JPH09153103A - Method and device for executing traceable electronic money - Google Patents

Abstract

PROBLEM TO BE SOLVED: To trace an electronic money flow under reliable third person's supervison/permission when there is the possibility of money laundering or the like. SOLUTION: In the traceable electronic money execution method, a user US transmits the product N of prime numbers P, Q, a prime number L and a real name IDu to a bank BK, the bank BK generates an assumed name I corresponding the real name IDu, secretly manages correspondence relation between the names IDu, I, signs the values N, L, I based upon a signature function Ω=De B (N, L, I) and transmits the signed result Ω to the user as information including a use permit. The user US generates certification information X based upon the product N and a random number R, transmits information 2 obtained by applying blind signature preprocessing to (X, B) based upon a function Fe C and allows the bank BK to sign the Z by a signature function De C (Z) to obtain electronic money C. If electronic money is illegally used by a certain user, the bank BK opens the correspondence relation between the user's real name IDu and the assumed name I in accordance with an instruction from a court and traces the used electronic money.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and apparatus for making electronic cash using a telecommunication system.

[0002]

2. Description of the Related Art Electronic cash is widely used in the form of an IC card as a wallet for electronic cash (electronic wallet). In that case, it is desirable that the electronic cash is stored in the electronic wallet in a form that the information itself becomes electronic cash without depending on any physical medium.

One implementation of electronic cash is a method of ensuring security by physical means. For example, a prepaid card using a magnetic card such as a telephone card is based on the fact that it is difficult to physically copy the magnetic state on the card to another card. However, this premise of safety is not always guaranteed due to the progress of science and technology in the world. Further, in this method, electronic cash is always realized integrally with a physical medium (such as a magnetic card), and therefore it cannot be transferred through a communication line like electronic cash in the form of information.

Another solution is to use an electronic ID card such as a credit card (electronic credit card or electronic check) to make a payment at a later date. In an electronic credit card, by using a digital signature instead of a handwritten signature, it is possible to realize completely electronic processing (informatization) and transfer the payment information through a communication line. However, a drawback of this scheme is that it cannot guarantee the privacy of the user (this is also true of current credit cards and checks). In other words, the institution that issues / settles credit cards can obtain the purchase history of the user freely, and also the retailer can know the credit card number and signature of the user.

On the other hand, a blind signature (details will be described later)
And online check at the time of payment (the retail store inquires online to the management center whether the electronic cash information presented by the user is doubled / unauthorized) and the electronic cash described above is combined. Can solve the problems of computerization, security, and privacy. But,
It is realistic for each retailer to access the center when purchasing each user, considering the processing time (user waiting time), communication cost, online processing cost at the management center, database maintenance cost, etc. It is not a good solution. Therefore, it is desirable that the processing at the time of cash payment can be processed offline.

[0006] As an electronic cash system capable of off-line processing with an emphasis on privacy, for example, D.Chaum, A.Fiat an
d M. Naor, “Untraceable Electronic Cash,” Advances
inCryptology-Crypto'88, Lecture Notes in Computer
Science 403, pp.319-327, Springer-Verlag, Berlin (19
88) and T. Okamoto et al. “Disposable Zero-Knowledge Au.
thentications and Their Applications to Untraceabl
e Electronic Cash, ”Advances in Cryptology-Cryto'8
9, Lecture Notes in Computer Science 435, pp.481-4
96, Springer-Verlag, Berlin (1989), Japanese Patent No. 20
No. 27713, "Electronic cash implementation method and its device".

First, the blind signature, which is a basic technique for guaranteeing the privacy of the user, will be described. In blind signatures, the signer signs the document while keeping the contents of the document secret. A blind signature scheme based on the RSA method is disclosed in US Pat. No. 4,759,063 and document D. Chaum,
“Security without Identification: Transaction Sys
tems to Make Big Brother Obsolete, "Comm. of the A
In CM, 28, 10, pp.1030-1044 (1985), a blind signature based on a zero-knowledge dialogue proof was published by T. Okamoto et al. “Div.
ertible Zero-Knowledge Interactive Proofs and Comm
utative RandomSelf-Reducible, "The Proc. of Eurocr
It is shown in ypt'89 (1989).

The blind signature requester (user) disturbs the document m by the random number r by the blind signature preprocessing to generate the blind message x. The signer uses the private key to calculate a temporary signature y corresponding to x. At this time, the signer cannot know the document m because m is disturbed by r. The user removes the influence of the random number r from y by blind sign post-processing, obtains the true signature y ′ for the original document m, and sends the pair of m and y ′ to the verifier. The verifier uses y's m as the signer's public key.
Confirm that the signature is Where the verifiers are y and y '
Can not know the correspondence of. The blind signature procedure A is the signer, U is the signer, and e _A is the public information of the signer A. Let F be a function representing the blind signature preprocessing algorithm, D be a function representing the multiple blind signature algorithm, and G be a function representing the blind signature postprocessing algorithm. The signer A uses the signature function D _eA to tentatively sign the information created by the user U using the preprocessing function F _eA Ω = D _eA
(F _eA (m ₁ ), ..., F _eA (m _k )) is created and the user U
Is subjected to blind signature after treatment G _eA, k-number of messages m _1, ..., a true signature of A to _{m k B = D eA (m} 1, ..., m k) is calculated. This procedure is executed by the signer A and the user US according to the following procedure to create a multiple blind signature.

Step 1: The user US performs k blind messages {m _i | i = 1,2, ..., k} by the blind _signature preprocessing F _eA .
From k blind messages x _i = {F _eA (m _i ) | i = 1,2,
, K} is generated and transmitted to the signer A. Here, each blind message x _i = F _eA (m _i ) is calculated independently, and the function F _eA uses a random number to conceal m _i .

Step 2: Signer A has a tentative signature Ω = D
_eA (F _eA (m ₁ ), ..., F _eA (m _k )) k blind messages
It is generated from F _eA (m ₁ ), ..., F _eA (m _k ), and is transmitted to the user US. Step 3: The user US performs the blind signature post-processing using the function G _eA, and the true digital signature B = D _eA (m ₁ , ..., m) of the signer A corresponding to the message m ₁ , ..., M _{k. k} ) is calculated.

When the RSA method is used for the blind signature, r _i is a random number for perturbation, and blind message (blind signature preprocessing) x _i , tentative signature y, and blind signature postprocessing G _eA are respectively x _i = F _eA (m _i ) = r ^{eA xm} _i mod n, y = Ω = D _eA (x _{1 ,,} ..., x _k ) = Π _{1 < i < k} (x _i ) ^dA mod n, G _eA (y) = Ω / (r ₁ × ... × r _k ) mod n, the signature y is y = B = Π _{1 < i < k} (m _i ) ^dA mod n. At this time, the signature B for the message m ₁ , ..., M _k
The verification V _eA (m _{1 ,,} ..., m _k , B) is determined by whether or not the following expression {Π _{1 < i < k} (m _i )} ^eA ≡ B (mod n) is satisfied. Outputs a pass (OK). Here, (e _A , n) is the public key of the RSA method used by the signer A, and the following equation is satisfied when P and Q are large prime numbers.

N = P × Q e _A × d _A ≡1 (mod L) where L = LCM {(P-1), (Q-1)} where L = LCM {a, b} is a The least common multiple of b is a≡b
(mod n) represents that (ab) is a multiple of n. P, Q
Is a huge prime number, in general, n is factored into P and Q
Is very difficult to ask for. Therefore, even if n is disclosed, the secrets of P and Q can be held. After that d
_A is sometimes expressed as 1 / e _A. Chaum / Fiat / Naor below
In the method, the case of k> 1 is assumed, and in the embodiment of the present invention described later, the case of k = 1 is assumed.

An example of the structure of the RSA encryption is given in the document Rivest, R.
L. et al. “A Method for Obtaining Digital Signature
s and Public-Key Cryptosystems, "Communications of
The ACM, Vol. 21, No. 2, pp. 120-126, (1978). The method of constructing a blind signature is, for example, Chaum,
D. "Blind Signature Systems," US Patent No .: 4,759,0
63 and Ohta, K. et al. “Authentication System and A
pparatus Therefor, "US patent No .: 4,969,189.

The privacy of the user can be guaranteed at the sole responsibility of the user by using the blind signature.
That is, since the user adds and removes the random number r for disturbance, as long as r is kept secret, no one can know the correspondence between y = Ω and y ′ = B. However, the literature S. von So
lms and D. Naccache, “On Blind Signature and Perfec
t Crimes, "Computers and Security, 11, pp.581-583
(1992), this method can make the flow of money completely untraceable, and it has been pointed out that it could be misused for money laundering and complete crimes of kidnappers.

Here, Cha, which is a typical electronic cash system, is used.
This section describes the process of issuing electronic cash between a bank and a user, the payment of electronic cash at a user's retail store, and the approval process between the retail store and a bank under the um / Fiat / Naor method. Electronic cash issuance processing The procedure for the user US to issue the electronic cash C from the bank BK will be described. Here, the ID is the identification information of the user US, e
_A is a bank's digital signature public key corresponding to the amount of electronic cash (for example, 10,000 yen) designated by the user. The procedure for a user to issue an electronic cash from a bank is as follows.

