JPH0586699B2 - - Google Patents

Description

[Detailed Description of the Invention] "Industrial Application Field" This invention is a communication system that transmits and receives documents as digital information, so that the person responsible for creating the document and the authenticity of the document can be verified by the recipient and a third party. , relates to a signed document communication method that adds a signature to a document and sends it.

"Prior art" When transmitting a document as digital information,
It is relatively easy to change part of the document, change it to something completely different, or change the signer, and the recipient generally knows that these changes have occurred. I can't.

In view of this, a method has been proposed in which the transmitting side processes the transmitted digital information and the receiving side can verify that the document and signature of the received digital information are valid. This method is called a signed document communication method.

The conventional signed document communication method is a method (SM Matyas
“Digital Signatures−An Overiew”Computer
Networka, Vol.3No.2, pp87-94, 1978) and
A method using public key cryptography represented by the RSA method (RLRivest “AMethod for Obtaining Digital
“Signatures and Public−Key Cryptosiptems”
Communications on ACM, Vol.2No.2, pp120
~126, 1978). However, the former method using conventional cryptography has drawbacks such as complicated signature creation and verification procedures and a large amount of information to be stored on the verification side. On the other hand, the latter method using public key cryptography (hereinafter referred to as the RSA method) is the most typical method in terms of security and procedural simplicity, but it has the drawback of slow processing speed. In order to improve this drawback, a method using data compression (hereinafter referred to as a hybrid method) has been proposed, but (DW
Davics“Applying the RSA Digital Signature
to Electronic Mail”IEEECOMPUTER Fed.
(pp. 55-62, 1983) This method has the disadvantage that it is difficult to improve the processing speed for signing short documents.

The objectives of this invention are security, simplicity of procedure, signature length comparable to that of the conventional RSA method, and a signature that can generate and verify signatures faster than the conventional RSA method. The purpose is to provide a document communication method.

"Means for Solving Problems" According to the present invention, signatures are created and certificates are verified using secret information and public information, similar to the conventional RSA method. The document creator (responsible person) D who is to send the confidential information keeps it secret, creates public information based on the confidential information, and combines the public information with the corresponding document creator (or its identification code) ), for example, are registered in advance in a registry and made public. On the sending side, the document creator uses the random number and the document to be sent as variables, and generates a signature corresponding to the document to be sent based on the secret information and a congruence polynomial that is cubic or higher with respect to the random number. Send the signature and the document. All of these processes are performed as digital signals. In addition, although it is shown as a representative example of transmission, it may also be stored in various digital information storage devices.

On the receiving side, the received signature and received document are
By using the number of consecutive "0" bits from the top of the binary values calculated from the congruence polynomial used in place of the random number and the document to be sent, and the public information, respectively, or by using the corresponding inequality. Verify the authenticity of the document and the author of the document.

In addition, on the sending side, a signature corresponding to the document to be sent is created based on the document to be sent and a random number as variables, and a congruence polynomial whose degree is quadratic or higher and secret information is used as a basis for the random number, and the signature is attached to the document. The receiving side uses the number of consecutive “0” bits from arbitrary bits, excluding the most significant binary value, calculated using a congruence polynomial from public information, or receives it using the corresponding congruence expression. Verify the authenticity of documents and signers.

principle of invention Prime numbers p and q (p>q) are used as secret information.

These prime numbers p and q are the public key n= in the RSA method
It is similar to the prime number of pq. This prime number p, q
Create public information n, δ, ε, and γ based on . These are n=p ² q, 1≦δ≦〓(n ^2/3 ), 〓(B) means the order of B, ε=〓(n ^1/3 ), γ=〓(n/T)
, and T has a value of about 10 ¹⁰ to ^{10 30} . The correspondence between the holder D of the secret information p and q and the public information is made public in advance.

Signature generation is performed as follows. Random number x (1≦
w, which generates x≦pq−1) and satisfies equations (1) and (2).
Find v.

