JPH09251268A - Multiple digital signature system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable the assignment of signature sequence capable of embodying the speed up of calculation and the simplification of a program by managing the public key at a signature certifier which does not depend on the combinations over the entire part of signers and the signature sequence. SOLUTION: The multiple digital signature system consists of n (n is an integer of >=2) persons of the signers U1, U2,..., Un and the signature certifier V. The signers U1, U2,..., Un are provided with a signature forming device 10. The signature certifier V is provided with a signature certifying device 40. Messages are signed by n persons of the signers in the assigned signature sequence of U1*U2*...*Un, by which the multiple digital signatures are formed. The last signer Un transmits the multiple digital signatures to the signature certifier V. The signature certifier V certifies that the multiple digital signatures are the signatures formed by the signers U1, U2,..., Un to the messages and that the signature sequence is U1*U2*...*Un.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a digital signature method, and more specifically, a signature verifier makes a signature when a plurality of signers give one signature to the same electronic text. The present invention relates to a multiple digital signature scheme that can also verify whether the order is correct.

[0002]

2. Description of the Related Art With the spread of various services on a communication network, documents conventionally written on paper have come to be digitized. A seal that indicates the validity of the document
A technique for realizing a signature on an electronic document is a digital signature. In the era when digital signatures are used in offices instead of ordinary seal stamps, digital signatures will be used for "approval documents" and moreover, multiple digital signatures will be used by multiple signers. .

Further, in this multiple digital signature,
In some cases, the order in which the signer signs is important. In fact, the current decision documents are signed by a person below the class. The multiple digital signature method that can specify the signature order realizes such a function on an electronic document. In the following, we describe the conventional multiplex digital signature system that can specify the signature order and clarify the problems.

[0004] FIG. 8: Hiroshi Doi, Eiji Okamoto, Masahiro Mitsubo, Tomohiko Uematsu: "Multiple Signature Schemes with Specifiable Signature Sequence", Cryptography and Information Security Symposium SCIS94 Lecture, 1994, (Reference 1) 3 is a block diagram illustrating the method described in FIG.

This system comprises n (n is an integer of 2 or more) signers U1, U2, ..., Un, a signature verifier V8, and a public key issuing center 9.

Each signer Ui (i = 1, 2, ..., N) is
Each of them defines an integer Xi of 2 or more which is its own secret key. Then, the public key issuance center 9 is requested to create a public key corresponding to the signature order U1 → U2 → ... → Un, and the private key of each signer Ui is sent to the public key issuance center. The public key issuing center 9 first generates large prime numbers p and q, and calculates the product N = p × q. Next, L = 1 cm (p-1, q-1) is calculated. However, 1 cm (α, β) is the least common multiple of α and β. Then, m is m = [{(X1 + 1) × X2 + 1} × ... × X (n-1)
+1] × Xn. Next, Y is selected so that gcd (m + Y, L) = 1. However, gcd (α, β) is the greatest common divisor of α and β. At this time, if Y is changed, the above condition can be satisfied. Then, an integer Z that satisfies the condition of (m + Y) × ZmodL = 1 0 <Z <L is calculated. At this time, since gcd (m + Y, L) = 1, such Z always exists. As for the algorithm for obtaining such Z, Shinichi Ikeno and Kenji Koyama, "Modern Cryptography" (IEICE), 1986
Years (hereinafter referred to as Reference 2), pages 17 to 18 in detail.

The public key issuing center 9 uses the N, Y, Z generated as described above as a public key for a signature generated by the signers U1, U2, ..., Un in the signature order U1 → U2 → ... → Un. If so, it is announced to the signature verifier V8, and N is set to each signer U
publish to i.

A method will be described below in which each of the signers U1, U2, ..., Un generates a signature for a message M in the signature order U1 → U2 → ... → Un. A one-way hash function h is given to each signer Ui (i = 1, 2, ..., N) and the signature verifier V8. This function h
Takes any non-negative integer x and N as input and 0 <h
A function that outputs an integer h (x) such that (x) <N.
It is difficult to infer x from (x). Regarding the existence and feasibility of such a hash function, Eiji Okamoto: "Introduction to Cryptographic Theory" (Kyoritsu Shuppan), 1993,
(Hereinafter referred to as Document 3), pages 138 to 141.

Hereinafter, αmodβ represents the remainder when α is divided by β. (Processing by Signer U1) If the signer U1 agrees with the content of the message M, S1 = H (M) ^X1 modN is calculated. Then, M and S1 are transmitted to U2.

(Processing by Signer Ui [i = 2, ..., N-1]) Signer Ui receives M, S (i-1) transmitted from signer U (i-1). . If you agree with the contents of the message M, Si = {S (i-1) × H (M)} ^Xi modN = H (M) ^{[{(X1 + 1) X2 + 1} *** X (i- 1) +1] Xi} modN is calculated. Then, M and Si are transmitted to U (i + 1).

