JPH0373065A - Method and device for executing electronic cashing - Google Patents

Abstract

PURPOSE:To detect double use by respectively separately executing blind sign to user information, which are made form secret information including identification information, and to information for certification made from random number information. CONSTITUTION:A user generates user information Vi from secret information Si including naked identification information IDp of the user and generates disturbed user information Wi by disturbing the user information Vi in a blind sign preprocessor and transmitted to a bank. The bank signs the disturbed user information Wi by using a signing device and transmits disturbed user information with signature to the user. The user generates the information for certification by using a first communication message computer and generates the disturbed information for certification by disturbing the information for certification or information including the information in a blind signature preprocessor. Then, the generated information are sent to the bank. The bank signs the disturbed information for certification by using the signing device and sends disturbed certification information with signature to the user. Thus, the illegal double use of electronic cashing can be detected.

Description

DETAILED DESCRIPTION OF THE INVENTION [Field of Industrial Application] The present invention relates to an electronic cash implementation method and apparatus for implementing electronic cash using an electronic communication system.

(Prior Art) Electronic fund transfers using electronic communication systems are becoming popular. In general, instruments such as bills and checks that can be exchanged for cash at financial institutions (in the following explanations, all are represented by banks) have a symbolic function (the person who holds the instrument has a message written on the instrument). certain rights). When a certificate is handled by a telecommunications system, the certificate is digitized data and can be easily copied and redeemed for cash multiple times. Such problems also arise when implementing electronic cash such as prepaid cards. In other words, by copying a prepaid card,
It is possible to fraudulently exchange money or purchase products multiple times.

As a solution to this problem, a method has been proposed that detects double use of a card by devising the data exchange between the card reader and the card when exchanging money with a card equipped with a calculation function (for example, , Chaus, Fia
t, Naor: Untraceable E
iec-tric Cath' Proc of C
RYPTO' 88).

The outline of the above-mentioned method of Chaum et al. is as follows.

In addition, from now on, the user's identification information (account number, etc.) will be used as ID.
It is expressed as

First, the procedure for a user to have a bank issue electronic cash of a certain amount is as follows.

Step 1: The user selects k random numbers al (+=1,...
. , k) and using the published one-way function g, Xi and y'i are determined by the following formula.

Here, ■ represents exclusive OR.

Step 2: The user calculates the product Bi of the value f(xi,)'i) calculated using the published one-way function f and the random number r to the 0th power using the following formula. , calculate it and present it to the bank. This process is f (
This is preprocessing for a blind signature that prevents the bank from reading the contents of (Xi, 3'i) and, as a result, obtains the bank's signature on f(x+, yi). Here -i to a l
1od b represents the remainder when the integer a is divided by the integer sum.

Step 3: The bank verifies that the user has performed steps 1 and 2 correctly by having the user disclose their ID and /2 ai and r′i respectively (in the following:
(Explanation will be made assuming that i=l, ..., /2 is undisclosed)
.

Step 4: The bank is undisclosed/2 Bs.

Take the product of , raise it to the d power, and calculate the signature as shown below.

At the same time, the corresponding amount will be debited from the user's account.

D=rl Btmodn Step 5: The user calculates electronic cash C by removing the influence of the random number ri from D using the following formula.

This temporal formula holds true.

C-Hf (Xt, )'i)' mad
nThe electronic cash C obtained by this process is f(x,.

y=) with the bank's signature directly attached. where e, d and n are generated by the bank and satisfy the following equation:

n=PXQ (P and Q are prime numbers) eXd=1 (sod ff1) However, z=t, cM ((p-1), (Q-1)1, and LCM (a, bl are a and b The bank discloses information e corresponding to the face value of electronic cash and key n, which represents the least common denominator, and secretly manages key d.

The procedure for a user to pay using electronic cash C at a retail store is as follows.

Step 6: The user submits C to the retailer.

Step 7: The retailer generates a random bit string Ei,
..., generates Ek/l and sends it to the user.

Step 8: The user presents al and yi at E8-1 for undisclosed target i where l≦i≦/2, and Xi and (atΦID) when Ei=0 to the retailer. .

Step 9: The retail store uses the user's response and public information e and n to confirm that the validity of C is satisfied by the following equation.

However, 1, Xi = g (ai) yt = g (at el D) The payment methods between retailers and banks are as follows.

Step 10: At a later date, the retailer stores C, bit string Ei,
..., Ei7□ and the response from the user (ai and 3'i
s or Xi and (az691D)) to the bank,
Proposing the following blind signature technique using payment of the corresponding amount from the bank, Step 11: The bank signs C.
, bit string Ei, ...E k/2 and a i (E
When i = 1) or (a6 ID) (Ei = O
).

The method shown here has the following characteristics: (1) it can guarantee user privacy, and (2) it can detect double use.

First, we will explain the guarantee of user privacy.

Information B is obtained by perturbing f (x, y) with random numbers, so
Banks and third parties cannot estimate f(xy) from B.

Furthermore, even if banks and retailers collude, it is impossible to know the correspondence between electronic cash C and signatures. Therefore, it is impossible to know who issued C. As a result, in the method of Chaum et al., the issuer (user) of the electronic cash C cannot be estimated, so the privacy of the user's consumption trends and the like can be protected. Hereinafter, the signature technique used here will be referred to as "blind signature."

As a blind signature technique, for example, Chaum describes the R3A cryptosystem in US Pat. No. 4,759,063.

The user applies the following formula % formula % (
1) Disturb the document M using the one-way functions F and A expressed by the following to create a disrupted document W, and send it to the bank. Processing using this function is called blind signature preprocessing.

The bank has a signature function expressed by the following equation (2). A signs the disturbed document W, obtains a signed disturbed document Ω, and sends it to the user.

Ω=D, A(W)−WdAIIIOdn (2) The user processes the signed disturbed document Ω using the blind signature post-processing function H6A expressed by the following equation (3).

! (, A(Ω)-Ω/rIIOdn...(3) where eA+dA in formulas (1), (2), and (3),
It is assumed that n satisfies the following conditions.

eAXdA= l (sod jri f=LcM((P-1), (Q-1,))n=PX
Q P and Q are prime numbers, and LCM (a, bl represent the least common multiple of a and b. dA is a private key, and eA and n are public keys.

The above equation (3) can be transformed as follows.

H-A (Ω) = H, A (D, A (F, A (M)
) 1mi(r″＾×M)4＾/r BreAXd＾X M d＾/r =M” (n+od n) ・ ・ ・(4) The right side of equation (5) is clearly k equation (2) This is the result in which W is replaced with M. Therefore, the following formula % formula % (5) holds true. These equations (1), (2), and (3) show the blind signature procedure, and equation (4) proves that the blind signature is possible. That is, by processing the signed perturbed document Ω using the blind signature post-processing function H1, it is possible to remove the influence of the perturbation random number r from the signed perturbed document Ω, and therefore the document M is directly signed by the bank using the signature function DaA. The same signed document. (
M) is obtained.

Next, detection of double use will be explained. The bank compares the C sent by the retailer with all the Cs already stored in memory and checks to see if the same C is used twice. If the user illegally uses C twice, an E will be issued in response to the first C.

When =1, a! Since the time when Ei=0 (atOID) is stored in the bank's memory, if the first E8 and the second Ei are different, atO (atOID) is calculated to find the ID. Since the bank makes an inquiry for /2 bits, the probability that the first and second Ei match in all bits (i = 1 to /2), that is, the user who used it from C that was used twice. The probability that the ID of cannot be calculated is 2-/
It becomes 2.

[Problem to be solved by the invention]

In the method of Chaum et al. mentioned above, in addition to the functions f and g being unidirectional in order to ensure safety against double use, the non-interference of the two precepts, that is, Z-f(χ, y
) = f (x', y') and (x, y) and (
It is necessary that it is difficult to find X・, y・). However, there is currently no known method for constructing a unidirectional function that satisfies such two-component incoherence.

The present invention has been made in view of the above, and its purpose is to be able to detect double usage without using a function f with special conditions, and to protect user privacy. An object of the present invention is to provide a method and device for implementing electronic cash that can be guaranteed.

[Means for Solving the Problems] The electronic cash system of the present invention is an electronic cash process in which a user uses electronic cash issued by a bank, and a retail store receives this electronic cash and settles payments with the bank. An electronic cash implementation method in which a user generates user information (■,) from confidential information (Si) that includes the user's identification information (IDr) in an undisclosed form,
The user information (Vi) or the information containing the same (Ml) is disturbed by a blind signature preprocessor to generate disturbed user information (Wi), and the disturbed user information (Wi) is transmitted to the bank.

The bank uses a signature device to sign the disrupted user information (Wi) and sends the signed disrupted user information (Ω,) to the user.

The user uses a blind signature post-processor to remove the disturbance from the signed and disturbed user information received from the bank, thereby obtaining the signed user information (B□ or Bi or B) with the bank's signature. obtain.

The user generates authentication information (Xi) from the random number information (Ri) using the first message calculator, and disturbs the authentication information or information m containing it using a blind signature preprocessor. Generate the disrupted authentication information (Zi or Z) and send it to the bank.

The bank uses a signature device to sign the disrupted authentication information (Zi or Z), and sends the signed disrupted authentication information (■i or e) to the user.

The user obtains signed authentication information (Bii or C) with the bank's signature by removing disturbances from the signed disturbed authentication information using a blind post-processor.

When making a payment at a retail store, the user presents user information, authentication information, signed user information, and signed authentication information as electronic cash.

The retail store uses a tester to test the validity of the signed user information and the signed authentication information. In addition, an inquiry message qi created using the retailer's own information is sent to the user. Users must provide confidential information (Si) in response to inquiries from retailers.
A response sentence (
Yi) and present it to retailers.

By inspecting the response text, the retail store confirms that the user information and authentication information belong to the user, and determines that the electronic cash is legitimate. The retail store sends an inquiry and a response to the inquiry together with the information provided by the user to the bank for payment.

The bank uses a tester to check the validity of the signed user information and signed authentication information, and if it passes, the same set of user information and authentication information received is already in memory. Check if it is in the stored information, and if it is, calculate the user's secret information from the inquiry text and response text corresponding to the user information and authentication information in 2&[l] and identify the user. If the same pair does not exist, the information received from the retailer is stored in memory.

[Effect]

As described above, according to the present invention, blind signatures are applied separately to user information created from secret information including identification information and authentication information created from random number information, so that user information and authentication information are created from random number information. The problem of non-interference of components does not arise in the function for creating authentication information. Therefore, a desired function can be constructed.

Furthermore, the signed user information obtained once is used as a usage permit (Br or B) issued by the bank, and whenever necessary, the bank signs a blind signature on the information that combines the authentication information Xi and the usage license. By using the above-mentioned signed authentication information obtained by the bank as an electronic coin issued by a bank, the electronic coin issuance procedure can be simplified, and the electronic coin can be transferred and/or used multiple times. is also possible.

Hereinafter, the present invention will be explained in detail using the drawings.

FIG. 1 is a configuration diagram showing the relationship among a bank (RAN), a user (USER), and a retail store (SHOP) to which an electronic cash system according to each embodiment of the present invention is applied.

In FIG. 1, a bank 100, a user 200, and a retail store 300 are connected via, for example, a communication line, but they may also be connected via, for example, an IC card that can record information.

[First Embodiment] In response to the user 200's electronic cash issuance request, the bank 100 verifies the identity of the user 200 and debits the amount corresponding to the electronic cash from the user's account, or
After receiving the cash from the user, the user 200 uses a blind signature technique to provide evidence (signed user information and signed authentication information, which are part of the information constituting electronic cash, which will be described later) to prove the fact. will be issued.

The user 200 submits evidence to the retailer 300 when making a payment to the retailer 300, and uses the secret information and random number information used to generate user information and authentication information in response to an inquiry from the retailer 300. Generate a response and submit it to the retailer for payment.

Next, the user 20 who uses IDP as user identification information
The case where 0 has electronic cash issued by the bank 100 will be explained in detail.

First, since the bank uses R5A encryption here for the blind signature technique used in the electronic cash issuance procedure, various necessary parameters are determined so as to satisfy the following conditions.

n=PXQ eXdmi1 (sod f) However, f=LcM ((P-1), (Q-1)) and e,
d and n, publish the key e and key n, and release the key d
to be managed secretly. The face value of electronic cash issued by a bank is constant, and the public key e corresponds to that amount.

Here, LCM (a, b) represents the least common multiple of integers a and b, and P and Q are two different large prime numbers. Also, a mi b (aaod j ri) indicates that ab is an integral multiple of l.How to determine such various parameters is, for example, R, L.

Rjvest etal, “A Method jo”
r Obtaining DigitalSignat
ures and Publickey Crypto
systems communications of
the ACM Vol, 21. Nn2. pp12
0126, 1978.

Next, the user 200 enters his or her identification information 10. The user information Vi is generated from the secret information Si embedded in the naked form according to the first one-way function determined in advance, and the authentication information Xi is generated from the random number information R, according to the second one-way function. Intimidate. The user has the bank sign Vl and Xi using a blind signature technique. The reason why blind signatures are used here is to ensure the privacy of users even if the retail store and bank collude. One of the important points in this invention is that the secret information Si includes raw identification information IDP.

4,759,063 describes a blind signature in the transaction between a bank and a user described below.
Similar to the blind signature technique disclosed in R3A
This is the case when using encryption (see the paper by Rivest et al. mentioned above), but even when using a blind signature using an interactive authentication method (see, for example, US application No. 367.650 (filed June 19, 1989)). good.

The second step is for the user to have the bank issue electronic cash.
Block diagrams showing the configurations of the user 200 and the bank 100 shown in FIG. A are shown in FIGS. 3 and 4, respectively. In addition,
In the following explanation, it is assumed that i-1, . . . k.

Step S2: The user uses a random number generator (RANDOM).
Generate the random number a8 using the SLG EGI 211 and supply it to the signature device (SLG EGI) 212 along with the identification information IDP. The signature device 212 is a! The user's signature is attached to the concatenation of and IDp, and the signed output g! isgi
=c (aa II IDp), and G is a signature function. The symbol 11 represents a connection, for example 01
11011110=01110110.

Step S2: Concatenate the output a of the random number generator 211 and the output gr of the signature device 212 together with the ID a (cONG).
Enter 213 for confidential information S! Create. The secret information Si is an IDp, a random number a, and a signature g as shown in the following formula.
, and therefore includes the identification information IDp as is.