Step 1: The user US generates a predetermined random number a _i (where i = 1, ..., K) and uses the published one-way function g to obtain x _i = g ( a _i ) y _i = g (a _i (+) ID) is calculated. (+) Indicates exclusive OR.

Step 2: The user US calculates W _i = F _eA (f (x _i , y _i )) using the published one-way function f and the blind _signature preprocessing function F _eA. Present to the bank. Step 3: The bank BK randomly selects K / 2 subsets H = {i _j } (where j = 1, ..., K / 2 and 1 from 1 to K).
Select < i _j < K) and send it to the user as a disclosure request. Below, in order to simplify the notation, H = {K / 2 +
Description will be made assuming that 1, K / 2 + 2, ..., K} is specified as the disclosure request. Cut-and-choose (unannounced inspection) a procedure to request disclosure of K / 2 subsets randomly from K
Call it.

Step 4: When the user US receives the disclosure request from the bank BK, the designated K / 2 a _i and W _i are specified.
The random number a _i used in the function F _eA to create is disclosed to the bank BK. Step 5: The bank BK verifies the legitimacy of all the disclosed K / 2 pairs and, if any of the inspections fails, stops the subsequent processing. When all the inspections are passed, the bank BK performs the following procedure for i (here, i = 1, 2, ..., K / 2) that is not a disclosure target.

Step 6: The bank BK calculates Ω = D _eA (W ₁ , ..., W _{K / 2} ) and sends it to the user US. Step 7: The user US calculates the electronic cash C from the received data Ω from the bank as follows.

C = G _eA (Ω) = D _eA (f (x ₁ , y ₁ ), ..., f (x _{K / 2,} y _{K / 2} )) Electronic cash payment A case where payment is made at the retail store SH using the electronic cash C issued by BK will be described. The following processing is executed for each i (where i = 1, 2, ..., K / 2).

Step 1: The user US sends the electronic cash C to the retail store SH. Step 2: The retail store SH generates a random number bit e _i ,
Send to user US. Step 3: a _i and y _i when the user US is the e _i = 1, e _i
When = 0, x _i and a _i (+) ID are transmitted to the retail store SH.

Step 4: The retail store SH uses the public key e _A of the bank BK to transfer the electronic cash C to the message f (x ₁ , y ₁ ),
…, Verify that f (x _{K / 2} , y _{K / 2} ) has the correct signature. Payment Finally, a payment method between the retail store SH and the bank BK will be described. The retail store SH submits a communication history H with the user when using electronic cash to the bank. The bank checks the legitimacy of H, and if it passes the check, it remembers H and pays the corresponding amount to the account of the retail store. Alternatively, the appropriate amount is paid to the retail store by some means. When the bank finds an unauthorized use of electronic cash, it searches for the a _i and a _i (+) ID stored in correspondence with C from the communication history already stored with H, and identifies the identification information ID of the illegal person. To confirm.

The above is the Chaum / Fiat / Naor method. However, the user has a random number bit e _i = 1 generated at the time of payment by electronic cash.
A _i and, for transmitting a _i (+) ID when e _i = 0 to retail V, when the user uses twice illegally C, 1 time and the second time i-th random number bit when the If e _i are different,
The a _i and ai (+) ID are passed to the bank, and the bank BK can detect the ID by calculating a _i (+) (a _i (+) ID) = ID from them. Since the bank queries the K / 2 bit, the probability of not being able to detect double use of C is 2 ^{-K / 2} . Usually K = 2
0 is recommended.

[0024]

Since the electronic cash method using the blind signature described above can unconditionally make the flow of electronic cash untraceable, the privacy of the electronic cash user is guaranteed only at the user's own risk. To be done. That is, since the user adds and removes the random number r for disturbance, as long as r is kept secret, no one can know the correspondence between y and y '. However, this method of unconditionally having anonymity is
Since the cash flow can be made completely untraceable, it could result in the misuse of money laundering and the complete crime of a kidnapper in the literature S. von Solms and D. Naccache, "On
Blind Signature and Perfect Crimes, "Computers an
d Security, 11, pp.581-583, 1992.
The electronic cash system shown in the above-mentioned U.S. Pat. No. 4,977,595 has a similar problem.

The object of the present invention is to make it possible to trace the flow of information under the supervision / permission of a reliable third party (for example, a court) when there is a risk of money laundering. However, it is an object of the present invention to provide a method and a device for carrying out electronic cash in which, in the usual case, the flow of information cannot be traced as usual and the privacy of the user can be protected.

[0026]

The traceable electronic cash implementation method according to the first aspect of the present invention includes the following processing steps: (1) The user corresponds to the real name ID _U and the first secret information. (2) After confirming the identity of the user, the first institution generates a pseudonym I for the user, and the pseudonym I and the public information N are transmitted. At least one and the correspondence between the real name ID _U of managing secret,
(3) The first institution signs the public information N and the pseudonym I, and sends the signature and the pseudonym I to the user. (4) The user receives the signature from the first institution. The license B is obtained from the signature, and the license B is used as the pseudonym I
And (5) the user calculates and holds the second secret information S corresponding to the pseudonym I and the public information N using the first secret information, and (6) the user , (7) The second institution requests the issuance of electronic cash by transmitting information including at least a random number and the above-mentioned license B and the amount A, and (7) the above-mentioned second institution requests the above-mentioned license from the user. (8) In the user, the usage permit B is a signature for the public information N and the pseudonym I. And verifying that the electronic cash C can be used under the license B, and then paying a third party using the random number and the second secret information S, (9) The third party collects all communication information with the user for the second machine in order to settle the electronic cash C. Transmitted to, (10) when the possibility of fraud has occurred, the search and said at least one of said pseudonym I and said public information N for managing the first engine, the correspondence between the real name ID _U Then, the pseudonym I and the public information N can be disclosed to prevent fraud. Further, in order to improve the user's trust in the bank, the role of the bank is divided into a plurality of parts, for example, two parts and the user's identity is confirmed (department 1), and the use permission. The portion that issues the certificate (division 2) is shared, and the association information α is newly introduced as information to be inherited between the divisions 1 and 2, and the division 1 manages the correspondence between the real name ID _U and the association information α, The department 2 may manage the correspondence between the association information α and the pseudonym I. Thereby, only when the two departments cooperate with each other, it is possible to obtain the correspondence between the pseudonym and the real name by using the association information α as a key.

The traceable electronic cash carrying method according to the second aspect of the present invention includes the following processing steps: (1) The user is the real name ID _U and the public information N corresponding to the secret information.
(2) The first institution, after confirming the identity of the user, generates a pseudonym I for the user, and transmits at least one of the pseudonym I and the public information N. the correspondence between the real name ID _U and managed in secret, (3) the first engine performs signature to the public information N and pseudonym I, and sends the signature and the pseudonym I to said user, ( Four)
The user obtains the usage permit B from the signature from the first institution, stores the usage permit B together with the pseudonym I, and (5) the user at least sends the second institution to the second institution. Information including the random number b and the license B and the amount A are transmitted to request the issuance of electronic cash, and (6) the second institution signs the information including the license from the user. And sends the information as electronic cash C to the user. (7) The user must confirm that the license B is a signature for the public information N and the pseudonym I, and the electronic cash C After verifying that it can be used under the license B, the third party pays using the random number b and the secret information. (8) The third party makes a payment for the electronic cash C. Therefore, all communication information with the above user is sent to the above second organization, and (9) If the possibility of occurs,
It is possible to prevent the misconduct by searching the correspondence relationship between the at least one of the pseudonym I and the public information N managed by the first agency and the real name ID _U, and publicizing the pseudonym I and the public information N. To do.

A traceable electronic cash implementing apparatus according to a third aspect of the present invention is an institution for issuing a license and issuing electronic cash, and includes the following: public information N from a user, Received the information including the real name ID _U of the above user,
Kana generation means for generating a Kana I corresponding to the real name ID _U , at least one of the Kana I and the public information N,
Correspondence memory means for holding a correspondence relationship with the real name ID _U, and a signature with the first signature function _DeB using the secret key for the license to the information including the public information N and the pseudonym. And a signature means for transmitting a license to the user as information including the license B and a second signature function _DeC for the information including the license B received from the user. Electronic cash signature means for performing and transmitting to the user as electronic cash information.

[0029]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below. FIG. 1 shows a block diagram of the principle of the present invention.
The bank BK, the user US, and the retail store SH are connected via, for example, a communication line, but an IC that can record information
The connection may be via a card or the like. First Embodiment First, the bank BK uses a public key such as e _B when the system is constructed.
Then, a private key, for example, d _B is generated, and the public key e _B is made public.
This public key e _B is used for creating / verifying a usage permit when each user subscribes to this electronic cash system. The user has the trust organization issue a permit B for using electronic cash. However, this embodiment is a bank BK
Shows the case where the device also serves as a trust institution that issues the usage permit.

Next, the bank BK generates a public key such as e _C and a secret key such as d _C for creating / verifying electronic cash. These key pairs (e _C , d _C ) are, for example, for each amount of electronic cash,
It differs by 100 yen, 500 yen, 1000 yen, 10,000 yen, etc. Bank BK uses signature generation algorithms D _B and D
Two public keys e _B holding _C and corresponding to these signature methods
And e _C are released. As a signature method, a conventional RSA digital signature method or another blind signature method can be used. Here, e _B is used to check the validity of the license issued by the bank BK, and e _C is used to check the validity of the electronic cash issued by the bank BK. The user US uses the identification information ID _U such as the account number. Issuing process of usage permit First, when the user US opens an account at a bank, the usage permit B is issued from the bank BK. To be exact,
The usage permit is {B, (I, N, L)}, but for simplicity of explanation, B is called a usage permit. The procedure for a user to issue a usage permit from a bank is as follows (see Fig. 2). This procedure is performed by each user only once when opening an account.