(Processing by Signer Un) Signer Un receives M, S (n-1) transmitted from signer U (n-1). If you agree with the content of the message M, Sn = {S (n-1) × H (M)} ^Xn modN = H (M) ^{[{(X1 + 1) X2 + 1} *** X (n- 1) +1] Xn} modN is calculated. Then, M and Sn are transmitted to V.

(Processing by Signature Verifier V) Signature Verifier V8
Receives M and Sn transmitted from the signer Un. Using the public keys N, Y, Z of the signature order U1 → U2 → ... → Un, it is checked whether {Sn × H (M) ^Y } ^Z modN = H (M) holds. When this equation holds, the signature Sn has the signature order U1 → U2 → ... of the message M.
→ Assume that it was created by Un.

[0013]

However, in the multiplex digital signature system in the above-mentioned conventional example, one set of public keys N, Y, for the signature order U1 → U2 → ... → Un.
Z is fixed. This public key is issued by a third party called the public key issuing center. Also, if the configuration of the entire signer changes, the public key will of course be different. Even if the signers have the same configuration, the public keys are different if the signing order is different. As described above, in this conventional example, it is difficult for the signature verifier V to manage the public key. In addition, since the divisor N required for signature generation differs depending on the combination of the respective signature orders, the speeding up at the time of implementation by a computer is hindered.

Therefore, the object of the present invention is to realize the management of the public key by the signature verifier V regardless of the combination of all signers and the signature order, and to speed up the calculation by unifying the divisors in the system. It is an object of the present invention to provide a multiple digital signature system capable of designating a signature order, which can realize simplification of a program.

[0015]

According to a first aspect of the invention, there are n signers (n is an integer of 2 or more) and a signature verifier, and the signature verifier generates the signature. A multiple digital signature system capable of verifying whether or not the order is a specified order, wherein F is an addition operation from a first non-commutative ring R1 in which an addition operation is "+" and a multiplication operation is "x". Is “*”, and the multiplication operation is “·”, the second non-commutative ring R2 is mapped, and F is from x to F.
It is easy to find (x), but it is difficult to find x from F (x). F (x + y) = F (x) * F (y), F (x × y) = As the mapping satisfying the condition F (x) · F (y), the i-th map (i is 1 ≦ i
The secret information of the signer of (≦ n) is Xi, the public information Yi of the i-th signer is calculated by Yi = F (Xi), and the public information is released. Using the random number information K1 of 1 and the mapping F, the first converted random number information T1
To calculate the first converted random number information T1 as the first non-commutative ring R
The first signature information S1 is converted into the first signature creation information T1 ′, which is the source of 1, and the first signature information S1 and the first random number information K1 of the message M to be signed. When,
Created using the first signature creation information T1 ′, the message M, the first converted random number information T1, and the first signature information S1 are transmitted to the second signer, and the m-th (m is 2 ≦ m ≦
The (M-1) integer signer is the message M transmitted from the (m-1) th signer, the first conversion random number information T1, ..., The (m-1) th conversion random number. Information T (m-
1) receives the (m-1) th signature information S (m-1),
The m-th converted random number information Tm is calculated using the m-th random number information Km and the mapping F, and the m-th converted random number information Tm is the m-th signature creation information Tm that is the source of the first non-commutative ring R1. ', And with respect to the message M, the mth signature information Sm, the mth signer secret information Xm, and the mth random number information Km,
The message M, the first converted random number information T1, ..., The mth converted random number information Tm, and the mth signature information Sm are created using the mth signature creation information Tm ′ and the (m + 1) th signature. , The nth signer sends the message M sent from the (n-1) th signer, the first converted random number information T1, ..., The (n-1) th converted random number information. T (n-
1) receives the (n-1) th signature information S (n-1),
The nth converted random number information Tn is calculated using the nth random number information Kn and the mapping F, and the nth converted random number information Tn is the nth signature creation information Tn that is the source of the first non-commutative ring R1. ', And with respect to the message M, the nth signature information Sn, the secret information Xn of the nth signer, and the nth random number information Kn,
The message M, the first converted random number information T1, ..., The nth converted random number information Tn, and the nth signature information Sn are transmitted to the signature verifier by using the nth signature generation information Tn ′. ,
The signature verifier receives the message M, the first conversion random number information T1, ..., The nth conversion random number information Tn, the nth signature information Sn transmitted from the nth signer, and the ith random number. The conversion information Ti is converted into the i-th signature verification information Ti ″ that is the source of the first non-commutative ring R1, and the i-th conversion random number information Ti and
The i-th signature verification information Ti ″, the i-th signer's public key information Yi, the n-th signature information Sn, and the message M
When the signature verification expression is satisfied, and only then, the nth signature information Sn is a signature generated by the first signer to the nth signer in the specified order. Certify.