Si ”” I Dr If at II g=
・=(6) Also, prime number generator (PRIM GEN)
221 is used to generate two prime numbers P, , Q'i, and a multiplier 222 is used to obtain the product Ni of the prime numbers P and Ql.

Step S3: Prime number 8. The output Si of the concatenator 213 and the prime number product N that is the output of the multiplier (MUL) 222.

From, exponentiation calculator with remainder (MOD-POWER)
223, the user information Vi −Siguchi −od Nl is given by the following equation, which is the first one-way function.
- Calculate (7).

On the other hand, from the secret random number information R4 generated using the random number generator (RANDOM GEN) 224, the output N of the multiplier 222, and the prime number L,
D-PO ER) 225 is used to calculate the second one-way function, which is the authentication information It is called parameter information because it is used as a parameter constituting the one-way function expressed by (7) and (8).

Step S4: Vl and Xi as blind signature preprocessing
The preprocessing functions for perturbing with the perturbation random numbers ri and r·1, respectively, are one-way functions and are generally expressed as follows below, but they do not necessarily have to be in the same form.

wt =F* (ri, vt)...
(9) Zi =Fll (r'i, X+ l
-00 In the embodiment shown in FIGS. 2A and 3, this preprocessing is performed as follows. That is, a random number generator (RAND
OM GBN) 226 generated perturbation random number ri, remainder exponentiation calculator 223 generated Vl and public key e
and n to remainder multiplication/power calculator (MODMOL/PO
WER) 227, the disturbed user information W! is expressed by the following formula. =F*(rt, Vt)
=rt xvi +wod n -Q
Calculate υ.

On the other hand, the random number r'i generated by the random number generator 226, Xi generated by the exponentiation calculator 225 with remainder, and the public keys e and n.
From, the remainder multiplication/power calculator (MOD-MυL/PO
WER) 22B, the disturbance authentication information Zt=F* (rZ+Xt)=r′iXX+mod expressed by the following formula
Calculate n-...07J.

Send the calculated Wi and ZI to the bank.

Here, the random number generator 226, the remainder multiplication/power calculator 2
27 and 228 constitute a blind signature preprocessing function 2OA.

Step Si: When the bank receives Wi and 2'i from the user 200, it sends the mail (MEM) 101, 1(
12 (see FIG. 4).

Next, the bank 100 sends the user to /2 sets (Si.

Ri + ri yr co, Li, Ni)
The following procedure confirms that the user recognizes that he/she has correctly entered his or her identification information ■DP into each secret information Si and correctly executes steps S3 to S4.

Step Si: Banks will request disclosure from users/2
Set information (S8. R4, ri r 't + 3.
iJ group U=(j=1,...k
/2), and its i, group U = (ijl = l
, ..., ni/2) is sent to the user (in the following, i=l,
..., ni/2) will be explained assuming that it has not been disclosed).

Step Si: Upon receiving the disclosure request from the bank, the user selects the /2 set (Si, R) corresponding to i specified by the bank.
Send i, ri, r'i, Li, Nil to the bank.

When i is the subject of disclosure, the bank performs the following Stenobu S.

- Perform the steps from Si°.

Step Ss: When i is targeted for disclosure, it is confirmed that IDp is included in a predetermined position in Si, and the user 2
Received from 0 (Sl, Ri, Li.

Ni ), from the remainder exponentiation calculator (MOD-POER
) 111 and 121 to calculate y', = Si mod Ni Kr = Ri mad Ni .

Step Si: From the outputs i, + ri of the remainder exponentiation calculators 111 and 121, the received ri, r'i, and public keys e and n, the remainder multiplier and exponentiation calculator (MOD-
MUL/POIIER) 112. Using 122,
Wi = r, XV'i mod nZ'r
=r! Calculate XX'+ sod n.

Step S+o: The value Wi in the memory 101 and the output Wi of the remainder multiplication/power calculator 112 are
) Compare in 113. Further, the value Z! in the memory 1 (12) and the output Zi of the remainder multiplication/power calculator 122 are compared in a comparator (GOMP) 1.23.

In this way, the bank checks all k/2 i's, and if any of the checks fails, it stops the subsequent processing. When all the tests pass, the bank debits the corresponding amount from the user's account or receives the corresponding amount from the user, and then performs the following procedure for i, which is not subject to disclosure.

Step Si: Public key n, secret wld, and memory 1.01
, 1 (from Wi, , Zi on 12, the remainder exponentiation calculator (
MOD-POWEI+) 131 and 141, calculate the signed disrupted user information Ωi and the signed disrupted authentication information e'i, which are expressed by the following formulas, and calculate Ω□ and 8'
Send i to the user.

Ri −De (W+) = Wi mod
n −...O3) @+ −De (Li
) =Zi nod n =・QaHere, the process represented by 203) and 04) is
and 21, and D'i is called a signature function. The remainder exponentiation calculators 131 and 141 are the signer 1. OA
Configure.

When the StempSi□2 user receives Ω□ and 0゜ from the bank, it removes the influence of the random random numbers rl and r゛ from Ω and 08, and creates a signature user whose bank signature remains. Ω,,e received from the bank to calculate the information Bv, and the signed authentication information BXI.

and the disturbance random number ri generated by the random number generator 226.

From ri1 and public key n, the remainder divider (MOD-ro IV
) Using 23L232, Bvi-Ha (rt, Ωi)=Ωi/rt
mod n...0 Bxi=Ha b't, et l-er/r cosod n...(16) Calculate.

Here, substitute formula 00 and θ into formula 05), and
By substituting 2) and α, the following equation holds true.

MiVil1od n,=Da (Vt) MiXI
+mod n = De (Xi) The above two equations are expressed as follows: When the signed disrupted user information Ω received from the bank and the signed disrupted authentication information e′i are processed by the function H, the bank directly responds to Vi and Xi. The result of processing using the signature function RI is (Vi).

D, (Xi) is obtained. That is, the function Ho removes the influence of the disturbance random numbers rm, r゛ from Ωiii. The process of removing the influence of the disturbance random numbers ri, r' is called a blind signature post-processing, and the function Hl is called a post-processing function.The dividers 231 and 232 constitute a blind signature post-processing 20B. The user has a set of information (Vz,
Use Bvi, XiBxil as electronic cash.

Next, a case where a user pays at a retail store using electronic cash will be described. An example of a processing procedure between a user and a retail store is shown in FIG. 2B.A block configuration of the retail store 200 is shown in FIG. 5.

Step Si. 2 Users can use electronic cash (V8.
Xi, BXi) and parameter information (Ni, Li
) to the retailer.

Stenbu S [4: Retail stores use electronic cash (Vi, Bvi)
.

When χi, Bxil and information (Ni, Li) are received, they are stored in the memory (MEM) 301 and the remainder exponentiation calculator (MOD-POWER) 3
11. The following verification formula VF using 312.

Vi =VFa (Bvil =Bv4 no
d nX't −VFa (Bxi) =Bx
Calculate t nod n.

Step 5157 Comparator (cOMP) 313. 314
For each /2 calculation results 2. It is checked whether Vi and Xi received from the user are equal to each other (t=l, . . . , k/2). As a result, it can be determined whether the signatures attached to the signed user information By□ and the signed authentication information BXi are the signatures of Bank k.

SteSob SI6: When /2 tests are passed, the random number γ3 is generated using the random number generator (RANDOM G[!N) 321 and stored in the memory 301, and store IDv and time are generated. Also, the random number γ'i is sent to the user as an inquiry text qi. At the same time, Ei -'f (IDV, t, γ3) is calculated using the f-calculator (f-CAL) 322 that calculates the published one-way function f.

From now on, it is assumed that 0<Ei<Li.

Step SI□: The user receives qi=(IDV
it, γ, ), the published one-way function f
- Using the calculator (f-CAL) 241, Ei = r (Qi) = f (IDv + t, T
I).

Step 5Ill: Output S8 of concatenator 213, multiplier 2
22 output N1, random number generator 224 output R4 and f
- The output Ei of the calculator 241 is applied to the remainder multiplication/power calculator (
Question D-POWER) 242 and use the following formula, which is a one-way function, to calculate Y t = Rr × S 1 mod Ni ・0
7) Calculate the response sentence Yi and send it to the retailer (i=1
,...,ni/2).

Step Si. :Response Y from the user at the retail store.

When receiving , the validity of Yi is determined using the remainder multiplication/power calculator (MOD-MUL/POWEII) 331 as AH-XHXVL @od Nl ・=0
8) Calculate the remainder power calculator (MOD-POWER)
332, A'1=Yi mod Ni, ・0
Calculate 9.

Step S2°: A using a comparator (cOMP>333).

Confirm that and A'r match. (i=l,...
k/2).

Here, remainder exponentiation calculators 311, 312, comparator 31
3, 31.4 comprises a tester 30A that tests the validity of user information Vi and authentication information Xi, and an f-calculator 322.
, remainder multiplication/power calculator 331 , remainder power calculator 3
32 and the comparator 333 constitute a tester 30B that tests the validity of the response sentence Yi. In the above, each step SI6~
In S2°, all i (i”1...., k
/2), however, the processing may be performed by repeating steps Sl& to S2° for each i.

Finally, we will explain payment methods between retailers and banks. An example of the processing procedure between the retail store and the bank is shown in FIG. 2C.

Step S21: The retail store later stores the electronic cash information {Vi, Xt, Bvi, Bxt) in the memory 301, the parameter information (Nt, Li), and the inquiry statement (rI).
v, t,, Ti) and the response sentence Yi to the bank (N=l, ..., k/2).

Step Szz: 1! Lines are from retail stores (Nt, L
i.

Vi, Xt, Bvi, Bvi, IDv, t, ri
.

Upon receiving the public keys e and n, the remainder exponentiation calculator (MOD-POWEI?) 1.51, 152
and enter the following verification formula VF.

Zo+ -VF* (Bv+l = Byt mod
nX'+ =VF, (Bxi) =Bxi s
Calculate od n.

Step S0: Comparator (cOMP) 1 to determine whether the calculated V'i and X't are equal to the received Vi and Xi, respectively.
56°157 (i=l,..., k
/2). If these are equal, it is determined that the signature shown in Bvi+BXi is definitely that of bank k. Therefore, the information,v,′,x,with a signature attached is also determined to be reliable.

Step S! 4: If all tests pass, use the “-calculator (f-CAL)” to calculate the published one-way function f.
) 1.53, E(=f (IDy, t, r
i) and use the remainder multiplication/power calculator (MOD-MUL).
/POWEI+) 154, calculate At =x, xv, l1od Nt,
Remainder power calculator (MOD-POWBR) 1.55
Using A′i = Y! Calculate IIod N6.

Step Szs: Using the comparator (GO?IP) 15B, confirm that A and Ai match (i=1°..., k/2). This shows that Ei and Yi are also reliable.

Step Sn: Submitted by the retailer (Ni).

L+, Vr, Xt, Et, Yi)H=',・
= /2) is stored in the memory (MEM) 161,
Pay the corresponding amount to the store IDv account.

Above, we have described an implementation example of a method based on an interactive authentication method based on the difficulty of calculating the power root of a higher order root.
nda end 5elf-Reducibility and
Zero Knowledge Interacti
ve Proofs of Processeston
of InformationThe Proc, o
A similar method can be realized in other interactive proof methods such as those shown in FOC3, 1987pp, 472-482.

Note that interactive authentication methods generally require soundness (one set of Vi
and Xi, there are two correct pairs of Ei and Y.

can be calculated, the secret information Si corresponding to ■, can be calculated), so if the same set of ■ and Xi is used more than once, the user's IDp will be exposed.

Next, we will demonstrate the detection of illegal double use of electronic cash.

As described above, when the user 200 uses electronic cash at the retail store 300, the retail store 300 sends the inquiry message Qi =
(il:h, t, 14) is given to the user 200. The contents of this inquiry text qi include identification information rD,
, time and random number γ are used, the IDV will be different for different retail stores, and t will be different even for the same retail store at different times. Therefore, if a user fraudulently uses the same electronic cash twice, the inquiry text (tpv, t, TI) given by the retailer will always be different, so Ez = f (IDv, t , Tt) can also be expected to be different. Therefore, as is clear from equation 0'I), the response sentences Yi are also different. As a result, if electronic cash is used twice, the bank will be able to use the same V
Different Ei and Yi of 2&Il are obtained for the set of i and Xi. These two sets (Ei.

Yi), (E'l, Y'l), these are all step S+*, Si6 inspection hole 08), 0
9) is satisfied, the following formula % is obtained, and furthermore, since Si mi Vi (Peng odNt) is established, the following formula is obtained.

Here, since Li is a prime number, Ei and E′i are mutually prime, α×L+βX (EiE′i) = 1...
Integers α and β that satisfy (24) can be calculated using Euclidean algorithm. Therefore, J.M.
xL*I x l! j-! '1)V(x (Y
= X'y'+ ) Mi5i=3+ (sod Nt
)...(25), so Si can be calculated. Since the secret information sl includes the naked IDp, it is possible to identify the user who has fraudulently used electronic cash.

The above-mentioned double use detection procedure is performed, for example, in step S of FIG. 2C.
It is inserted between 4S and sit, and its procedure will be explained with reference to FIGS. 2D and 4.

Step Sc - The bank searches for the same one as the received (Vi, Xi) in the memory 161, and if not, steps S4 in FIG. 2C. If there is one, move on to the next one.

Step Si2: Read out (E'i, zo,) corresponding to {Vi, Xi} already stored in the memory 161.

Step SC3 Neucrid algorithm calculator (EUC)
LTD'S ALGORITHM) 172
Find α and β that satisfy '2〇gl.

α×L+β(Ei-E′i) = 1 Step Sea: Remainder divider (MOD-[11V)
Enter Yi, 'Y' and Ni in 171 to enter Yi
/ Vi 110d N L and the result is α
, β and Nt with remainder multiplication and exponentiation (MOD-MUL/
POWER) 173 and calculates the previous equation (25) to obtain Sl.

Step ses: Extract IDp from s+.

As explained above, according to the present invention, the information Vi created based on the secret information SL that includes the user's IDp as is.
, random number information Ri, and information Xi are separately subjected to blind signature preprocessing (second A
Since step S4) in the figure is applied, there is no problem with the two-component non-interference condition required for the unidirectional function f(Xi, )', ) such as Chaum et al. Conversely, in electronic cash schemes such as Chaun+, the same one-way function f contains parameters for both information Xi based on random numbers and information y based on ID, and information y is the random number. is associated with the ID by y,
It can be said that the fact that is associated with Xl creates a non-interference problem.