Z≦wpq+vεδ<Z+δ ...(1) Z=-g(m)-{f(x,m)(modn)} ...(2) m is the document to be sent, and g(m) is an arbitrary Function, f(x,m)= _I 〓 ⁱ⁼⁰ fi(m)・x ⁱ ……(3) I≧2, fi(m) is any function regarding m, that is, f(x,m)(modn ) is a congruence polynomial with a random number x and a document m to be sent as variables, and is quadratic or higher with respect to x, and modn is an operation modulo n, that is, the value of f (x, m) is an integer of n. If it is, it is zero, and 0≦f(x,m)(modn)<
It takes only the value of n. The method for determining w and v will be described later. It is assumed that w satisfies the following conditions, and if this condition is not satisfied, the method for determining w and v, which will be described later, is executed again and repeated until this condition is satisfied.

-(f(x,m)(modn))/(pq) ≦w<p-(f(x,m)(modn))/(pq) Obtaining the above condition w, y=w/f' (x, m) (modp) f′ (x, m) = df (x, m) / dx = _I 〓 ⁱ⁼⁰ fi (m)・i・x ^i-1 ……(4) Furthermore, s=x+ypq (5) is calculated, and s is set as the signature corresponding to the document m to be transmitted.

This document m and signature s are transmitted.

On the receiving side, the received documents m and 2 are verified by calculating equation (6) using the signature s and the public information n, δ, and ε of the signer D of the transmitted document.

〓g(m)+{f(s,m)(modn)}/δ〓=0(modε)...(6) 〓A〓 is the largest integer below A. Equation (6) is 〓
A〓(modε) means zero.

Furthermore, perform the comparison operation of γ≦s≦n−γ ……(7), and if s does not satisfy equation (7),
Ignore the verification result of equation (6). This is because if the signature s is shorter than γ, it becomes easy for a third party to forge the signature s. On the receiving side, in order to perform the verification, the congruence polynomial of equation (3) and the function g(n) are known in advance. In addition, so that anyone can know that the signer is D, when the information indicating the signer D is sent along with the transmitted document m or received by some other method, the receiving side will not be able to receive it from the signer D. Knowing this, the above-mentioned verification is performed, that is, it is verified that the received document is correct from signer D and that the document has not been altered.

Proof of verification of equation (6) Substituting the relationship between equations (5) and (3) into f(s, m) (modn) yields the following.

f(s,m)(modn) =f(x+ypq,m)(modn) = _I 〓 ⁱ⁼⁰ fi(m)・(x+ypq) ⁱ (modn) (Since it is a modulo n operation, n=p ² q (Since all terms including are zero) = _I 〓 ⁱ⁼⁰ fi(m)x ⁱ + _I 〓 ⁱ⁼⁰ fi(m)・i・x ^i-1・ypq(modn) (Equation (3), From formula (4)) = f (x, m) + f' (x, m)・ypq (modn)
...(8) From equation (4), f'(x, m)・y=w(modp),
Multiplying both sides by pq yields f' (x, m) - ypq = wpq (modn). Substituting this into equation (8), we get f(s,m)(modn) =f(x,m)+wpq(modn) ={f(x,m)(modn)}+wpq...(9) . On the other hand, we transform equation (1) as follows: z−vεδ≦wpq<z−vεδ+δ Add g(m)+{f(x,m)(modn)} to each term to obtain the relationship in equation (9) for wpq. When used, the following equation is obtained.