According to a second aspect of the present invention, in the first aspect of the invention, the first converted random number information T1 is T1 = F (T
1), the first signature information S1 is S1 = M × K1 + X1 ×
T1 ′, the mth converted random number information Tm is Tm = F (K
m), the mth signature information Sm is Sm = S (m−1) ×
{M × Km + Xm × Tm ′}, nth transformed random number information Tn
Is Tn = F (Kn), and the nth signature information Sn is Sn =
S (n-1) × {M × Kn + Xn × Tn ′}, respectively, and the signature verification formula is F (Sn) = {F (M) · T1 * Y1 · F (T1 ″)}
・ …… ・ {F (M) ・ Tm * Ym ・ F (Tm ”)} ・ ・ ・ ・
.. {F (M) .Tn * Yn.F (Tn ")}.

The invention according to claim 3 is the invention according to any one of claims 1 and 2, wherein p is a large prime number and g is 1 <g <.
Let the first non-commutative ring R1 be an integer satisfying p (Equation 1)
Then, the operation “+” is set to (Equation 2) (where αmodβ is the remainder when α is divided by β), the operation “×” is set to (Equation 3), and the non-commutative ring R2 is set to (Equation 4). , The operation “*” is (Equation 5), the operation “·” is (Equation 6), the mapping F is (Equation 7), and the i-th (i is an integer that satisfies 1 ≦ i ≦ n) converted random number information When Ti is (Equation 8), i-th signature creation information Ti ′ is (Equation 9), and i-th signature verification information T
i ″ is set to (Equation 10).

The invention according to claim 4 is the invention according to any one of claims 1 to 3, when H is a hash function,
When the i-th (i is an integer that satisfies 1 ≦ i ≦ n) signature information is created and in the signature verification formula, the message M is replaced with H (M) for calculation.

According to the invention of claim 5, in the invention of claim 4, when h1, h2, h3 are hash functions whose output values are integers from 1 to p-2, H
(M) is set to (Equation 11).

The invention according to claim 6 is the invention according to any one of claims 1 and 2, wherein p is a large prime number, q is a prime factor of (p-1), and g ^satisfies g ^q modp = 1. As an integer in the range of <g <p, the first non-commutative ring R1 is (Equation 12), and the operation “+” is (Equation 13) (where αmodβ is the remainder when α is divided by β). , The operation “×” is (Equation 14), the non-commutative ring R2 is (Equation 15), the operation “*” is (Equation 16), the operation “·” is (Equation 17), and the mapping F is (Equation 16). 7) and the i-th
When the conversion random number information Ti of (i is an integer satisfying 1 ≦ i ≦ n) is (Equation 8), the i-th signature creation information Ti ′ is (Equation 18), and the i-th signature verification information Ti ″ is (Equation 19) In the invention according to claim 7, in the invention according to claim 6, when H is a hash function, the i-th
When the signature information of (where i is an integer satisfying 1 ≦ i ≦ n) is created and in the signature verification formula, the message M is set to H
It is characterized in that it is replaced with (M) for calculation.

According to the invention of claim 8, in the invention of claim 7, when h1, h2, h3 are hash functions whose output values are integers from 1 to q-1, H
(M) is set to (Equation 11).

[0022]

1 is a block diagram showing the configuration of a multiple digital signature system according to an embodiment of the present invention. The multiple digital signature system according to the present embodiment has n (n is an integer of 2 or more) signers U1 and U.
2, ..., Un and the signature verifier V. Also, in the multiple digital signature system of the present embodiment, the n signers sign the message M in the designated signature order of U1 → U2 → ... → Un, and the multiple digital signature S
, And the final signer Un sends the multiple digital signature S to the signature verifier V. The signature verifier V recognizes that the multiple digital signature S is the signers U1, U for the message M.
2, ..., Un, the signature order is U1
→ U2 → ... → Unverify.

In FIG. 1, signers U1, U2, ..., U
A signature generation device 10 is provided in n. The signature verifier V is provided with a signature verification device 40. Also U1
, U2, U2 and U3, ..., U (n-1) and Un, Un and V are connected by communication lines.

FIG. 2 shows the signers Ui (i = i) shown in FIG.
1, 2, ..., N-1) is a block diagram showing an example of a configuration of a signature generation device 10 provided in (1) to (n-1). In FIG. 2, the signature generation device 10 includes a control unit 101 and a ROM 102.
The RAM 103, the private key storage unit 104, the input operation unit 105, the display unit 106, the random number generator 107, and the communication unit 108.

Program data is stored in the ROM 102, and the control unit 101 operates according to the program data. The RAM 103 stores various data necessary for the operation of the control unit 101. The private key storage unit 104 is configured to store the private key Xi of the signer Ui, which is the signature generation device, and cannot be read from the outside. The input operation device 105 includes a keyboard and a mouse operated by the signer Ui, and inputs various data and instructions to the control unit 101. The display device 106 includes a CRT display or a liquid crystal display device, and includes a control unit 101.
The image data given by is displayed. Random number generator 10
7 generates a random number required for signature generation. Communication unit 108
Is connected to other signers and signature verifiers V via a communication line, and sends and receives various data.

