JPH10153956A - Electronic signing method, electronic signing system and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily constitute the multiplexing system, in which various operational configurations are considered, by employing the signing system on an elliptical curve ad replacing the data in a signing inspection system based on a specific rule. SOLUTION: The system consists of a center 10 and a communication network 14 made of plural stations 11 to 13 for users. Then, electronic sign data corresponding to document data M are generated and the signing inspection is conducted. First, a use is made for the system information which includes an elliptical curve E/Fq and a reference point G on the curve, an open key Y of the person who signs and a secret key (x) of the person that satisfies Y=x.G. Then, the data for a portion of a point R on the curve, that depend on a random number (k) and the point G, and the signing data including document data M, the key x and an integer (s) that depends on the number (k) are generated. When an integer (m) that only depends on the data M, an integer (r) that depends on a point R among the data M, the integer (s) and the key Y are given, the signing inspection is conducted employing an equation ±s.G =±m.Y±r.R over E/Fq as a siging inspection equation.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic signature method for realizing a function of signing and stamping an electronic document, an electronic signature system configured using the electronic signature method, and a program relating to the electronic signature method. It relates to the stored recording medium.

[0002]

2. Description of the Related Art Various methods have been devised as a method for creating an electronic signature (digital signature). The representative ones are a system based on the difficulty of the prime factorization problem and a system based on the difficulty of the discrete logarithm problem. Among them, methods based on the discrete logarithm problem include a method using a multiplicative group on a general finite field and a method using an additive group on an elliptic curve.
The discrete logarithm problem in the additive group on the elliptic curve is different from the discrete logarithm problem and the prime factorization problem in the multiplicative group on the finite field.
No efficient solution has been found, and it is said to be more secure.

Therefore, when a digital signature or a public key cryptosystem is constructed while securing the same security, a system constructed based on a discrete logarithm problem on an elliptic curve has a larger parameter than that based on other problems. It is known that it is possible to set the size of the image to a small size, and this has the effect of reducing the amount of processing.

When the characteristic of the finite field Fq is other than 2 or 3, the elliptic curve E / Fq on the finite field Fq is defined by the parameters a and b in the following equation (1) and the finite field Fq. The elliptic curve E / Fq can be defined even when the characteristic is 2 or 3, but is omitted here.

Y ＾ 2 = x ＾ 3 + ax + b (where a, b, x, and y are elements of a finite field Fq) (1) Here, y ＾ 2 represents the square of y, and x ＾ 3 represents 3 of x. It shall represent the power. Hereinafter, x ＾ a represents x to the power of a.

An element of the elliptic curve E / Fq is a pair of (x, y) satisfying the equation (1) (this is called a point on the elliptic curve).
Infinity point O. The point O at infinity cannot be expressed in the form of the original pair (x, y) of the finite field Fq, but a 1-bit flag representing the point at infinity may be prepared on implementation.
It is known that this set of points on the elliptic curve forms a group for addition. Regarding this addition, the point O at infinity becomes a unit element.

For a more detailed explanation of the elliptic curve E / Fq and the definition of addition, see, for example, Koblitz, “A Course in Number The
ory and Cryptography ”, Springer-Verlag. In the following, unless otherwise specified, uppercase letters represent points on an elliptic curve (ie, original pairs of finite fields Fq or points at infinity), and lowercase letters represent elements of finite fields Fq or The finite field Fq is composed of q = p ＝ t (where p is a prime number and t is a positive integer) elements, for example, a prime field Zp
(Composed of an integer from 0 to p−1) and an extended field GF (2 ＾ t) of 2 are typical.

A typical digital signature scheme on an elliptic curve is an ElGamal signature on an elliptic curve. In this method, a finite field Fq, a, which defines an elliptic curve as a public key,
b, base point G, and order z of base point G are used. Here, the order z of the base point G represents a minimum positive integer satisfying z · G = O over E / Fq.

The secret key of the signature creator is an integer x which is relatively prime to the order z and less than z, and the public key of the signature creator is the following point Y. Y = x · G over E / Fq The digital signature for an integer m that depends only on the document data M (this is generally digest information calculated by a cryptographic hash function on the document data M represented by a digital bit string) is as follows: Created by procedures. First, a random number k that is relatively prime to the order z and is a natural number less than z is determined, and from this k, R in the following equation is obtained.

R = k · G over E / Fq Next, the following r is obtained using a function f that converts point data on the elliptic curve into Zz (a natural number equal to or less than z−1). For example, a hash function may be used.

R = f (R) Further, the following s is obtained. s = (mx · r) / k (mod z) The signature data is a pair of (R, s). Inspection of the signature
This is done by checking that m, R, and s satisfy the following equation.

R = f (R) m · G = r · Y + s · R over E / Fq The ElGamal signature scheme is:
“T.ElGamal,“ A public key cryptosystem and a sign
ature scheme based on discrete logarithms ”, IEEE T
rans.IT, Vol.IT-31, No.4, July 1985, pp.469-472
".

With the above-described electronic signature method, a function of sealing a general electronic document can be realized.
There is also a need for a function for imprinting electronic circular documents by a plurality of signers. Such a function can be configured by linking signature data for the same document by a plurality of signers. However, such a configuration has a disadvantage that the amount of signature data and the amount of processing for signature verification increase in proportion to the number of signers. Compared to the case where individual signatures are simply concatenated, a method has been devised in which the increase in the signature data size is suppressed or the processing amount of signature verification is suppressed, and these are called multiple signature methods. I have.

[0014]

However, the above-described multiple signature method does not use the ElGamal signature method based on the difficulty of the discrete logarithm problem on an elliptic curve. The present invention has been made in view of such problems,
An object of the present invention is to provide an electronic signature method using an elliptic curve that can easily configure a multi-signature system in consideration of various operation modes, an electronic signature system configured using the electronic signature method, and the electronic signature method. An object of the present invention is to provide a recording medium in which a program relating to the method is stored.