g(m)+{f(x,m)(modn)}+z−vεδ ≦g(m)+{f(s,m)・(modn)} <g(m)+{f(x,m)・(modn)} +z−vεδ+δ Substituting the relationship in equation (2) into this equation, −vεδ≦g(m)+{f(s,m)(modn)} <−vεδ+δ, and both sides of the equation are expressed as δ. When divided, -vε≦g(m)+{f(s,m)(modn)}/δ<-vε+1. Since the middle side of this equation is between −vε and −vε+1, the largest integer after the decimal point is 〓g(m)+{f(s,m)(modn)}/δ〓=−v
ε. Therefore, when we perform the modulus ε calculation on this, we get 〓g(m)+{f(s,m)(modn)}/δ〓=0(modε), and the verification result of equation (6) becomes 0. If so, the validity of the signature s is verified if it is by the signer D who corresponds to the public information n, δ, ε, γ, and the received document has not been altered. In other words, the only person who can create the signature s is the person D who has the secret information pq, and since the signature s is created in correspondence with the document to be sent, different secret information may be used. or the document to be transmitted is changed, the above relationship will no longer be obtained, that is, the verification result of equation (6) will not become 0.

``Example'' First, a signature is created based on a congruence polynomial of degree 3 or higher, and the signature is verified using the number of consecutive "0" bits from the most significant binary value or the corresponding inequality. This invention will be explained below. This example is f(x, m) = f(x), (f(x) is x
), g(m)=M=
h(m) (M is the data compressed version of document m) δ=
This is the case when 〓(n ^2/3 ).

First, the sender (signature creator) generates the following information prior to communication.

Using already known prime number generation algorithms (for example, Hideo Wada's "High-speed Multiplication Method and Prime Number Testing Method" Sophia University Mathematics Lecture Record No. 15),
Generate prime numbers p and q of about 50 to 100 decimal digits.
However, it is assumed that p>q (the number of digits of p-q is approximately the same).

Furthermore, n, δ, and γ are generated using the following equations.

n=P ² q δ=〓(n ^2/3 ) γ=〓(n/T) Here, T is a value of about 10 ¹⁰ to ^{10 30.} Of the information generated by the above procedure, sender D The secret information held in the database is p and q, and the public information registered in the public register is n, δ, and γ. In addition, the public list includes n,
δ and γ are registered together with sender D's identification number (ID). Once you have performed the above procedure once, you generally do not need to do it again.

Next, the signature creation procedure according to the first invention will be explained with reference to FIG. First, the values p and q are set in the setters 11 and 12, respectively, the multiplier 13 multiplies by pq, and the multiplier 14 multiplies n=p ² q. Instead of the multiplier 14, n may be set in the setter. A document m to be transmitted from a document source 15 is generated as digital information. In this example, the compressor 16 compresses the data of document m into a positive integer M. 0≦M≦n-1.

The compressor 16 is configured, for example, as shown in FIG. The document m input to the register 17 is divided into m ₁ , m ₂ , . . . m _k so as to satisfy the following equation.

0≦m _i ≦n-1 (i=1, 2, . . . k) The compressed document M=h(m) is determined from the following relationship.

C ₀ = I ₀ C _i = (m _i ○ + C _i-1 ) ² (modn) M = h (m) = C _k ○ + I ₁ ) ² (modn) I ₀ and I ₁ are determined by the system or sender. is the value given. To obtain this compressed document M=h(m),
Each divided document m ₁ ... m _h is supplied from the register 17 to the exclusive logical sum circuit 1 ₁ ... 1 _k , and the output of each exclusive logical sum circuit 1 ₁ ... 1 _k is the congruence square of the modulus n. The outputs C _{1 ... Ch} of these congruent square calculators 2 ₁ ... 2 _k are respectively supplied to exclusive OR circuits 2 ₂ ... 2 _k+1. . Exclusive OR circuit 1 ₁ is given I ₀ as C ₀ , exclusive OR circuit 1 _k+1 is given I ₁ , and its output is modulo n
A congruence square calculator 2k ₊₁ performs a square operation of the modulus n, and the compressed document M=h(m) is obtained as its output.

Returning from the explanation of FIG. On the sending side, random number generator 1
8, obtain a random number x that satisfies the following conditions.