FIG. 3 is a block diagram showing an example of the configuration of the signature verification device 40 provided in the signature verifier V shown in FIG. In FIG. 3, the signature verification apparatus 20 includes a control unit 201, a ROM 202, a RAM 203, a public key storage unit 204, an input operation unit 205, a display unit 206,
The communication unit 207 is provided.

Program data is stored in the ROM 202, and the control unit 201 operates according to the program data. The RAM 203 stores various data necessary for the operation of the control unit 201. The public key storage unit 204 stores the public keys Yi of all signers Ui. Input operation device 2
Reference numeral 05 includes a keyboard, a mouse and the like operated by the signature verifier V, and inputs various data and instructions to the control unit 201. The display 206 is composed of a CRT display or a liquid crystal display, and displays the image data given from the control unit 201. The communication unit 207 is connected to the signer Un via a communication line and transmits / receives various data.

In this system, signature generation and signature authentication are performed using the one-way non-commutative ring homomorphism. The unidirectional non-commutative ring homomorphism will now be described. p is 5
It is a large prime number of about 12 bits.

At this time, a, b, u, v, x, and y are integers satisfying the inequality 0 ≦ a, b, u, v, x, y <(p-1), and the following two values are given. Consider quadratic square matrices A and B (Equation 20).

[0030]

(Equation 20)

Here, the operation "+" and the operation "x" are defined as follows for the second-order square matrices A and B (Equation 2).
1).

[0032]

(Equation 21)

However, smodt indicates the remainder when s is divided by t. At this time, in general, A × B ≠ B
It can be easily confirmed that it is × A. That is, the operation "x" is a non-commutative operation.

Next, let α and β be inequalities 0 ≦ α and β <
Consider the following two quadratic square matrices U and V as integers that satisfy p (Equation 22).

[0035]

(Equation 22)

Here, the operation “*” and the operation “·” are defined as follows for the quadratic square matrices U and V (Equation 2)
3).

[0037]

(Equation 23)

At this time, generally, it is easily confirmed that U · V ≠ V · U. That is, the operation “·” is a non-commutative operation.

At this time, the set R1 (Equation 1), R2 (Equation 4)
think of. At this time, the operations "+" and "x" are closed in the set R1 and have (Equation 24). Since "+" and "x" satisfy the distributive law, R1 is a non-commutative ring. Further, since the operations “*” and “·” are closed in the set R2 and have (Equation 25), and “*” and “·” satisfy the distribution law, R2 is a non-commutative ring. Further, since p is a prime number and α is an integer satisfying 1 ≦ α <p, α
There always exists an integer γ (1 ≦ γ <p) such that γmodp = 1. This γ is represented as α ^-1 modp. The algorithm for obtaining such γ is described in detail on pages 17 to 18 of Document 2. For the definition of non-commutative rings, etc., see page 12 of "Algebra" by Akira Nagao (Asakura Shoten), 1983 (Reference 4, below).
See page 13 for details.

[0040]

(Equation 24)

[0041]

(Equation 25)

Next, the mapping F from the non-commutative ring R1 to the non-commutative ring R2 is defined as (Equation 7), where g is an integer that satisfies the inequality 1 <g <p. At this time, F has the following property (Equation 26).

[0043]

(Equation 26)

Because, (Equation 27),

[0045]

[Equation 27]

For an arbitrary integer t satisfying 0 <t <p, t ^p-1 modp = 1 holds. Regarding this, the second in the reference 2
This is detailed on page 42. Moreover, (x + y) mod (p-1) = (x + y) + m (p-
1) (m is an integer). Therefore, g ^{(x + y) mod (p-1)} modp = g ^{(x + y) + m (p-1)} modp = g ^{(x + y)} g ^{m (p-1)} modp = g ^{(x + y)} (g ^(p-1) ) ^m modp = g ^{(x + y)} 1 ^m modp = g ^{(x + y)} modp, and it can be seen that the addition operation is saved by F.

From (Equation 28),

[0048]

[Equation 28]

For the same reason as above, g ^{(ay + vx) mod (p-1)} modp = g ^{(ay + vx)} modp, and it can be seen that the multiplication operation is saved by F. From this, F is a "non-commutative ring homomorphism" from R1 to R2.
Is called a map. The definition of “ring homomorphism” is described in detail on page 87 of Reference 4.

Further, F has the following properties. g, p
Even if the value of p is known, if the value of p is large (in this embodiment, the value is about 512 bits), the element A of R1 cannot be obtained from F (A) which is the element of R2. difficult. This is because when there is a relation of Y = g ^x modp, the problem of finding x from Y, g, p is called “discrete logarithm problem”, and it is extremely difficult when the value of p is a large prime number. . "Discrete logarithm problem"
The difficulty of solving is described in detail on pages 175 to 176 of Document 2. Thus, it is easy to calculate F (A) from A
It is a function called “one-way function” which has a property that it is difficult to calculate A from (A). From the above two properties, F is a function called "one-way non-commutative ring homomorphism". The multiple digital signature system using this F will be described below.

