JPH07261664A - Verification method for protecting privacy - Google Patents

Abstract

PURPOSE:To shorten the execution time in an verification method for protecting privacy by making it possible to check the authenticity of the electronic informa tion signed by a signer and making it impossible to collect the privacy informa tion of the signer therefrom. CONSTITUTION:This verification method for protecting privacy consists of a center signature issuing process for having an authentified signature issued by a certificate issuing center VIC for the multiple signature public key of the tamper-free arithmetic unit OA given to the signer Alice from the certificate issuing center VIC and the signer Alice and a signature forming/verifying process for having the signature verified by the Verifier after the arithmetic unit OA and the signer Alice put the multiple signatures on a message. An RSA blind signing system is directly utilized at the time of issuing the center signature and the number of the multiplicands at the time of signature formation/ verification is decreased, by which the calculation quantity is curtailed.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention makes it impossible for a verifier to confirm the validity of electronic information when the signer signs the electronic information and to collect the privacy information of the signer from this. It relates to a privacy protection authentication method.

[0002]

2. Description of the Related Art Conventionally, D.Ch has been used as an authentication method of this kind.
arm and T. Pedersen “Wallet Databases Observers”
(Advances in Cryptology-CRYPTO'92, Lecture Notes
in Computer Science, pp.90-106, Springer-Verlag, 1
The method described in 993) is known.

In these authentication methods, a tamper-free arithmetic unit given to a signer by a certificate issuing center (hereinafter simply referred to as a center) and a multi-signed public key between the signer and a signature is signed by the center. The process includes a center signature issuing process for issuing a signature, and a signature creating / verifying process in which a computing device and a signer perform multiple signatures on a message and have a verifier verify the message.

[0004]

The above-mentioned methods by Charm et al. Are based on the higher-order residue problem and the one based on the discrete logarithm problem. There is a problem that it takes a long time to execute because the number of data exchanges between the person and the center and between the signer and the verifier is large.

An object of the present invention is to provide a privacy protection authentication method which can reduce the execution time as compared with the method by Charm et al.

[0006]

According to the present invention, in a high-order residue type, an RSA blind signature method (D.Charm "Security Without Identification: Tran
saction Systems to Make Big Brother Obsolete ”Comm
unications of ACM, v.28, n.10, Oct 1985, pp.1030-1
044) was used directly. In the discrete logarithm type, the number of multiplicands at the time of signature creation / verification is reduced.

[0007]

According to the present invention, in the high-order residue type, the calculation amount at the time of issuing the center signature can be reduced, and the number of times of exchanging data between the signer-center and the signer-verifier is minimized. And the discrete logarithm type can reduce the calculation amount at the time of signature creation / verification.

[0008]

FIG. 1 shows a system configuration of the method of the present invention. In the figure, VIC is a center, Alice is a signer, OA is a computing device, and Verifier is a verifier.

2 to 9 show a first embodiment of the method of the present invention, which is an embodiment corresponding to a high-order residue type here.

FIG. 2 shows the flow of processing when the center signature is issued. FIG. 3 shows the flow of processing at the time of signature creation / verification. 4, 5, and 6 are the arithmetic unit OA, the signer Alice, and the center VIC when the center signature is issued, respectively.
2 is a functional block of the above. 7, FIG. 8 and FIG. 9 are respectively the arithmetic unit OA and the signer Ali at the time of signature creation / verification.
This shows functional blocks of ce and verifier Verifier. 4 to 9, RAND is a random number generator, STOC is stock, EXPM is a modular exponentiation multiplier, MULM is a modular multiplier, HASH is a compression function calculator, INVM is a modular divider, and SUBM is a modular subtractor, ADDM is a modular adder.

The symbol "ε _R " used below means that one element is taken out at random.
For example, if r ∈ _R Z, r means an element randomly selected from Z.

In the following, p and q are prime numbers and n = pq, the secret key of the center VIC is d, the public key is e, the secret key of the arithmetic unit OA is r, and the public key is v _OA = r ^L mod n age,
L and n are public information.

[0013] <center signature issuer> computing device OA generates a random number y1 ∈ _R Z _n by a random number generator RAND, modular exponentiation multiplier
X1 = y1 ^L mod n is calculated using EXPM, and signer Ali
Send x1 to ce.