Step 1: The user US uses the prime number generator 2
10 is used to generate two large prime numbers P and Q, and the multiplier 211 is used to calculate a composite number N (N = P × Q).
Further, the user US selects and fixes the prime number L using the prime number generator 210. The P, Q, N and L are stored in the memory 20M. Step 2: The user US sends the identification information ID _U together with N and L to the bank BK.

Step 3: The bank BK confirms the identity of the user US corresponding to the identification information ID _U by some method, and if it passes, generates a pseudonym I using the pseudonym generator 110, The correspondence relationship between the identification information (real name) ID _U and the pseudonym I is secretly managed using the correspondence table 11T. Step 4: The bank BK uses the D _eB calculator 112 that executes the signature generation algorithm represented by the function D _eB to generate the signature information Ψ = D _eB (N, L, I) = g (N‖L‖I) ^dB mod n _B (1) is calculated and Ψ and I are transmitted to the user US. Here, the symbol ‖ represents connection.

Step 5: The user US uses the signature information Ψ received from the bank BK as it is in this example, the usage permit B.
As the kana I, it is stored in the memory 20M. Step 6: The user US gives (I, P, Q, L) read from the memory 20M to the power root calculator 212 to calculate secret information S S = I ^{1 / L} mod N (2) Then, it is stored in the memory 20M.

This completes the process of issuing the usage permit.
Here, the user may generate a unique value for L, or may use the same value for the entire electronic cash system. In the latter case, L may be held in a ROM (not shown) and is not a storage target of the memory 20M. When the communication of issuing the usage permit is performed through the communication line, it is better to use encryption processing together. In the kana generator 110, the kana I should be generated by inputting information such as the application time, expiration date, and serial number into the one-way function. Further, since the secret information S in the above-mentioned step 6 is information required when using electronic cash, it is not necessary to calculate it here, and may be calculated in the electronic cash payment procedure described later. Electronic Cash Issuing Process Next, a procedure for the user US to issue the electronic cash C from the bank BK will be described. Here, e _C is the public key for the digital signature of the bank BK corresponding to the amount of electronic cash (for example, 10,000 yen) designated by the user as described above. To be precise, electronic cash is (C, X), but for simplicity of explanation, C is called electronic cash. User US is bank B
The procedure for issuing the electronic cash C from K is as follows (see FIG. 3). In this case, the authentication information X based on the random number R is created, and the information concatenated with the license B is attached with the signature of the bank BK to obtain electronic cash. This signature is the blind signature described above. Use the method.

Step 1: User US uses random number generator 2
A random number R is generated using 20 and stored in the memory 20M, while the random number R and the component (N, L) of the license B are used.
Therefore, the power calculator 221 calculates the authentication information X by the following expression X = ^RL mod N (3). Further, based on the usage permit B and the authentication information X read from the memory 20M, F _eC
The calculator 222 is used to calculate Z = F _eC (X, B) (4), that is, blind signature preprocessing is performed to calculate Z
It is sent to the bank BK together with ID _U (only when necessary) and desired amount of electronic cash information (for example, 10,000 yen).

Step 2: The bank BK uses the secret key d _C corresponding to the amount of electronic cash to obtain Θ = D _eC (Z) (5) using the D _eC calculator 120, that is, for Z A temporary signature is sent to the user US. At the same time, either withdraw the applicable amount from the user's account or receive the applicable amount from the user by some means. In this embodiment, the bank BK does not carry out the unannounced inspection as in the prior art prior to the provisional signature by the formula (5).

Step 3: The user US uses the G _eC calculator 223 to calculate C = G _eC (Θ) ... (6) using the G _eC calculator 223, that is, performs the blind signature post-processing. Get C. Here, the case where the bank BK that issues the usage permit in FIG. 2 also issues electronic cash as shown in FIG. 3 is explained. However, by issuing the electronic cash in FIG. It is possible to further improve the security of electronic money and the safety of electronic cash. Payment by Electronic Cash Next, the following steps are performed for the user US to pay at the retail store SH using the electronic cash C issued by the bank BK (see FIG. 4).

Step 1: The user US uses (N, L, I, B, X,
C) is sent to the retail store SH. Step 2: The retail store SH confirms (N, L, I) of the license B
Justification for V_eBUsing the calculator 310, B is V_eB((N, L, I), B) = OK, that is, B^eB mod N = (N || L || I) (7) is satisfied, that is, B becomes a signature for N, L, and I.
I am convinced that there is an electronic cash C (X, B)
Justification for V_eCUsing the calculator 311, C is V_eC((X, B), C) = OK, that is, C^eC mod N = (X | B) ... (8) is satisfied, that is, C can be used under B.
And confirm respectively. If B and C are legitimate, retail
The store SH uses the question generator 312 to ask the question EεZ. _L=
Generate {0, 1, ..., L-1} and send it to the user US. Disagreement
In some cases, retail SH will stop this protocol.
You.

Step 3: The user US is the retail store 30
In response to the question 0, the secret information S and (N,
R) is read out and passed to the modular exponentiation calculator 231 and the answer Y is calculated by the modular exponentiation calculator 231 as follows,
Send to retail store SH. Y = R · S ^E mod N (9) Step 4: The retail store SH uses the modular exponentiation calculator 313.
X · ^IE mod N is calculated, and the power residue calculator 314 calculates Y ^L
The mod N is calculated, and the two calculation results are compared by the comparator 315. That is, it is checked whether the relation of the following equation is satisfied.

Y ^L ≡X · ^IE (mod N) (10) Since S in the answer Y expressed by the formula (9) is given by the formula (2), the relation of the formula (10) must be satisfied. If this electronic cash is correct, the retail store SH accepts the electronic cash C as 10,000 yen. In the above-mentioned electronic cash payment procedure, in order to prevent the bank BK from illegally paying the amount at the time of settlement due to the collusion between the user US and the retail store SH, step 2
And 3 may be strengthened as follows. That is, in step 2,
The retail store SH generates a random number d and instead of sending E,
The identification information ID _S of the retail store SH, the times t, and d are transmitted to the user US, and the retail store SH sends E = f (ID _S , t, d).
Calculate E with. Here, f is a one-way function. In step 3, the user US also E = f (ID _S , t, d)
Is calculated. Payment Finally, a payment method between the retail store SH and the bank BK will be described (see FIG. 5). The retail store SH receives all the communication history H when using electronic cash with the user, that is, (N, L, I, B, X,
Submit C), E, and Y to bank BK. The bank BK checks the legitimacy of H, that is, whether the expressions (7) and (8) are both satisfied, and if this check is passed, H is stored and the account of the retail store SH is stored. Pay the applicable amount (or pay the applicable amount to the retail store by some means). Bank BK finds fraudulent use of electronic cash,
From the correspondence between the pseudonym I and the identification information ID, the identification information ID of the illicit person
Confirm.

The second process in US Pat. No. 4,977,595 is from the issuance process of electronic cash to the settlement except the above issuance of the license.
In the method described in the embodiment, it is almost the same as the case where the user information V _i is processed as the pseudonym I of the present invention, and from this point, it is described in the second embodiment in US Pat. A method with higher reliability can be similarly applied to the present invention. Second Embodiment In order to improve the user's trust in the bank, the bank B
An example of a case where a plurality of processing functions related to electronic cash of K are executed by different departments will be described. Here, for example, FIG. 6 shows a case in which the department 101 that confirms the user's identity and the department 102 that issues a usage permit share the responsibility. The association information α is newly introduced as information to be handed over between the department 101 and the department 102. The department 101 manages the correspondence between the identification information (hereinafter also referred to as real name) ID of the user and the association information α, and the department 102 manages the association between the association information α and the pseudonym I. As a result, only when the two departments 101 and 102 cooperate with each other, it becomes possible to obtain the correspondence relationship between the pseudonym I and the real name ID by using the association information α as a key. In order to divide it into three or more parts, it is sufficient to add new association information (α, β, γ, ...) In the same manner, so the description is omitted here.

The embodiment is different from the first embodiment only in the processing of issuing the usage permit, and therefore only the processing related to the processing of issuing the usage license will be described in the following. However,
The parameter L is unique within the system. Bank department 1
02 holds the signature generation algorithm D _B. Bank BK
Publishes the public key e _B corresponding to this signature method. Here, e _B is used for checking the validity of the license issued by the bank BK. User US is the identification information ID such as account number
_{Use U.} The association information α is used as information to be handed over between the departments 101 and 102. Process of Issuing Usage Permit First, when the user US opens an account at the bank BK, the usage permit B is issued from the bank BK. To be precise, the license is (B, {I, N}), but for simplicity of explanation, B is called a license. The procedure for the user US to issue the usage permit B from the bank BK is as follows (see FIG. 6). This procedure is performed by each user only once when opening an account.