First, p is a large prime number of about 512 bits, is predetermined as a fixed value in the system, and is given to each signer Ui (i = 1, 2, ..., N) and the signature verifier V. An integer g that satisfies the inequality 1 <g <p is commonly used and given to each signer Ui (i = 1, 2, ..., N) and the signature verifier V. Furthermore, the functions h1, h2,
Let h3 be 0 <h1 (x), h2 from any non-negative integer x
A one-way hash function that generates an integer value that satisfies (x), h3 (x) <(p-1). However, h1
The function is such that it is difficult to estimate x from a plurality of values of (x), h2 (x), and h3 (x). Also h1 (x),
It is assumed that h2 (x) and h3 (x) are different functions, and are given to each signer Ui (i = 1, 2, ..., N) and the signature verifier V.

When each signer Ui (i = 1, 2, ..., N) joins the system, 0 <xi [1], xi
An integer xi that satisfies [2], xi [3] <(p-1)
[1], xi [2], xi [3] are randomly generated,
The original matrix of R1 (Equation 29) having these components is used as its own secret key.

[0053]

(Equation 29)

Further, Yi = F (Xi) is calculated, and the original matrix of R2 (Equation 30) is disclosed to V as its own public key.

[0055]

[Equation 30]

At this time, from the definition formula of F, the secret key Xi of Ui
Of these, xi [1] and xi [3] are found from Yi,
As described above, since F is “one-way non-commutative ring homomorphism”, the value of xi [2] cannot be obtained, and Yi
Not all values of Xi are known from the value of. Each signer Ui
The private key Xi is stored in the private key storage unit 104, and the signature verifier V stores the public key Yi of each signer Ui in the public key storage unit 2.
Keep it in 04.

A procedure for generating a signature whose signature order is U1 → U2 → ... → Un will be described below.

(Processing by Signer U1) If the signer U1 agrees with the content of the message M displayed on the display unit 106 of the signature generation apparatus 10, the signer U1 signs the control unit 101 using the input operation unit 105. Generate instructions. The control unit 101 uses the random number generator 107 to generate random numbers k1 [1], k1.
[2] and k1 [3] are generated. At this time, the random number k1
[1], k1 [2], k1 [3] are integers that satisfy 0 <k1 [1], k1 [2], k1 [3] <(p-1). The original matrix (Formula 31) of R1 having these components is a random number matrix (step S1 in FIG. 4).
01).

[0059]

(Equation 31)

Next, the control unit 101 controls the random number matrix K1.
On the other hand, the original matrix T1 of R2 is calculated by T1 = F (K1) (step S102). And the control unit 101
Is a one-way hash function h1, h for the message M
By using 2, h3, w1 [1] = h1 (M), w1 [2] = h2 (M), w1 [3] = h3 (M) are calculated. At this time, w1 [1], w1 [2], w1
[3] is an integer that satisfies 0 <w1 [1], w1 [2], w1 [3] <(p-1). Next, the control unit 101 calculates the original matrix (Equation 32) of R1 having these components (step S103).

[0061]

(Equation 32)

Then, the control unit 101, with respect to the original matrix of R2 (Equation 33),

[0063]

[Equation 33]

Let T1 'be (Equation 34) (step S1)
04).

[0065]

(Equation 34)

At this time, T1 'is the original matrix of R1. Next, the control unit 101 sends U1 from the secret key storage unit 104.
The private key X1 is read, and the signature matrix S1 is calculated by S1 = H (M) × K1 + X1 × T1 ′ (step S105). Then, it writes its own name in the signature order list ORD1 which describes the signature order (step S106). And the control unit 101
Through the communication unit 108 to the signer U2, M, T1,
S1 and ORD1 are transmitted (step S107).

(Processing by Signer Ui [2.ltoreq.i.ltoreq. (N-1)]) The signature generation device 10 of the signer Ui
-1), M, T1, ..., T (i-1), S (i-
1) and ORD (i-1) are received via the communication unit 108 (step S201 in FIG. 5). And the signer Ui
If the user agrees with the content of the message M displayed on the display device 106 of the signature generation device 10, the input operation device 105 is used to instruct the control unit 101 to generate a signature. Control unit 101
Uses the random number generator 107 to generate random numbers ki [1], ki
[2] and ki [3] are generated. At this time, the random number ki
[1], ki [2], ki [3] are integers that satisfy 0 <ki [1], ki [2], ki [3] <(p-1). The original matrix (Formula 35) of R1 having these components is a random number matrix (step S20).
2).