The signer Alice uses the random number generator RAND to generate a random number R,
y2 ∈ _R Z _n is generated and x is calculated by using a modular exponentiation multiplier EXPM.
2 = y2 ^L mod n is calculated, and χ
= X1 x2 mod n is calculated, and x * = χR ^eL mod n is calculated using the modular exponentiation multiplier EXPM and the modular multiplication MULM. Further, β = h (x *) is generated by the compression function calculator HASH from x * and sent to the calculator OA.

The arithmetic unit OA generates z1 = y1 r ^β mod n by the modular exponentiation multiplier EXPM and the modular multiplication MULM, and the signer A
send to lice.

The signer Alice computes the ^{z * = z1 y2 R e mod} n by modular exponentiation multiplier EXPM and a remainder multiplier MULM, x *
, Z * are transmitted to the center VIC.

In the center VIC, x * and z * satisfy the verification expression z * ^L ≡x * v _OA ^β (mod n), or the public key v _OA of the arithmetic unit OA is used to calculate the remainder exponentiation multiplier EXPM and the remainder. The verification is performed by using a multiplier MULM, and a logical operation unit C that makes “OK” when the two given numbers are equal and “NG” when they are different. If this is satisfied, the signature of the center VIC for x * σ _vic (x *) =
Issue s * = x * ^d mod n to signer Alice.

The signer Alice _obtains χ from the signature σ _vic (x *)
The center VIC's signature σ _vic (χ) for the remainder divider I
Using NVM and modular exponentiation multiplier EXPM, σ _vic (χ) = s = σ _vic (x *) / ^RL mod n is calculated.

<Signature Creation / Verification> Next, a method in which the signer Alice attaches a multiple signature with the arithmetic unit OA to the message m will be described.

At this time, the arithmetic unit O in this multiple signature
The private keys of A and the signer Alice are y1 and y2, respectively, and the public key is χ. Note that the computing device OA and the signer Alice do not know each other's private key, and therefore cannot be signed without the cooperation of both parties.

Now, it is assumed that the arithmetic unit OA and the signer Alice share the message m.

The arithmetic unit OA is a random number generator RAND with r1 ∈ _R.
Z _n is generated and x1 ′ = r1 is obtained by using the modular exponentiation multiplier EXPM.
Calculate ^mL mod n and send to signer Alice.

The signer Alice uses the random number generator RAND to r2 ∈ _R.
Z _n , ε ∈ _R Z _L is generated, x2 ′ = r2 ^mL mod n is obtained using the modular exponentiation multiplier EXPM, and X = x1′x2′x1 ^−εm mod is calculated using the modular multiplication ^MULM. Find n. Further, the signer Alice obtains β = h (X) by the compression function calculator HASH, and further outputs a logical calculator C that outputs “0” or “−1” depending on the magnitude of the given two numbers.
c, β ′ = β−ε mod L is calculated using the remainder subtractor SUBM, and β ′ is sent to the arithmetic unit OA.

The arithmetic unit OA uses the modular exponentiation multiplier EXPM and the modular multiplication MULM to calculate z1 = r1 y1 ^β'mod n and sends it to the signer Alice.

The signer Alice calculates Z = z1 r2 y2 ^β x1 ^c mod n by using the modular exponentiation multiplier EXPM and the modular multiplication multiplier MULM. However, c is determined to be −1 when β <ε, and 0 otherwise.

Finally, the signer Alice multi-signs (X, Z) the arithmetic unit OA and the signer Alice, the public key χ of the arithmetic unit OA and the signer Alice, and the center signature s (=
σ _{vi c} (χ)) together with message m verifier Verifie
send to r.

Next, a method in which the verifier Verifier verifies whether X and Z are correct signatures by the arithmetic unit OA and the signer Alice for the message m will be described.

The verifier Verifier first determines whether χ is the correct public key of the arithmetic unit OA and the signer Alice.
Center signature σ _{vic (χ)} = _χ ^d than χ≡σ _vic (χ) ^e or (mod n) holds, computing device OA using the public key e of the center
Then, the validity of the multi-signature public key χ of the signer Alice is checked, and if it is valid, “OK” is output, and if not, it is verified using a logical operation unit Cvic that outputs “NG”. When this is satisfied, χ is regarded as the correct public key of the arithmetic unit OA and the signer Alice.