[0015]

In order to achieve the above object, an electronic signature method according to the present invention creates an electronic signature data for document data M and performs an electronic signature check based on the electronic signature data. A finite field Fq
System information including the above elliptic curve E / Fq, the base point G on the elliptic curve E / Fq, the signer's public key Y defined by the points on the elliptic curve E / Fq, and the public key Y =
Using the signer's private key x created to satisfy x · G, the random number k arbitrarily generated and the elliptic curve E / F
signature data including at least a part of data of a point R on the elliptic curve E / Fq depending on a base point G on q and an integer s depending on the document data M, a secret key x, and a random number k. A signature data generating step, an integer m depending only on the document data M, a point R on the elliptic curve E / Fq and an integer r depending on at least the point R of the document data M, Given at least part of the data of point R and an integer s, the system information, and the signer's public key Y, ± s · G = ± m · Y ± r
A signature checking step of performing a signature check using a relational expression defined by R over E / Fq (signs of + and-are determined by predetermined conditions) or a relational expression equivalent to this relational expression as a signature check expression; Have.

Further, the electronic signature system of the present invention comprises a signature data creation device for creating digital signature data for the document data M, and a signature verification device for performing signature verification based on the digital signature data. A signature data creation device comprising: an elliptic curve E / Fq on a finite field Fq; and a base point G on the elliptic curve E / Fq.
, A signer's public key Y defined by a point on the elliptic curve E / Fq, and a public key Y = x ·
G using the signer's secret key x created to satisfy G, and a point R on the elliptic curve E / Fq that depends on the randomly generated random number k and the base point G on the elliptic curve E / Fq. Means for generating signature data including at least a part of the document data and an integer s depending on the document data M, the secret key x, and the random number k.
An integer m that depends only on the point R, an integer r that depends on at least the point R of the point R on the elliptic curve E / Fq and the document data M, and data and an integer of at least a part of the point R that is the signature data. s, the system information, and the public key Y of the signer, a first term s consisting of a product of the integer s and a base point G on the elliptic curve E / Fq
A second consisting of G and the product of the integer m and the public key Y
, And a third term r · R defined by a specific operation, which is a product of the integer r and a point R on the elliptic curve E / Fq, or this relational expression. Means for performing signature verification using a relational expression equivalent to the above as a signature verification expression.

Further, the recording medium of the present invention stores the document data M
A computer-readable recording medium storing a program including an instruction for causing a computer to execute a process of creating digital signature data for and a process of performing a signature check based on the created electronic signature data,
The processing for creating the digital signature data includes an elliptic curve E / Fq on a finite field Fq and a base point G on the elliptic curve E / Fq.
, A signer's public key Y defined by a point on the elliptic curve E / Fq, and a public key Y = x ·
G using the signer's secret key x created to satisfy G, and a point R on the elliptic curve E / Fq that depends on the randomly generated random number k and the base point G on the elliptic curve E / Fq. Generating signature data including at least a part of the data and an integer s depending on the document data M, the secret key x, and the random number k, and performing the signature check depends only on the document data M. An integer m and a point R on the elliptic curve E / Fq
And at least an integer r depending on at least the point R of the document data M, at least part of the data of the point R, which is the signature data, and an integer s, the system information, and the public key Y of the signer. , A first term s · consisting of a product of the integer s and a base point G on the elliptic curve E / Fq
G, a second term m · Y composed of the product of the integer m and the public key Y, and a third term r ·· composed of the product of the integer r and a point R on the elliptic curve E / Fq. A signature check is performed using a relational expression defined by a specific operation with R or a relational expression equivalent to this relational expression as a signature check expression.

[0018]

DESCRIPTION OF THE PREFERRED EMBODIMENTS First, an outline of the present embodiment will be described. The electronic signature scheme according to the first outline is based on the Elliptic curve.
This is an electronic signature scheme modified from the Gamal signature scheme. The difference from the conventional ElGamal signature scheme on an elliptic curve is that the signature data R, the signature data R and the signature data R, which are generated from the document data M, the signature data s, and the random number in the signature verification equation. That is, at least each of the integers r depending on the signature data R in the document data M has been replaced with each other based on a predetermined rule. Since s to which each signer's private key operates is created in the form of s = mxxrk (mod z), even if there are a plurality of private keys x,
In the case of a multiple signature, since the document data M is common, a plurality of secret keys x are put together by addition. This has the advantage of facilitating extension to the same multi-signature scheme.

Since r · k is a term that is not affected even when the number of secret keys x becomes plural, the integer r depends only on the point R generated from the random number. A configuration that depends on both M may be used, and that is expected to improve security.

As described above, even if the ElGamal signature scheme on the elliptic curve is modified, the signer holding the private key x corresponding to the public key Y can create signature data R and s satisfying the check equation.
On the other hand, no method has been devised for obtaining the signature data R and s when the secret key x is not held, except for obtaining the discrete logarithm problem on the elliptic curve. Therefore, it is effective as an electronic signature scheme.

Next, a second outline will be described. In the second outline, the digital signature scheme in the first outline is applied as a multiple signature scheme. A plurality of signers create a random number k, and create a point R on the elliptic curve depending on each random number k by first making a round of data. Thereafter, each signer obtains a partial signature s from the random number k created by himself and the secret key x.
And go around it.

In the circulation of the partial signature s, each partial signature is fused with the partial signature of the previous signer.
Thus, the multisignature data R,
s is created.

The check formula in the signature check is obtained by replacing the public key Y of the check formula in the first outline with the sum of the individual public keys Yi of a plurality of signature creators. If no secret key xi is involved, R and s satisfying the check formula cannot be obtained. Therefore, it is effective as an electronic signature system by a plurality of signers.