[0068]

(Equation 35)

Next, the control unit 101 controls the random number matrix K2
On the other hand, the original matrix Ti of R2 is calculated by Ti = F (Ki) (step S203). And the control unit 101
Is a one-way hash function h1, h for the message M
Using 2 and h3, wi [1] = h1 (M), wi [2] = h2 (M), and wi [3] = h3 (M) are calculated. At this time, wi [1], wi [2], wi
[3] is an integer that satisfies 0 <wi [1], wi [2], wi [3] <(p-1). Next, the control unit 101 calculates the original matrix (Equation 36) of R1 having these components (step S204).

[0070]

[Equation 36]

Then, the control unit 101 sets Ti 'to (Equation 9) for the original matrix (Equation 8) of R2 (step S2).
05). At this time, Ti 'is the original matrix of R1. Next, the control unit 101 reads the secret key Xi of Ui from the secret key storage unit 104, and Si = S (i−1) × {H (M) × Ki + Xi × T
i ′} is used to calculate the signature matrix Si (step S206). Then, the signature order list ORDi that describes the signature order is ORD (i-
It is generated by concatenating your name to 1) (step S2).
07). Then, the control unit 101 notifies the signer U (i + 1) of M, T1, ..., Ti, S via the communication unit 108.
i and ORDi are transmitted (step S208).

(Processing by Signer Un) The signature generation apparatus 10 of the signer Un is M, T1, from the signer U (n-1).
, T (n-1), S (n-1), ORD (n-1) are received via the communication unit 108 (step S30 in FIG. 6).
1). Then, if the signer Un agrees with the content of the message M displayed on the display unit 106 of the signature generation apparatus 10, the signer Un instructs the control unit 101 to generate a signature using the input operation unit 105. The control unit 101 uses the random number generator 107 to generate random numbers kn [1], kn [2], kn [3]. At this time, random numbers kn [1], kn [2], kn
[3] is an integer that satisfies 0 <kn [1], kn [2], kn [3] <(p-1). The original matrix (Formula 37) of R1 having these components is a random number matrix (step S30).
2).

[0073]

(37)

Next, the control unit 101 makes the random number matrix K2
On the other hand, the original matrix Tn of R2 is calculated by Tn = F (Kn) (step S303). And the control unit 101
Is a one-way hash function h1, h for the message M
Using 2, h3, wn [1] = h1 (M), wn [2] = h2 (M), wn [3] = h3 (M) are calculated. At this time, wn [1], wn [2], wn
[3] is an integer that satisfies 0 <wn [1], wn [2], wn [3] <(p-1). Next, the control unit 101 calculates the original matrix (Equation 38) of R1 having these components (step S304).

[0075]

(38)

Then, the control unit 101, with respect to the original matrix of R2 (Equation 39),

[0077]

[Equation 39]

Let Tn 'be (Equation 40) (step S3).
05).

[0079]

(Equation 40)

At this time, Tn 'is the original matrix of R1. Next, the control unit 101 sends the Un to the private key storage unit 104.
Of the private key Xn of the following, Sn = S (n-1) * {H (M) * Kn + Xn * T
The signature matrix Sn is calculated by n ′} (step S306). Then, the signature order list ORDn that describes the signature order is ORD (n-
It is generated by linking your name to 1) (step S3).
07). Then, the control unit 101 informs the signature verifier V to M, T1, ..., Tn, Sn, OR via the communication unit 108.
Dn is transmitted (step S308).

Next, the process when the signature verifier V verifies whether the message sent from the signer Un and the signature are correct is described.

(Processing by Signature Verifier V) The signature verification device 20 of the signature verifier V receives M, T1, ..., T from the signer V.
n, Sn, and ORDn are received via the communication part 207 (step S401 of FIG. 7). Next, the control unit 201
Public key Y1, corresponding to the signer written in RDn
, Yn is read from the public key storage unit 204 (step S402). And F (Sn) = {F (H (M)) * T1 * Y1 * F (T
1 ')} ・ ・ ・ ・ ・ {F (H (M)) ・ Ti * Yi ・ F
(Ti ')} --- {F (H (M))-Tn * Yn-
It is checked whether F (Tn ')} holds (step S40).
3). When the check is OK, the control unit 201 determines that the signature matrix Sn is the signer U1, ..., Un for the message M.
, Is displayed on the display 206, which is a multiple digital signature created in the signature order U1 → ... → Ui → ... → Un (step S404).

In the present embodiment, U1 → ... → Un
, The signature matrix Sn is Sn = {H (M) × K1 + X1 × T1 ′} × ... × {H
(M) × Ki + Xi × Ti ′} × …… × {H (M) × K
It is given by the expression n + Xn × Tn ′}. As described above, since F is "one-way non-commutative ring homomorphism", the operation "+" is saved in the operation "*" and the operation "x" is saved in the operation "." Therefore, the verification formula is as described above.

Next, the fact that the signature order can also be verified will be described. The rings R1 and R2 that implement the multiple digital signature system of this embodiment are non-commutative rings. For example, when the signature order of Ui and Uj is exchanged, the operation "x" and the operation "." On the other hand, since A × B ≠ B × A X · Y ≠ Y · X holds, the signatures generated by reversing the order have different values. If the signature order is different, the signature value is different. Therefore, the signature verification check expressions are not the same unless signature generation is performed in the above-described signature order. Therefore, the signature order can be verified.