Next, by using χ, it is determined whether or not X and Z satisfy the verification expression Z ^mL ≡X χ ^mβ (mod n), by using the compression function calculator HASH, the modular exponentiation multiplier EXPM, the modular multiplication MULM. , Using the logical operation unit C. If this is satisfied, it is considered that the message m has a valid signature by the signer Alice guaranteed by the center VIC and the arithmetic unit OA.

FIGS. 10 to 17 show a second embodiment of the method of the present invention, which is an embodiment corresponding to the discrete logarithm type here.

FIG. 10 shows the flow of processing when the center signature is issued. FIG. 11 shows the flow of processing at the time of signature creation / verification. 12, 13, and 14 show functional blocks of the arithmetic unit OA, the signer Alice, and the center VIC at the time of issuing the center signature, respectively. 15,
16 and 17 show functional blocks of the arithmetic unit OA, the signer Alice, and the verifier Verifier at the time of signature creation / verification, respectively. 12 to 17, RAND is a random number generator, STOC is stock, EXPM is a modular exponentiation multiplier, MULM is a modular multiplier, HASH is a compression function calculator, INVM is a modular divider,
SUBM is a remainder subtractor, and ADDM is a remainder adder.

In the following, p, q and P are prime numbers (however,
It is assumed that p = (P-1) / 2 and q can divide p-1. ), The order of g ∈ _R Z _p * is q, and m ∈ _R Z
Let p be the order of _P *. Further, Arufa∈ the private key of the center VIC _R Z _q, the public key ^v _vic = g α mod p, computing device O
Δ∈ _R Z _q the secret key of A, and the public key and v _OA = g δ mod ^p.

[0033] <center signature issuer> computing device OA generates a random number y1 ∈ _R Z _q at random number generator RAND, modular exponentiation multiplier
X1 = g ^y1 mod p is calculated using EXPM, and signer Alice
Send x1 to.

The signer Alice uses the random number generator RAND to generate a random number t,
y2 ∈ _R Z _q is generated, and x is calculated by using the modular exponentiation multiplier EXPM.
2 = g ^y2 mod p is calculated and χ =
x1x2 mod p is calculated, and x * = χ ^t mod p is calculated using the modular exponentiation multiplier EXPM. Furthermore, β * = h (x *) is generated from x * by the compression function calculator HASH, and the remainder divider
INVM generates β = β * / t mod p and sends it to the arithmetic unit OA.

The arithmetic unit OA generates z1 = y1 + βδmod p by the remainder multiplier MULM and the remainder adder ADDM, and the signer Ali
send to ce.

The signer Alice calculates z * = t (z1 + y2) mod p with the remainder adder ADDM and the remainder multiplier MULM, and x *
, Z * are transmitted to the center VIC.

In the center VIC, x * and z * satisfy the verification expression g ^{z *} ≡x * v _OA ^{β *} mod p, or the public key v _OA of the arithmetic unit OA is used to calculate the modular exponentiation multiplier EXPM and the modular multiplication. Verification is performed by using the unit MULM and the logical operation unit C. If this is satisfied, the signature of the center VIC for x * σ _vic (x *) = (a *, b *, c *,
s *, z *) is issued to the signer Alice by the following procedure.

The center VIC is a random number generator RAND and a random number ωε
Generate _R Z _q , and use a modular exponentiation multiplier EXPM to obtain a * = g
^ω mod p, b * = x * ^ω mod p, s * = x * ^α is calculated, and a *, b *, and s * are transmitted to the signer Alice.

The signer Alice uses the random number generator RAND to generate a random number vε
Generates _R Z _q , modulo divider INVM, modulo exponentiator EXP
M, using the modular multiplier MULM, s = s * ^{1 / t} , a = a * ^{1 / t} g ^v , To calculate.

Further, the signer Alice is the compression function calculator HA.
Find c = h (χ, s, a, b) in SH, and find the remainder multiplier MULM
Calculates c * = tcmod q and sends c * to the center VIC.