Next, a third outline will be described. In the third outline, the digital signature scheme in the first outline is applied to a sequential (one-round) multiple signature scheme. A plurality of signers create a random number k, and create a point R on an elliptic curve depending on the random number k. Each signer adds his / her private key x and random number k used to generate the point R to the partial signature s obtained from the previous signer.
To create a new partial signature s and send it to the next signer. At the same time as the partial signature s, an independently generated point is added as a part of the signature data. Thus, the multi-signature data s, R ₁ , R
₂ ,..., R _n are created.

The check equation in the signature checking r by check equation of replacing the public key Y to the sum of the individual public key Y _i of the plurality of signatures authors further section of the point R of the individual signer in the first schematic The sum of _i · R _i is used.

Hereinafter, the outline described above will be described in detail with reference to the drawings. FIG. 1 is a diagram showing a basic configuration of an electronic signature system according to the first embodiment of the present invention. As shown in FIG. 1, a plurality of stations (entities conventions) 11, 12, 13 corresponding to the user the system is a center _{10 (U 1, U 2,} ..., U
_i ).
The center 10 generates and discloses parameters of the elliptic curve E / Fq as public information. Further, the base point G on the elliptic curve E / Fq and its order z are obtained and made public.

Further, functions f and h are disclosed. These are cryptographic hash functions and output a fixed-length integer of about 160 bits as digest information for an input of an arbitrary size. Specific examples are SHA and MD5,
RIPE-MD and the like. Further, the functions f and h may be common.

[0028] Each station U _i defines a random number x _i is a natural number of z-1 or less, to the x _i and the station secret key. Further, the station public key Y _i is determined by the following equation. Y _i = x _i · G over E / Fq The station U _i sends the station public key Y _i to the center 10 and
Registers Y _i in the area of station U _{i in} the public key list. Only the center 10 can rewrite the public key list, and any station can read the list. Note that the station U
_{It is} assumed that ID information (identification information) of _i is I _i .

[0029] Figure 2A is a procedure station U _i to create a digital signature for the document data M. <Procedure of the station U _i > 1: A random number k (1 <k <z−1) is determined. (Step 101) 2: R = k · G over E / Fq is calculated. (Step 102) 3: Calculate r = f (R). (Step 103) 4: m = h (M) is calculated. (Step 104) 5: s = x _i · m + k · r mod from m, r and secret key x _i
Calculate z.

[0030] ... R and s created by (step 105) or a digital signature for the document data M station U _i.

Step 10 in this signature creation procedure
Since 1 to 103 do not depend on the document data M, they are calculated before a request for creating a digital signature occurs, and (k, R,
r) can be stored several times. In this case, the processing at the time of the signature creation request is performed in steps 104 and 105.
Only, which is effective in processing time.

Next, the procedure for checking the digital signature will be described with reference to FIG. 2B. <Signature inspection procedure> 1: take out a public key Y _i from the public list station U _i.

(Step 106) 2: Calculate r = f (R). (Step 107) 3: Calculate m = h (M). (Step 108) 4: r. s, m, Y _i to confirm that satisfies the following equation.

(Step 109) s ・ G = m ・ Y _i + r ・ R over E / Fq If this relationship holds, (R, s) is a digital signature for the document data M of the station U _i. Is determined.

It is clear that (R, s) generated by the procedure of steps 101 to 105 satisfies the check formula of step 109. In a state where the document data M is given to the contrary, station without a discrete logarithm x _i of Y _i is Step 1
It is considered that finding a set of (R, s) that satisfies the check formula of 09 is as difficult as finding a discrete logarithm problem on an elliptic curve. For example, if R is determined first, sG
= Const over E / Fq, which is nothing but a discrete logarithm problem. On the other hand, if s is determined in advance, R will be obtained as r · R = const over E / Fq, and this solution is not generally known.

Various modifications of the signature verification formula used in the digital signature method according to the present embodiment are conceivable, and representative ones are shown below. Note that they perform essentially the same test.

Firstly, check equation of step 109, s · G-m · Y i -r · R = O over E / Fq, etc. _{-s · G + m · Y i} + r · R = O over E / Fq inspection It is clear from the transposition of the term on the left side or right side in the check expression that this is equivalent to the following. Further, (s / r) · G− (m / r) · Y _i = R over E / Fq,... (2) (s / m) · G− (r / m) · R = Y _i over E / Checking Fq, (m / s) · Y _i + (r / s) · R = G over E / Fq is equivalent to checking the transposition of the term on the left side or the right side in the check formula and s, m , R multiplied on both sides by the reciprocal of Fq.

Further, s · G, m · Y _i ,
Changing the sign of the three terms of r · R (that is, changing + to-or vice versa, specifically ± s · G = ± m · Y _i ± r
· R = O over E / Fq even better, +, - street sign the following description, s step 105 in to) be signature generation program determined by step in the signature generation process, x _i · m, k · It should also be noted that the signature scheme in which the sign of the three terms in the check equation is changed is equivalent to changing the sign of r, and is essentially equivalent to the scheme of the present embodiment.

In the signature system of the present invention, f
F (R, M) may be used instead of (R). f
(R, M) represents a hash value randomly determined by the signer and dependent on both the data of the point R on the elliptic curve and the document data M. Specifically, R and M are concatenated and hashed, and a keyed hash (Keye
d hash) method.

In the transformation procedure, step 103 and step 1
07 is changed to r = f (R, M). In general, the procedure modified in this way improves the security because it is guaranteed that r is created from R and M.

The feature of this embodiment, signer dependent only on the document data M is a public key Y _i and the signature subject of the signer and claim r · R that depends on the random number and the base point G to generate for each created signature determining whether addition of terms m · Y _i signer three sections of section s · G private key x _i has changed the number of times of adding the base point G by s that acts to match the point at infinity It is in.

When the expression (2) is a check expression, the signature data size can be reduced. The specific procedure is shown below. The procedure for the station U _i to create a digital signature for the document data M is basically the same as the previous procedure, but it is confirmed whether or not r in step 107 is relatively prime to the order z. If not, the process returns to step 101 to generate another random number k.
The digital signature data finally output is r and s, and r is used instead of point R. As a result, the signature data size can be reduced to about 2/3.