By the way, as I just mentioned, (Vi, Wi) and (xi,
zm) are processed independently from each other, and the information Ωi obtained as a result of the blind signature using equations θ and (h)
and 81 are also processed independently of each other. Furthermore, the signed information Bvi and BXi obtained by post-processing these using 2051.00 are also processed independently of each other.

In other words, in the processing process from when a user requests issuance of electronic cash to when the user obtains electronic cash, the information series (Vi, Wi
,, Ri, Bvt) and information series (Xi, Zz, eo
, BX are processed independently from each other. In the processing process in which the user uses the electronic cash shown in FIG.
.

For the first time, the secret information SL and the random number information Ri are related by one function at the stage of creation. This fact is reflected in the information sequence (vi) in the processing process shown in FIG. 2A.

Wi, Ω= , Bvi) and information series (X
This means that the processes related to i, Zi, et, B□) may be separated from each other and executed at different times and situations. Next, the 6th A took advantage of this fact.
This is a second embodiment described with reference to FIGS. -6D and FIGS. 7A-7D.

[Second Embodiment] In the second embodiment, the bank issues a usage permit once upon a user's request, and the user issues the usage license whenever the user wants the bank to issue electronic cash. By presenting information generated from random number information to the bank and having them certify it, the processing procedure for issuing electronic cash is simplified.

In the procedure for issuing this license, the information series (Vi, Wt, Ri,
In the procedure for issuing electronic cash based on the usage permit issued in this way, an information series corresponding to the random number information Ri (Xz, Z*, 8i, B111) is generated. An information series corresponding to is generated. Here, electronic cash issued by the simplified procedure will be referred to as an electronic coin and will be represented by C.

First, the processing flow shown in FIG. 6A and the apparatus I! shown in FIG. 7A! A case will be described in which a user 200 who has opened an account at a bank 100 has the bank 100 issue a use permit with reference to the function block diagram. Here, IDp is identification information such as the account number of the user 200.

The bank 100 creates a pair of a private key d and a public key e used in the blind signature as information corresponding to the usage permit, and makes eA public.

Here, according to the blind signature, as already proven, the user 200 who wants to have the bank 100's blind signature attached to a certain document Disturb the document M using the name processing function W = F eA (rM) to make it a disturbed document W that cannot be read by others, and send it to Bank 1.
Send to 00. The bank 100 signs (blind signature) the perturbed document W using the blind signature creation process Ω=D−a(W) using the private key d'i, and sends the signed perturbed document Ω to the user 200. The user 200 who received Ω is W
The effect of the random number r in Ω is removed using the random number removal function HlA(Ω) using the random number r used to create the signature. . (M) can be obtained. Here, F for disturbance processing. is a blind signature pre-processing function which is a one-way function, D and A are blind signature creation functions, Hl is a blind signature post-processing function for random number component removal processing, I
)ea(M) means a document signed by the bank corresponding to the public key eA. The method for realizing blind signature is the above-mentioned R3.
Any of the methods of Chau+w using the A cipher and the method disclosed in Japanese Patent Application No. 156-1988 (120) by the inventors of this application may be used.

The user 200 extracts V, which is referred to as user information in this embodiment, from the secret information Si in which his identification information IDp is embedded as is.
i, and the user 200 has the bank 100 sign Vi using the blind signature technique. V8 with this signature, ie, A(■1), is called a usage permit. Here, the reason for using the blind signature is to ensure the privacy of the user 200 even if the retail store 300 and the bank 100 collude.

The procedure for the user 200 to receive a usage permit from the bank 100 shown in FIG.
This will be explained with reference to the block diagram of the user 200 and the bank lOO shown in the figure. In the following, it is assumed that i=l, . . . .

Step SI: The user 200 uses a random number generator (RAND
OM GBN) 203 to generate a random number a'i and input it together with IDp to a concatenator (cONC) 204, and its output IDpHa+ is sent to a signature generator (DIG 5IGG).
BN) 218, gi = Q (I Dp II a t )
...Find (26).

Step Sz: The output of the signature generator 218 (IDp1
lai) to the concatenator 204 and secret information Si = I Dp It a i II gi
-(27) is determined and stored in the memory 211. Also, a prime number generator (PRr?IE GEN) 201 is used to generate a pair of prime numbers (P8゜Q+), and a multiplier (MUL
) 2(12) to find and store the product Nl of P and Ql.

Step Si: Prime number generator (PRIME GEN)
213 to generate a prime number Li (for example, a prime number of 3 or more), and from Li, Si, and NH, the remainder power (MOD-P) is generated.
User information Vz = Si 1wod Nt - (
28) and store Li and Vi in memory (ME)I)
211.

Step Si: Connect N1, Vi, and Li to the coupler (cON
G) 206, sono output Mi = (Ni I
I v, ++Li) is input into the blind signature preprocessor (BSPRE-PI?0CESS) 207 together with the key eA for creating a usage license published by the bank 100,
Disruption user information Wi = F eA (r i , Mt
) -(29) and send it to the bank 100.

Here, the blind signature preprocessing function FaA may be similar to Chaum's equation (+) using the R3A encryption system, or may be the one proposed in Japanese Patent Application No. 156-120 by the inventors of this application.

Next, the bank 100 sends the user 200 to
, Li, Pi, Q= , r+), and the user 200 adds his/her identification information IDp' to each secret information Si.
Make sure that you have entered i correctly, and then proceed to step Si.
Confirm that step S4 is executed correctly using the following procedure.

Step Si: The bank 100 uses a random selector (1?AN
DOM 5EL) 101 is used to randomly select /2 different i's from 1 to 2 i, and request disclosure of the set of i's (iJ I J=l,..., k/
2) is sent to the user 200. Here, to simplify the notation, bank 100 is k/2+1, k/2+
2,...k is selected as i. Therefore i
=l, . . . k/2 is not subject to disclosure.

Step S6; When the user 200 receives the disclosure request U from the bank lOo, the user 200 sends the disclosure controller (Dl5CLO3UR
ECONT) 208 is used to direct the bank 100 to two sets of (Sl, LH, Pi, Qi, ri
) to disclose. Here, r is the blind signature preprocessing function F to create Wi in step S4. This is the random number used for

Step s::m line 100 is executed when i is the disclosure target, that is, /2+1. When S j≦, I at a predetermined position in Si
fiIgl that Dp is included and received from user 200 (S+, Li, P r, Qi,
Multiplier (MUL) 1 (N using 12) from rt l
! = P5 x Q.

Find the remainder power calculator (MOD-POWER)
105, V (= 31 nod N (−(30) and Vi
Calculate.

Step S4: Output ■0 of the remainder exponentiation calculator 105,
Concatenator (cONC) 1 from the received ri and public key eA
04 and Blind Signature Preprocessor (BS PREPR
v/1=F−s (ri, (Ni II vi
II L+ )) to calculate W.

Step Si: The previously received value of Wt and the value of Wi are compared by the comparator (cOMP) l06, and if they match, it is determined to be a pass, and if not, the process is interrupted.

In this way, the bank 100 performs the above inspection for all /2 i, and if any of the inspections fails, the subsequent processing is discontinued. If all tests are passed, the bank 100 is not subject to disclosure t (i=l,...
, k/2), perform the following signature procedure.

Step S4゜: w, and the private key dA for blind signature of the bank 100 is sent to the blind signature generator (BSGUN).
108, and the following blind signature Ω,=D−a
(Wt) ...(31) is obtained and sent to the user 200. Function. is the bank signature function, for example, the Chaua+ equation (2
) may be similar.

Step S4: When the user 200 receives the blind signature Ω'i from the bank 100, the blind signature post-processor ( Using BS PO3T-PROCESS) 209, Bi = Ham (rt, Ωi) ・=
By calculating (32), the influence of the disturbance random number ri is removed from Ω. This function Hl is Chaum's formula (3)
Something similar to this is fine. The signed user information Bi obtained from equation (32) is expressed by the following equation B+ = D-a (M+) = (3
3) is satisfied as in Chaull's equation (5).

Therefore, Bi obtained from equation (32) is obtained when the bank uses the private key dA corresponding to the public key eA to create a document Mi = (Ni II Vi II Li ) containing user information ■'i.
This is the one signed directly and the one handed over. The user 200 can use the signed user information B obtained in this manner as an electronic coin usage permit any number of times thereafter.

In addition, in the above-mentioned STEMB SIO, separate Ωi was obtained for /2 Wi, and /2 Bi was obtained in step Si1, but the message MI, ・
. . . It is also possible to add a signature to Mkyt all at once. That is, step S'+o: Bank 100 is not subject to disclosure/2 i (i=l
,..., k/2) all disturbance user information Wi
, one blind signature Ω is calculated using the following formula (%) for the multiplexed disturbed user information multiplexed and sent to the user 200.

Step S'+-2 The user 200 is from the bank 100...
- (31') From the received Ω, random number r, and public key eA, one piece of signed user information B is calculated using the blind signature post-filling 209 according to the following formula % formula % (32). The signed user information obtained by this equation (32') satisfies the following equation (33).

For example, the function D*A+H@A such that equations (31'), (32°), and (33°) hold is the equation (1) in Chauw's blind signature using the R3A encryption method.
), (2) and (3) can be realized by respectively transforming them as follows.

Wi = F *a (Mi) −r = ×M
Isod n-(1')Ω-ri. (Wi...
Ww/l )−(rI Wt ) sod
n = (2') HIIA (r I +
”'+ rk/! + Ω) 工Ω/IT
ri sod n −(
3') When each function is determined in this way, the following equation holds true.

B-H-a (Do(Wi, ..., Wki
z).

r　l　　＋　　”’+　r　k／2　　　　　　mi M.

mad n =D-a (M+, -, Mi/l) In the following explanation, a dash will be added to the number in the formula for the case where the license consists of one piece B created by bulk signature as described above. However, the processing procedure and functional block diagram shown in the figure only show the case where a use permit consisting of 72 pieces of Bi is used.

Next, the procedure for the user 200 to have the bank 100 issue electronic coins will be described. In this procedure, user 20
0 creates authentication information Xi based on random number information Ri,
The bank 100
have it signed and used as an electronic coin. In this case as well, the blind signature technique is used for the signature. First, the bank 100 obtains a private key d's and a public key e used in the blind signature as information corresponding to the amount of electronic coin.
'. A pair is created and the public key eh is made public.

Here, an example of a processing procedure between the bank 100 and the user 200 is shown in FIG. 6B, and a block diagram of the user 200 and the bank 100 is shown in FIG. 7B.

In the following, 1=l, . . . /2.

Step Sl□: The user 200 uses a random number generator (RAND
Random number information R generated using OM GEN) 214
, and the parameter information NI taken out from the memory (MEM) 211, and the remainder power (MOD-POWE)
il) 215, the authentication information X+=Ri mad N+...(3
4) Calculate X! and R, are stored in the memory 211.

Step Si,: For all of i-1,..., to/2, X! and usage permit Bi retrieved from the memory 211 are input to a coupler (cONC) 216 and connected, and the output m −X + II −II X *yt It B
IIt - If B */z... (35) Or - When using one piece license B with collective signature, m-X=lI-11XmzgllB ---(35
) is the public fi1g'm corresponding to the amount of electronic coin.
and a random number rp along with a blind signature preprocessor (BS PR
E-PROCESS) 217, and its output is the disturbed authentication information Z = Fe'A (rp, m) ・ = (3
6) is calculated and sent to the bank 100 along with the electronic coin amount information.
send to

Step SI4: Upon receiving Z, the bank 100 inputs Z and the secret 1d'a corresponding to the amount of the electronic coin into the blind signature generator (BS GEN) 109, and generates the signed perturbation authentication information e=D e' h (Z) ... (3
7) and sends it to the user 200. At the same time, the corresponding amount is debited from the user 2000 account or received from the user 200.

Step S0. :The user 200 who has received the signature disturbance authentication information e from the bank 100 performs blind signature preprocessing 2.
The disturbance random number rp used in step 17, the information e received from Ginj Te 100, and the public key e7. A blind signature post-processor (
BS POST-PROCESS) 219,
The following formula % formula % (38) is calculated and stored in the memory 211. The calculation result of equation (38) satisfies the following equation (39). That is, C is equivalent to information m directly signed by the bank. The C thus obtained is used as an electronic coin.

Next, the user 200 uses the electronic coin C to
The case where payment is made with 0 will be explained.

An example of the processing procedure between the user 200 and the retail store 300 is shown in Section 6C.
As shown in the figure. A block diagram of the retail store 300 and the user 200 is shown in FIG. 7C. Below, i-1, ..., I2
shall be.

Step Si. :User 200 is memory (11E gate) 2
Electronic coin C1 use permit Bu taken out from 11, user information v, 2 certificate information X8, parameter information Ni,
Li is sent to the retail store 300.

Step S0: The retail store 300 uses a digital signature verifier (
DIG SIG VERIFIER) 319 A,
319 B to obtain the public key e′ true from Mi”” (Ni If V+ I
I Li) and the validity of the bank's signature on the public key el.
m-(XI II
= It Xk/zll B+ If -11Bh
The validity of the bank's signature for z□) is checked by calculating whether the following verification formulas vF and A hold true. If this inspection fails, subsequent processing is stopped.

(Njll Vill t, t) =VFsa (Bl
)=Br mod n・
...(40) (Xil...If Xvzz II B
I II...If Bb7g) =VF, A(c
) =Cmod n...(41) or 1M1
=V F,A (Bl =B” 1iod n-(40
) (XI II ・II L/211 B) =V
F,, A (c) = Step S+, 1: Retail store 300
is the time t taken out from the timer (74 gate ER) 321,
Random number T1 extracted from the random number generator (RANDOM GEN) 303 and identification information ID of the retail store 300
v is sent to the user 200 as an inquiry text qi, and a predetermined response based on this information is requested. At the same time, using that information, we use the one-way function vector (f − (:AL
)322, Et=f(qi) =f(TDv, t, r i)
...(42) is calculated.

Step Si9; The user 200 receives the received IDv.

Tart'i is manually input to the one-way function calculator (f-CAL) 221 to perform a similar calculation f(10v, t, I1),
The output value Ei and the information Si retrieved from the memory 211
, Surplus visit using Ni (MOD-POW[R)2
22, 3't=Si sod Ni is calculated, and using the result y and Ri and N read out from the memory 211, Yi=3'1XRt sod N= is calculated by the remainder multiplier (M
Calculated using OD-MUL) 223, Y+=Rt ・Si +wod Nt ・・
- Obtain (43). This Yi is sent to the retail store as a response sentence.