The center VIC uses the remainder multiplier MULM and the remainder adder ADDM to generate z * = ω + c * αmod q and sends it to the signer Alice.

The signer Alice obtains z = z * / t + vmod q using the remainder divider INVM and the remainder adder ADDM. As a result, the signer Alice has the signature σ _vic (x *) = (a *, b
From *, c *, s *, z *), the signature σ _vic (χ) = (a, b, c, s, z) of the center VIC for χ is obtained.

<Signature Creation / Verification> Next, a method in which the signer Alice attaches a multiple signature with the arithmetic unit OA to the message m will be described.

At this time, the arithmetic unit O in this multiple signature
The private keys of A and the signer Alice are y1 and y2, respectively, and the public key is χ. Note that the computing device OA and the signer Alice do not know each other's private key, and therefore cannot be signed without the cooperation of both parties.

Now, it is assumed that the arithmetic unit OA and the signer Alice share the message m.

The arithmetic unit OA is a random number generator RAND and r1 ∈ _R.
Z _q is generated and x1 ′ = g ^r1 is obtained by using the modular exponentiation multiplier EXPM.
mod p, x1 ″ = m ^{x1 ′} mod P is calculated and x1 ″ is sent to the signer Alice.

The signer Alice uses the random number generator RAND to e, r2
Ε _R Z _q is generated, the modular exponentiation multiplier EXPM, the modular multiplication MU
X2 '= ^gr2 mod p is calculated using LM, and from this Ask for. Further, the signer Alice obtains β = h (X) with the compression function calculator HASH, and further uses the remainder subtractor SUBM
β ′ = β-emod q is calculated and β ′ is sent to the arithmetic unit OA.

The arithmetic unit OA uses the remainder multiplier MULM and the remainder adder ADDM to calculate z1 = r1 + β'y1 mod q and sends it to the signer Alice.

The signer Alice calculates Z = z1 + r2 + βy2 mod q using the remainder multiplier MULM and the remainder adder ADDM.

Finally, the signer Alice multi-signs (X, Z) the arithmetic unit OA and the signer Alice, the public key χ of the arithmetic unit OA and the signer Alice, and the center signature σ _vic for the public key χ.
(Χ) is transmitted to the verifier Verifier together with the message m.

Next, a method in which the verifier Verifier verifies whether X and Z are correct signatures for the message m by the arithmetic unit OA and the signer Alice will be described.

The verifier Verifier first determines whether χ is the correct public key of the arithmetic unit OA and the signer Alice.
From the center signature σ _vic (χ) = (a, b, c, s, z), g ^{z *} ≡ a * v _vic ^{c *} (mod p) x * ^{z *} ≡ b * s * ^{c *} (mod p) It is verified whether they are satisfied at the same time by using the logical operation unit Cvic. When this is satisfied, χ is regarded as the correct public key of the arithmetic unit OA and the signer Alice.

Next, X and Z are verification expressions using χ. Whether or not is satisfied is verified by using the compression function calculator HASH, the modular exponentiation multiplier EXPM, the modular multiplier MULM, and the logical calculator C. If this is satisfied, it is considered that the message m has a valid signature by the signer Alice guaranteed by the center VIC and the arithmetic unit OA.

[0054]

As the execution time at the time of issuing the center signature and at the time of creating / verifying the signature of the present invention, the time required for various calculations and the data exchange between the signer-center and the signer-verifier. The time required can be considered.

First, regarding the time required for various calculations, when the calculation amount of the modular exponentiation multiplication is 1, the calculation amounts of the modular addition, the modular subtraction, and the modular multiplication are almost 0. Therefore, the computational amount of the modular exponentiation multiplication is performed. (Number of times) can be compared. The present invention can reduce the amount of calculation from 11 to 9 when compared with the conventional Charm method at the time of high-order residue type center signature, while it can be reduced to the conventional Charm method at the time of discrete logarithmic signature creation / verification. In comparison, the present invention can reduce the calculation amount from 10 to 9, and the execution time can be shortened accordingly.