Next, a procedure for inspecting a digital signature which is a modification of the above-described inspection procedure will be described with reference to FIG. <Signature inspection procedure> 1: take out a public key Y _i from the public list station U _i.

(Step 1101) 2: m = h (M) is calculated. (Step 1102) 3: 1 / r (modZ) is calculated. … (Step 11
03) 4: Calculate the point R in the following equation. (Step 1104) R = (s / r) · G− (m / r) · Y _i over E / Fq 5: It is confirmed that the point R and the r of the signature data satisfy the following relationship.

[0045] ... If (step 1105) r = f where (R) This relationship is satisfied, (r, s) is determined that a digital signature for the document data M station U _i.

Next, an electronic signature method according to a second embodiment in which the digital signature shown in FIG. 1 is applied to a multiple signature will be described. 4A and 4B show the flow of information in the multiple signature, and FIGS. 5A and 5B show the processing procedure of each station.

[0047] Here, the station U _1, U _2, ... n stations U _n it is assumed that multiplexed sign a document data M. And creating round R _n of the multiple signature creation Figure 4A, s _n in Figure 4B
Consists of two round operations. FIG.
procedure station U _i in the _n Creating rounds, Figure 5B denotes a processing procedure of the station U _i in the creation round s _n. (1) Preparation of R _n Round <station U _i procedure> (i = 1,2, ..., n) 1: random number _{k i (1 <k i <} z-1) to create a. ... (Step 301) 2: station U _(i-1) information received from the R _(i-1) and the random number k _i
The following formula is used to create R _i .

[0048] _{R i = R (i-1} ) + k i · G over E / Fq
(Step 302) 3: The information R _i and the document data M are transmitted to the station U _{(i + 1)} . ... running (step 303) the above processing from station U ₁ to station U _n sequentially, R _n
Create The station U ₁ performs the process of step 302 with R ₀ = ₀ (infinity point).

[0049] In addition, the station U _n is from information R _n that was created r =
Calculate r by f (R _n ), transmit this to station U ₁ ,
Move on to _n creation round. (2) s <procedure of station U _i> create round of _{n (i = 1,2, ...,} n) 1: stations U _1, U _2, ..., the public key of _{U (i-1) Y 1} , Y ₂ ,
…, Y _(i-1) is extracted from the public key list. (Step 304) 2: R received from station U _{(i-1) in the} round of creation of R _n
(i-1) and r, received from station U _(i-1) in this round.
Confirm that s _(i-1) satisfies the following relationship. …
(Step 305) Calculate m = h (M), s _i−1 · G = m · (Y ₁ + Y ₂ +... + Y _i−1 ) + r · R
_i-1 over E / Fq 3: If the relationship of step 305 is not satisfied,
The processing is terminated assuming that the processing of the station U _i-1 has an abnormality. ... (step 306) 4: random number created in the previous round k _i and a private key x of the local station
_{Using i} , s _i of the following equation is calculated. … (Step 30
7) s _i = s _i−1 + x _i · m + k _i · r mod z 5: Send s _i , r to the station U _{i + 1} . ... running from (step 308) or more processing stations U1 to station U _n sequentially, s _n
Create Note that the station U ₁ performs the process of step 307 with s ₀ = 0.

(R _n , s _n ) created as described above is a multiple signature for the document data M by the stations U ₁ to U _n . Station signature information U _n is created (R _n, s _n) all stations as needed U _1, U _2, ..., and sends the U _n-1.

Steps 304 and 3 in the above procedure
Reference numerals 05 and 306 denote portions for executing a check of the partial signature si _-1 and may be omitted. If the partial signature check is omitted, the check is executed only after the multiple signature (R _n , s _n ) is created. In order to detect the injustice of the signature creator as early as possible, the inspection of the partial signature in steps 304, 305 and 306 is effective.

FIG. 6 shows a procedure for checking a multiple signature created according to the procedures of FIGS. 5A and 5B. At the time of inspection, the following processing is performed. Sign the inspection R _n, s _n, ID information I ₁ of M and station, I _2, ..., is required I _n.

[0053] 1: station U _1, U _2, ..., the public key of U _n Y
₁ , Y ₂ ,..., Y _n are extracted from the public key list. …
(Step 401) 2: It is confirmed that R _n , s _n , and M satisfy the following relationship. (Step 402) Calculate m = h (M), Calculate r = f (R _n ), s _n · G = m · (Y ₁ + Y ₂ +... + Y _n ) + r · R _n ov
er E / Fq If this relationship holds, it is determined that (R _n , s _n ) is a valid multiple signature.

In the above-described multi-signature creation procedure and multi-signature inspection procedure, r = f instead of r = f (R _n ).
(R _n , M), and further in step 402 in the multiple signature verification procedure, r = f (R _n , M).

Next, a procedure for applying the signature inspection procedure shown in FIG. 3 to this multiple signature will be described. Station U _i is steps to create a digital signature for the document data M are basically Figure 5A, is the same as 5B procedure wherein a, r to R _n generated as a result of the calculation in step 302 at station U _n = F (R _n ) and check whether r is relatively prime to order z. If, if not relatively prime, it generates a different random number k _n returns to step 301. R
_The r output from the station U _{n in} the generation round of _n is relatively prime to z. The data of multiple signatures second round is finally output ends are r and s _n.

Next, the procedure for checking the digital signature will be described. FIG. 7 shows a procedure for checking a multiple signature created by this procedure. 1: station U _1, U _2, the public key of _{U n Y 1, Y 2,} ..., Y n
From the public key list. (Step 1201) 2: Calculate m = h (M) ... (Step 1202) 3: Calculate 1 / r (mod Z). … (Step 1
203) 4: Calculate the point R _{n of the} following equation. ... (Step _{1204) R n = (s n} / r) · G- (m / r) · (Y 1 + Y 2 +
.. + Y _n ) over E / Fq 5: It is confirmed that the point R _n and r of the signature data satisfy the following relationship. (Step 1205) r = f (R _n ) If this relationship holds, it is determined that (r, s _n ) is a valid multiple signature.