Step 1: The user US uses the prime number generator 2
Generate two large prime numbers P and Q using 10 and multiply
The composite number N (N = P × Q) is calculated using the device 211.
The P, Q and N are stored in the memory 20M. Step 2: User US is F_eBN'using the calculator 213
= F_eBCalculate (N) and ID_U And N'to the bank department 101
I do.

Step 3: The bank department 101 confirms the identity of the user US by some method, and if the result is acceptable, the related information generator 113 is used to generate the related information α, and the real name ID _U Correspondence table 11 and the corresponding information α
It is managed secretly using T ₁ , and α and N ′ are assigned to the bank department 102.
give. Step 4: The bank department 102 generates the pseudonym information I using the pseudonym generator 110, and secretly manages the correspondence relationship between the related information α and the pseudonym I using the correspondence table 11T ₂ .

Step 5: The bank department 102 _obtains Ψ = D _eB (N ′ × I) (11) using the D _eB calculator 112 and transmits Ψ and I to the user US. Step 6: User US receives data Ψ from the bank
_{Is transferred} to the G _eB calculator 214, the usage permit B is calculated with B = G _eB (Ψ), and stored in the memory 20M together with the pseudonym I.

Step 7: The user US has the memory 20M
The (I, P, Q) read from the above is attracted to the power root calculator 212, the secret information S is calculated so as to satisfy S = I ^{1 / L} mod N, and stored in the memory 20M. Note that signature B satisfies V _eB (N × I, B) = OK.

When the above-mentioned exchange is carried out through a communication line, it is better to use encryption processing together. Kana generation 110
Then, for example, the pseudonym I should be generated by inputting information such as the application time of the license, the expiration date, and the serial number into the one-way function. In addition, in the first and second embodiments, FIG.
The correspondence table 11T of _{No. 1} shows the case where the user's identification information IDU and the pseudonym are held in correspondence with each other. The principle of the present invention is D _eB
Calculator 112 together so as not to include the identification information ID _U of users themselves subject to bank signature by, certain correspondence between the sign of the target and the identification information ID _U that holds the correspondence table 11T . Therefore, as the information held in the correspondence table 11T, instead of the correspondence between the identification information ID _U and the pseudonym I, the correspondence between the identification information ID _U and N may be held. Third Embodiment In the third embodiment shown in FIG. 7, US Pat.
The case where the present invention is applied to the electronic cash that can be divided and used as shown in o.5,224,162 is shown. This embodiment also uses the same principle as the first embodiment, and the bank BK uses the user US
In response to the request, the pseudonym I corresponding to the identification information ID _U is generated, the correspondence relationship is kept secret in the correspondence table, and the usage certificate is issued using the pseudonym I. After that, the bank BK
Issues a certain amount of electronic cash to the user according to the request of the user US. The user can use the electronic cash for payment of various third parties, for example, the retail store SH, until the face value is reached. Finally, each retailer makes a payment at the bank for each payment made by the user. Also in this embodiment, the information held in the correspondence table may hold the correspondence between ID _U and N instead of the correspondence between ID _U and I.

The bank BK uses the signature generation algorithms D _B and D
Hold _C As shown in FIG. 7, the bank BK discloses two public keys e _B and e _C used in the signature procedure used when issuing the license and when issuing the electronic cash. In this embodiment, a case where a conventional RSA digital signature method is used as a blind signature method will be described. here,
The public key e _B is used for checking the validity of the license issued by the bank BK, and the public key e _C is used for checking the validity of the electronic cash issued by the bank BK. The user US uses the identification information ID _U such as an account number.

For example, when the bank BK uses an RSA digital signature as the information corresponding to the license, a pair of private key (d _A , n _A ) and public key (e _A , n _A ) is created. Every
In order to check the validity of the license, (e _A , n _A ) is published as the above public key e _B , and the private key (d _A , n _A ) is held as the above secret key d _B. deep. In addition, as the information bank BK corresponding to the amount of electronic cash, secret key _{(d 'A, n' A} ) in the case of using the RSA digital signature and public key (e _'A,
'Leave create _A) pairs for testing the validity of the electronic cash (e' n keep the _A, n _'A) to the public with the amount as the public key e _C above.

In the following embodiment, the signature generation for the license is used.
Algorithm D_BIs D_B(x) ＝ x^dAmod n_A Signature generation algorithm D for electronic cash_CIs D_C(x) ＝ x^d'Amod n '_A  And Also, the blind signature preprocessing function F_eIs x = F_e(m) = r^eA× m mod n where r is a random number for perturbation, blind signature post-processing
G_eIs G_eLet (Ψ) = Ψ / r mod n.

In this embodiment, in order to efficiently realize the split availability (electronic cash issued once can be used any number of times until the face value is reached), the above-mentioned US Patent No. Introduce a tree-structured table called a hierarchical structure table shown in .5,224,162. Bank BK
Is a one-way function g and three random functions fΓ, fΛ,
Define fΩ and make it public. These three functions are used to determine the value of each node in the hierarchical structure table (Γ table and Λ table).

This hierarchical structure table is determined corresponding to the amount of electronic cash and the minimum unit of use (for example, one yen unit). For example, FIGS. 8A and 8B show a hierarchical structure table in the case of using electronic cash of 100 yen in units of 25 yen. Here, for example, when using 75 yen,
The node "00" (equivalent to 50 yen) and the node "010" (equivalent to 25 yen) are the corresponding nodes. This corresponding node is determined by the following rules.

(A) The sum of the applicable amounts of the child nodes immediately below a certain node is the applicable amount of the node. (b) After a node has been used once, all parent (ancestor) and child (descendant) nodes connected to the node must not be used. (c) Each node may not be used more than once.

According to this rule, after the node "00" and the node "010" are used, only the node "011" (equivalent to 25 yen) can be used. In other words, by following the above rules, the total amount of money that can be used is 100 yen at face value, and any usage can be made in units of 25 yen. In this hierarchical structure table, if the face value of the electronic cash is increased and the usage unit amount is further reduced, the hierarchy is increased. For example, the face value is 10
In the case of electronic cash that can be used in units of 1 yen for 0,000 yen, the number of layers is about 20 (log ₂ 1,000,000 ≒ 20).

Here, it is assumed that the Γ table has a hierarchy of t or more, and the node corresponding to the amount paid by the user US at the retail store SH is Γ _{j1 ·· jt} (and Λ _{j1 ·· jt} ). And Here, j ₁ , ..., J _t ε {0,1}. Normally, there are a plurality of nodes corresponding to the payment amount (for example, there were two nodes corresponding to 75 yen in the above example), but the payment processing at the time of multiple nodes is the payment processing at the time of a single node. Since it suffices to simply execute in parallel, only the payment process for a single node will be described below.

The meanings of the symbols used in the following procedure are summarized here.

[0057]

(Equation 20) <z> _QR = dz mod N, d ∈ {± 1, ± 2}, and dz mod N is the quadratic residue. In <z> ₁ = d'z mod N, d'∈ {1, 2} and (d'z / N) = 1. <z> _-1 = d "z mod N, d" ∈ {1, 2}, and (d "z / N) = -1.

In the above, (a / b) means the Jacobi symbol. The method of calculating the Jacobi symbol is, for example, Fujisaki,
Morita and Yamamoto: "The departure to number theory (mathematics seminar special issue)"
(Nippon Hyoronsha). Issuing Process of Usage License First, the user US has the bank BK issue the usage license B. This procedure is the same as the procedure shown in FIG. 2 in the first embodiment in principle, but the prime number L is not used here. Therefore, the license is {B, (I, N)},
For ease of explanation, B is called a license. Further, in this embodiment, the user secret information S used in the first embodiment is not used when using electronic cash.

The procedure for a user to issue a usage permit from a bank is as follows (see FIG. 9). This procedure is performed by each user only once when opening an account. Step 1: User US uses prime number generator 210
Two large prime numbers P and Q satisfying P≡3 (mod 8) and Q≡7 (mod 8) are generated, and a composite number N (N = P × Q) of these prime numbers is calculated using a multiplier 211. To do. The P, Q and N are stored in the memory 20M.

Step 2: User US identifies his ID
Send _U and N to bank BK. Step 3: After confirming the identity of the user US by some method, the bank BK generates a pseudonym I using the pseudonym generator 110 when it passes, and the identification information (real name) ID.
The correspondence relationship between _U and Kana I (or N) is recorded in the correspondence table 11T and secretly managed.

Step 4: The bank BK uses the D _eB calculator 11
2 is used to obtain the following signature Ψ = D _eB (N, I) = g (N / I) ^dB mod n _B (12), and Ψ and I are transmitted to the user US. Step 5: The user US uses the received data Ψ from the bank BK as the usage certificate B and the memory 20M together with the pseudonym I.
To memorize.

When the above-mentioned user US and the bank BK are exchanged through a communication line, it is preferable to use an encryption process together. Further, in the kana generator 110, the kana I should be generated by inputting information such as the application time, the expiration date, and the serial number into the one-way function. Electronic Cash Issuing Process Next, a procedure for the user US to issue the electronic cash C from the bank BK will be described. Here, e _C is a public key for digital signature of the bank BK corresponding to the amount of electronic cash (for example, 10,000 yen) designated by the user. To be exact, electronic cash is
Although it is (C, b, B), C is called electronic cash for simplicity of explanation. The procedure by which the user US issues the electronic cash C from the bank BK is as follows (see FIG. 10).