1≦x≦pq−1 (However, x is an integer coprime to n.) Here, f(x, m)=f ₁ (x), expressed by equation (10), and the system or each It shall be a public function predefined by the sender.

f ₁ (x)= _I 〓 ⁱ⁼⁰ giX ⁱ (i=1, 2...I) ...(10) 0≦gi≦n-1 gi: integer Here I≧3 (gi≠0). Congruent polynomial operator 1 calculates (f ₁ (x) (modn)) for random number x.
9, and from the calculation result and the compressed document M, the subtractor 21 is used to obtain Z=M-(f ₁ (x) (modn)) (11). The Z is divided by pq by the divider 22, and the division result is rounded up using the calculator 23 as W=〓Z/(pq)〓...(12) (here, 〓A〓 is the minimum ).
is required. On the other hand, for random number x (f1′(x)
(modp)) is calculated by the congruent polynomial arithmetic unit 24, which outputs W, and the congruent divider 25 divides W by the result to obtain y=W/(f1'(x)(modp))(modp).
Here, f1'(x)= _I 〓 ⁱ⁼⁰ ig _i X ^i-1 (13) Furthermore, the joint divider 25 is constructed using the extended Euclidean mutual division method. For information on the extended Euclidean algorithm, see “The
Art of Computer Programming, Vol.2”
Detailed in Addison Weslay (1969).

This division result y is multiplied by pq in the multiplier 26,
A random number x is added to the multiplication result by an adder 27 to obtain s=x+ypq (14).

The signature s obtained as described above is sent to the receiving side together with the document m and the sender's identification number (ID).

Next, referring to FIG. 3, a verification procedure on the receiving side that receives (m, s) will be explained. First, on the receiving side, the public information (n, δ, γ) of the sender is read by referring to the public list based on the received identification number ID, and set in the setting devices 28, 29, and 31, respectively. Next, using the congruence polynomial operator 32 for the received signature s, (f ₁
(s) (modn)). Also, the compressor 33 performs data compression on the received document m, and compressed document M=h
Find (m). These f ₁ (s) (modn) and M=h
Using (m) and δ, the comparator 34 verifies whether the following inequality holds true, and if it holds true, the result is affirmative.

M≦ _f1 (s)(modn)<M+δ...(15) On the other hand, the subtracter 35 calculates n−γ, and the comparator 36
Compare s with γ and n-γ, and if γ≦s≦n-γ (16), then it is affirmed. If the outputs of the comparators 34 and 36 are both positive, it is assumed that the received (m, s) has been correctly created by the person who registered (n, δ, γ) in the public list.

Subtracting M from each side of the verification formula of equation (15) and dividing by δ yields 0≦−M+f ₁ (s) (modn)/δ<1, and take the largest integer less than or equal to the value of the middle side. Then, 〓−M＋f ₁ (s) (modn)／δ〓=0 ...(17) This formula matches the verification formula of formula (6), and (15)
It is understood that the validation of the expression is correct.

Furthermore, in this embodiment, instead of verifying equations (15) and (16), it will be shown that verification can be performed using the number of consecutive bits "0" from the top of the binary value (decimal number). In other words, the public information δ and γ are defined in the form of these powers as shown below.

δ=2 ^d =〓( ^2/3 ) γ=2 ^r =〓(n/T) At this time, it can be seen from these and equation (17) that verification can be performed using the following binary values. In other words, if both equations (18) and (19) hold true, the reception (m,
S) is considered valid.

[(f ₁ (s) (modn)) - h (m)] ^d =≠……(18) [s] ^r ≠0/, [n-s] ^r ≠0/ …(19) Here [ A] ^d means consecutive (|n|-d) bits from the most significant bit of A expressed in binary.
(｜n｜=〓1og ₂ n〓), and 〓 is all “0”
A bit string of arbitrary length consisting of

The details of the embodiment corresponding to the first invention have been described above, but if the quadratic expression regarding the polynomial f ₁ (x) is used and the other aspects are the same as in the above embodiment, this is an embodiment of what is shown in claim 3. is obtained.