Next, a digital signature method according to a third embodiment in which the digital signature shown in FIGS. 2A and 2B is applied to a multiple signature will be described. FIG. 8 shows the flow of information in the third embodiment. Here, multi-signature data is generated only by making the information go around a plurality of times between a plurality of signature creation stations. Stations U ₁ , U ₂ , ..., U
_It is assumed that n stations of n create a multiple signature. FIG. 9 shows the station U
The procedure of _i is shown. <Station U _i procedure> (i = 1,2, ..., n) 1: station U _1, U _2, ..., the public key of _{U i-1 Y 1, Y} 2,
.., Y _i-1 are extracted from the public key list. (Step 601) 2: R ₁ , R ₂ ,..., R _i-1 s received from station U _i-1
Confirm that _i-1 and M satisfy the following relationship. …
(Step 602) Calculate m = h (M), calculate r _j = f (R _j ) (j = 1, 2,..., I−1), s _i−1 · G = m · (Y ₁ + ... + Y _i-1 ) + r ₁ · R ₁ +
r ₂ · R ₂ +... r _i-1 · R _i-1 over E / Fq 3: If the relationship of step 602 is not satisfied,
The processing is terminated assuming that the processing of the station U _i-1 has an abnormality. ... (Step 603) 4: random number _{k i (1 <k i <} z-1) to create a. (Step 604) 5: R _i of the following equation is created from the random number k _i . ... (Step _{605) R i = k i ·} G over E / Fq 6: station U information received from the _i-1 s _i-1 and the random number k _i, a s _i in the following equation from the private key x _i of the own station calculate. ... (Step _{606) r i = f (R} i) _{calculation, s i = s i-1} + x i · m + k i · r i mod z 7: Data _{s i, R 1, R 2} , ..., R i, Document data M
To the station U _{i + 1} .

[0058] ... running (step 607) the above processing from station U ₁ to station U _{n sequentially, s n, R 1, R} 2 created, ..., document by U _n R _n is from station U ₁ This is a multiple signature for the data M. Note that the station U
₁ is the process of steps 605 and 606 assuming that R _o = O (infinity point) and s _o = 0, and
Inspection processing of partial signatures up to 3 is not performed.

The procedure for checking the multiple signature created by the procedure shown in FIG. 9 will be described with reference to FIG. 1: station U _1, U _2, the public key of _{U n Y 1, Y 2,} ..., Y n
From the public key list. (Step 701) 2: It is confirmed that s _n , R ₁ , R ₂ ,..., R _n , M satisfy the following relationship.

(Step 702) Calculate m = h (M), calculate r _j = f (R _j ) (j = 1, 2,..., I−1), s _n · G = m · (Y ₁ + ... + Y _n ) + r ₁ · R ₁ + r ₂
· R ₂ + ... r _n · R _n over E / Fq If this relationship holds, then (s _n , R ₁ , R ₂ ,
, R _n ) are determined to be valid multiple signatures.

The multiple signature method shown in FIGS. 9 and 10 is disadvantageous in terms of data size and processing amount at the time of inspection as compared with the multiple signature method of FIGS. There is an advantage that the creation can be performed in one round of processing.

[0062] may also be utilized _{r = f (R i, M} ) in place of other embodiments as well as the multi-signature procedure also r = f (R _i). Specifically, r in step 602 in a multiple signature generation procedure station _{U i j = f (R j} , M)
(J = 1, 2,..., I−1), and step 606
Are changed so as to calculate r _i = f (R _i , M).

In the procedure for checking the multiple signature, step 702
Where r _j = f (R _j , M) (j = 1, 2,..., I−1)
Change to calculate FIG. 11 shows one configuration of an apparatus for executing creation / inspection of a digital signature system according to the present embodiment.

An arithmetic unit 901 executes a multiple length operation, and executes most of the arithmetic processing of the present electronic signature system. The random number generator 902 is a part that generates a random number k necessary for creating a signature. The random number memory 903 includes a random number generator 90
2, and R = k calculated from the random number k
A part for storing a pair of a value of G over E / Fq and a value of r = f (R). Random number generator 902, arithmetic unit 901
Operates not only at the time of signature creation / inspection but also at random (k, R,
The pair of r) is generated and stored in the random number memory 903. The secret key memory 904 is a memory for storing the secret key of the station. In addition, a control unit 905, a memory 906, and an input / output unit 9
07.

Lastly, a modified example of the signature system according to the present embodiment will be described. The procedure for the station U _i to create a digital signature for the document data M is as follows. <Procedure of the station U _i > 1: A random number k (1 <k <z−1) is determined. (Step 1001) 2: R = k · G over E / Fq is calculated. (Step 1002) 3: Calculate r = f (R). (Step 1003) 4: m = h (M, R) is calculated. … (Step 100
4) 5: s = x _i · m + k · r mod from m, r and secret key x _i
Calculate z.

[0066] ... R and s created (step 1005) or a digital signature for the document data M station U _i.

The procedure for checking the digital signature is as follows. <Signature inspection procedure> 1: take out a public key Y _i from the public key list station U _i.

(Step 1006) 2: Calculate r = f (R). (Step 1007) 3: m = h (M, R) is calculated. … (Step 100
8) 4: r, s, m, Y i to confirm that satisfies the following equation. .. (Step 1009) sｍG = m ・ Y _i + r ・ R over E / Fq If this relationship holds, it is determined that (R, s) is a digital signature for the document data M of the station U _i. I do.