Step 1: The user US uses the random number generator 2
Random numbers b and r are generated using 20 and b is stored in the memory 20M.
On the other hand, from the random number b and the license B read from the memory 20M, the g calculator 2 which is a one-way function
21 is used to calculate g (B | b), and the F _eC calculator 22
2 is used to calculate Z = F _eC (g (B ‖b)) = r ^eC g (B ‖b) mod n _C (13), Z is ID _U (only when necessary), and amount information of electronic cash It is sent to the bank BK together with A (for example, 10,000 yen).

Step 2: Bank BK pays the amount of electronic cash
Private key d corresponding to A_C Using D _eCBy calculator 120
R Θ = D_eC(Z) = Z^eCmod n_C Request (14) and send to user US. At the same time, for the user US
Withdraw the applicable amount A from your account, or use some means
Receives the corresponding amount A from the user.

Step 3: The user US uses the G _eC calculator 223 to calculate the electronic cash C of the designated amount A by C = G _eC (Θ) = Θ / r mod n _C (15). Payment by Electronic Cash Next, a case where the user US pays at the retail store SH using the electronic cash C issued by the bank BK will be described (see FIGS. 11 and 12).

Step 1: The user US first calculates the following equation from C, N, P, Q read from the memory 20M using the Γ calculator 236, that is, fΓ (C‖0‖N) And calculate
And, with respect to this value, either of ± 1 or ± 2 is corrected using P and Q to obtain the square residue Γ ₀ on N.

[0067]

(Equation 21) Next, the node j ₁ ... j _q corresponding to the electronic cash C and the usage amount
And N are input to the Ω calculator 237 and Ω _{j1 ... jq} (q = 1, ..., t)
Generate

[0068]

(Equation 22) Further, a power calculator 232 _{obtains a} power of j _{q + 1 of} Ω _{j1 ·· jq} (q = 1, ..., T), and a remainder multiplication of this result and Γ ₀ on N is obtained by a remainder multiplier 233. 1 / on mod N of the multiplication result
2 ^t root, that is, the value j ₁ ... j _{t of} the node corresponding to the usage amount A
A power root calculator 234 calculates a power root X of P using P and Q.

[0069]

(Equation 23) Step 2: The user US sends I 1, N, X, B, b, C read from the memory 20M and j ₁ , ..., J _t corresponding to the usage amount to the retail store SH. Step 3: The retail store SH _verifies the validity of the signature B with respect to (I, N) using the V _eB calculator 310, where B is V _eB ((N, I), B) = OK, that is, B ^eB mod N = It is confirmed that (N | I) (19) is satisfied, that is, B is a signature for (N, I), and the validity of the signature C for (B, b) is determined by g calculator 331 and V _{Using eC} calculator 332, C satisfies V _eC (g (B / b), C) = OK, that is, C ^eC mod N = g (B / b) (20), that is, C is under B Check that it can be used in. If this check fails, the subsequent processing is stopped Step 4: The retail store SH uses the Jacobian symbol calculator 333 and the comparator 334 to verify whether X satisfies the following relation. If this inspection fails, the subsequent processing is stopped.

(X / N) = − 1 Next, using the Γ calculator 322 from C and N,

[0071]

(Equation 24) Is calculated. Also, from C, j ₁ ... j _q , N, the Ω calculator 316
_Is used to calculate Ω _{j1 ... jq} (q = 1, ..., t).

[0072]

(Equation 25) The power of the calculation result is calculated by the power calculator 318, and Ω
^2j _{j1 ... jq} is obtained. Further, fΓ (C from the Γ calculator 322
A multiplier 319 multiplies the remainder of the power calculation result from the power calculator 318 with the multiplier 319. On the other hand, it performs a multiply-2 ^t of X a power calculator 317, which modular multiplier 319
The remainder is divided by the remainder divider 320, and the result is ± 1,
Comparison of ± 2 is performed by the comparator 321, and it is verified whether X satisfies the following relationship. If this inspection fails, the subsequent processing is stopped.

[0073]

(Equation 26) Here, d is a value of either ± 1 or ± 2. Step 5: If the retail store SH passes this check, the retail store SH uses the question generator 312 to obtain the question value E _i ε {0,1} (i = 1, ...,
Select K ') and send to user US. Step 6: The user US calculates Λ _i (i = 1, ..., K ′) from C, i, j ₁ ... J _t , N, P, Q using the Λ calculator 235 by the following equation. That is, using P and Q for fΛ (), ± 1, ±
The square residue Λ _i on N is obtained by performing any correction of 2.

[0074]

[Equation 27] i = 1 ,.
And then send Y _i to the retail store SH.

[0075]

[Equation 28] Step 7: The retail store SH uses the Jacobian symbol calculator 323 and the comparator 324 to verify whether Y _i satisfies the following relationship. If this inspection fails, the subsequent processing is stopped. _{(Y i / N) = (} - 1) Ei (25) information _{C, i, j 1 ... j} t, the N type to the Λ calculator 325, and Y _i ² the Y _i in power calculator 326, the Y _i ² is Λ calculator 3
The remainder division is performed by the remainder division unit 327 with the output of 25, and the result d ′ is compared with ± 1 and ± 2 using the comparator 328 to verify whether the following relationship is satisfied.

[0076]

(Equation 29) i = 1, ..., K ′ Here, d ′ is one of ± 1 and ± 2. If this verification is passed, the retail store SH determines that the node j _{1 of the} user US.
… Just considers and accepts payment of the amount of money that corresponds to _t .

In order to prevent the retail store SH from colluding with the user US and illegally using it in the above electronic cash payment, the retail store SH sends a question E _i sent from the question generator 312 to the user US. You may strengthen as follows. Retailers SH generates a random number E _i ', and sends it together with the identifier ID _S and the time stamp T retail SH to the user US as an alternative to the E _i. The retail store SH and the user US are respectively
Calculate E _i = h (ID _S ‖T‖E _i '). Here, h is a one-way function. Payment Finally, a payment method between the retail store SH and the bank BK will be described (see FIG. 13). The retail store SH has a history of all communications H = {I, N, X, B, b, C, j ₁ when using electronic cash with the user US.
Submit j _t , E _i , Y _i (i = 1, ..., K ')} to the bank. Bank H
If it passes the inspection, it stores H and pays the corresponding amount to the account of the retail store SH (or pays the relevant amount to the retail store by some means). When banks find fraudulent use of electronic cash, they
The I (or N) can be obtained from the information of (1), the ID corresponding to the I (or N) can be known under the permission of a third party (for example, a court), and an illicit person can be specified.

In the above description, the user cannot double use any node in the hierarchical structure table. Because E _i is
By being randomly selected from {0,1} (i = 1, ..., K '),
If the user double-uses any of the nodes, the bank can factorize N from H with probability 1- (1/2) ^{K '} , which leads to the confidential information P, P of the user. You can get Q. The bank uses the prime factors P and Q of the composite number N as evidence of unauthorized use. Note that only user US knows P and Q. Therefore, some penalty can be imposed on the user as evidence of double usage.

Next, the user US cannot use any upper and lower nodes after using a node in the hierarchical structure table. Here, for simplicity, an example of the hierarchical structure table of FIG. 8B will be described. First, when the user US uses the node "00", the user US

[0080]

[Equation 30] To the retail store SH (finally to the bank BK). After that, if the lower node "000" is used, the user US

[0081]

(Equation 31) Must be sent to the retail store SH. At this time,

[0082]

(Equation 32) Therefore, the bank BK can factorize N using the information of X ₀₀ and X ² ₀₀₀ mod N, and can calculate the secret information P and Q of the user US from this. Similarly, node "0
After using "0", its upper node "0" and lower node "001"
When using, the secret information P and Q of the user US is obtained by the bank BK.

In the above embodiment, the correspondence between the real name and the pseudonym is realized as one bank BK, but the function of the bank BK is divided into a plurality of departments as described with reference to FIG. And only when these departments cooperate
It may be possible to know the correspondence between the real name and the kana. In the above description, the signature Ψ is used as it is as the usage permit B, but the signature Ψ may be subjected to some processing as the usage permit B. Fourth Embodiment In the third embodiment shown in FIGS. 7 to 13 described above, when the user uses electronic cash, the amount of information communicated between the user and the retail store shown in FIGS. 11 and 12 is reduced. 15 and 16 show the configurations of the user US and the retail store 300 improved so as to do so, and the electronic cash payment procedure.

Step 1: The user US first calculates the following equation from C, N, P, Q read from the memory 20M by using the Γ calculator 236, that is, fΓ (C‖0‖N) And calculate
Then, with respect to this value, correction of either ± 1 or ± 2 is performed using P and Q, and the quadratic residue Γ ₀ on N is obtained by the above-mentioned equation (16). Next, the node corresponding to the electronic cash C and the usage amount
j ₁ ... j _q and N are input to the Ω calculator 237 and the above equation (17) is entered.
_Generates Ω _{j1 ··· jq} (q = 1,…, t). Furthermore, Ω
_A power calculator 232 _{obtains the} power of j _{q +1 of j1 ··· jq} (q = 1, ..., T), and the remainder multiplication on N of Γ ₀ is obtained by the remainder multiplier 233, and the multiplication result 1/2 ^t root on mod N,
That is, the power root X of the node value j ₁ ... J _t corresponding to the usage amount A is calculated by the power root calculator 234 using P and Q.
Calculate according to (18).