Step S2゜: The retail store 300 uses the one-way function generator 322
The output value Ei and Ni given earlier by the user 200
, Vi to Surplus Visit (MOD-POWER) 304
y 1 = V (sod N i is calculated, and the remainder multiplication of the result ym and
×■-odNi is obtained. On the other hand, the received Y+ and Li
, Ntwo surplus comes to my house (MOD-POW [iR) 30
5 inputs 2, calculates Yi nod Nr, and compares the result with the output of the remainder multiplier 313 to a comparator (cOMP) 3
06, YH=)(, Hvl (mod Nr
) ...Check whether (44) holds true. If this test is passed, the retail store 300 considers the electronic coin C to be legitimate and receives it.

Finally, a payment method between retail store 300 and bank 100 will be explained. An example of the processing procedure between the retail store 300 and the bank 100 is shown in FIG. 6D, and a block diagram of the ii-line 100 and the retail store 300 is not shown in FIG. 7D.

Stemp S2. : The retail store 300 will store the memory ({Ni, Li, Vi, Xi, Bi, y, , c in the ME old 311) at a later date.
.

I Dv, t, r=) (i=L...
・, ni/2) is submitted to the bank 100, and the corresponding amount is paid from the bank 100.

Step Szz: Upon receiving the information from the retail store 300, the bank 100 uses a digital signature verification device (DIG 5IGVE).
RIFrER) 1.1.9 A, 119 B is used to obtain the M indicated in the usage license B1 by the public key eA.
, = (Ni, II Li II Vi), and the validity of the bank's signature for m = (X + II ・= II
χwyz II B + II −It B k/z)
Although equations (40) and (41) hold true, the validity of the bank's signature is checked from k. Or when using 1-piece use permit B, use formulas (40') and (41')
Inspect with. Proceed to the next step only when this inspection is passed.

Step S. : TDv, t, 7i as a one-way function vector (f
-CAL) 112 and its output value E; -f (
IDv, t, rr). Surplus should come (
)100-PO匈ER) Using 113, Yi, Ni,
Calculate YimodNi from Li. Also, using the remainder power multiplier (MOD-POWER) 114, Ei, Vi
, N□, and further uses the remainder multiplier (MOD-MUD) 115 to calculate the remainder exponent 11
4 output and Ni.

Calculate XH-VHmod Nr from Xi. The output results of the remainder exponent 113 and the remainder multiplier 115 are sent to a comparator (
cOMP) 116, Yi = Xi −V
Check whether i (mod Nr) holds.

Step SZ4: If the above inspection is passed, user 200
Submitted by (Nr, Li, Vt, Xi, Bl.

Yi, C, IDv, t, rr) Nrl, ,,, k
/2) is stored in the memory (MEM) 111, and the corresponding amount is paid into the account LIDv) of the retail store 300.

Above, we have described an example of a method based on an interactive authentication method (Patent Application No. 63-36391) based on the difficulty of calculating the power root of a higher-order root, but other interactive authentication methods can also be used. A similar method can be implemented.

Note that the interactive authentication method satisfies soundness (when two correct Yi are found for the same pair of If used more than once, the user's IDp will be exposed. In other words, if a user fraudulently uses an electronic coin twice, two sets that satisfy the test formula (44) for the same pair of (Ei and Yi) and (E'i, Vi) are obtained by (Yi /\i) Limi'l/, E''-''' (mo
d Nz) holds, and from this, (Yi/zoI)=SLil-11(IIlodNi) is obtained. On the other hand, S i = V (sod N = holds true. Here, is a prime number, and E.

Since −E′i is relatively prime, 38 can be calculated.

Since Si contains the user 200's IDp as is, an unauthorized user will be exposed.

As explained in detail above, the second embodiment, like the first embodiment, has the following characteristics: (a) it can guarantee user privacy; and (b) it can detect double use. . Regarding (a), since a blind signature is used, the privacy of users' consumption trends, etc. can be protected. Regarding (b), if an electronic coin is used more than once, the secret information used to generate the usage permit will be exposed due to the nature of the interactive authentication method.

By the way, when issuing a license, you send 2 pieces of data to the bank, and the bank selects 2 pieces of data from that data and makes you disclose 2 sets of parameters that were used to create each of them. It requires a number of steps and is a heavy processing burden. However, in this invention, this process is only performed when a user opens an account. On the other hand, although the process of issuing electronic coins is considered to be relatively frequent, the process of issuing electronic coins basically requires only one blind signature creation procedure and is less burdensome in terms of processing. However, the first
In this example, the usage permit and electronic coin are treated as integrated electronic cash, so in the procedure for issuing each electronic cash, data is sent to the bank, and one or two items are selected from among them. This requires a procedure for disclosure, which imposes a heavy processing burden.

As mentioned above, in the second embodiment, electronic coins C can be easily issued at any time using the usage permit Bi (i=l,..., k/2) or B that was originally issued by the bank. Can be executed as many times as you like. The electronic coin according to the method of the present invention, which separates the issuance of a use permit and the issuance of an electronic coin, can be used in several more convenient ways. The first form of use is to transfer electronic coins to other users. The second usage pattern is to use the same electronic coin multiple times. The third usage mode is to transfer the electronic coin to another user or use it multiple times.

An electronic coin that implements these functions in a second embodiment will be described below.

[Transfer of electronic coins]

A case will be described in which the user 200a transfers the electronic coin C issued by the processing procedure shown in FIG. 6B to the user 200b. However, it is assumed that the user 200b also has a usage permit obtained from a bank in the same manner as the user 200a. An example of the processing procedure between the user 200a and the user 200b is shown in FIG. 8A. A block diagram of the user 200a and the user 200b is shown in FIG. 9A. In the following, it is assumed that i-1°2, . . . , ni/2. Furthermore, in the following, all the variables with .
It is related to. In addition, unless otherwise specified, the meanings of variables shall follow the meanings defined so far.

Step S2: User 200a uses memory (MEM)
Usage permit Bi or Bi electronic coin C1 user information retrieved from 211 V8. Authentication information Xi.

Parameter information Ni and Li are transmitted to the user 200b.

Step S2: The user 200b uses a digital signature verifier (DIG SIG VERIFIER) 519
Mi = (Ni II Vi II
The validity of the bank's signature on Li) and the public key e
m= (Xll
L・llX+=zzllB111...i13/z)
The following verification formula (4
5) Calculate and check whether (46) holds true. 1
When using Peace Use Permit B, 2 (45') and (
46'). If this inspection fails, subsequent processing is canceled.

(Ni II Vi II Li) =V FaA(B
i) =B= mod n ・
...(45)(Xi11...II X1=zz II
B + It...tlBhz□)=VF, A(c1
=C”Amodn ・ ・ ・(46)・ ・ ・
(45') (x, II...1[χ+zzll B) =V F
,・A(c)=C1A mod n
・ ・ ・ (46′) Stenbu Si: In order to confirm whether the user information Vi and authentication information Xi sent from the transferor user 200a are the ones of the transfer hole, the user 200b Random number generator (RANII
The value ε5 extracted from OM GEN) 503 is sent to the user 200a as a question.

Step S4: The user 200a uses the received C1 and his own information Si retrieved from the memory (MEM) 211.
, Surplus from Ni (?l0D-POWER) 2
SiIIod N! using 22! Y+=Ri' using the remainder multiplier (MOD-MUL) 223 from the result and Ri and Ni read from the memory 211.
Si■odNt is obtained and Yi is sent to the user 200b as a response sentence.

Step S5: The user 200b receives εi and the received Vi
, Nr should be the remainder (MOD-POWEI?) 5
04 and enter Vi mod N.

This result and the received XI and Ni are manually input to the remainder multiplier (MOD-MUL) 513 to calculate X(-Vl s
od Nt is calculated, and on the other hand, the received Yi, Li and Ni are input into the modulus power visit (MOD-PCVER) 505 to calculate Yr.
sod N1 is calculated, and this result and the output of the remainder multiplier 513 are input to a comparator (cOMP) 506 to check whether they match. If they match, it is determined that Vi and X□ belong to the transfer hole 200a itself.

Step Si: The user 200b who accepts the transfer provides his/her usage permission testimony,..., 1i,... (or government)
The government, in order to have the signature of the transfer hole 200a attached.

...IL/□ (or official) is sent to the user 200a.

Step Si: The transfer hole 200a is the sent official.
・・r'fl＊y□ (or government), for example, the following formula (47)
Alternatively, using a signature device (DIG SIG GEN) 233 that calculates the digital signature function (47'), the user adds his/her own signature and sends it as a transfer certificate T to the transfer receiver 200b.

T= (f+ II -tl 13+/*)"'mod
Ni...(47)T-official1'31IlodNi・
(47') However, Ni uses a predetermined value for one i in the range 1≦i≦/2.

Step Sil: The user 200b uses the public key Ni of the user 200a and the received T to a digital signature checker (DI
G SIG VERIFIER) 51.9 Input to G and check the validity of T from k, although the following equation holds true. However, Ni is the value for one predetermined i mentioned above.

(f, II *yz in one mouth) =T' l1od
Nr...(48) Official-T' + l1od Nt
(48') If the user 200b passes this test, the user 200b considers the electronic coin C to be legitimate and receives it.

Next, a case will be described in which the user 200b makes a payment at the retail store 300 using the electronic coins transferred from the user 200a. An example of the processing procedure between the user 200b and the retail store 300 is shown in FIG. 8B. Retail store 300 and user 2
A block diagram of 00b is shown in FIG. 9B. Below, i
=l, . . . k/2.

Step Si2 user 200b has memory (MUM) 51
Reception information group (N.

Li, Vi, X□, Bi, Yi, C, T,) and their own information group (Ri, f:
i+, gt, εi) to the retail store 300.

Step Si゜: The retail store 300 uses a digital signature verifier (DIG SIG VERIFIER) 319A,
Publication 1 using 319 B! User 20 by e^
(Nt It vt
II The validity of the bank's signature on Lri r, = is also shown on the electronic coin C by the public key e/A (x, I
I...Xl+/□lB, II...1lB=z
The validity of the bank's signature on z) is expressed by both equations (45) and (
46). When using 1-piece usage permit B, it will be inspected by (45');(46'). Furthermore, it is shown on the transfer document T (f, ll...
The second official verified the validity of the user 200a's signature for 2) using a digital signature verifier (DIG) according to both formulas (4 days).
SIG VEi? IFIEi+) 319 Inspect from Cd. When using B, use the formula (48"I) to check.

Step Si: The retail store 300 further receives the received t i+
vi, Ni surplus visit (MOD-POWER)
314 to calculate Vl mod Ni, and the result and the received Xi and Ni are input to the remainder multiplier (MOD-MU
L) Input to 313 and calculate Xi·vjIlodNi. On the other hand, the received Yi, Ni, and Li are the remainder (
Moil-POWER) 315 and enter Y Hsod
Nt is calculated, and a comparator (cOMP) checks whether the result and the output of the remainder multiplier 313 are satisfied. If this formula holds true, the received information Vi and Xi are certain to be k
It is determined that the transfer hole belongs to user 20.0a himself.

Step Si: The retail store 300 further uses a digital signature verifier (DIG SIG VERIFIER) 319 D
The user 200 who accepts the transfer with the public key eA using
Q = = (FJr I
The validity of the bank's signature for f Vi Itfl't) is checked according to the following equation (50), which is similar to both equations (45). For 1 piece usage permit B, use (50”).

(t3i It'?III Ut) = V F
-a fofficial i 1-official l1lOdn... (50) rout = VF, A (f) = official #Amod n
・ ・ ・ (50') If this inspection fails, the subsequent processing is canceled.

Step Si3: The retail store 300 uses a timer (TI?
) The time taken from 321 is also calculated using a random number generator (RAN).
The value T retrieved from DO gate GEN) 303 and the identification information IDv of the retail store 300 are sent to the user 200b as an inquiry text qi. At the same time, the one-way function vector (f
-CAL) 322 inquiry statement q! Component Dv, t,
7. Input E=f (qt)=f (IDv, t,
ri).

Step S0: The user 200b receives the received qi=(ID
v, t, γ1) as a one-way function operator (f-CAL)5
22, and its output value E5-f (IDv, t,
Yt) and own information room retrieved from memory 511 =,
Surplus from Ri (MOD-POWER) 523
is used to calculate 3 h sod Q 1, and the remainder multiplier (
Using MOD-MOL) 524, Vi =? i
・Gi mad\Ji' --- Find (51), ? 'i is sent to the retailer as a response text.

Note that the lid 1 has a value that satisfies the relationship of the following equation (52),
After receiving electronic coin C from user 200a,
=) (, l1od pi ・ ・ ・
(52) Here, 1/death is t in the remainder N1! It is the inverse of the exponential component of , and satisfies the following formula. 1/″f:i is calculated from P i + Qi + f:8 by inverse calculation.

Step s+5: The retail store 300 uses the one-way function unit 322
The output value Ei of
POWER) 304 manually calculates ='Pod starvation, and the result and Xi, 'FJ'i are used in the remainder multiplier (MO
D-MUL) Enter x in 313, -Hsod f;
Get j+. Did you receive it on the other hand? Input 5, Q=, t= into the remainder power (MOD-POWER) 305 and press 9+
modRi is calculated, the result and the output of the remainder multiplier 313 are input to the comparator (GOMP) 306, and 9i
:Xi-= (mood 'Fjl) ...(
54) is established. If this test is passed, the information is recognized as belonging to the user 200b who is accepting the transfer, and the retail store 300 considers the electronic coin C to be legitimate and accepts it.

In this way, instead of using its own random number information Ri in step SI4, the use 42 o o b uses the lid 8 given by equation (52), which is a function of Xz, to write the response sentence of (45)? 'i is created, so the calculation of the test formula (54) in step SI5 performed by the retail store 300 requires the user 200a
authentication information Xi can be used.

In other words, the user 200b who uses the transferred electronic coin
There is no need for the user to present his or her authentication information Yt to the retail store 300.

Finally, a payment method between retail store 300 and bank 100 will be explained. An example of the processing procedure between the retail store 300 and the bank 100 is shown in FIG. 8C. A block diagram of the bank 100 and retail store 300 is shown in FIG. 9C.