The private key Xi and public key Yi of the signer Ui used for signature generation in the multiple digital signature system according to the present embodiment are (1) normal signature generation with one signer, (2) In all aspects of multiplex digital signature generation with different combinations of signers and (3) multiplex digital signature generation with different signing orders, only one may be stored.

In the present embodiment, the rings R1 and R2 are
Are defined by (Equation 1) and (Equation 4), respectively, but may be defined as follows.

Using the prime number p as it is, q is (p-1)
Let be the prime factor of. Here, let z be a primitive root in mod p. Note that the existence and generation method of the primitive roots are described in detail on page 11 to page 13 of Document 3.
Further, when r and (p-1) / q, r is an integer, and when g and ^zr mod p, g is mod p and is an element of the order q. That is, the minimum natural number for which g ^x mod p = 1 is q. Here, using these g and q, the rings R1 ′ and R2 ′ are defined as (Equation 41).

[0088]

[Equation 41]

Then, the signers U1 and U of the previous embodiment
It is also possible to realize a multiple digital signature system on R1 ′ and R2 ′ that replaces (p−1) with q in the processing by i, Un and the processing by the signature verifier V. In this case, not only is it possible to verify the signature order as in the present embodiment, but since q <(p-1) is satisfied, it is possible to reduce the total communication volume.

[0090]

According to the present invention, the signature order can be verified in a multiple digital signature in which a plurality of signers sign the same sentence. Further, the generation of the public key does not require the hands of a third party such as the public key issuing center. Further, the public key held by the signature verifier may have the same value regardless of the configuration of the entire signer. Even if the signature order is different, the public key held by the signature verifier has the same value. Further, since the divisors required for signature generation in the system may have the same value, it is possible to realize high-speed calculation and simplification of the program.

[Brief description of drawings]

FIG. 1 is a block diagram showing the configuration of a multiple digital signature system according to an embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration of a signature generation device provided for each signer according to the embodiment of the present invention.

FIG. 3 is a block diagram showing a configuration of a signature verification device provided for a signature verifier according to an embodiment of the present invention.

FIG. 4 is a flowchart showing an operation at the time of signature generation of the signature generation device of the signer U1 according to the embodiment of the present invention.

FIG. 5 shows a signer Ui [i according to an embodiment of the present invention.
= 2, 3, ..., N-1], a flowchart showing the operation of the signature generation device at the time of signature generation.

FIG. 6 is a flowchart showing an operation at the time of signature generation of the signature generation device of the signer Un according to the embodiment of the present invention.

FIG. 7 is a flowchart showing an operation at the time of signature verification of the signature verification device of the signature verifier V according to the embodiment of the present invention.

FIG. 8 is a block diagram showing a configuration of a conventional example.

[Explanation of symbols]

 Ui [i = 1, 2, ..., N] Signer 9 Public key issuing center 10 Signature generation device V Signature verifier 40 Signature verification device 101, 201 Control unit 102, 202 ROM 103, 203 RAM 104 Private key storage unit 105 , 205 Input operation device 106, 206 Display device 107 Random number generator 108, 207 Communication unit 204 Public key storage unit

Continuation of the front page (72) Inventor Takao Nishiseki 2-17-38 Kongozawa, Taihaku-ku, Sendai City, Miyagi Prefecture

Claims (8)