Second Example Next, a signature is created based on a congruence polynomial of degree 2 or higher, and the number of successive "0" bits from any bit other than the most significant bit of the binary value, etc., or the corresponding equation, etc. are used to create a signature. This section explains the method for performing signature verification. This is an embodiment of the second invention, and
This is a case where f(x, m)=f(x) and (f(x) is a quadratic or higher degree congruence polynomial for x) y(M)=-M.

First, the sender (signature creator) generates the following information prior to communication.

Select prime numbers p and q of about 50 to 100 decimal digits, Positive integers n, δ, and ε are generated using the following equations.

n=p ₂ q 1≦δ<pq ε=〓(n ^1/3 ) γ=〓(n/T) Here, T is a value of about 10 ¹⁰ to 10 ³⁰ , but the function
If the order of f ₂ is sufficiently large (n ^1/t <1; t is the order of f ₂ ), γ=1 may be used.

Among the information generated through the above procedure, the secret information kept secret by the sender is p and q, and the public information registered in the public register is n, δ, ε, and γ. Note that n, δ, ε, and γ are registered in the public list together with the sender's identification number (ID). Once you have performed the above procedure once, you generally do not need to do it again.

Next, referring to FIG. 4, a signature creation procedure in this embodiment of the second invention will be explained. 1 in Figure 4
Parts corresponding to those in the figure are given the same reference numerals. First, the sender uses the compressor 16 to perform data compression on a document m to which a signature is to be attached, and obtains a positive integer M=n(m). A random number x that satisfies the following conditions is obtained from the random number generator 18. 1≦x≦pq−1, x is an integer coprime to m. Further, let the function f ₂ be a public function determined in advance by the system or each sender.

f(x)= _I 〓 ⁱ⁼⁰ giX ⁱ (i=1,2...I) 0≦gi≦n-1 gi: Integer Here, I≧2 (g _I ≠0).

Using the congruence polynomial operator 19 and subtractor 21 that output (f ₂ (x) (modn)) for random number x, Z=M-(f ₂ (x) (modn)) ...(20) This Z, pq of the multiplier 13, ε of the setter 37, setting ε and δ of the setter 38 are input to the w calculator 39, and integers w, v that satisfy equation (21) are obtained.
seek.

Z≦wpq+vεδ<Z+δ (21) An example of an algorithm for determining w and v is shown in FIG. This algorithm was obtained using the Extendates-Euclifian algorithm to find the greatest common divisor of A and B. First step
In S ₁ , the larger pq and δ are A, the smaller ones are B, Z is C, a ₁ and a ₂ are 1 and 0, respectively, b ₁ and b ₂ are 0 and 1, and c ₁ ,
Let c ₂ be 0 and 0, respectively.

In step S ₂ , determine the magnitude of A and B, and if A>B, in step S ₃ , set 〓A/B〓 to K, and set 〓C/B〓 as K.
Let 〓 be L. Let a ₁ −Kb ₁ be the next a ₁ , and a ₂ −Kb ₂
Let be the following a ₂ , and these things (a ₁ , a ₂ )←
It is expressed as (a ₁ , a ₂ )−K(b ₁ , b ₂ ). Similarly (c ₁ ,
c ₂ )+L(b ₁ , b ₂ ), respectively, and set them as the next c ₁ and c ₂ , and further set A-KB as the next A and C-LB as the next C. On the other hand, if B > A at step S ₂ , step S ₄
Let 〓B/A〓 be K and 〓C/A〓 as L, and use these to make (b ₁ , b ₂ )−K(a ₁ , a ₂ ) the following (b ₁ , b ₂ ), respectively. , (c ₁ , c ₂ )+L (a ₁ , a ₂ ) are respectively the next (c ₁ , c ₂ ), and further B−KA is the next B,
Let C-LA be the next C. After step S ₃ or S ₄ , in step S ₅ the larger of A and B is compared with δ, and if they are equal or δ is smaller, return to step S ₂ , and if δ is larger, proceed to step S A and B at ₆
Compare with. If A>B, pq and εδ are compared in step _S7 , and if pq>εδ, a ₁ +c ₁ is calculated in step _S8 .
is set to w, a ₂ +c ₂ is set to v, and if pq<εδ, a ₂ +c ₂ is set to w and a ₁ +c ₁ is set to v in step _S9 . If B > A in step S ₆ , compare pq < εδ in step S ₁₀ , and compare b ₁ + c ₁ with w in step S ₁₁ if pq < εδ.
and b ₂ + c ₂ is v, and if pq<εδ, b ₂ + c ₂ is w
and let b ₁ + c ₁ be v.