Step S4: The retail store 300 stores memory (MEM) at a later date.
) 11.1, the information group regarding the user 200a (Nt, Li, Vt, Xi, Bi, Yi, C, T) and the information group regarding the user 200b and the retail store 300 (Q+, Ui, Vi, lit, 9+ ,ε!,
IDv, t+rt) to the bank 100 (i=
l,...,ni/2).

Step S+y: i! Row i 100 is a digital signature verifier (DIG SrG VERIFIER) 119
A, 119 User 2 with public key eA using B
00a usage permit Bi (Nt II Vi
The validity of the bank's signature on It L is also disclosed! (Xil+・
...lIX*z Spirit If B! 11...1lBhz
The validity of the bank's signature on □) is expressed by the previous equation (45), (
46). Furthermore, the validity of the signature of the user 200a for ([, II...1lfi,, □) shown on the transfer certificate T is verified using a digital signature verifier (DIG SIG VERrFIER) according to both equations (48).
119C. In the case of 1-piece usage permit B, the formulas (45'), (46'') and (4
8').

Step Si: Input εi, V i, N i as the remainder (MOD-POWER) 117 and enter vl
Calculate l1OdNi, and manually input the result, Ni, and Xi into the remainder multiplier (MOD-MUL) 118 to obtain Xi.
・Calculate Vi sod Ni. On the other hand, Yi, Ni, L
i is the remainder (Mol) - POWER) 103
V4 mad N( is calculated by inputting it to
The following formula Y+ =) (, Hvi
It is checked whether (mod Ni) holds. If this formula holds, the information Vi and Xi are definitely k transfer hole 20
It is determined that it belongs to 0a itself.

Step S4. : Indicated by the public key e using the digital signature test tool 119D in the use permission testimony of the transferee 200b, ? , : (Ni II Vi II Ui
) The validity of the bank's signature on both is checked using the same formula as both formulas (50). In the case of l-piece usage permit B, use the formula (
50'). Also, ql=(IDv.

t, r+) as a one-way function operator (f-CAL) 112
and calculate Ei=f (IDv, t, Tr).

Its output (IiE i and 1.Ri is the remainder of the visit (M
(ODPOWER) 11.4 and enter (nod Qr
is calculated, and the result and Xi, p+ are used in a remainder multiplier (MO
D-MUL) 115 to obtain Xi・, mod Q=.

direction? t, pi, i) i is the remainder (MOD-P
OWER) 113 to calculate 9(l1od
It is checked whether the following equation, which is the same as 54), holds true. If this formula holds true, it is determined that the information is definitely the k transfer acceptance 200b's own information.

Step S2゜: If the above inspection is passed, the user becomes 200.
Information submitted by a {Ni, Li, Vi, Xi.

Bi, Yi, C, T), user 200b and retail store 3
Information regarding 00 (Ni, deceased 1, 8. government, 9I, ε)
.

Note IDv, t, rtl (t-1,-, ni/2)! J 111 and pay the corresponding amount to the account IDv of the retail store 300.

In addition, the user 200a explained in the above-mentioned transfer of electronic coins
If the electronic coin is used illegally twice, as explained above, there will be two sets of Xi), and the double use will be detected by the processing flow of FIG. 2D in the bank 100. and the user is identified. On the other hand, in order to detect that the user 200b to whom the electronic coins have been transferred has illegally used the electronic coins twice, the bank must already store the same value in the received set (91.Xi). 111. If there are (7t, ,.

ViX (Yi/Y'i) = + Mimiya i (mod Ka,) It is possible to calculate the term ′i from .

(Repeated use of electronic coins) User 2 follows the steps in Figure 6B in the second embodiment.
A method for using the electronic coins obtained by 00 multiple times will be explained. Here, the usage procedure when the user 200 uses the electronic coin, which is allowed to be used k times, for the jth time (j≦K) is shown. This can be done either when transferring to another user 200 or when making a payment to the retail store 300, but here, the case where it is used for payment at the retail store 300 will be explained as an example. Here, an example of a processing procedure between the user 200 and the retail store 300 is shown in FIG. 10, and a block diagram of the user 200 and the retail store 300 is shown in FIG. 11. In the following, i=l, . . . /2.

Step Si: The user 200 sends (Ni, L+, ■+, Bi, Xt, C) retrieved from the memory 211 to the retail store 300.

Step S = The retail store 300 uses a digital signature verification device (DIG SIG VERIjrER) 319 A
and 319B, and the public key e is indicated in the license Bi of the user 200 (Nt II Vl I
The validity of the bank's signature on the electronic coin C (Xil...
・11L/z II B I II...llB*z□
) is expressed by both equations (40) and (4).
Inspect according to 1).

When using 1-piece use permit B, use the formula (40”) and (
41'). If this inspection fails, subsequent processing is canceled.

Step Si: Retail store 300 uses a timer (Tl gate Ei?)
The time t extracted from 321, the random number generator (RANDO
Random value γ extracted from M GEN) 303.

and retail store identification information IDp are sent to the user 200 as an inquiry text qi. At the same time, that information is input to the one-way function generator (f-CAL) 322 and E(=f
Calculate (I Dv, t, r+).

Step S4: The user 200 receives the iDv.

t T'i is inputted to the one-way function unit (f-CAL) 221, and the output value EI=f (IDv, t, it) information Si, Ni taken out from the memory 211 is expressed as the modulus east circuit (MOD- POWER) 222 and Simo
Calculate dNi. The calculation result, Ni, and later are obtained, and Yi and j are sent to the retail store 300 as a response to the retail store's inquiry. This is the eastern episode (M
Calculate it in advance using OD-P(lW[!R) 253 (you can also calculate it in advance and store it in memory (
b).

1/Li is the backlight as an exponential component of li in the remainder Ni, and is expressed as
Read from 1 and use the backlight calculator (rNV ELEM CAL
) 252 and calculate 1/L1. Also Xl
The function f, (Xi) is a one-way function operator (f-CAL)2
It is a one-way function with j as a parameter, which is executed by 51, and there are examples of implementation as follows, for example.

Here, f is an appropriate one-way function.

r, (X) = f (xll j) ・・−(
58) Step Si: The retail store 300 inputs the received j and the Xl read from the memory (MEM) 311 into the one-way function unit f-(cAL) 350, and uses the same formula as in equation (58) with j as a parameter. Calculate the function fj(Xi).

The output value Ei of the one-way function unit 322 and the received Vi, N
Input i to the modulus power (MOD-POWER) 304 to calculate Vl mod Nl, and use the result and fj
(Xi) and N1 as remainder multiplier (MOD-MOL) 3
13 and input f+(Xt) ・Vi (sod N
t) is obtained.

In addition, Yi, Nt, and Li are modulus East times (MOD-POW)
ER) 305 to calculate YillOdNi.

The outputs of the remainder exponentiation unit 305 and the remainder multiplier 313 are input to a comparator (GOMP) 306, and it is checked whether the following formula (%) holds true. If this formula holds true, the user 200 determines that he has correctly created the response sentence Yi using his own secret information Si, and the retail store 300 considers the electronic coin to be legitimate and receives it.

The processing procedures and functional block diagrams between the retail store 300 and the bank 100 are almost the same as in FIGS. 6D and 7D, respectively, so detailed explanation thereof will be omitted.

The difference from the processing procedure in FIG. 6D is that the number of uses j of the electronic coin C is added to the information sent from the retail store 300 to the bank 100 in step S4l. or,
In order to detect unauthorized double use of electronic coins in the bank 100, the received (
The set of values that are the same as Vl, Xi, j) is stored in memory 11.1.
(1≦j≦K),
The following processing is the same as SCt to SC5. In other words, information of the same value (Vi, Xi, j
), there are two sets of different other information corresponding to them &u(Ei.

yt) and (E', zo8) exist, and it becomes possible to calculate the corresponding secret information Si as described above. Since the SI contains identification information IDp, dual users can be identified.

[Transfer of electronic coin during j-th use] According to the second embodiment, it is also possible to combine the above-described electronic coin transfer and multiple uses.

A case will be described below in which the user 200a transfers the electronic coin C to the user 200b at the j-th use, and the user 200b uses it for payment at the retail store 300.

User 200a who is a transfer hole and user 2 who is a transfer acceptor
00b is shown in Figure 1.2A, and the functional block diagram of users 200a and 200b in that case is shown in Figure 1.2A.
Shown in Figure 3A. In the following, it is assumed that i=1°..., ni/2.

Step S2: First, the transfer hole 200a is a memory (MHM)
) 211 (Ni,
Li, Vt, Bl, Xi, C) are transmitted to the assignee 200b.

Step S2: The transferee 200b uses a digital signature verification device (DIG SIG VEi?TFIER) 519
A. Using 519B, the public key e is used to transfer the transfer hole 200a usage license BiC or M indicated in B).
,=Ni II vi II r, i or Ml,...
, M, k2, using the pre-verification formula (45) or (45'), and the public me'
X111...I shown in electronic coin C by a
I X++zz II B I II...IIB-/
- or Xil...11 X -y-II Pre-verify the validity of the bank's signature on
) to check each. If this inspection fails, subsequent processing is canceled.

Step S3: The transferee 200b uses a random number generator (RAN).
The random number εi generated from DOM GBN) 503 is sent to the transfer hole 200a as an inquiry text.

Step S4: The transfer hole 200a receives ε.

and inputs own information S+ and Nt read from the memory 211 into the modulus power (MOD-POWER) 222 and obtains ε.

Calculate SHl1od N4. The calculation results, Ni and Mon read out from the memory 211, and the remainder multiplier (MOD)
-MOL) 223 and enter <J> ε profit Yr ='? It is the same as that which was explained to the transferee mermaid by calculating r ・Si sod N1 and using YI as a response sentence along with j, and formulas (56) and (57).

It is stored in 211.

Step Si: The assignee 200b uses the received j and memory
Xi read out from the (MEM) 511 is input to a one-way function unit (f-CAL) 521, and a function fj (Xl) similar to the above-mentioned equation (58) with j as a parameter is calculated. On the other hand, the random number εi generated from the random number generator 503 and the received Vi, Ni are used as the remainder (MOD-POltE).
R) 504 to calculate VllodNi, and input the result and the outputs rj (xt) and Ni of the one-way function unit 521 to the remainder multiplier (MOD-MOL) 513 to calculate f i (Xi) ・Vi Obtain sod Nt. In addition, the received response sentence Yi and Ni read from the memory 511
, Li should be the remainder (?1OD-POER)505
Calculate Yi sod Ni by inputting . The comparator (
cOMP) Manually input to 506 Yimi f j (Xt) -
Vi (mod Ni)...(60) is checked to see if it holds true. If this formula holds, transfer hole 20
0a determines that k has correctly created the response sentence Yi using its own secret information Si.

Step Si: The transferee 200b then stores his/her usage permission testimony,..., government, 7□ (or government) in the memory 511.
, and send it to the transfer hole 200a.

Step Si: The transferor 200a is the receiving official,...g
, k2, <or government), for example, a signature device (DIG SIG
GBN) 233 to add his signature, and then sends the resulting T back to the transferee 200b as a certificate of transfer.

Step S2: The m-receiver 200b transfers the public key Ni of the transfer hole 200a and the received transfer certificate T to a digital signature checker (
DIG SIG VERIFIER) 519 C to check whether both formulas (48) hold true. In the case of a 1-piece use permit officer, the inspection is performed using formula (48”).

If this test is passed, the transferee 200b considers the j-th used electronic coin C to be legitimate and receives it.

Next, a case where the user 200b who is the transferee makes a payment at the retail store 300 using the electronic coin C transferred from the user 200a will be described. An example of the processing procedure between the user 200b and the retail store 300 is shown in FIG. 12B. In addition, the functional block diagram of the user 200b and the retail store 300 is shown in 13B.
As shown in the figure. In the following, it is assumed that i-1, . . . , and /2.

Step Si: User 200b uses memory (MEM)
The received information group (Ni, LiVH) read from 511
, XH, B (, Yh, C, T, j) and their own information group (F3r, death i, 9=-u positive, et) to the retail store 300.

Step Si゜: The retail store 300 uses a digital signature verification device (DIG SIG VEI?FIER) 319
Transfer hole 200a with public key eA using A and 319B
(Ni II V! It
The validity of the bank's signature on Li) and the public key e
(Xl It-It
xi,zzll B.

11... The validity of the bank's signature on IIB-/□) is verified according to both equations (45) and (46). In the case of 1 piece usage permit B, formula (45'), (46'
) to check. Furthermore, it was indicated on the transfer document T (Li
Digital signature verifier (DIGSIG VERIFIER) according to formula (48) 3 L 9 C
Inspect by. In the case of 1-piece usage permit B, use the formula (4
8').

Step Si1: The retail store 300 further receives the received εi.
Vi, come to my house to surplus NZ (MOD-POWEI?)
314 manually calculates V81IlodNI, and uses the result and the received Ni and Xl in a remainder multiplier (gate OD-Mtl).
L) Input to 313 to calculate Xi・VHmod Nr. On the other hand, the received Yi, Ni, and Li are manually transferred to the surplus power source (MooPOWER) 315.
N□ is calculated, and the result and the output of the remainder multiplier 313 are input to a comparator (GOMP) 316, and it is checked whether the following formula (%) holds true. If this formula holds true, it is determined that the received information Vi, Xi belongs to the user 200a, who is definitely the k transfer hole.

Step SI! : The retail store 300 also has a digital signature verification device (DIG SIG VEI? IFrER) 319
The public key e was shown in the user 200b's permission statement using D (R5If v″11i'f:+)
The validity of the bank's signature is checked according to formulas similar to both formulas (50). When using a one-piece license officer, a formula similar to formula (50') is used for inspection. If this inspection fails, subsequent processing is stopped.

Step Si. :The retail store is the user 200b who is the transferee.
A timer (T
IMER) 321 output time, random number generator (RAN)
DOM Gll! N) Random number T output from 303,
and the retail store identification information IDv are sent to the user 200b as an inquiry text qi. At the same time, the one-way function vector (f
- CAL) Input lDv and tTl to 322 and Ei -
Calculate f (IDv, t, It).

Step Si4: The user 200b receives the received 10°t,
γ'i is input to the one-way function generator (f, -CAL) 522, and its output EH=f (I Dv, t+ r
+) and my information room read from memory (MEM) 511.

