JPH0643809A - Digital signature system based on elliptic curve and signer device and verifier device for this system - Google Patents

Abstract

PURPOSE:To improve the safety more than DSA (digital signature). CONSTITUTION:A signature device is used to input a message (m) to a hash function 26, and a hash value H is calculated and is inputted to a remainder multiplier/divider 27. Random numbers (k) are generated by a random number generator 28 and are inputted to an elliptic curve multiplier 29 together with open information (p), (a), and G, and R=(rx, ry)=k.G is calculated on an elliptic curve, and the result is inputted to a divider 27. The divider 27 calculates S1= rxmodq' and S2=(k(H(m)+zi.S1))modp. S1 and S2 are given as a signatures to a verifier. The verifier calculates u1=H(m)S2modq and u2=S1.S2modp and calculates R'=(rx', ry')=u1.G.TjoverEp and confirms whether congruence S1=rx'(modp') is true or not.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a digital signature system for electronically signing / imprinting electronic documents by electronic discussion / settlement, electronic voting system, etc., particularly a system based on an elliptic curve on a finite field, and The present invention relates to a signer device and a verifier device used therefor.

[0002]

2. Description of the Related Art In 1991, the US NIST (Nati
onal Institute of Standard
s and Technology) is a digital signature standard proposal (DSA: Digital Signature).
re Standard) (Federal
Register of NIST, "Digital
l Signature Algorithm "Aug
ust 30, 1991. ). The DSA has a shorter signature length, and thus the ElGamal signature method (EIGamal, T .: “A
Public key cryptosystem
and a signature scheme ba
sed on discrete logarithm
s ", IEEE Transaction on In
formation Theory, Vol. IT-3
1, No. 4, pp. 469-472, 1991. ) Is an improved version of. The DSA and ElGamal signature methods are based on the difficulty of discrete logarithmic computation over the finite field F _p . However, a more secure signature scheme is desired.

The digital signature system of the present invention is based on an elliptic curve on a finite field, and makes the DSA more secure. First, the outline of the elliptic curve will be described.
A set obtained by adding a point at infinity Ο to a set of points satisfying the following expressions for a prime number p and parameters a and b is called an elliptic curve E _p (Koblitz, N .: A Coursein N).
number Theory and Cryptogr
aphy, Berlin: Springer-Verl
ag, 1987. ). Here, for convenience, the affine coordinate system is used.

E _p : y ² ≡x ³ + ax + b (modp). The addition P ₃ = P ₁ + P ₂ on the elliptic curve is defined as follows. x ₃ = λ ² −x ₁ −x ₂ y ₃ = λ (x ₁ −x ₃ ) −y ₁ λ = (y ₂ −y ₁ ) / (x ₂ −x ₁ ): (P ₁ ≠ P ₂ ). λ = ((3x ₁ ² + a) / 2y ₁ : (P ₁ = P ₂ ), where P _i = (x _i , y _i ).

It should be noted that the F
_It is possible to define addition on an elliptic curve without performing division on _p (calculation of the inverse element by the extended Euclidean algorithm).
The d-fold point (d · P) of the point P is calculated by the binary method using the above addition. In the signature system of this invention,
An elliptic curve whose order (the number of points (x, y) on the curve) is not a prime number but has a prime factor of an appropriate size is used. As an example of an elliptic curve whose order is determined, a = 0, b ≠ 0 and p≡
It may be 2 (mod3), and the order is always p + 1. )

[0006]

According to the invention of claim 1, in the center, an elliptic curve E _p (y ² ≡ on a finite field F _p )
x ³ + ax + b (modp)), the order of the group (#
E _p ) is a non-prime number, and the selected elliptic curve E
One point on _p V = (v _x , v _y ), ({v _x , v _y } ∈F
_p ), and a prime number q that divides the order #E _p and a positive integer q ′ that does not exceed q, and G = (# E _p / q) · V is calculated on the elliptic curve E _p . The above p, a, q,
q'and the following public key T _i unique to each signer _i are disclosed as public information.

Signer i has his private key z_i(Random number) and public
Elliptic curve E using open information p, a, G_pPublished above
Key T_i= Z_i・ Calculate G and then T_iTo the center,
Publish. When signing, generate a random number k and
Elliptic curve E using open information and _pWhere R = (r_x, R_y)
= K · G is calculated, and the message m is substituted for the variable
The hash function H (m) is calculated, and then s₁= R_xmod
compute q ', then own private key z_iUsing s₂=
(K / (H (m) + z_is₁)) Calculate modq
Sage m and signature (s₁, S₂) And are sent to the verifier.