In this method, hashing is performed by using not only the document data M but also data of a point R generated at random in the calculation of m. In general, it is considered that this method improves the safety. Note that m = h
(M, r) may be used.

The procedure of the bicyclic multiple signature (FIGS. 5A, 5B and 6) in this modified scheme is simply m = h (M,
R). In the procedure of one-round multiple signature (FIGS. 9 and 10), the signer sets m ₁ = h (M, R
₁ ), m ₂ = h (M, R ₂ ),..., _Mn = h (M, R
_n ) different from _n ) is generated, so that the check expression is also s _i · G =
_{m 1 · Y 1 + ... +} m n · Y n + r 1 · R 1 + ... + r n ·
It is changed to R _n.

The inspection procedure shown in FIGS. 3 and 7 can be applied even when the multiple signature method having the procedure shown in FIGS. 12A and 12B is used. As described above, according to the present embodiment, the ElGamal signature on the elliptic curve is transformed,
It is possible to provide a digital signature method that can easily configure a two-round or one-round multiple signature.

In each of the above-described embodiments, the process of creating digital signature data and the process of performing signature verification based on the created digital signature data are stored in a computer-readable recording medium as a program. Can be executed.

[0073]

As described above, according to the present invention, it is possible to provide an electronic signature method, an electronic signature system, and a recording medium that can easily configure a multiple signature system in consideration of various operation modes.

[Brief description of the drawings]

FIG. 1 is a diagram showing a basic configuration of an electronic signature system according to a first embodiment of the present invention.

FIG. 2A is a diagram showing a signature creation procedure in the digital signature method according to the first embodiment of the present invention, and FIG.
FIG. 4 is a diagram showing an inspection procedure.

FIG. 3 is a diagram showing a signature inspection procedure obtained by modifying the digital signature method according to the first embodiment of the present invention.

FIG. 4 is a diagram showing a flow of information in a two-round multisignature method according to a second embodiment of the present invention.

FIG. 5 is a diagram showing a signature creation procedure of a two-way multiple signature scheme.

FIG. 6 is a diagram showing an inspection procedure of a two-round multiple signature scheme.

FIG. 7 is a diagram showing a signature inspection procedure in which a two-round multiple signature scheme is modified.

FIG. 8 is a diagram showing a flow of information in a one-round multiple signature method according to a third embodiment of the present invention.

FIG. 9 is a diagram showing a signature creation procedure in a one-round multiple signature method.

FIG. 10 is a diagram showing an inspection procedure of a one-round multiple signature method.

FIG. 11 is a diagram illustrating a configuration example of an apparatus that creates and checks digital signature data.

FIG. 12 is a diagram showing a modification of the signature procedure.

[Explanation of symbols]

 10 center, 11, 12, 13 station, 14 communication network.

Claims (11)