R, is the remainder (MOD-POI4EI+) 52
3 to calculate gr sod 'f3i. Input the calculation result into the memo device (MOD-MUL) 524 and calculate the following formula, ? Let 'i be the response sentence, and satisfy the following formula with j in the same way as the retail store, calculate in advance and store it in memory 5.
It is stored in 11.

Step S+s: The retail store 300 uses the one-way function unit 322
Input the output Ei and the received v direct, ¥Ji to the remainder power (column 0D-POWER) 304 and get □-Od'Ri.
Calculate. On the other hand, received j and memory (?lEM)3
11 is read from
350 to calculate fJ(Xt), and the result and N
i and the output of the remainder exponent 304 are applied to the remainder multiplier (MO
D-MOL) Input to 313 fJ(Xi) ・
Obtain vIIIOd □. Did you receive it again? 1 and It・t
Is l given to the remainder (珂0O-PO匈ER) 305? , -0dN+ are calculated. This calculation result and the output of the remainder multiplier 313 are input to a comparator (cOMP) 306, and it is checked whether the following equation holds true. If this formula holds true, it is determined that the information belongs to the transferee 200b, and the retail store 30
0 considers the electronic coin C to be legitimate and receives it.

The processing procedures between the bank 100 and the retail store 300 and their functional block diagrams are not shown because they are almost the same as in FIGS. 8C and 9C. The difference is that the usage count information j received from the user 200b is also added to the group of information sent to the bank 100 in step Si6 of FIG. 8C. In order to detect unauthorized double use, the bank 100 checks whether the same set of values as the received information (Vi, Xi, j) exists in the memo 'J 111 in step S of FIG. 2D.
i6, and the following process is step Sc! -3cS is the same. In this way, the same information (Vi, Xi,
If there are two sets of information (Ei, Yi) and (E'i, Y'+) with different values corresponding to them, the corresponding secrets are Information S
Since it becomes possible to calculate i, dual users can be identified.

〔Effect of the invention〕

From the above, in this invention, by devising the protocol between the bank, the user, and the retailer, the function f, which was a problem with the conventional method, can be
It is possible to implement electronic cash that has the same functions as the conventional system without assuming non-interference between the two precepts.

In addition, if a usage permit is issued in advance and electronic coins are issued using that usage permit, the electronic coin issuance process only requires one blind signature creation procedure, reducing the processing burden. .

Furthermore, the present invention allows electronic coins to be transferred between users, which was not possible with conventional methods. In other words, a user who has been issued an electronic coin can transfer the electronic coin to another user. Here, if a user transfers used electronic coins to another user or transfers the same electronic coin to multiple users, the same coin may be transferred to
As in the case of repeated use, the confidential information of users who have fraudulently processed electronic coins will be exposed.

Furthermore, a method is also possible in which one electronic coin can be used multiple times within a certain number of times. Using this method, the user can reduce the amount of information held (equivalent to the amount of information when holding one coin) and obtain the same effect as holding a large number of coins.

[Brief explanation of drawings]

FIG. 1 shows a bank 100 and a user 20 to which this invention is applied.
FIG. 2A is a flowchart showing the electronic cash issuance processing procedure between the bank 100 and the user 200 in the first embodiment of the present invention, and FIG. 2B is the first embodiment. FIG. 2C is a flow diagram showing the processing procedure for using electronic cash between the user 200 and the retail store 300 in the first embodiment; FIG. 2D is a flow diagram showing the processing procedure between the bank 100 and the retail store 300 in the first embodiment. The figure is a flow diagram showing the double usage detection procedure performed by the bank 100 in FIG. 2C, and FIG. 3 is a functional block diagram of the user 200 in the first embodiment.
FIG. 4 is a functional block diagram of the bank 100 in the first embodiment, FIG. 5 is a functional block diagram of the retail store 300 in the first embodiment, and FIG. 6A is a functional block diagram of the bank 100 and users in the second embodiment of the present invention. 6B is a flowchart showing the processing procedure for issuing a usage permit between the bank 100 and the user 200 in the second embodiment, and FIG. 6C is a flowchart showing the processing procedure for issuing an electronic coin between the bank 100 and the user 200 in the second embodiment. FIG. 6D is a flowchart showing the electronic coin usage processing procedure between the user 200 and the retail store 300 in the second embodiment.
00 and the retail store 300, FIG. 7A is a functional block diagram of the bank 100 and the user 200 in FIG. 6A, and FIG. 7B is the bank 10 in FIG. 6B.
Functional block diagram of 0 and user 200, Figure 7C is 6C
The functional block diagram of the user 200 and the retail store 300 in FIG. 7D is the bank 100 and the retail store 3 in FIG. 6D.
00, FIG. 8A is a flow diagram showing the procedure for transferring electronic coins between users 200a and 200b in the second embodiment, and FIG. FIG. 8C is a flowchart showing the processing procedure of electronic coins transferred between the bank 100 and the retail store 300, and FIG. 9A is a flowchart showing the user 200a in FIG. 8A. The functional block diagram of 200b, FIG. 9B is the user 2 in FIG. 8B.
00b and a functional block diagram of the retail store 300, FIG. 9C is a functional block diagram of the bank 100 and the retail store 300 in FIG. 8C, and FIG. 11 is a flowchart showing the usage procedure for the user 200 in FIG. 10.
FIG. 12A is a functional block diagram of the retail store 300, and FIG.
．． Figure 2B is a flow diagram showing the procedure for using the transferred electronic coin that can be used multiple times, Figure 13A is a functional block diagram of users 200a and 200b in Figure 12A, and
Figure 3B shows user 200b and retail store 3 in Figure 12B.
00 is a functional block diagram. Patent application method

Claims (54)