The verifier receives the received m and (s₁, S₂)When,
Using public information and u₁= H (m) s₁modq, u₂
= S₁s₂modq is calculated, and further elliptic curve E_pAbove
R '= (r_x′, R_y′) = U₁・ G + u₂・ T_iTotal
Then, the inspection formula s₁≡r _x'(Modq') is
Confirm whether to stand. )

[0009]

FIG. 1 shows an example of a system to which the present invention is applied. The center device 11, the signer device 12 and the verifier device 13 are connected by communication paths 14 and 15, respectively, and the signer device 12 and the verifier device 13 are connected by communication path 16. FIG. 2 shows a configuration example of the center device 11, FIG. 3 shows a configuration example of the signer device 12, and FIG. 4 shows a configuration example of the verifier device 13.

In the center device 11, a prime number generator 17
It generates a prime number P from the elliptic curve parameter generator 18, an elliptic curve over a finite field ^{_{F p E p: y 2 ≡x}} 3 + a
Among x + b (modp), a group whose order #E _p is not a prime number is selected, and one point V = (v on the selected elliptic curve
_x , v _y ), ({v _x , v _y } εF _p ), and a prime number q that divides the selected order #E _p , and q ′ ≦ q
We choose a positive integer q ′ such that
#E _p , q, q ′ are output. #E _p / q in multiplier 19
Perform calculations, the results and parameters a, and a V type elliptic curve multiplier 21, G = (# E _p on an elliptic curve E _p
/ Q) · V is calculated. At the center, the parameters p, a, G, q, q'obtained by the center device 11 and the public key T _i received from the signer _i are disclosed as public information.

(1) Key Generation The signer i uses the signer device 12 shown in FIG. 3 to generate a random number z _i from the random number generator 23 as its own secret key, and public information p, from the center. The elliptic curve multiplier 24 uses a and G to calculate T _i = z _i · G on the elliptic curve E _p , and sends this T _i as a public key to the center. Further, the secret key z _i is stored in the key storage unit 25.

(2) Signature Creation The signer i uses the signer device 12 shown in FIG. 3 to input the message m to the hash function calculator 26 to calculate the hash value H (m) and to calculate the modular exponentiation divider. Enter in 27. A random number k is generated from the random number generator 28, and the public information p, a, and G are input to the elliptic curve multiplier 29, and R = (r _x , r _y ) = k · on the elliptic curve E _p. G is calculated, and the result is input to the modular multiplication / division unit 27. The modular multiplication / division unit 27 calculates s ₁ = r _x modq ′, s ₂ = (k / (H (m) + z _i · s ₁ )) modp. This (s ₁ , s ₂ ) is sent to the verifier together with the message m as a signature.

(3) Verification of Signature The verifier uses the verifier device 13 shown in FIG. 4 to determine whether the received signatures (s ₁ , s ₂ ) are correct signatures for the simultaneously received message m. To verify.
Message m received using the hash function calculator 31
Into a variable to calculate the hash value H (m). The calculation result H (m), the received signatures (s ₁ , s ₂ ) and the public information q are input to the remainder multiplier 32, and u ₁ = H (m) s ₂ modq, u ₂ = s ₁ s ₂ m
Calculate odq. The calculation results u ₁ , u ₂ and public information p,
The following elliptic curve E _p is calculated by the elliptic curve adder / multiplier 33 using a, G, and T _i .

R ′ = (r _x ′, r _y ′) = u ₁ · G + u ₂ · T _i The calculated result r _x ′ and the received signature s ₁ are compared by a comparator 34.
It is confirmed whether or not the congruence expression s ₁ ≡r _x ′ (modq ′) is satisfied by inputting to the signature, and if it is satisfied, the signature (s ₁ , s
₂ ) outputs that the message m has a correct signature, and otherwise outputs an invalid signature.

