otherwise.

As described above, the anonymous authentication system 1000 performs zero-knowledge proof.

As described above, in the anonymous authentication system 1000, signature processing is performed using the encrypted attribute token grt, which is obtained by performing encryption processing using lattice cryptography on attribute tokens. Even in such a case, it is possible to eliminate the risk that the attribute token grt is illegally acquired, the revocation list RL is illegally rewritten, and as a result the anonymity of the user and the anonymity of the attributes are compromised. In addition, in the anonymous authentication system 1000, the data (encrypted data) b obtained by encrypting the attribute token using the lattice cryptography is included in the signature Σ and output from the group user device 2 to the authentication device 3, so security is ensured. A strong zero-knowledge proof can be executed, and a verification process with a high security strength can be executed.

In other words, the anonymous authentication system 1000 can (1) completely realize user anonymity and (2) completely realize attribute anonymity. That is, in the anonymous authentication system 1000, (1) full anonymity for user anonymity, and (2) full anonymity for attribute anonymity. ) can be realized.

Therefore, even if the user secret key is leaked, the anonymous authentication system 1000 has a high security strength (dynamic A system that executes attribute-based group signatures that can be revoked immediately) can be realized.

[Other embodiments]
In the above embodiment, the case of using lattice cryptography as a public key cryptosystem has been described, but the present invention is not limited to this, and other public key cryptosystems may be used.

Also, for the zero-knowledge proof, a method other than the above may be adopted.

Further, in the anonymous authentication system 1000 described in the above embodiment, each block may be individually integrated into one chip by a semiconductor device such as LSI, or may be integrated into one chip so as to include part or all of the block. .

Although LSI is used here, it may also be called IC, system LSI, super LSI, or ultra LSI depending on the degree of integration.

Further, the method of circuit integration is not limited to LSI, and may be implemented by a dedicated circuit or a general-purpose processor. An FPGA (Field Programmable Gate Array) that can be programmed after the LSI is manufactured, or a reconfigurable processor that can reconfigure connections and settings of circuit cells inside the LSI may be used.

Also, part or all of the processing of each functional block in each of the above embodiments may be implemented by a program. Part or all of the processing of each functional block in each of the above embodiments is performed by a central processing unit (CPU) in a computer. A program for performing each process is stored in a storage device such as a hard disk or ROM, and is read from the ROM or RAM and executed.

Further, each process of the above embodiments may be implemented by hardware, or may be implemented by software (including cases where it is implemented together with an OS (operating system), middleware, or a predetermined library). Furthermore, it may be realized by mixed processing of software and hardware.

For example, when each functional unit of the above embodiment is implemented by software, the hardware configuration shown in FIG. may be used to realize each functional unit by software processing.

Also, the execution order of the processing methods in the above embodiments is not necessarily limited to the description of the above embodiments, and the execution order can be changed without departing from the gist of the invention.

A computer program that causes a computer to execute the method described above and a computer-readable recording medium that records the program are included in the scope of the present invention. Examples of computer-readable recording media include flexible disks, hard disks, CD-ROMs, MOs, DVDs, DVD-ROMs, DVD-RAMs, large-capacity DVDs, next-generation DVDs, and semiconductor memories. .

The computer program is not limited to being recorded on the recording medium, and may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, or the like.

The specific configuration of the present invention is not limited to the above-described embodiment, and various changes and modifications are possible without departing from the gist of the invention.

1000 anonymous authentication system 1 group management device 2 group user device 3 authentication device

Claims (4)

An anonymous authentication method for attribute-based group signing with revocation capabilities for groups containing multiple group users,
Executed using an anonymous authentication system comprising a group management device, a group user device, an authentication device, and a network connected to the group management device, the group user device, and the authentication device An anonymous authentication method comprising:
The group management device (1) identifies group users included in a group and the maximum number of group users included in the group, (2) defines a universal set of attributes, and (3) performs a key generation process. , a setup step defining parameters used in the , signing and verification processes;
The group management device generates (1) a group public key and a group management secret key, and (2) generates a user secret key for all attributes of one group user, using a public key cryptosystem. , performing a first step of assigning bogus data for attributes in said universal set of attributes not owned by said group user, and (3) tokenizing for attributes owned and not owned by said group user. (4) for all group users included in the group, by repeatedly performing the first step and the second step, for all group users included in the group a key generation step of separately generating the user private key and attribute token of
If the group user device satisfies the conditions under which the signing authority set in the policy is permitted, the message to be signed is signed using the group public key, the assigned user private key, and attribute tokens. comprising: (1) encrypting the attribute token; (2) validating group users, not including the attribute token in a revocation list, and verifying that the attribute token is generated (3) a signing step of generating signature data including the message to be signed, an encrypted attribute token, and the zero-knowledge proof; ,
The authentication device stores, for the signature data, a condition specifying the signing authority set in the policy, the group public key, and data specifying an attribute revoked for a predetermined group user. a verification step of determining whether the signature made to the message is valid by performing verification processing on the signature data based on the revocation list and the zero-knowledge proof;
If there is an attribute that the group user no longer owns , the group management device adds the attribute that the group user no longer owns to the revocation list, so that the group user no longer owns the attribute. a revocation step of revoking the
An anonymous authentication method comprising: The public key cryptosystem is lattice cryptography,
The group public key is a matrix for defining the lattice of the lattice cryptography, and is an n×m matrix whose elements are integers defined by a remainder system modulo a prime number q, and a set of the attribute data. is the data generated by
Anonymous authentication method according to claim 1. A program for causing a computer to execute the anonymous authentication method according to claim 1 or 2. An anonymous authentication system for attribute-based group signing with revocation capability for a group containing multiple group users, comprising:
a group management device;
a device for group users;
an authentication device;
a network connected to the group management device, the group user device, and the authentication device;
with
The group management device (1) identifies group users to be included in a group and the maximum number of group users to be included in the group, (2) defines a universal set of attributes, and (3) performs a key generation process. , a setup step defining parameters used in the , signing and verification processes;
By public key cryptography, (1) group public key and group management secret key are generated, (2) user secret key is generated for all attributes of one group user, and owned by the group user. (3) a second step of generating tokens for attributes owned and not owned by the group user; (4) by repeatedly executing the first step and the second step for all group users included in the group, the user secret key and a key generation step that separately generates attribute tokens;
and run
The group user device uses the group public key, the assigned user private key, and the attribute token to use the message to be signed if the conditions for permitting the signing authority set in the policy are satisfied. comprising: (1) encrypting the attribute token; (2) validating group users, not including the attribute token in a revocation list, and verifying that the attribute token is generated (3) generating signature data including the message to be signed, an encrypted attribute token, and the zero-knowledge proof; run,
The authentication device stores, in the signature data, a condition specifying the signing authority set in the policy, the group public key, and data specifying an attribute revoked for a predetermined group user. performing a verification process on the signature data based on the revocation list and the zero-knowledge proof to determine whether the signature applied to the message is valid; ,
If there is an attribute that the group user no longer owns, the group management device adds the attribute that the group user no longer owns to the revocation list, so that the group user no longer owns the attribute perform a revocation step that revokes the
Anonymous authentication system.

Images