[Claims] (1) A bank issues electronic cash to a user, the user uses the electronic cash to make a payment to a third party, and the bank has a relationship with the last party that has the used electronic cash. An electronic cash implementation method for making payments, which includes the following steps: A user (a) creates user information from confidential information including his or her identification information using a first one-way function; (b) a bank; (c) create authentication information using a second one-way function from the random number information; (d) send a blind signature to the information including the user information; (c) create authentication information from the random number information using a second one-way function; obtaining the signed authentication information by blindly signing the information including the authentication information; (e) the user information, the signed user information, the authentication information, and the signed authentication information; (f) The electronic cash information including the signed user information and the signed authentication information in the received electronic cash information is delivered to a third party as electronic cash issued by the bank; verify the validity of the information; (g) if the validity is verified, create a query and give it to the user; and (h) at least the confidential information created by the user and the Third
A response text is created using the inquiry text received from the person and is given to the third party, and the third party (i) collects the user information and the authentication information in the received electronic cash information; (j) if necessary, at least the electronic cash information and the third party; The inquiry text and the response text of the user are passed to a fourth party. (2) The bank includes the electronic cash information from the last party holding the used electronic cash, the inquiry text created by the third party, and the response text created by the user. When information is received for payment, the validity of the signed user information and the signed authentication information in the electronic cash information, and the validity of the user's response to the third party's inquiry. The electronic cash dispensing method according to claim 1, further comprising the step of inspecting the electronic cash dispensing method. (3) In the step for payment, it is checked whether a set of values that is the same as the set of the user information and the authentication information in the electronic cash information is in the information stored in the memory of the bank. 3. The electronic cash register according to claim 2, further comprising the step of: detecting fraudulent use of the electronic cash by the user; and storing information including the electronic cash information, the inquiry text, and the response text in the memory. Cash implementation method. (4) The user retains the signed user information as a usage permit issued by the bank, and the user sends information including the authentication information and the usage license to the bank whenever necessary. The user signs a blind signature, uses the signed authentication information obtained as an electronic coin issued by the bank, and when using the electronic coin, the user provides at least the usage permit to the third party, A set of information including the electronic coin, the user information, and the authentication information is provided as the electronic cash, and each third party and the bank receive the signed user information and the signed authentication information. 3. The electronic cash implementation method according to claim 2, further comprising the step of verifying the validity of the usage permit and the electronic coin. (5) The last party is the third party, the fourth party is the bank, and the inquiry text created by the third party includes identification information and time information of the third party. The electronic cash implementation method described in Section 4. (6) The third party has his own confidential information and his own usage license, and if the response from the user is valid, the third party can use his own usage license. 5. The electronic cash according to claim 4, further comprising the step of giving the electronic cash to the third party, the user signing the third party's use permit, and giving the signed use permit to the third party as a transfer document. Method of implementation. (7) The last party is the fourth party, and the fourth party receives at least the usage permit issued by the user, the electronic coin, the user information, and the third party. The fourth party receives the authentication information, the response text, the user's license issued by the third party, the user's user information, and the inquiry text, and the fourth party: verifying the validity of each of the permit and the electronic coin; verifying the validity of the response text of the user to the inquiry text of the third party; and verifying the validity of the usage permit of the third party; , the fourth party creates its own inquiry text and gives it to the third party, and the third party: verifies the inquiry text received from the fourth party and the third party's own confidential information. and information created from the authentication information of the user, and give it to the fourth party, and the fourth party: The fourth party verifies the validity of the response text of the third party using the inquiry text of the fourth party and the authentication information of the user, and the fourth party: , verifying the validity of the response text of the third party using the inquiry text of the fourth party and the authentication information of the user; the user's response text, the third party's usage permit, the third party's user information, the fourth party's inquiry text, and the third party's response text. 7. The electronic cash implementation method of claim 6, wherein information is provided to the bank. (8) The bank further includes a step of verifying the validity of the third party's response to the fourth party's inquiry, and the bank verifies the authentication information of the user and the third party's The method includes the step of detecting fraudulent use of the electronic coin by the third party by checking whether a set of values that is the same as a set of user information exists in the information stored in the memory of the bank. The electronic cash implementation method according to claim 7. (9) The bank permits the use of the electronic coin a predetermined number of times, and the user receives a request from the third party for the j-th use of the electronic coin, where i≦j≦k. In response to the inquiry text, the response text is created from the secret information of the user and information calculated from the authentication information of the user by a one-way function that changes with the value j as a parameter, and The response sentence is the value j
and the third party verifies the validity of the response text using the inquiry text, the authentication information of the user, the user information of the user, and the value j. 5. The electronic cash implementation method according to claim 4, further comprising the step of verifying and providing the value j in the information provided to the fourth party. (10) When the third party verifies that the response text from the user is valid, it gives the third party's use permit to the user, and the user receives the third party's use permit. 10. The electronic cash implementation method according to claim 9, further comprising the step of signing a certificate and giving it to the third party as a transfer certificate, and the third party verifying the validity of the transfer certificate. (11) The bank also receives the value j from the last party, and the bank stores in the memory of the bank a set of values that is the same as the set of the user information, the authentication information, and the value j. 11. The electronic cash implementation method according to claim 9, further comprising the step of detecting fraudulent use of the electronic coin by the user by checking whether the electronic coin is among the information that is being used. (12) The step of applying the blind signature to the information including the user information is: The user processes the information including the user information using a one-way blind signature preprocessing function using a disturbance random number as a variable to disturb the information. a step of providing the bank with user information; a step of the bank signing a part of the disrupted user information using a signature function and returning it to the user as the signed disrupted user information; The electronic cash implementation according to claim 1, 2 or 4, comprising: obtaining the signed user information by removing the influence of the random random number from the signed disturbed user information using a blind signature post-processing function. Method. (13) The user creates k pieces of secret information, where k is an integer of 2 or more, and creates k pieces of user information and disrupted user information corresponding to each of the k pieces of secret information. When the bank receives the k pieces of disrupted user information, it calculates a predetermined number of pieces of the disrupted user information and the secret information and the random number that were used to create the disrupted user information, respectively. The user is requested to give a set of creation data that includes the user, and the corresponding disturbance user information is calculated based on the set of creation data obtained from the user, and these calculation results indicate the disturbance received from the user. 13. The method of implementing electronic cash according to claim 12, further comprising the step of verifying that the respective pieces of user information match each other. (14) The part of the disrupted user information is used for a predetermined second number of disrupted user information other than those used in the verification among the k pieces of disrupted user information that the bank has received from the user. and the bank adds a signature to the predetermined second number of pieces of disrupted user information using the signature function, creates the signed disrupted user information, and provides it to the user. 14. The method of implementing electronic cash according to claim 13. (15) The step of blindly signing the information including the user information and the step of blindly signing the information including the authentication information include the following steps: The user: Each includes the identification information ID_p. The secret information S
Create k pieces of _i, where k is an integer of 2 or more, create k pieces of the random number information R_i, and use the first and second one-way functions from the k pieces of the secret information and the k pieces of the random number information. By creating k pieces of user information V_i and k pieces of authentication information X_i, respectively, and giving each of the k pieces of user information V_i as a variable to a unidirectional first blind signature preprocessing function, The k pieces of perturbed user information W_i that have been subjected to the perturbation process are created, and a unidirectional second
The corresponding k pieces of perturbed authentication information Z_, each of which has been perturbed by giving it to a blind signature preprocessing function.
i, and create these k pieces of disrupted user information W_i,
and k pieces of the perturbed authentication information Z_i to the bank, and the bank: Upon receiving each k set of the perturbed use information W_i and the perturbed authentication information Z_i, each of the k pieces of perturbed authentication information Z_i is preliminarily selected from among them. Decided first number k_1
select the disturbed user information and the disturbed authentication information,
The first information containing the secret information S_i and the random number information R_i used by the user to create the selected perturbed user information and the perturbed authentication information, respectively.
the user: specifies the first number k_1 of information sets specified by the bank and requests the user; the user: gives the bank the first number of information sets specified by the bank; calculate perturbed user information W_i corresponding to the first number k_1 and perturbed authentication information Z_i corresponding to the first number from the set of information obtained;
It is verified that the calculated perturbed user information W_i and the calculated perturbed authentication information Z_i match the corresponding ones of the selected perturbed user information W_i and the perturbed authentication information Z_i, and received. It is confirmed that the identification information ID_p of the user is included in all the secret information S_i in the information set, and the k pieces of the disturbed user information W_i received from the user are Among them, a predetermined second number k_2 of the disrupted user information other than the selected k information is signed using a first signature function to create the second number k_2 of signed disrupted user information Ω_i. and a second signature function for each of the second number k_2 pieces of perturbed authentication information other than the selected k_1 pieces of the k pieces of perturbed authentication information Z_i received from the user. , the second number of pieces of signed perturbed authentication information ■_i are created and given to the user, and the user: The received signed perturbed user information Ω
_i and the signed disturbed authentication information ■_i are subjected to disturbance removal processing using the first and second blind signature post-processing functions, respectively, and k_2 pieces of the signed user information B are obtained.
_v_i and the signed authentication information B_x_i, all processes related to the signed user information and the signed authentication information in the use of the electronic cash are the signed use of the second number k_2. claim 1, wherein the method is executed for user information and the signed authentication information of the second number k_2.
Electronic cash implementation method described in section. (16) The user has k prime numbers L_i, k pairs of secret prime numbers P_i, Q_i, and k prime number products P_i×Q_i.
= N_i, and create the user information V_i and the authentication information X_ from the secret information S_i and the random number information R_i.
Claim 15 includes the step of calculating i by the first and second one-way functions represented by the following formulas ▲ There are mathematical formulas, chemical formulas, tables, etc. electronic cash implementation method. (17) The last party is the third party, the fourth party is the bank, and the user uses k_2 sets of {V_
i, B_v_i, Query information E_i is calculated for k_2 i's, and the user calculates k_2 query information E_i from the received query q_i by the query function E_i=f(q_i), which is expressed by the following formula. k_2 response sentence Y_i=R_i・S_i＾E＾imodN_i
The third party uses the received response sentence Y_i to formulate a verification formula expressed by the following formula, Y_i≡X_i・V_i＾E＾i (modNi) is k_
17. The method for implementing electronic cash according to claim 16, further comprising the step of verifying the validity of the response sentence Y_i by verifying that the response sentence Y_i is true for all two i's. (18) The third party is responsible for the payment of electronic cash.
The electronic cash information for all _2 i {V_
i, B_v_i, Formula Y_i^L^i≡X_i・V_i^E^i (modN_
18. The electronic cash implementation method according to claim 17, further comprising the step of verifying the validity of the response sentence Y_i to the inquiry sentence q_i by verifying that i) holds true for all k_2 i's. (19) The bank checks whether a set of the same values as the set of the user information and the authentication information {V_i, X_i} received from the third party exists in the bank's memory, and if not; stores the information received from the third party in the memory, reads out the corresponding inquiry sentence q'_i and response sentence Y'_i stored in the memory, if any, and uses the read inquiry sentence q '_i to inquiry information E'_
Calculate i=f(q′_i), solve the integers α and β that satisfy the following formula α・L_i+β(E_i−E′_i)=1 using Euclidean algorithm,
Furthermore, the following formula V_i^α・(Y_i/Y'_i)^βmodN_i=
19. The electronic cash implementation method according to claim 18, further comprising the step of calculating secret information S_i from S_i, and obtaining identification information ID_p of the user who fraudulently used the electronic cash from the calculated secret information S_i. (20) The step of obtaining the use permit is for the user to: create k pieces of secret information S_i, each of which includes the identification information, where k is an integer of 2 or more; Disruption processing is performed by creating k pieces of user information V_i using a first unidirectional function, and giving information M_i including each of the user information V_i as a variable to a unidirectional first blind signature preprocessing function. The corresponding k disturbed user information W_i
and gives it to the bank, and when the bank receives the k pieces of the disturbed user information W_i, a first predetermined number k_1 of the disturbed user information W_i smaller than k is selected from among them. and requests the user to specify a set of information including the secret information S_i used by the user to create the selected disrupted user information, and the user: the bank; The specified first number k_
1 of the information sets to the bank, and the bank: calculates the first number k_1 of corresponding disrupted user information W_i based on the received information set, and calculates the calculated disrupted user information W_i. is the selected disrupting user information W
verifying that the identification information ID_p of the user is included in all the secret information S_i in the received information set; k pieces of disturbed user information W received from users
A predetermined second number k_2 of the disturbed user information other than the selected k_i pieces of _i is signed using the first signature function to create k_2 pieces of signed disturbed user information Ω_i, and the above-mentioned The user: performs disturbance removal processing on each of the received k_2 pieces of the signed disturbed user information Ω_i by a first blind signature post-processing function to obtain k_2 pieces of the signed user information B_v_i. 5. The electronic cash implementing method according to claim 4, further comprising the step of obtaining the k_2 pieces of signed user information as the usage permit issued by the bank. (21) The electronic coin is issued when the user creates k_2 pieces of random number information R_i, and from the second number k_2 of the random number information R_i, the second
Create k_2 pieces of authentication information X_i using a one-way function, and use information m including k_2 usage permits B_i and k_2 pieces of authentication information X_i as variables before performing a unidirectional second blind signature. The disturbed authentication information Z is created by giving it to a processing function and is given to the bank, and the bank performs a second process on the given disturbed authentication information Z.
Sign using the signature function and create the above-mentioned signed disturbance authentication information■
is created and given to the user, and the user performs disturbance removal processing on the signature-attached disturbance authentication information (2) using a second blind post-processing function, and transfers the signature mound authentication information to the electronic coin C. 21. The electronic cash dispensing method according to claim 20, comprising the step of obtaining as: (22) The user has k prime numbers L_i, k pairs of secret prime numbers P_i, Q_i, and k prime number product N_i=P_i
×Q_i is created, and k pieces of user information V_i are calculated from k pieces of secret information S_i by the first one-way function V_i=S_i^L^imodN_i, i=l,...・
, k. (23) In the following, the k_2 i's are i=l,...
・, k_2, the user has the authentication information X_
i is expressed as follows: X_i=R_i^L^imodNi, i=l,...
k_2 by the second unidirectional function represented by k_2
23. The electronic cash implementation method according to claim 22, including the step of creating two electronic cash. (24) The last party is the third party, the fourth party is the bank, and the user uses the electronic coin C and k_2 usage permits B_i. and k_2 pieces of said user information V_i
, the electronic cash information including the k_2 pieces of the authentication information X_i, the k_2 pieces of the prime number L_i, and the k_2 pieces of N
_i to the third party, and the third party creates k_2 query sentences q_i and gives them to the user, and also generates k_2 query information E_i using the query function E_i=f(q_i). The user creates query text information E_i from the given query text q_i using the query text function, and uses the query text information E_i, the secret information S_i, and the random number information R_i to form the following formula Y_i. =R_i・S_i^E^imodN_
i, i=l, . . . , k_2, k_2 response sentences Y_i are created and the third
and the third party receives the inquiry text information E_i created by himself and the user information V given by the user.
Using __i and the authentication information X_i, the following formula Y_i^L^i≡X_i・V_i^E^i (modN_
24. The electronic cash implementation according to claim 23, further comprising a step of verifying the validity of the response sentence Y_i by establishing i), i=l,..., k_2, and authenticating the electronic coin as valid. Method. (25) The third party sends information including the electronic cash information V_i, X_i, B_i, C, N_i, the prime number L_i, the inquiry text q_i, and the response text Y_i for the payment of the electronic coin. The bank uses the verification formula Y_i^L^i≡X_i・V_i^E^i (modN_
25. The electronic cash implementation method according to claim 24, further comprising the step of verifying the validity of the response sentence Y_i to the inquiry sentence q_i by establishing i), i=l, . . . , k_2. (26) The bank checks whether a set of values identical to the set of the user information and the authentication information {V_i, X_i} received from the fourth party exists in the memory of the bank, and if it does not stores the information received from the fourth party in the memory, reads out the corresponding inquiry sentence q'_i and response sentence Y'_i stored in the memory, if any, and uses the read inquiry sentence q '_i to inquiry information E'_
Calculate i=f(q'_i), solve the integers α and β that satisfy the following formula α・L_i+β(E_i−E′_i)=1 by Euclidean mutual elimination method, and further calculate the following formula V_i^α・(Y_i/ Y′_i) mod N_i=S_
26. The electronic cash implementation method according to claim 25, further comprising the step of calculating secret information S_i from i, and obtaining identification information ID_p of the user who fraudulently used the electronic coin from the calculated secret information S_i. (27) The last party is the fourth party, and the user provides the electronic cash information {V_i, X_i, B_i, C
}, N_i, and the prime number L_i are given to the third party, the third party creates k_2 of the query sentences ε_i and gives them to the user, and the user receives the query sentences ε_i and the random number information R_
Using i and the secret information S_i, the following formula Y_i=R_i
・S_i^ε^imodN_i, i=l,..., k_
2, create k_2 response sentences Y_i and write the third response sentence Y_i.
and the third party gives the following formula Y_i^L^i≡X_i・V_i^ε^i (modN_
i), i=l, ..., k_2 is established, the validity of the response sentence Y_i is verified, and the user is given the k_2 use licenses ■_i that he/she owns, and 28. The electronic computer according to claim 27, further comprising the step of: the person attaching a signature to the third party's use permit ■_1, ..., ■_k_z received, creating a transfer certificate T, and giving it to the third party. Cash implementation method. (28) When using the electronic coin, the third party collects N_i, L_i, and the electronic cash information {V_i,
_i, B_i, C}, the transfer certificate T, the inquiry text ε_i, the response text Y_i, the third party's use permit ■_i, and the third party's use permit ■_i. Public prime number product ■_i, prime number ■_i, of the third party involved in
The user information ■_i is given to the fourth party, and the fourth party uses the following formula Y_i^L^i≡X_i・V_i^ε^i (modN_
i), i=l, . f(q_i) to calculate the query sentence information E_i, and the third party calculates the query sentence function E_i from the given query sentence q_i.