Step 2: The user US uses the memory 20M
I, N, X, B, b, C read from j and the corresponding j ₁ ,
..., j _t is sent to the retail store SH. Step 3: The retail store SH _verifies the validity of the signature B with respect to (I, N) by using the V _eB calculator 310, that B satisfies the above equation (19), that is, B is a signature with respect to (N, I). And the validity of the signature C for (B, b),
Using g calculator 331 and V _eC calculator 332, it is confirmed that C satisfies the above equation (20), that is, C can be used under B. If this inspection fails, the subsequent processing is stopped.

Step 4: The retail store SH uses the Jacobi symbol calculator 333 and the comparator 334 to determine that X is (X / N) =-1.
Verify whether the relationship of is satisfied. If this inspection fails, the subsequent processing is stopped. Next, from C, N to Γ
Using the calculator 322, f.GAMMA. (C | 0 || N) is calculated. Further, from C, j ₁ ... j _q , N, using the Ω calculator 316,
_{j1 ... jq} (q = 1, ..., t) is calculated by the above equation (21).

The exponentiation calculator 31 calculates the exponentiation of the calculation result.
8 to obtain Ω ^2j _{j1 ··· jq} . Furthermore, Γ calculator 322
In the multiplier 319, the modular multiplication of f Γ (C /////) and the power calculation result from the power calculator 318 is performed. On the other hand, X is raised to the power of 2 ^t in the power calculator 317, divided by the output of the remainder multiplier 319 in the remainder divider 320, and the result is compared with ± 1 and ± 2 in the comparator 321. It is verified whether or not satisfies the relation of the above equation (22). If this inspection fails, the subsequent processing is stopped.

The processing steps 1 to 4 up to this point are as shown in FIG.
This is exactly the same as the processing steps 1 to 4 described in steps 1 and 12. In the modified examples of FIGS. 14 and 15, the following processing steps 5 to 7 are improved so as to reduce the amount of communication information between the user US and the retail store SH, but the basic procedure is as shown in FIG. This is the same as the processing steps 5 to 7 of 12.

Step 5: The retail store SH uses the question generator 312 if the validity of the signature of the bank BK on the license B checked in step 4 and the availability of the electronic cash C have passed. One question value E ∈ Z _u = {0,1,2, ..., u
-1} (u is a security parameter) is randomly selected and sent to the user US. Step 6: User US reads from memory 20M
Using {C, j ₁ , ..., j _t , N, P, Q}, Λ calculator 235
Calculate _j1..jt . That is, for fΛ (), ± 1, ± 2
Then, any one of the corrections is performed using P and Q to obtain a remainder square Λ _j1..jt on N.

[0090]

[Equation 33] Next, using the remainder multiplier 238 and the power root calculator 231, the answer Y _j1..jt is calculated from N, P, Q, Λ _j1..jt and the question E from the retail store SH, and the retail store is calculated. Send to SH.

[0091]

(Equation 34) Step 7: The retail store SH uses the Jacobian symbol calculator 323 and the comparator 324 to verify whether Y _j1..jt satisfies the following relationship. If this inspection fails, the subsequent processing is stopped. (Y _{j1 ·· jt} / N) = 1 (29) C, j ₁ ... j _t , N from the user US is input to the Λ calculator 325, and its output and E, N are input to the remainder multiplier 327. Y _j1..jt , N are input to the power calculator 326, the output of the power calculator 326 is divided by the output of the remainder multiplier 327 by the remainder divider 328, and the result is used by the comparator 329. Verifies whether the following relationship is satisfied by comparing with ± 1 and ± 2.

[0092]

(Equation 35) Here, d'is either one of ± 1 and ± 2. If this verification is passed, the retail store SH determines that the node j _{1 of the} user US.
… Just considers and accepts payment of the amount of money that corresponds to _t . As in the case of FIGS. 11 and 12, in order to prevent the retail store SH from colluding with the user US and illegally using the electronic cash payment, the retail store SH uses the question generator 312 to send the user US. Question E to send to
May be enhanced as follows. The retail store SH generates a random number E ′ and sends it as a substitute for E to the user US together with the identifier ID _S of the retail store SH and the time stamp T. The retail store SH and the user US each have E = h (ID _S ‖T‖E ')
Is calculated. Here, h is a one-way function.

The settlement method between the retail store SH and the bank BK shown in FIG. 16 is basically the same as that shown in FIG. Retail store SH
Is the communication history H = {I, when using electronic cash with the user US
Submit N, X, B, b, C, j ₁ ··· j _t , E, Y} to the bank. Bank H
If it passes the inspection, it stores H and pays the corresponding amount to the account of the retail store SH (or pays the relevant amount to the retail store by some means). When banks find fraudulent use of electronic cash, they
The I (or N) can be obtained from the information of (1), the ID corresponding to the I (or N) can be known under the permission of a third party (for example, a court), and an illicit person can be specified.

Also in the embodiments of FIGS. 14, 15 and 16, the user cannot double use any node in the hierarchical structure table. Because E is randomly selected from Z _u = {0,1, ..., u-1}, if the user double-uses any node, the bank will get the probability (1 N can be factorized by (1 / u), whereby the secret information P and Q of the user can be obtained. The bank uses the prime factors P and Q of the composite number N as evidence of unauthorized use (only the user US knows P and Q). Therefore, some penalty can be imposed on the user as evidence of double usage.

As described above, in the embodiment of FIGS. 11 and 12, the user US responds to K ′ with respect to K ′ questions E ′ at the retail store SH.
It was necessary to generate the individual answers Y _i and send them to the retail store SH. On the other hand, in the modified embodiment shown in FIGS.
The retail store SH randomly selects one question E and selects the user U.
S, and user US responds to this with one reply Y _j1.
.. Since it is only necessary to generate _jt and give it to the retail store SH, the amount of communication information can be reduced. Further, the amount of information of the communication history H transmitted to the bank BK is reduced, and the memory capacity required for the bank BK to store the communication history is small.

For example, in the Chaum / Fiat / Naor method, as a part of the communication history H to be stored by the bank for detecting double use, the retail store SH has the following K / 2 = 10 sets of signature data ( a _i , y _i ) or (a _i (+) ID, x _i ), i = 1, ..., K / 2 must be passed to bank BK. Its size is 1280
Is a bit. On the other hand, in the embodiments of FIGS. 14 and 15, only one _piece of signature data Y _j1..jt has to be passed. The amount of information stored in the communication history H that the bank must store is 512 bits.
It can be less than 1/2 of the aum / Fiat / Naor method.

In the above-mentioned first to fourth embodiments, the user U
Although the same bank BK issues both the license B and the electronic cash C to S, the license B is issued in a trust different from that of the bank, for example. Alternatively, the bank BK may only issue and settle electronic cash. For example, in the first embodiment, the bank BK issues the usage permit B as the information Ψ in FIG. 2, but this is performed by the trust institution 40T as shown in FIG. Since the processing function configurations in the user US and the trust organization 40T are exactly the same as the configurations in the user US and the bank BK shown in FIG. 2, only the correspondence table 41T is shown in FIG. Similarly, the trust agency may perform the process of issuing the usage permit B in the third and fourth embodiments shown in FIG. In this way, the issuance of the license is performed by an organization other than the bank, so that the user's real name (identification information)
It is possible to prevent the correspondence relationship between _U and the public information N or I from being leaked to the outside for being abused or being stolen from the outside by a hacker.

Further, as in the second embodiment shown in FIG.
As shown in FIG. 18, the inside of the trust institution 40T shown in FIG.
Divided into multiple departments 401 and 402, ID_U And related information α
And the correspondence between the associated information α and N, I.
Correspondence table 41T₁, 41T_TwoMay be held at. Change
In addition, these departments 401 and 402 of the trust organization 40T are
As shown in 19, even if they are independent trust institutions,
The good thing is clear. In the example of FIG. 19,
Issued by three trust institutions 40T₁, 40T_Two, 40T_ThreeDone via
Correspondence table 40T₁, 40T_Two, 40T_ThreeNiso
ID of each_U Against α ₁, Α₁Against α_Two, Α_TwoCorrespondence between N'and I
Hold. That is, ID_U Correspondence between N and I is 3 trust machines
Seki holds as a whole. According to court order
All trust institutions 40T₁, 40T_Two, 40T_ThreeHave each in cooperation
ID when you submit the correspondence_U And N, I pair
The relationship becomes clear.

[0099]

The effects of the present invention are as follows. (a) Countermeasures against crime At the request of a reliable third party (eg court),
The bank discloses the relationship between ID and (I, N). This gives (I,
Trading by N) will be suspended. Alternatively, the criminal can be arrested by tracking the transaction by (I, N). (b) Privacy Privacy cannot be guaranteed with a credit card because the user's identification information ID is directly visible to the retail store. In this invention, only the pseudonym I can be seen as a retail store, so privacy is enhanced. In the Chaum-Fiat-Naor method, blind signatures are used, so only users can protect privacy. (However, it is pointed out that this is a hotbed of crime.) In the first embodiment, the bank can invade the privacy of the user, but in the second embodiment, a plurality of Unless the department colludes, it is difficult to break privacy. (c) This invention is compared with the Chaum-Fiat-Naor method, which can guarantee the privacy of communication volume and stored information volume.