In FIG. 4, for w obtained from the w arithmetic unit 39 in this way and the random number
Using the congruent polynomial calculator 24 which outputs (modp)) and the congruent divider 25, y=w/(f2'(x)(modp))(modp) is obtained.
Here, f2'(x)= _I 〓 ⁱ⁼⁰ i・gi・X ^i-1 ...(22) Furthermore, using the multiplier 26 and adder 27, s=x+ypq ...(23) seek.

The signature s obtained as described above is sent to the receiving side together with the document m and the sender's identification number (ID).

Next, referring to FIG. 6, the verification procedure on the receiving side that receives (m, s) will be explained. First, on the receiving side, the public information (n, δ, ε, γ) of the sender is read from the public list using the received identification number ID, and set in the setting devices 28, 29, and 31, respectively. Next, (f ₂ (s) (modn)) is calculated for the received signature s using the congruence polynomial calculator 32. Furthermore, data compression is performed on the received document m by the compressor 33, and the compressed document M
Find =h(m). Subtractor 41, divider 42,
Truncation calculator 43, remainder calculator 44, comparator 4
5 to verify whether the following equation (24) holds true, and if it holds true, the result is affirmative.

〓(f ₂ (s) (modn))−M/δ〓=0(modε)……(2
4) (Here 〓A〓 is the largest integer less than or equal to A.)
Also, the value of s and γ,
It is compared with the value of n-γ, and if γ≦s≦n-γ (25), it is affirmed. If the comparators 36 and 45 are both affirmative, it is assumed that the reception (m, s) was correctly created by the person who registered the public information (n, δ, ε, γ) in the public list.

Next, we will show that instead of verifying equation (24), verification can be performed using the number of consecutive bits "0" starting from any bit except the most significant bit of the binary value. Note (25)
The method for verifying the formula is the same as described above, and public information δ and ε are defined in the form of powers of 2 as shown below to verify the formula (19).

1≦δ=2 ^d <pq ε=2 ^e =〓(n ^1/3 ) At this time, it is understood from these and equation (24) that verification can be performed using the following binary values.
In other words, if equation (26) holds, it is considered to be equivalent to equation (24) holding. If both equations (26) and (19) hold true, reception (s, m) is considered valid.

[f ₂ (s) (modn)) - h (m)] ^d _e = 0/ ...(26) Here, [A] ^d is consecutive from the (d+1)th bit counting from the lower part of A expressed in binary. means e-bit.

"Effects of the Invention" As explained above, according to the present invention, the main amount of calculation required for signature creation is data compression.
times, one congruent polynomial operation, one truncation division, or one operation of the w operator 39 (computational amount less than the Euclidean algorithm of the order of size p), one congruent division (the amount of calculation less than the Euclidean algorithm of the order of size p) The main calculation amount required for signature verification is one data compression, one congruence polynomial operation, and one truncation division (only for the method explained in Figure 6). If the degree of the congruence polynomial is made sufficiently smaller than the degree of the RSA method, there is an advantage that faster signature creation/verification than the RSA method becomes possible. For example, the order of the RSA method is about 10 ²⁰⁰ , whereas if the order of the congruence polynomial of the present invention is set to about 10 ² or less, processing speeds of about 100 times or more can be expected.