=f(q_i) to calculate the query information E_i and use the following formula: ■_i=X_i^1^/■^imod■_i■_i=■
A response sentence ■_i is created from ___i・■_imod■_i, i=l, ..., k_2 and given to the fourth party, and the fourth party uses the user's authentication information X_i to formulate the following formula: ■＿i≡X_i・■＿i (mod ■＿i), i=l,・
28. The electronic cash implementation method according to claim 27, further comprising the step of verifying the validity of the third party's response text ■_i by establishing k_2. (29) The fourth party provides the electronic cash information {V_i, X_i, B_i
, C}, the user's information N_i, L_i, Y_i, the transfer certificate T, and the third party's information {■_i, ■_i
, ■_i, ■_i, ε_i, ■_i} and the inquiry text q_i from the fourth party are given to the bank, and the bank creates a verification formula expressed by the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼ ▲ Mathematical formula, 29. The electronic cash implementation method according to claim 28, further comprising the step of verifying the validity of the user's response Y_i and the third party's response ■_i by establishing ▼. (30) The bank checks whether a set of the same values as the set of the user information and the authentication information {V_i, X_i} received from the fourth party exists in the memory of the bank, and if it does not exist. stores the information received from the fourth party in the memory, reads out the corresponding inquiry sentence q'_i and response sentence Y'_i stored in the memory, if any, and uses the read inquiry sentence q '_i. Calculate the inquiry information E′_i=f(q′_i) from
Solve the integers α and β that satisfy the following formula α・L_i+β(E_i−E′_i)=1 using the Euclidean algorithm, and further calculate the secret information S_i from the following formula V_i・(Y_i/Y′_i) mod N_i=S_i. , the calculated secret information S_
30. The electronic cash implementation method according to claim 29, further comprising the step of obtaining identification information ID_p of the user who fraudulently used the electronic coin from among the users i. (31) Said bank receives said third party from said fourth party.
It is checked whether a set of the same value as the set of the user information ■_i of the user and the authentication information X_i of the user {■_i, X_i} is stored in the memory of the bank, and if not, storing the received information in the memory, and storing the corresponding fourth information stored in the memory, if any;
The third party's inquiry sentence q'_i and the third party's response sentence ■_i are read out, and the read inquiry sentence q'_
Calculate the inquiry information E′_i=f(q′_i) from i, solve the integers α and β that satisfy the following equation α・■_i+β・(E_i−E′_i)=1 using Euclidean algorithm,
Furthermore, the following formula ■_i^α・(■_i/■_i) mod ■_i=■_i
Calculate the secret information ■_i from, and calculate the secret information ■
31. The electronic cash implementation method according to claim 29 or 30, further comprising the step of obtaining identification information of the third party who fraudulently used the electronic coin from _i. (32) The bank allows the use of the electronic coin a predetermined number of K times, the last party is the third party, the fourth party is the bank, and the user is j-th time of the electronic coin, where 1≦j≦
k, to the third party in the use of the electronic cash information {V
_i, X_i, B_i, C} and information {N_i, L_i}
and the third party creates the query sentence q_i and gives it to the user, and also creates the query sentence function E_i=f(q_i)
The user calculates the query sentence information E_i from the query sentence q_i by calculating the query sentence function E_i=
Calculate the query information E_i using f(q_i), create the response text Y_i from the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼, ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼ and send it to the third party. where f_j(X_i) is a function of X_i that changes with j as a parameter, and the third party is expressed by the following formula Y_i^L^i≡f_J(X_i)・V_i^E^i(
24. The electronic cash implementing method according to claim 23, further comprising the step of verifying the validity of the response sentence Y_i by establishing the following: modN_i), i=l, . . . , k_2. (33) The bank permits the use of the electronic coin a predetermined number of K times, and the user uses the electronic coin for the j-th time, where 1≦j≦k,
the electronic cash information {V_i, X_i, B_i, C}
and the information {N_i, L_i}, the third party creates the query ε_i and gives it to the user, and the user uses the query ε_i to calculate the following formula ▲ mathematical formula, chemical formula, table, etc. There are ▼, ▲There are mathematical formulas, chemical formulas, tables, etc.▼ Create the response sentence Y_i and give it to the third party together with j, where f_j (X_i) is a function of X_i that changes with j as a parameter, The third party verifies the validity of the response sentence Y_i by establishing the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc.
1, . 24. The method of implementing electronic cash according to claim 23, including the step of providing the electronic cash to a person. (34) The last party is the fourth party, and the third party uses the electronic cash information {V_i, X_i, B_i, C} and the user information {N_i, L_i, T, Y_i, j} and the information of the third party {■_i, ■_i, ■_i, ε_i} are given to the fourth party, and the fourth party gives the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼ is established, the validity of the user's response sentence Y_i is verified, a query sentence q_i is created and given to the third party, and query sentence information E_i is calculated using the query sentence function E_i=f(q_i). , the third party calculates the query statement function E from the query statement q_i from the fourth party.
Calculate the query information E_i using _i=f(q_i) and create the response sentence ■_i using the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼, ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼ Claim 33, further comprising the step of verifying the validity of the third party's response statement ■_i by providing the fourth party with the following formula ▲There is a mathematical formula, a chemical formula, a table, etc.▼. electronic cash implementation method. (35) The bank receives the electronic cash information {V_i, X_i,
B_i, C) and the user's information {N_i, L_i
Yi, j) and the third party's query q_i, the query function E_i=f(q_
Inquiry information E_i is calculated according to i), and a set of the user information V_i, the authentication information X_i, and the j is set {V_
i,
_i and the user's response sentence Y_i are read out, and inquiry sentence information E'_i=f(q'i) is calculated from the read inquiry sentence q'_i, and the following formula α・L_i+β・(E_i−E '_i)=1, i=1,
..., k_2 The integers α and β that satisfy k_2 are solved by Euclidean algorithm, and further the following formula V_i^α・(Y_i/Y′_i) mod N_i=S_
Calculate secret information S_i from i, i=1, ..., k_2, and use the calculated secret information S
33. The method for distributing electronic cash according to claim 32, further comprising the step of obtaining identification information ID_p of the user who fraudulently used the electronic coin from _i. (36) The step of applying the blind signature to information including the user information includes: the user creating k pieces of the secret information S_i, each of which includes the identification information, where k is an integer of 2 or more; Create k pieces of user information V_i from the k pieces of secret information S_i using the first unidirectional function, and use the information M_i including each user information V_i as a variable to create the unidirectional first
The corresponding k pieces of perturbed user information W_ which have been perturbed by giving them to the blind signature pre-processing function.
i and give it to the bank, and when the bank receives the k pieces of disrupted user information W_i, a predetermined first
selects k_1 pieces of the perturbation use information, and requests the user to specify a set of information including the secret information S_i used by each user to create the selected perturbation user information. , the first number k_1 specified by the bank by the user
providing said set of information to said bank, and calculating said first number k_1 of corresponding disrupted user information W'_i by said set of information received by said bank;
It is verified that the calculated disrupted user information W′_i matches the corresponding one of the selected disrupted user information W_i, and all of the secret information S_i in the received set of information are The identification information ID_ of the user
p is included, and from the predetermined second number k_2 of the disturbed user information other than the selected k_1 among the k pieces of disturbed user information W_i received from the user. The obtained multi-disturbed user information is signed using the first signature function to obtain signed disrupted user information Ω.
creating and giving to the user, and performing a disturbance removal process on the signed disturbed user information Ω received by the user using a first blind signature post-processing function to obtain the signed user information B. 5. The electronic cash implementation method according to claim 4, wherein the user uses the signed user information B as the usage permit issued by the bank. (37) The electronic coin is issued by the user creating k_2 pieces of the random number information R_i, creating k_2 pieces of the authentication information X_i from them using a second one-way function, and generating the k_2 pieces of the authentication information X_i. Information for X_i
and information m including the usage permit B as variables to a unidirectional second blind signature preprocessing function to create the disrupted authentication information Z and give it to the bank, and the bank Second for disturbance authentication information Z
Sign using the signature function and create the above-mentioned signed disturbance authentication information■
is created and given to the user, and the user performs disturbance removal processing on the signed disturbed authentication information, ■, using a second blind signature post-processing function, and converts the signed authentication information into the electronic 37. The method of implementing electronic cash according to claim 36, comprising the step of obtaining as coin C. (38) The user has k prime numbers L_i, k pairs of secret prime numbers P_i, Q_i, and k prime number product N_i=P_i
xQ_i, and calculate k pieces of user information V_i from k pieces of secret information S_i using the following formula V_i=S_i^L^imodN_i, i=1,...
, k. (39) In the following, the k_2 i's are i=1,...
・If k_2, the user uses the authentication information X_i
The following formula X_i=R_i^L^imodNi, i=1,...
39. The electronic cash implementation method of claim 38, comprising the step of creating the second unidirectional function represented by k_2. (40) The last party is the third party, the fourth party is the bank, and in using the electronic coin C, the user receives the electronic coin C and the usage permit B, k_2 the electronic cash information including k_2 pieces of the user information V_i and k_2 pieces of the authentication information X_i;
The two prime numbers L_i and k_2 N_i are
and the third party creates the query sentence q_i and gives it to the user, and also generates the query sentence function E_i=f(q_i).
The user calculates k_2 pieces of query information E_i by using the query function from the given query q_i, and calculates the query information E_i, the secret information S_i, and the secret. Using the random number information R_i, the following formula Y_i=R_i・S_i
^E^imodNi, i=1, ..., k_2 to create k_2 response sentences Y_i and write the third response sentence Y_i.
and the third party provides the query information E_i that he or she has created,
Using the user information V_i given by the user and the authentication information X_i, the following formula Y_i^L^i≡X_i・V_i^E^i (modN_
40. The electronic cash implementation method according to claim 39, further comprising the step of verifying the validity of the response sentence Y_i by establishing i), i=1, . . . , k_2. (41) The third party provides the bank with information including the electronic cash information V_i, X_i, B, C, N_i, the inquiry text q_i, and the response text Y_i in order to settle the electronic coin. , the bank uses the following verification formula Y_i^L^i≡X_i・V_i^E^i(modN_
41. The electronic cash implementation method according to claim 40, further comprising the step of verifying the validity of the response sentence Y_i to the inquiry sentence q_i by establishing i), i=1, . . . , k_2. (42) The bank checks whether a set of values identical to the set of the user information and the authentication information {V_i, X_i} received from the fourth party exists in the memory of the bank, and if it does not stores the information received from the fourth party in the memory, reads out the corresponding inquiry sentence q'_i and response sentence Y'_i stored in the memory, if any, and uses the read inquiry sentence q '_i to inquiry information E'_
Calculate i=f(q'_i), solve the integers α and β that satisfy the following equation, α・L_i+β(E_i−E′_i)=1, using the Eurid algorithm, and then solve the following equation, V_i^α・( Y_i/Y′_i)^βmodNi=S
42. The electronic cash implementation method according to claim 41, further comprising the step of calculating secret information S_i from the calculated secret information S_i and obtaining identification information ID_p of the user who fraudulently used the electronic coin from the calculated secret information S_i. (43) The last party is the fourth party, and in giving the electronic coin to the third party, the user provides the electronic cash information {V_i, X_i, B, C}, N_i, and the The third party is provided with information including the prime number L_i, and the third party creates k_2 of the query sentences ε_i and gives them to the user, and the user combines the query sentences ε_i and the secret random number information R_i. Using the secret information S_i, the following formula Y_i=R
_i・S_i^ε^imodN_i, i=1,...
k_2 creates k_2 response sentences and gives them to the third party, and the third party uses the following formula Y_i≡X_i・V_i^ε^i (mod N_i), i
= 1, ..., k_2 is established to verify the validity of the response sentence,
Give the usage permit ■ that you own to the user, and the user attaches his signature to the third party's usage license ■ that he has received, creates a transfer document T, and gives it to the third party. 40. The electronic cash dispensing method of claim 39, comprising the steps of: (44) When using the electronic coin, the third party collects N_i, L_i, and the electronic cash information {V_i, X_
i, B, C}, the transfer certificate T, and the inquiry text ε_
i, the response text Y_i, and the third party's license■
and the prime number product ■_i, prime number ■_i, and user information ■_i of the third party who was involved in the creation of the third party's use permit ■ to the fourth party, and the fourth party The validity of the user's response Y_i is verified by establishing the formula ▲There are mathematical formulas, chemical formulas, tables, etc.▼, and a query sentence q_i is created and given to the third party, and the query sentence function E_i= f(q_i) to calculate the query sentence information E_i, and the third party calculates the query sentence function E_i from the given query sentence q_i.
Calculate the query information E_i using =f(q_i) and use the following formula: ■_i=X_^1^/^■^imod■_i■_i=■
＿i・■＿i＾E＾imod■＿i, i=1,...
A response sentence ■_i is created from k_2 and given to the fourth party, and the fourth party uses the user's authentication information ), i
=1,...,k_2 The electronic cash implementing method according to claim 43, further comprising a step of verifying validity. (45) The fourth party provides the electronic cash information {V_i, X_i, B, C
}, the user's information N_i, L_i, Y_i, the transfer certificate T, and the third party's information {■_i, ■_i, ■
＿i, ■, ε_i, ■_i} and the information of the fourth party are given to the bank, and the bank calculates the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼, ■＿i≡X_i・■＿i＾E＾i( 45. The electronic cash implementation method according to claim 44, further comprising the step of verifying the validity of the user's response Y_i and the third party's response Y_i by establishing mod ■_i). (46) The bank checks whether a set of values that are the same as the set of the user information and the authentication information {V_i, X_i} received from the fourth party exists in the memory of the bank, and if not; stores the information received from the fourth party in the memory, reads out the corresponding inquiry sentence q'_i and response sentence Y'_i stored in the memory, if any, and uses the read inquiry sentence q '_i to inquiry information E'_
Calculate i=f(q'_i), solve the integers α and β that satisfy the following formula α・L_i+β(E_i−E′_i)=1 by Euridian algorithm, and further calculate the following formula V_i^α・(Y_i/Y ′_i)^βmodN_i=
Claim 45, further comprising the step of calculating secret information S_i from S_i and obtaining identification information ID_p of the user who fraudulently used the electronic coin from the calculated secret information S_i.
Electronic cash implementation method described in section. (47) Said bank received said 13 from said fourth party.
It is checked whether a set of the same value as the set {V_i, X_i} of the user information ■_i of the user and the authentication information stored in the memory the corresponding fourth information stored in the memory, if any;
The third party's inquiry sentence q'_i and the third party's response sentence ■_i are read out, and the read inquiry sentence q'_i is read out.
Calculate the inquiry information E′_i=f(q′_i) from
Solve the integers α and β that satisfy the following formula α・■_i+β・(E_i−E′_i)=1 using Euclidean algorithm, and then use the following formula ■_i^α・(■_i/■_i)^βmod ■＿i =
Claim 45 or 46, comprising the step of calculating secret information ■_i from ■_i and obtaining identification information of the third party who fraudulently used the electronic coin from the calculated secret information ■_i.
Electronic cash implementation method described in section. (48) The bank allows the electronic coin to be used a predetermined number of times, the last party is the third party, the fourth party is the bank, and the user is j-th time of the electronic coin, where 1≦j≦
k, to the third party in the use of the electronic cash information {V
_i,
The user calculates the query sentence information E_i from the query sentence q_i by calculating the query sentence function E_i=
Calculate the query information E_i using f(q_i), create the response text Y_i from the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼, ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼ and send it to the third party. j, where f_j (X_i) is a function of X_i that changes with j as a parameter, and the third party is the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼. 40. The method of implementing electronic cash according to claim 39, further comprising the step of verifying the validity of the electronic cash. (49) The bank allows the use of the electronic coin a predetermined number of k times, and the user does not use the electronic coin for the j-th time, 1≦j≦k, and
the third party provides the electronic cash information {V_i, Using the sentence information ε_i, create the response sentence Y_i using the following formula ▲There are mathematical formulas, chemical formulas, tables, etc.▼, ▲There are mathematical formulas, chemical formulas, tables, etc.▼ and give it to the third party together with j, where f_j (X_i) is a function of X_i that changes with j as a parameter, and the third party verifies the validity of the response sentence Y_i by establishing the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼, Give the usage license ■ held by the third party to the user, and the user uses his own prime number product N_i to attach his signature to the usage license ■ of the third party and transfer it as a transfer document T. 40. The method of implementing electronic cash according to claim 39, including the step of providing to said third party. (50) The last party is the fourth party, and the third party uses the electronic cash information {V_i, X_i, B, C} and the user information {
N_i, L_i, T, Y_i, j} and the third party's information {■_i, ■_i, ■, ε_i} are given to the fourth party, and the fourth party converts the following formula ▲ mathematical formula, chemical formula, table, etc. If ▼ is established, the validity of the user's response sentence Y_i is verified, a query sentence q_i is created and given to the third party, and the query sentence information E_i is generated using the query sentence function E_i=f(q_i). The third party calculates the query statement function E from the query statement q_i from the fourth party.
Calculate the query information E_i using _i=f(q_i) and create the response sentence ■_i using the following formula ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼, ▲ There are mathematical formulas, chemical formulas, tables, etc. ▼ and the fourth party has the following formula ■_i≡X_i, ■_i^E^i (mod ■_i), i
50. The electronic cash implementation method according to claim 49, further comprising the step of verifying the validity of the third party's response text ■_i by establishing the following: =1, . . . , k_2. (51) The bank receives the electronic cash information {V_i, X_i,
B, C} and the user's information {N_i, L_i, Y_
i, j} and the third party's inquiry sentence q_i, the inquiry sentence function E_i=f(q_i
) to calculate the query information E_i, and calculate the set of the user information V_i, the authentication information X_i, and the j {V_i
,
_i and the user's response sentence Y_i thereto are read, and inquiry sentence information E'_i is obtained from the read inquiry sentence.
= f(q'_i) is calculated and the following formula α・L_i+β・(E_i−E′_i)=1i=1,・
..., k_2 The integers α and β that satisfy k_2 are solved by Euclidean algorithm, and further the following formula V_i^α・(Y_i/Y'_i)^β mod N_i
Claim 4 comprising the step of calculating secret information S_i from =S_i and obtaining identification information ID_p of the user who fraudulently used the electronic coin from the calculated secret information S_i.
The electronic cash implementation method described in Section 8. (52) Creating confidential information including identification information in a user device that implements electronic cash in which a bank issues electronic cash to a user and the user uses the electronic cash to pay a third party. secret information creation means; user information creation means for creating user information from the secret information output from the secret information creation means using a first one-way function; a first blind signature preprocessing means for generating perturbed user information by performing unidirectional blind signature preprocessing on information including the user information that has been obtained; and a signed perturbation in which the bank signs the perturbed user information. blind signature post-processing means for removing disturbances from user information to create signed user information; secret random number information generation means for generating secret random number information; and said secret random number information output from said secret random number information generation means. authentication information creation means for creating authentication information using a second one-way function from the above, and one-way blind signature preprocessing for information including the authentication information output from the authentication information creation means. a second blind signature pre-processing means for generating perturbed authentication information by performing the following steps; A user device comprising: blind signature post-processing means; and response text creation means for creating a response text using at least the secret information in response to the inquiry text from the third party. (53) The second blind signature preprocessing means includes a connecting means for connecting the authentication information and the signed user information to create a connected sentence, and perturbing the connected sentence with a random number to use the perturbed sentence. 53. The user device according to claim 52, further comprising a unidirectional preprocessing function unit for creating user information. (54) The user device according to claim 53, further comprising a one-way signature function unit for the user to add a signature to the signed user information provided by the third party.