In the Chaum-Fiat-Naor method, since the user embeds the ID in the electronic cash, in order to inspect that the user operates as determined, the "unannounced inspection technique" (K information Must be presented and K / 2 disclosure requests must be answered), which increases the amount of communication in the process of issuing the usage permit. In addition, there is a problem that the amount of information stored in the communication history H to be stored by the bank becomes large in order to detect double use.

In the prior art, K = 20 is usually recommended, whereas in the present invention (first to fourth embodiments),
Since K can be set to 1, the amount of communication and the amount of stored information can be reduced to 1/20, and these problems can be solved. (d) Double use When a user uses electronic cash C more than once, the bank can detect this fact by searching the communication history file using C as a key. Since the communication history information includes I as well as C, the bank can know the ID corresponding to I and can identify the fraudulent person under the permission of a third party (for example, a court). (e) Double Use In the third and fourth embodiments, when the user uses the electronic cash C contrary to the node rule for divided use, the bank uses the power root X of the node as a key, This fact can be detected by searching the communication history file. Since the communication history information includes I (or N) together with C, the bank can know the ID corresponding to I or N) with the permission of a third party (for example, a court). Can identify fraudulent persons. (f) Others This invention is an existing method using a license, for example, T.
Okamoto et al. "Universal Electronic Cash," Advance
s in Cryptology-Crypto'91, Lecture Notes in Comput
er Science 576, pp.324-337, Springer-Verlag, Berli
n (1991), and US Patent No. 5,224,162, and can realize a transfer function and a divided use function that cannot be realized by the Chaum / Fiat / Naor method.

The present invention is an existing method using a license, for example, T.Okamoto et al. “Disposable Zero-Knowle.
dge Authentications and Their Applications to Untr
aceable Electronic Cash, ”Advances in Cryptology-C
rypto'89, Lecture Notes in Computer Science 435, p
p.481-496, Springer-Verlag, Berlin (1989) and U.S. Pat. It can be used like a coupon.

In the third and fourth embodiments, it is necessary to set K '= 10 for the amount of information stored in the communication history H to be stored by the bank for detecting double use.
It is equivalent to K / 2 = 10 in iat ・ Naor method.

[Brief description of the drawings]

FIG. 1 is a block diagram showing the principle configuration of the present invention.

FIG. 2 is a block diagram showing a license issuance process (basic form) between a user and a bank.

FIG. 3 is a block diagram showing an electronic cash issuing process between a user and a bank.

FIG. 4 is a block diagram showing electronic cash payment processing at a user and a retail store.

FIG. 5 is a block diagram showing a settlement process between a retail store and a bank.

FIG. 6 is a block diagram showing another example (functional division type) of the license issuance processing between the user and the bank.

FIG. 7 is a block diagram showing the principle configuration of a third embodiment according to the present invention.

FIG. 8A is a structural diagram of a hierarchical table of usage amounts that defines divided usage of electronic cash, and FIG. 8B is a diagram for explaining a usage example of nodes in the hierarchical table.

9 is a block diagram showing a process of issuing a usage permit between the user and the bank in FIG. 7. FIG.

10 is a block diagram showing an electronic cash issuing process between a user and a bank in FIG. 7. FIG.

11 is a block diagram showing processing by the user in FIG. 7 and processing by the user regarding payment processing by electronic cash at a retail store.

FIG. 12 is a block diagram showing processing of a retail store regarding payment processing by electronic cash at the user and the retail store in FIG. 7.

13 is a block diagram showing a settlement process between a retail store and a bank in FIG. 7.

FIG. 14 is a block diagram showing processing by the user in the modification of the payment processing by electronic cash at the retail store and the user in FIGS. 11 and 12;

FIG. 15 is a block diagram showing a process of a retail store in a modification of the payment process using electronic cash at the user and the retail store of FIGS.

FIG. 16 is a block diagram showing a settlement process between a retail store and a bank for the electronic cash payment process of FIGS.

FIG. 17 is a block diagram showing an example in which a trust organization issues a usage permit.

18 is a block diagram showing an example in which a plurality of departments in the trust organization in FIG. 17 hold the correspondence between ID and N, I by interposing association information α.

FIG. 19 is a block diagram when a plurality of departments of a trust institution are configured as independent trust institutions in FIG.

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁶ Identification number Internal reference number FI Technical display location G06F 15/30 350 (72) Inventor Masayuki Abe 1-6 Uchisaiwaicho, Chiyoda-ku, Tokyo Nihonhon Telegraph and Telephone Corporation

Claims (18)