[Claims] An electronic signature method for creating electronic signature data for document data M and performing signature verification based on the electronic signature data, comprising: an elliptic curve E / Fq on a finite field Fq; /
System information including a base point G on Fq, a signer's public key Y defined by a point on the elliptic curve E / Fq, and a signer created to satisfy this public key Y = x · G Using at least a part of data of a point R on the elliptic curve E / Fq depending on a random number k arbitrarily generated and a base point G on the elliptic curve E / Fq using the secret key x of the document A signature data generating step of generating signature data including data M, a secret key x, and an integer s depending on a random number k; an integer m depending only on the document data M; and a point on the elliptic curve E / Fq. R and an integer r depending on at least the point R of the document data M, data and an integer s of at least a part of the point R which is the signature data, the system information, and the public key Y of the signer. ± s · G = ± m · Y ± r · Rove r E / Fq (signs of + and-are determined by predetermined conditions) or a signature checking step of performing a signature check using a relational expression equivalent to the relational expression or a relational expression equivalent to the relational expression. A digital signature method. 2. An electronic signature method for generating electronic signature data for document data M and performing signature verification based on the electronic signature data, comprising: an elliptic curve E / Fq on a finite field Fq; /
System information including a base point G on Fq, a signer's public key Y defined by a point on the elliptic curve E / Fq, and a signer created to satisfy this public key Y = x · G Using at least a part of data of a point R on the elliptic curve E / Fq depending on a random number k arbitrarily generated and a base point G on the elliptic curve E / Fq using the secret key x of the document A signature data generating step of generating signature data including data M, a secret key x, and an integer s depending on a random number k; an integer m depending only on the document data M; and a point on the elliptic curve E / Fq. R and an integer r depending on at least the point R of the document data M, data and an integer s of at least a part of the point R which is the signature data, the system information, and the public key Y of the signer. The integer s and the elliptic curve E A first term s · G composed of a product of a base point G on Fq, a second term m · Y composed of a product of the integer m and the public key Y, and an integer r and the elliptic curve E / A signature check is performed using a relational expression defined by a specific operation with a third term r · R formed by a product with a point R on Fq or a relational expression equivalent to this relational expression as a signature check expression. A digital signature method. 3. An electronic signature method in which electronic signature data for document data M is created between a plurality of signers composed of n persons and a signature check is performed based on the electronic signature data. For a signer of (i = 1, 2, 3,..., N), system information including an elliptic curve E / Fq on a finite field Fq, a base point G on the elliptic curve E / Fq, and the elliptic curve Signer's public key Y _i defined by a point on E / Fq
And the signer's private key x _i created to satisfy this public key Y _i = x _i · G, and the random number k _i generated for each of the plurality of signers and the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ Fq to generate signature data including at least a part of data of the point R on the document data M, an integer s depending on the document data M, a secret key x _i for each of a plurality of signers, and each random number k _i. A data generation step; an integer m that depends only on the document data M; a point R on the elliptic curve E / Fq and an integer r that depends on at least the point R of the document data M; and a point that is the signature data. Given at least a part of data R and an integer s, the system information, and each public key Y _i , ± s · G = ± m · (Y ₁ + Y ₂ +... + Y _n ) ± r · Ro
ver E / Fq (signs of + and-are determined by predetermined conditions) or a signature inspection step of performing signature inspection using a relational expression equivalent to this relational expression or a relational expression equivalent to the relational expression. A digital signature method. 4. An electronic signature method in which electronic signature data for document data M is created among a plurality of signers composed of n persons, and signature verification of the plurality of signers is performed based on the electronic signature data. For the i-th (i = 1, 2, 3,..., N) signer, system information including an elliptic curve E / Fq on a finite field Fq and a base point G on the elliptic curve E / Fq And the signer's public key Y _i defined by a point on the elliptic curve E / Fq
And the signer's private key x _i created to satisfy this public key Y _i = x _i · G, and the random number k _i generated for each of the plurality of signers and the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ Fq to generate signature data including at least a part of data of the point R on the document data M, an integer s depending on the document data M, a secret key x _i for each of a plurality of signers, and each random number k _i. A data generation step; an integer m that depends only on the document data M; a point R on the elliptic curve E / Fq and an integer r that depends on at least the point R of the document data M; and a point that is the signature data. Given at least a part of data of R and an integer s, the system information, and each public key Y _i , a first consisting of a product of the integer s and a base point G on the elliptic curve E / Fq S · G, the integer m and each public key Y _i
(I = 1, 2, 3,..., N), the second term m · (Y ₁ + Y ₂ +... + Y _n ), and the integer r and the elliptic curve E / Fq A third term r ·
A signature check step of performing a signature check using a relational expression defined by a specific operation with respect to R or a relational expression equivalent to this relational expression as a signature check expression. . 5. An electronic signature method in which electronic signature data for document data M is created among a plurality of signers composed of n persons, and signature verification of the plurality of signers is performed based on the electronic signature data. For the i-th (i = 1, 2, 3,..., N) signer, system information including an elliptic curve E / Fq on a finite field Fq and a base point G on the elliptic curve E / Fq And the signer's public key Y _i defined by a point on the elliptic curve E / Fq
And the signer's private key x _i created to satisfy this public key Y _i = x _i · G, and the random number k _i generated for each of the plurality of signers and the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ Fq, at least a part of the data of each point R _i , and the secret key x _i for each of the document data M and the plurality of signers.
A signature data generation step of generating signature data including an integer s dependent on each random number k _i , an integer m dependent only on the document data M, each point Ri on the elliptic curve E / Fq, and and each integer r _i which depends on at least the point R _i of the document data M, at least a portion of the data and integer s of the points R _i which is the signature data
Given the system information and each public key Y _i , a first term s · G consisting of a product of the integer s and a base point G on the elliptic curve E / Fq, and the integer m And each public key Y _i
(I = 1, 2, 3,..., N), the second term m · (Y ₁ + Y ₂ +... + Y _n ), and the integer r _i and the elliptic curve E / Fq a relational expression or a relationship is defined by a particular operation between the third term is a sum of a product _{(r 1 R 1 + r 2} R 2 + ... + r n R n) between the points R _i of A signature checking step of performing a signature check using an equivalent relational expression as a signature check expression. 6. An electronic signature system comprising: a signature data creation device for creating electronic signature data for document data M; and a signature inspection device for performing signature inspection based on the electronic signature data. The creation device calculates the elliptic curve E / Fq on the finite field Fq and this elliptic curve E /
System information including a base point G on Fq, a signer's public key Y defined by a point on the elliptic curve E / Fq, and a signer created to satisfy this public key Y = x · G At least a part of data of a point R on the elliptic curve E / Fq depending on a random number k arbitrarily generated and a base point G on the elliptic curve E / Fq using the secret key x of the document Means for generating signature data including data M, a secret key x, and an integer s depending on a random number k, wherein the signature checking device includes: an integer m depending only on the document data M; A point R on Fq and an integer r depending on at least the point R of the document data M, at least a part of data and an integer s of the point R which is the signature data, the system information, and disclosure of the signer Given a key Y, the integer s and the A first term s · G consisting of a product of a base point G on the elliptic curve E / Fq; a second term m · Y consisting of a product of the integer m and the public key Y; Using a relational expression defined by a specific operation with a third term r · R consisting of a product with a point R on the elliptic curve E / Fq or a relational expression equivalent to this relational expression as a signature check expression An electronic signature system comprising means for performing signature verification. 7. A signature data creation device for creating digital signature data for document data M among a plurality of signers composed of n persons, and performing a signature check of the plurality of signers based on the electronic signature data. An electronic signature system comprising: a signature verification device; and the signature data creation device, for an i-th (i = 1, 2, 3,..., N) signer, an elliptic curve on a finite field Fq. E / Fq, system information including a base point G on the elliptic curve E / Fq, and a signer's public key Y _i defined by a point on the elliptic curve E / Fq.