[Brief explanation of the drawing]

FIG. 1 is a block diagram showing an example of the configuration of the signature creation procedure in the first invention, FIG. 2 is a block diagram showing an example of the configuration of the compressor 16, and FIG. 3 is a block diagram showing an example of the configuration of the signature verification procedure in the first invention. 4 is a block diagram showing an example of the configuration of the signature creation procedure in the second invention, FIG. 5 is a flowchart showing an example of the calculation procedure in the w calculator 39, and FIG. 6 is the signature creation procedure in the invention shown in FIG. 2. FIG. 2 is a block diagram showing a configuration example of a verification procedure. 16, 33... Compressor, 18... Random number generator,
19, 24, 32...Congruent polynomial operator, 21,
35, 41... subtractor, 22, 42... divider,
23... Round-up operator, 25... Joint divider,
26... Multiplier, 27... Adder, 34, 36,
45... Comparator, 39... W arithmetic unit, 43... Truncation arithmetic unit, 44... Remainder arithmetic unit.

Claims (1)

[Claims] 1 Prime numbers p and q (p>q) are prepared as secret information on the transmitting side, and using these prime numbers p and q, public information n=p ² , q, δ (1≦δ≦ 〓(n ^2/3 ), 〓(B) is B
), γ=〓(n/T) (T means the order of
Create a ^random number x ( ¹ ≦x≦pq−1, x is an integer coprime to n), and for that random number x, f(x)
(modn) (f(x)= _I 〓 ⁱ⁼⁰ gi x ⁱ (i=1, 2,...I), 0
<gi≦n−1, gi is an integer I≧3), and the difference between the result of the calculation and the document m to be sent is Z=m
−(f(x)(modn)), divide Z by pq, round up the division result to find W= Z/ (pq), and calculate f′( x)modp(f′(x)= _I 〓 ⁱ⁼⁰ i・
gi・x ^i-1 ), divide the above W by the result, multiply this result y by the above pq, add a random number x to this to obtain the signature s, and this signature s and The above document m and the above identification number ID
The public information n, δ, γ is obtained from the public register using the above-mentioned identification number ID received on the receiving side, and f(s) (modn) is calculated for the received above-mentioned signature s. Verify whether m ≦f(s)(modn)<m+δ holds using the calculation result, the above document m, and the above δ, and use the above n, the above γ, and the above signature s to verify that γ≦
Verify whether s≦n−γ holds, and if both of the above verifications hold, the received m and s are created by the person who registered (n, δ, γ) in the public register. A signed document communication method that uses 2 Prime numbers P, q (p>q) are prepared as secret information on the sending side, and public information n=p ² , q, δ=2 ^d =〓(n ^2/3 ), γ=2 ^r =〓
(n/T) (T is a value of about 10 ¹⁰ to 10 ³⁰ ), register these public information n, δ, and γ together with the identification number (ID) of sender D in the public register, and calculate the random number x ( 1≦x≦pq−1, x is an integer coprime to n), and for that random number x, f(x)
(modn) (f(x)= _I 〓 ⁱ⁼⁰ gi x ⁱ , i=1,2,...I,0
<gi≦n−1, gi is an integer I≧3), and the difference between the result of the calculation and the document m to be sent is Z=m
-(f(x)(modn)), divide Z by pq, round up the division result to find W= Z/ (pq), and calculate f'( x)modp(f′(x)= _I 〓 ⁱ⁼⁰ i・
gi・x ^i-1 ), divide the above W by the result, multiply this result y by the above pq, add a random number x to this to obtain the signature s, and this signature s and The above document m and the above identification number ID
The public information n, δ, γ is obtained from the public register using the above-mentioned identification number ID received on the receiving side, and f(s) (modn) is calculated for the received above-mentioned signature s. Using the calculation result, the above received document m, the above received signature s, the above d, and the above r, [(f(s)
(modn))-m] ^d = 0/, [S] ^r = 0/, [n-s]
^r ≠0/
([A] means (|n|-d) consecutive bits from the most significant bit of A expressed in ^d binary , |n|=