The digital signature method is realized by the above three steps. By the way, when the signature and the message are correct, the check formula on the elliptic curve Ep is as follows. R '= u ₁ · G + u ₂ · T _i = (H (m) s ₂ + cq ₁ ) · G + (s ₁ s ₂ + c′q ₁ ) · (z _i · G) = ((H (m) + s ₁ z _i ) s ₂ ) · G = k · G = R where q ₁ · G is the zero element O of the elliptic curve E _p . Also,
c and c'are certain integers. From the _{above, r x ≡r x '(modp} ), r y ≡r y' (mod
p) _{The, 0 <r x, r x} ', r y, r y' ≦ p-1, and more _{r x ≡r x '(modq'} ), r y ≡r y '(mod
q ') holds. For the signature confirmation, the coincidence of the x-coordinates by the modulus q'is checked.

In the above digital signature scheme, the signature size is (| q | + | q '|) bits. Where | q
| Is the bit length of q. The size of the modulus q is determined in consideration of the security of the hash function against intermediate match attacks.
The size of the prime number p is determined in consideration of the difficulty of discrete logarithm calculation on E _p .

[0017]

The digital signature system of the present invention is more secure than DSA when the size of the prime number p is the same. Because this safety system of the present invention is based on the difficulty of discrete logarithm calculation on an elliptic curve E _p, harder than the discrete logarithm problem on the finite field E _p in the discrete logarithm problem is generally on the elliptic curve E _p Because.

[Brief description of drawings]

FIG. 1 is a block diagram showing a system to which the present invention is applied.

FIG. 2 is a block diagram showing a configuration example of a center device 11.

FIG. 3 is a block diagram showing a configuration example of a signer device 12 according to the invention of claim 2.

FIG. 4 is a block diagram showing a configuration example of a verifier device 13 according to the invention of claim 3.

Claims (3)

[Claims] 1. A finite field F at the center_pElliptic curve on
Line E_p(Y²≡ x³Of + ax + b (modp)
Order (#E_p) Is not a prime number and its elliptic curve
E_pTop point V = (v_x, V_y), ({V_x, V_y} ∈
F_p), And the order #E_pThe prime number q that divides and exceeds q
Select each positive integer q ′ and select the elliptic curve E_pUp
And G = (# E_p/ Q) · V is calculated, and the above p, a, q,
q ', G and the following public key T_iAnd are disclosed as public information, and the signer i own private key (random number) z_iAbove ellipse using
Curve E_pT on_i= Z _i・ Calculate G_iThe above
Public key T_iSent to the above center as
Choose a few k and select the elliptic curve E_pWhere R = (r_x, R_y)
= K · G, and then s₁= R_xCalculate modq '
And also his own secret key z_iAnd use the hash function H (.)
S for message m₂= (K / (H (m) + z
_is₁)) Modq is calculated and the signature (s₁, S₂)
Sent to the verifier with the message m, and the verifier receives (s₁, S₂), M and the above
Using information, u₁= H (m) s₁modq, u₂= S
₁s₂modq is calculated, and the above elliptic curve E is calculated. _pAbove
R '= (r_x′, R_y′) = U₁・ G + u₂・ T_iTotal
Calculation, inspection formula s₁≡r_xWhether to satisfy '(modq')
To confirm. Based on an elliptic curve
Tal signature method. 2. An elliptic curve E _p using first random number generating means for generating a random number z _i as a secret key, public information p, a, G and the above z _i.
First elliptic curve multiplication means for calculating the public key T _i = z _i · G above, means for storing the secret key z _i , and a hash function for calculating a hash function H (m) with the message m as a variable R = (r _x , r _y ) = k · G is calculated on the elliptic curve E _p using the calculation means, the second random number generation means for generating the random number k, and the k and the p, a and G. S ₁ = r _a modq ′ and s ₂ = (k / using the second elliptic curve multiplication means for performing the above, z _i , H (m), R, k, and public information q ′.
(H (m) + z _i s ₁ )) modulo multiplication / division means for calculating modq, the message m, and the signature (s) as the signature for the message m.
₁ , s ₂ ) and a means for transmitting to the verifier, and a signer device for digital signature, comprising: 3. A hash function calculating means for calculating a hash function H (m) using the received message m as a variable, the H (m), public information q, and the signatures s ₁ , s received together with the message m. ₂ ) and using u ₁ = H
(M) s ₁ modq, u ₂ = s ₁ s ₂ modulo multiplication means for calculating, q ₁ and u ₂ , the public information p, a and G, and the public key T _i corresponding to the signer. On the elliptic curve E _p using R ′ = (r
_x ′, r _y ′) = u ₁ · G + u ₂ · T _i , elliptic curve addition / multiplication means, and comparison means for comparing whether or not r _x ′ and s ₁ match. A digital signature verifier device provided.