And the signer's private key x _i created to satisfy this public key Y _i = x _i · G, and the random number k _i generated for each of the plurality of signers and the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ At least a part of the data of the R point on Fq, means for generating a signature data including the integer s which depends on the secret key x _i and the random number k _i for each of said document data M and a plurality of signers The signature verification apparatus includes: an integer m that depends only on the document data M; a point R on the elliptic curve E / Fq and an integer r that depends on at least a point R of the document data M; Given at least a part of the data of the point R and an integer s, the system information, and each public key Y _i , the product of the integer s and the base point G on the elliptic curve E / Fq S · G, the integer m, and each public key Y _i
(I = 1, 2, 3,..., N), the second term m · (Y ₁ + Y ₂ +... + Y _n ), and the integer r and the elliptic curve E / Fq A third term r ·
An electronic signature system comprising means for performing signature verification using a relational expression defined by a specific operation with R or a relational expression equivalent to this relational expression as a signature verification expression. 8. A signature data creation device for creating digital signature data for document data M among a plurality of signers composed of n persons, and performing signature inspection of the plurality of signers based on the electronic signature data. An electronic signature system comprising: a signature verification device; and the signature data creation device, for an i-th (i = 1, 2, 3,..., N) signer, an elliptic curve on a finite field Fq. E / Fq, system information including a base point G on the elliptic curve E / Fq, and a signer's public key Y _i defined by a point on the elliptic curve E / Fq.
And the signer's private key x _i created to satisfy this public key Y _i = x _i · G, and the random number k _i generated for each of the plurality of signers and the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ Fq, at least a part of the data of each point R _i , and the secret key x _i for each of the document data M and the plurality of signers.
And signature data including an integer s dependent on each of the random numbers k _i , wherein the signature checking device includes: an integer m depending only on the document data M; and an integer m on the elliptic curve E / Fq. A point R _i and each integer r _i depending on at least the point R _i of the document data M, and at least a part of data and an integer s of each point R _i which is the signature data
Given the system information and each public key Y _i , a first term s · G consisting of a product of the integer s and a base point G on the elliptic curve E / Fq, and the integer m And each public key Y _i
(I = 1, 2, 3,..., N), the second term m · (Y ₁ + Y ₂ +... + Y _n ), and the integer r _i and the elliptic curve E / Fq a relational expression or a relationship is defined by a particular operation between the third term is a sum of a product _{(r 1 R 1 + r 2} R 2 + ... + r n R n) between the points R _i of An electronic signature system comprising means for performing a signature check using an equivalent relational expression as a signature check expression. 9. A computer-readable program storing a program including an instruction for causing a computer to execute a process of creating digital signature data for the document data M and a process of performing a signature check based on the created digital signature data The processing for creating the digital signature data includes: an elliptic curve E / Fq on a finite field Fq;
System information including a base point G on Fq, a signer's public key Y defined by a point on the elliptic curve E / Fq, and a signer created to satisfy this public key Y = x · G Using at least a part of data of a point R on the elliptic curve E / Fq depending on a random number k arbitrarily generated and a base point G on the elliptic curve E / Fq using the secret key x of the document A process of generating signature data including data M, a secret key x, and an integer s depending on a random number k, and performing the signature check includes: an integer m depending only on the document data M; and an elliptic curve E / Fq. An integer r depending on at least the point R among the above point R and the document data M, at least a part of data and an integer s of the point R which is the signature data, the system information, and a public key of the signer. Given Y, the integer s and the ellipse A first term s · G consisting of a product of a base point G on the curve E / Fq, a second term m · Y consisting of a product of the integer m and the public key Y, the integer r and the ellipse A signature is defined by using a relational expression defined by a specific operation between the third term r · R, which is a product of a point R on the curve E / Fq, and a relational expression equivalent to this relational expression as a signature check expression. A recording medium for performing an inspection. 10. A process of creating digital signature data for document data M among a plurality of signers composed of n persons, and a process of checking signatures of the plurality of signers based on the created digital signature data. Is a computer-readable recording medium storing a program including an instruction for causing a computer to execute the electronic signature data. The processing for creating the digital signature data is performed in the i-th (i = 1, 2, 3,..., N) ), System information including an elliptic curve E / Fq on a finite field Fq, a base point G on the elliptic curve E / Fq, and a signer defined by a point on the elliptic curve E / Fq. Public key Y _i
And the signer's private key x _i created to satisfy this public key Y _i = x _i · G, and the random number k _i generated for each of the plurality of signers and the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ Fq, and signature data including at least a part of data of the point R on the document data M, an integer s depending on the document data M, a secret key x _i for each of a plurality of signers, and each random number k _i , The processing for performing the signature check includes: an integer m that depends only on the document data M; a point R on the elliptic curve E / Fq and an integer r that depends on at least the point R of the document data M; Given at least a part of the data of the point R and the integer s, the system information, and each public key Y _i , from the product of the integer s and the base point G on the elliptic curve E / Fq S · G, the integer m, and each public key Y _i
(I = 1, 2, 3,..., N), the second term m · (Y ₁ + Y ₂ +... + Y _n ), and the integer r and the elliptic curve E / Fq A third term r ·
A recording medium characterized by performing a signature check using a relational expression defined by a specific operation with respect to R or a relational expression equivalent to this relational expression as a signature check expression. 11. A process of creating digital signature data for document data M among a plurality of signers composed of n persons, and a process of checking signatures of the plurality of signers based on the created digital signature data. Is a computer-readable recording medium storing a program including an instruction for causing a computer to execute the electronic signature data. The processing for creating the digital signature data is performed in the i-th (i = 1, 2, 3,..., N) ), System information including an elliptic curve E / Fq on a finite field Fq, a base point G on the elliptic curve E / Fq, and a signer defined by a point on the elliptic curve E / Fq. Public key Y _i
When, by using the secret key x _i of the public key Y _i = created to meet the x _i · G signatory, and the random number k _i generated for each of a plurality of signers the ellipse Elliptic curve E depending on base point G on curve E / Fq
/ Fq, at least a part of the data of each point R _i , and the secret key x _i for each of the document data M and the plurality of signers.
And generating signature data including an integer s that depends on each random number k _i, and performing the signature check includes: an integer m that depends only on the document data M; and each point on the elliptic curve E / Fq. R _i and each integer r _i depending on at least the point R _i of the document data M, and at least a part of data and integer s of each point R _i which is the signature data
Given the system information and each public key Y _i , a first term s · G consisting of a product of the integer s and a base point G on the elliptic curve E / Fq, and the integer m And each public key Y _i
(I = 1, 2, 3,..., N), the second term m · (Y ₁ + Y ₂ +... + Y _n ), and the integer r _i and the elliptic curve E / Fq a relational expression or a relationship is defined by a particular operation between the third term is a sum of a product _{(r 1 R 1 + r 2} R 2 + ... + r n R n) between the points R _i of A recording medium for performing a signature check using an equivalent relational expression as a signature check expression.