Verify whether "1og ₂ n", 0/ means a bit string of arbitrary length consisting of all "0") is true, and if both are true, the received m and s are as above. A signed document communication method that assumes that (n, δ, γ) is created by a person who has registered it in a public register. 3 Prepare prime numbers p, q (p>q) as secret information on the sending side, and use these prime numbers to send public information n.
=p ² q, δ (1≦δ<pq), ε= 〓 (n ^1/3 ), γ=
〓 θ(n/T) (T is a value of about 10 ¹⁰ to 10 ³⁰ ) and register these public information n, δ, ε, γ together with the identification number (ID) of sender D in the public register. , generate a random number x (1≦x≦pq−1, x is an integer coprime to n documents to be sent), and for that random number x, f(x) (modn) (f(x)= _I 〓 ⁱ⁼⁰ gi x ⁱ , i=1,2,
...I,0<gi≦n-1, gi is an integer I≧2), and calculate the difference Z between the result of the calculation and the document m to be sent above.
=m-(f(x)(modn)), and its Z and the above
From pq, the above ε, and the above δ, Z≦wpq+vεδ<
Find integers w and v that satisfy Z + δ, and for the above random number x, f'(x) (modp) (f'(x)= _I 〓 ⁱ⁼⁰
i・gi・x ^i-1 ), and use this calculation result to calculate the above W
Find y by dividing y, multiply this y by the above pq, add it to the above random number x to find the signature s, and combine this signature s and the above document m,
Send the above identification number ID, obtain the public information n, δ, γ from the public list above using the received identification number ID on the receiving side, calculate f(s) (modn) for the received signature s, The calculation result, the received document m, and the above δ
and the above ε to verify whether 〓(f(s)(mod n))−m/δ〓=0(modε) (〓 A” is the largest integer less than or equal to A) holds, and the above Verifying whether γ≦s≦n−γ holds from the received signature s, the above γ, and the above n,
If both of these verifications are established at the same time, the received s and m are the public information n, δ, ε, and
A signed document communication method that assumes that γ was created by the person who registered it. 4 Prime numbers p, q (p>q) are prepared as secret information on the sending side, and using these prime numbers, public information n
=p ² q, δ=2 ^d (1≦δ<pq), ε=2 ^e =〓
(n ^1/3 ), γ=2 ^r = 〓(n/T) (T is a value of about 10 ¹⁰ to 10 ³⁰ ), and these public information n, δ, ε, γ
is registered in the public register along with sender D's identification number ID, generates a random number x (1≦x≦pq−1, x is an integer coprime to the document m to be sent), and f(x) (modn) (f(x)= _I 〓 ⁱ⁼⁰ gix ⁱ , i=1,2,
...I, 0<gi≦n-1, gi is an integer, I≧2), and calculate the difference Z between the result of the calculation and the document m to be sent above.
=m-(f(x)(modn)), and its Z and the above
From pq, the above ε, and the above δ, Z≦wpq+vεδ<
Find the integers w and v that satisfy Z + δ, and for the above random number x, f'(x) (modp) (f'(x)= _I 〓 ⁱ⁼⁰ i・
gi x ^i-1 ), divide the above W by this calculation result to find y, multiply this y by the above pq, add it to the above random number x to find the signature s, and calculate the signature s. , the above document m and the above identification number ID, the receiving side obtains the public information n, δ, γ from the above public register using the received identification number ID, and calculates f(s) (mod n) for the received signature s. ), and from the calculation result, the received document m, the above d, the above e, and the above r, [(f(s)(modn))-m] ^d _e
=0/, [S] ^r ≠0/, [ns] ^r ≠0/([A] ^d _e
means consecutive e bits from the (d+1)th bit counting from the lower bit of A expressed in binary, and 0/ means a bit string of arbitrary length consisting of all “0”) at the same time. A signature document communication method in which it is verified whether or not this holds true, and if it holds true at the same time, the received s and m are assumed to have been created by the person who registered the public information n, δ, ε, and γ in the public register. .