[Claims] 1. A signer and a signature verifier of n persons (n is an integer of 2 or more), and the signature verifier verifies whether or not the order in which the signer generates signatures is a specified order. A first multiple digital signature system capable of adding F to an addition operation "+" and a multiplication operation "x"
From the non-commutative ring R1 to the second non-commutative ring R2 with addition operation "*" and multiplication operation ".", And it is easy to find F from x to F (x). However, it is difficult to obtain x from F (x), and F (x + y) = F (x) * F (y), F (x × y) = F (x) · F (y) As a mapping satisfying the condition, the secret information of the i-th signer (i is an integer satisfying 1 ≦ i ≦ n) is Xi, and the public information Yi of the i-th signer is Yi = F (Xi ) Is published and the first signer calculates the first converted random number information T1 using the first random number information K1 and the mapping F, and the first converted random number information T1 is the first non-commutative ring R1
To the first signature creation information T1 ′, which is the source of the
Using the secret information X1 of the first signer, the first random number information K1 and the first signature creation information T1 ′, the message M, the first converted random number information T1, first
Signature information S1 of the second signer, and the m-th (m is an integer satisfying 2 ≦ m ≦ (n−1))
Of the message M, the first converted random number information T1, ..., The (m−1) th converted random number information T (m−) transmitted from the (m−1) th signer. 1), the above (m-
1) The signature information S (m-1) is received, the mth converted random number information Tm is calculated using the mth random number information Km and the mapping F, and the mth converted random number information Tm is calculated. First non-commutative ring R1
To the mth signature creation information Tm ′ which is the source of the above, and for the message M, the mth signature information Sm, the secret information Xm of the mth signer, and the mth random number information Km. And the m-th signature creation information Tm ′, the message M, the first converted random number information T1 ,.
The mth converted random number information Tm, the mth signature information Sm
To the (m + 1) th signer, and the nth signer sends the message M and the first converted random number information T1 sent from the (n-1) th signer. , ..., The (n-1) th converted random number information T (n-1), the (n-th)
1) The signature information S (n-1) is received, the nth converted random number information Tn is calculated using the nth random number information Kn and the map F, and the nth converted random number information Tn is calculated. First non-commutative ring R1
To the nth signature creation information Tn ′, which is the source of the above, and for the message M, the nth signature information Sn, the secret information Xn of the nth signer, and the nth random number information Kn. And the n-th signature creation information Tn ′, the message M, the first converted random number information T1 ,.
The nth converted random number information Tn, the nth signature information Sn
To the signature verifier, and the signature verifier sends the message M, the first converted random number information T1, ..., The nth converted random number information Tn, transmitted from the nth signer. The n-th signature information Sn is received, and the i-th random number conversion information Ti is transferred to the first non-commutative ring R1.
Of the i-th signature verification information Ti ″, the i-th conversion random number information Ti, the i-th signature verification information Ti ″, and the i-th signer's public key information Yi.
And the nth signature information Sn and the message M are
Only when the signature verification expression is satisfied, and only at that time, the nth signature information Sn is a signature generated from the first signer by the nth signer in the specified order. A multiple digital signature system characterized by certifying that 2. The first converted random number information T1 is T1 = F
(T1), the first signature information S1 is S1 = M × K1 + X1 × T
1 ′, the mth converted random number information Tm is Tm = F (Km), and the mth signature information Sm is Sm = S (m−1) × {M
× Km + Xm × Tm ′}, the nth converted random number information Tn is Tn = F (Kn), and the nth signature information Sn is Sn = S (n−1) × {M
× Kn + Xn × Tn ′}, and the signature verification formula is F (Sn) = {F (M) · T1 * Y1 · F (T1 ″)}
・ …… ・ {F (M) ・ Tm * Ym ・ F (Tm ”)} ・ ・ ・ ・
.. {F (M) .Tn * Yn.F (Tn ")}, wherein the multiple digital signature system according to claim 1. 3. p is a large prime number, g is an integer satisfying 1 <g <p, the first non-commutative ring R1 is (Equation 1), and The calculation “+” is set to (Equation 2) (where α mod β is α
Is the remainder when dividing by β), and The calculation “×” is defined as (Equation 3), and Let the non-commutative ring R2 be (Equation 4) The above calculation “*” is defined as (Equation 5), and Let the calculation “·” be (Equation 6), and Let the mapping F be (Equation 7), and When the i-th (i is an integer that satisfies 1 ≦ i ≦ n) converted random number information Ti is (Equation 8), Let the i-th signature creation information Ti ′ be (Equation 9), and 3. The multiple digital signature system according to claim 1, wherein the i-th signature verification information Ti ″ is set to (Equation 10). 4. When H is a hash function, when the i-th (i is an integer satisfying 1 ≦ i ≦ n) signature information is created, and in the signature verification formula, the message M is replaced by H (M 4. The multiple digital signature system according to claim 1, 2 or 3, wherein the multiple digital signature system is calculated. 5. Output values of h1, h2, and h3 from 1 to p-
5. The multiple digital signature system according to claim 4, wherein H (M) is set to (Equation 11) when the hash function is an integer up to 2. [Equation 11] 6. The first non-commutative ring R1 wherein p is a large prime number, q is a prime factor of (p-1), and g is an integer in the range of 1 <g <p satisfying g ^q modp = 1. And (Equation 12) The calculation “+” is set to (Equation 13) (where αmodβ is the remainder when α is divided by β), and Let the calculation “×” be (Equation 14), and Let the non-commutative ring R2 be (Equation 15) Let the calculation “*” be (Equation 16), and Let the calculation “·” be (Equation 17), and When the mapping F is (Equation 7) and the i-th (i is an integer that satisfies 1 ≦ i ≦ n) converted random number information Ti is (Equation 8), the i-th signature creation information Ti ′ is ( 18), and The multiple digital signature system according to claim 1 or 2, wherein the i-th signature verification information Ti "is set to (Equation 19). 7. When H is a hash function, when the i-th (i is an integer that satisfies 1 ≦ i ≦ n) signature information is created, and in the signature verification formula, the message M is replaced by H (M 7. The multiple digital signature system according to claim 6, wherein the multiple digital signature system is calculated. 8. Output values of h1, h2, and h3 are from 1 to q-.
The multiple digital signature system according to claim 7, wherein when the hash function is an integer up to 1, the H (M) is set to (Equation 11).