[Claims] 1. A traceable electronic cash implementation method comprising the following processing steps: (1) The user sends the public name N corresponding to the real name ID _U and the first secret information to the first institution. (2) The first organization, after confirming the identity of the user, generates a pseudonym I for the user and associates at least one of the pseudonym I and the public information N with the real name ID _U. (3) The first institution signs the public information N and the pseudonym I, and sends the signature and the pseudonym I to the user, and (4) the user The license B is obtained from the signature from the first institution, and the license B is stored together with the pseudonym I. (5) The user uses the pseudonym I as the pseudonym I using the first secret information. Calculating and retaining the second secret information S corresponding to the public information N, (6) Requesting the issuance of electronic cash by transmitting at least the information including the random number and the license B and the amount A, and (7) the second institution signs the information including the license from the user. (8) The user's license B is the public information N.
After verifying that it is a signature for the pseudonym I and that the electronic cash C can be used under the license B, a third is obtained by using the random number and the second secret information S. (9) The third party mentioned above makes payment for the electronic cash C,
All the communication information with the user is transmitted to the second institution, and (10) if there is a possibility of misconduct, the above pseudonym I and the above described public information N managed by the above first institution Correspondence between at least one of them and the real name ID _U is searched for, and the pseudonym I and the public information N are disclosed to prevent fraud. 2. The method according to claim 1, wherein the first secret information is prime numbers P and Q having a relation of N = P × Q, and in the step (5), the second secret information S is L.
S = I ^{I / L} mod N as a prime number, and in the step (6), the user generates (6-1) the random number R, the public information N, the prime number L, and the random number. The authentication information X is calculated from R by the following expression X = ^RL mod N, and (6-2) blind authentication preprocessing Z = F represented by a function F _eC for the authentication information X and the usage certificate B. _eC (X, B) is performed, and the information Z obtained as a result is transmitted to the second institution together with the amount information A of the electronic cash C as the information including the above-mentioned usage permit B. The second institution uses the secret key corresponding to the amount A of the electronic cash C to perform the blind signature Θ = D _eC (Z) represented by the function D _{eC on the} information Z, and obtains the obtained information Θ. The information including the electronic cash C is transmitted to the user, and in the step (8), the user Signature Θ
To, after blind signature represented by a function G _eC processing C = G _eC
Perform (Θ) to obtain the electronic cash C, and the third party verifies the validity of the information (N, I) of the license B and the validity of the electronic cash C of (X, B). Then, if it is justified, the third party asks the question E ∈ Z _L = {0,
1, ..., L-1} is sent to the user, and the user answers from the second secret information S, the information (N, R), and the question E Y Y = R · S ^E mod Calculated from N, send this answer Y to the third party, and the third party calculates Y ^L and X · ^IE (mod N) to obtain Y ^L ≡X · ^IE It is verified whether (mod N) is satisfied, and if this verification is passed, the electronic cash C is accepted as the cash of the amount information A. 3. The real name ID of the user according to claim 1, wherein the plurality of departments in the first institution use the association information α of different pairs sequentially associated with each other.
_{The U} and at least one of the Kana I and the public information N are sequentially managed in association with each other, and only when the plurality of departments cooperate with each other, at least one of the Kana I and the public information N and the real name. The correspondence relationship of ID _U can be obtained through the association information α between them. 4. A traceable electronic cash implementation method, including the following processing steps: (1) The user has a real name ID _U and public information N corresponding to confidential information.
(2) The first institution, after confirming the identity of the user, generates a pseudonym I for the user, and outputs at least one of the pseudonym I and the public information N. the correspondence between the real name ID _U and managed in secret, (3) the first engine performs signature to the public information N and pseudonym I, and sends the signature and the pseudonym I to said user, ( 4) The user obtains the license B from the signature from the first institution, stores the license B together with the pseudonym I, and (5) the user tells the second institution. At least random number b
And request the issuance of electronic cash by transmitting the information including the license B and the amount A. (6) The second institution signs the information including the license from the user and The information including electronic cash C is transmitted to the user.
After verifying that the above-mentioned pseudonym I is a signature and that the electronic cash C can be used under the license B, payment is made to a third party using the random number b and the secret information. (8) Since the third party is to settle the electronic cash C,
All communication information with the user is sent to the second institution, and (9) If there is a possibility of misconduct, the above pseudonym I and public information N under the control of the above first institution will be sent. Correspondence between at least one of them and the real name ID _U is searched, and the pseudonym I and the public information N are disclosed to prevent fraud. 5. The method according to claim 4, wherein the secret information is prime numbers P and Q having a relation of N = P × Q, and in the step (5), the user is the random number b.
And the above-mentioned license B, the one-way function g (B | b) is calculated, and blind signature preprocessing Z = F is calculated for this g (B | b).
_eC (g (B | b)) is calculated, and the information Z obtained as a result is used as the information including the electronic cash C together with the amount information A and the second information.
Then, in the step (6), the second institution uses the secret key corresponding to the amount A of the electronic cash to transmit the information Z.
Signature theta = calculates the D _eC (Z) for sending to the user, in step (7), the user, after a blind signature to the signature theta received treated C = G _eC (Θ) To obtain the electronic cash C of the amount A, and the processing for payment to the third party includes the following steps: (7-1) The user has the information C, N, P, From Q [Formula 1] Is calculated, and from the electronic cash C and the nodes j ₁ ... j _q and N corresponding to the usage amount, _Is generated, and further, Γ ₀ , Ω _{j1 ... jq} (q = 1, ..., t), N,
Power root of the value of the node corresponding to the usage amount from P and Q [Equation 3] (7-2) The above user transmits I, N, X _j1 ··· _jt , B, b, C and j ₁ , ..., j _t to the above third party, and (7-3) ) The third party is the license B for information (I, N)
The validity of B is confirmed by satisfying V _eB ((N, I), B) = OK, and the validity of C for the information (B, b) of the electronic cash C is V _eC (g ( Confirm by satisfying B ‖b), C) = OK, and if B and C are valid, (a /
If b) is a Jacobian symbol, it is verified whether (X / N) = -1 is satisfied. Then, from C and N, And calculate from C, j ₁ ... j _q , N And f Γ (C‖0‖N), Ω _j1 .. _jq (q = 1,…,
From t) and N, it is verified whether X satisfies the following relation, where d is one of ± 1 and ± 2, and (7-4) If all of these tests are passed,
The question E _i ε {0,1}, i = 1, ..., K ′ is generated and transmitted to the user, (7-5) the user is electronic cash C, the value of the node corresponding to the amount of money used. _{(i, j 1 ... j t} ), N, [Equation 7] from the secret information P, Q From N, P and Q, Λ _i and E _i, Is calculated and transmitted to the third party, and (7-6) the third party verifies whether (Yi / N) = (-1) ^Ei is satisfied, and C, i, j ₁ ... j _t , N and Y _i
Against, d '= verifies that the ± 1OR ± 2, the node j ₁ is the third party if they pass, ..., the I as an amount corresponding to _{j t, N, X, B} , b, C,
Accept j ₁ , ..., j _t , E _i , Y _i , where the meanings of the symbols are defined as follows: <z> _QR = dz mod where d ∈ {± 1, ± 2} and dz mod N is the quadratic _{^{residue, [x 1/2 mod N] 1}} = y ' in ^{y' 2 = xmod N, (} y '/ N) = 1 and 0 <y'<N / 2,1 ≦ t [x ^1/2 mod N] _-1 = y ", y" ² = xmod N, (y "/ N) =-1 and 0 <y"<N / 2, 1≤
t. 6. The method according to claim 4, wherein the secret information is prime numbers P and Q having a relation of N = P × Q, and in the step (5), the user is the random number b.
And the above-mentioned license B, the one-way function g (B | b) is calculated, and blind signature preprocessing Z = F is calculated for this g (B | b).
_eC (g (B | b)) is calculated, and the information Z obtained as a result is used as the information including the electronic cash C together with the amount information A and the second information.
Then, in the step (6), the second institution uses the secret key corresponding to the amount A of the electronic cash to transmit the information Z.
Signature theta = calculates the D _eC (Z) for sending to the user, in step (7), the user, after a blind signature to the signature theta received treated C = G _eC (Θ) To obtain the electronic cash C of the amount A, and the processing for payment to the third party includes the following steps: (7-1) The user has the information C, N, P, From Q [Formula 10] From the nodes j ₁ ... j _q and N corresponding to the electronic cash C and the usage amount, _Is generated, and further, Γ ₀ , Ω _{j1 ... jq} (q = 1, ..., t), N,
Power root of the value of the node corresponding to the usage amount from P and Q (7-2) The above user transmits I, N, X _j1 ··· _jt , B, b, C and j ₁ , ..., j _t to the above third party, and (7-3) ) The third party is the license B for information (I, N)
The validity of B is confirmed by satisfying V _eB ((N, I), B) = OK, and the validity of C for the information (B, b) of the electronic cash C is V _eC (g ( Confirm by satisfying B ‖b), C) = OK, and if B and C are valid, (a /
It is verified whether (X / N) = -1 is satisfied when b) is a Jacobian symbol, and then from C and N, And calculate from C, j ₁ ... j _q , N And f Γ (C‖0‖N), Ω _j1 .. _jq (q = 1,…,
From t) and N, it is verified whether X satisfies the following relation (where d is one of ± 1 and ± 2), and (7-4) If all of these tests are passed,
The question E ∈ Z _u = {0,1, ..., u-1} is generated and transmitted to the user, (7-5) the user is electronic cash C, and the value j of the node corresponding to the amount of money used. _{From 1} ... j _t , N, secret information P, Q, And further from N, P and Q, Λ _j1 .. _jt and E, Is calculated and transmitted to the third party, and (7-6) the third party verifies whether (Y _j1 .. _jt / N) = 1 is satisfied, and C, j ₁ ... j _t , N and Y _ji ..
_{For jt} , d '= verifies that the ± 1OR ± 2, the node j ₁ is the third party if they pass, ..., the I as an amount corresponding to _{j t, N, X, B} , b, C,
Accepts j ₁ , ..., j _t , E, Y _j1 .. _jt , where the meanings of the symbols are defined as follows: <z> _QR = dz mod N where d ∈ {± 1, ± 2} and dz mod N is the quadratic residue, and 7. The method according to claim 5 or 6, wherein the public key of the RSA method used by the first institution is (e _B , n _B ), and n _B = P × Q, e _B × d _B ≡1 (mod L), L = LCM {(P-1), (Q-1)}, the signature of the information (N, I) by the first institution in the step (3) is D _eB (N, I) = (N, I) ^dB mod n _B is calculated, and the correctness of the information (N, I) of the license B in step (7-3) above is confirmed (N, I) ≡. If B ^eB (mod n _B ) is satisfied, the result is a pass (OK). 8. The method according to claim 5 or 6, wherein:
The public key of the RSA method used by the two institutions is (e_C, n_C) And n_C= P × Q, e_C× d_C≡1 (mod L), L = LCM {(P-1), (Q-1)}
Blind signature preprocessing F _eCThe function of Z = F_eC(m) = r^eC× m mod n_C And by the above-mentioned second organization in step (6) above.
Signature D_eCΘ = D_eC(Z) = Z^dC modn_C And the above by the user in step (7) above.
Blind signature post-processing G _eCThe function of C = G_eC(Θ) = Θ / r mod n_C And by the third party in step (7-3) above.
Confirm the validity of the electronic cash C to the above information (B, b) (B, b) ≡C^eC(mod n_C) Is established, it is considered a pass (OK). 9. The method of claim 1, 3 or 4, wherein the first and second institutions are each part of the same bank. 10. The method according to claim 1, 3 or 4,
The first agency is a trust agency, and the second agency is a bank different from the trust agency. 11. The method according to claim 1 or 4, wherein the plurality of departments in the first institution use the real name ID _U of the user and the real name ID _U of the user by the association information α of different pairs sequentially associated with each other. At least one of the pseudonym I and the public information N is managed in association with each other in sequence, and at least one of the pseudonym I and the public information N is associated with the real name ID _U only when the above-mentioned plural departments cooperate. The relationship can be obtained through the association information α between them. 12. The method according to claim 3 or 11, wherein the plurality of departments of the first institution are a plurality of trust institutions,
The second institution is a bank other than the plurality of trust institutions. 13. An institutional device that issues a usage permit and issues electronic cash according to a method of performing traceable electronic cash, including: public information N from the user and the real name of the user. receiving information including the ID _U, holds a pseudonym generating means for generating a pseudonym I corresponding to said real name ID _U, and at least one of said pseudonym I and said public information N, the correspondence between the real name ID _U The correspondence memory means and the information including the public information N and the pseudonym are signed by the first signature function _DeB using the secret key for the license, and the information is used as the information including the license B. And the information including the license B received from the user is signed by the second signature function D _eC and transmitted to the user as electronic cash information. Electronic cash signature means to do. 14. The engine apparatus according to claim 13 includes a first engine and a second engine, wherein the first engine includes the kana generation means,
The correspondence relationship memory means and the usage permit signature means are included, and the second institution includes the electronic cash signature means. 15. The engine according to claim 14, wherein the first
The institution includes a plurality of departments, and the plurality of departments are provided with the real name ID _U of the user and at least one of the pseudonym I and the public information N by the association information α of different pairs sequentially associated with each other. It has an association memory for sequentially associating and managing the spaces, and only when the plurality of departments cooperate with each other, the correspondence relationship between at least one of the pseudonym I and the public information N and the real name ID _U is defined between them. It can be obtained through the association information α. 16. The engine according to claim 14 or 15,
The first and second institutions are each part of the same bank. 17. The engine according to claim 14 or 15,
The first agency is a trust agency, and the second agency is a bank different from the trust agency. 18. The engine according to claim 15, wherein the first
The departments of the institution are trust institutions, and the second institution is a bank separate from the trust institutions.