Further, the time required for exchanging data between the signer-center and between the signer-verifier should be compared with the number of times of exchanging data between the signer-center and between the signer-verifier. You can In the high-order residue type, according to the present invention, the number of data exchanges between the signer and the center is 5 to 2, and the number of data exchanges between the signer and the verifier is greater than that of the conventional Charm method. Can be reduced from 3 times to 1 time, and the execution time can be reduced accordingly.

[Brief description of drawings]

FIG. 1 is a block diagram of the system of the method of the present invention.

FIG. 2 is a flowchart of processing when issuing a center signature corresponding to a higher-order residue type.

FIG. 3 is a flow chart of processing at the time of signature creation / verification corresponding to a high-order residue type

FIG. 4 is a functional block diagram of an arithmetic unit when issuing a center signature corresponding to a higher-order residue type.

FIG. 5 is a functional block diagram of a signer when issuing a center signature corresponding to a higher residue type

FIG. 6 is a functional block diagram of a center when issuing a center signature corresponding to a high-order residue type

FIG. 7 is a functional block diagram of an arithmetic unit at the time of signature creation / verification corresponding to a higher-order residue type.

FIG. 8 is a functional block diagram of a signer when creating / verifying a signature corresponding to a higher-order residue type

FIG. 9 is a functional block diagram of a verifier when creating / verifying a signature corresponding to a higher-order residue type

FIG. 10 is a flowchart of processing when issuing a center signature corresponding to the discrete logarithm type.

FIG. 11 is a flowchart of a process at the time of signature creation / verification corresponding to the discrete logarithm type.

FIG. 12 is a functional block diagram of an arithmetic unit when issuing a center signature corresponding to the discrete logarithm type.

FIG. 13 is a functional block diagram of a signer when issuing a center signature corresponding to the discrete logarithm type.

FIG. 14 is a functional block diagram of a center when issuing a center signature corresponding to the discrete logarithm type.

FIG. 15 is a functional block diagram of a computing device at the time of signature creation / verification corresponding to the discrete logarithm type.

FIG. 16 is a functional block diagram of a signer at the time of signature creation / verification corresponding to the discrete logarithm type

FIG. 17 is a functional block diagram of a verifier at the time of signature creation / verification corresponding to the discrete logarithm type

[Explanation of symbols]

VIC ... Center, Alice ... Signer, OA ... Calculator, V
erifier ... Verifier, RAND ... random number generator, STOC ... stock, EXPM ... modulo exponentiation multiplier, MULM ... modulo multiplication, HASH ...
Compression function calculator, INVM ... modulo divider, SUBM ... modulo subtractor, ADDM ... modulo adder, C, Cc, Cvic ... logical calculator.

Claims (1)

[Claims] 1. A center signature issuing step in which a certificate issuing center issues a sanctioned signature to a multi-signature public key of a tamper-free computing device and a signer given to the signer by the certificate issuing center. In a privacy protection authentication method consisting of a signature creation / verification process in which a computing device and a signer perform multiple signatures on a message and a verifier verifies the message, the computing device extracts the public key x1 from the private key y1 of the computing device itself. The signer calculates the public key x2 from the signer's own private key y2, calculates the multi-signature public key χ by the computing device and the signer from x1 and x2, and further calculates the multi-signature public key χ by x * , And the computing device and the signer sign the computing device signature σ for x *
_OA (x *) is calculated, and this is sent to the certificate issuing center together with x *. The certificate issuing center confirms the validity of the signature σ _OA (x *) of the arithmetic unit with respect to x * by the verification formula, and is satisfied. X *
A center signature σ _vic (x *) is issued to the signer, and the signer _obtains a center signature σ _vic (χ) for the multi-signature public key χ from the center signature σ _vic (x *); The device and the signer use the multi-signature public key χ to calculate the multi-signatures X and Z for the message m, and use this to calculate the message m, the multi-signature public key χ and its center signature σ.
_vic (χ) is sent to the verifier, and the verifier verifies the validity of the multi-signature public key χ with the center signature σ _vic
After confirming with (χ), the verification formula and the multi-signature public key χ
The signature creation / verification step of verifying the validity of the multiple signatures X and Z with respect to the message m, and if satisfied, considers the message m as a legally signed message by the computing device guaranteed by the certificate issuing center and the signer. A privacy protection authentication method comprising: