JPH1185016A - Method for designing authentication system and digital signature system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to check the safety of even the authentication protocol which is heretofore unsable and to use the same by verifying whether the communication contents of the formed authentication protocol and another authentication protocol are metrically identifiable or not. SOLUTION: The authentication protocol of the unknown safety is selected (S11) and thereafter, two bit commitment protocols are selected (S12). The authentication protocol is corrected by using the selected bit commitments (S13) and the safety of the corrected protocol is verified (S14). If the verification of the safely of the corrected protocol is successful, the authentication protocol is completed as the safe authentication protocol and further this protocol is packaged in the authentication system. In case of a failure in the safety verification of the corrected protocol, the other two bit commitment protocols are selected and the verification of the safety is executed by correcting the authentication protocol by using the same. The safe authentication protocol is finally obtd. by repeating the processing described above.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a design method for an authentication system and a digital signature system, and more particularly to a design method for certifying the security of an authentication protocol by a novel method when designing the authentication system and the digital signature system. About.

[0002]

2. Description of the Related Art When designing an authentication system, it is necessary that the security of an authentication protocol implemented in the system be proven.

For example, the security (non-transferability: non-transferabili) of a three-round authentication protocol
The proof technique of (ty) is that (A) a plurality of private keys exist for one public key,
A technique for proving security using the concept of ss indistinguity (Feige)
U. and Shamir A. , "Witness
Indistinguishable and Wit
ness hiding protocols ", 22
nd STOC, 1990), (B) A technique for proving security by utilizing the fact that secret information exists in addition to the secret key and that the secret information can be used to simulate the prover (Shho)
up V. , "On the Security of
a Practical Identificati
on Schema ", Eurocrypt '96),
Has been proposed.

[0004] However, some of the three-round authentication protocols do not apply to any of the above-described certification techniques (A) and (B), and there are protocols whose security is unknown and which is difficult to actually use. . For example, Schnorr's authentication protocol based on the discrete logarithm problem (Schnor's authentication protocol)
r C.I. P. , "Efficient Signature
re Generation by Smart Ca
rd ", Journal of Cryptolog
y, 1991), the security of which is currently unknown.
Similarly, Guillou-Quis based on prime factorization
Quarter's authentication protocol has not been proven to be secure.

Accordingly, an object of the present invention is to provide a new method of certifying the security of an authentication protocol when designing an authentication system and a digital signature system, and to confirm the security of an authentication protocol that could not be used conventionally. Another object of the present invention is to provide a design method that can be used as a computer.

[0006]

According to the present invention, it is verified whether the communication contents between a created authentication protocol and at least one other authentication protocol different from the created authentication protocol can be identified in terms of computational complexity. However, if the communication content is computationally indistinguishable and the security of the other authentication protocol described above is proved, a method for designing an authentication system that constructs an authentication system using the created authentication protocol is provided. You.

If the communication content between a certain authentication protocol and another authentication protocol is computationally indistinguishable and the security of the other authentication protocol is proved, it is verified that the authentication protocol is also safe. , This is implemented in the authentication system. As described above, since a new method of proving the security of the authentication protocol is used, it is possible to confirm the security of an authentication protocol that could not be used conventionally and to make it usable.

If it is verified that the communication content is computationally identifiable, the created authentication protocol is modified, and the communication content between the modified authentication protocol and the other authentication protocol is computationally identifiable. It is again verified whether it is possible or not, and if the communication content is computationally indistinguishable and the security of another authentication protocol is proved, it is preferable to construct an authentication system using a modified authentication protocol.

If the communication contents are verified to be computationally identifiable with respect to the modified authentication protocol, the above-described modification and verification of the authentication protocol are repeated until the communication contents become computationally indistinguishable. Is preferred.

In one embodiment of the present invention, the created or modified authentication protocol is an authentication protocol using a bit commitment without a trapdoor, and the other authentication protocol is a bit with a trapdoor. This is an authentication protocol using commitment.

According to the present invention, it is further verified whether or not the communication contents between the created authentication protocol and at least one other authentication protocol different from the created authentication protocol can be identified in terms of computational complexity. Is not computationally identifiable and if the security of another authentication protocol is proved, Fiat-Sh
A design method of a digital signature system for constructing a digital signature system by performing conversion processing using an amir conversion method is provided.

If the communication content between a certain authentication protocol and another authentication protocol is computationally indistinguishable and the security of the other authentication protocol is proved, it is verified that the authentication protocol is also safe. , And this, Fi
A digital signature system is created by performing conversion processing using the at-Shamir conversion method.

If it is verified that the communication content is computationally identifiable, the created authentication protocol is modified, and the communication content between the modified authentication protocol and another authentication protocol is computationally identifiable. Is verified again, and if the communication content is computationally indistinguishable and the security of another authentication protocol is proved, a conversion process is performed on the modified authentication protocol using the Fiat-Shamir conversion method. Therefore, it is preferable to construct a digital signature system.

[0014] When it is verified that the communication content is computationally identifiable with respect to the modified authentication protocol, it is also preferable to repeat the modification and verification of the authentication protocol until the communication content becomes computationally indistinguishable. .

In one embodiment of the present invention, the created or modified authentication protocol is an authentication protocol using a bit commitment without a trapdoor, and the other authentication protocol is an authentication protocol using a bit commitment with a trapdoor. It is.

[0016]

Embodiments of the present invention will be described below in detail with reference to the drawings.

FIG. 1 is a flowchart showing a schematic flow of a general authentication system designing method.

As shown in FIG. 1, an authentication protocol is first created, and the security of the created authentication protocol is verified. If the security is not satisfied, the authentication protocol is modified, and then the security is verified for the modified authentication protocol (step S1). If the created or modified authentication protocol satisfies the security, the authentication protocol is implemented in the authentication system (step S2).

FIG. 2 is a flowchart showing a schematic flow in an embodiment of a method for designing an authentication system according to the present invention, and shows a portion for performing a process corresponding to step S1 in FIG.

In step S11, first, an authentication protocol whose security is unknown is selected. FIG. 3 shows a generalized three-round authentication protocol. Although many such three-round authentication protocols are known, there are many authentication protocols whose security is unknown. Therefore, in step S11, one of which security is unknown is selected.

Briefly describing the three rounds of the authentication protocol, the prover P first generates a random number r, calculates x = A (r), and transmits it to the verifier V. The verifier V generates a random number e as a challenge bit and transmits this to the prover P. The prover P calculates y = B (r, e, s) using e and r and the secret key s, and transmits this to the verifier V. Verifier V uses public key v, and x =
Check C (v, e, y) and accept if this is satisfied.

As a specific example of a three-round authentication protocol, Schnorr based on the discrete logarithm problem described above is used.
Authentication protocols exist. This protocol includes, as initialization processing, prime numbers p and q satisfying q | p-1 and an order q
Keep generating the original g∈Z _p ^* of. Further, a secret key s∈Z _q is randomly selected, and a public key v = g ^−s modp is calculated. First, the prover P generates a random number r∈Z _q , and x = g
Calculate ^r modp and send it to verifier V. Verifier V generates a random number E∈Z _q as the challenge bits and transmits it to the prover P. Prover P is y = r + esm
odq is calculated and transmitted to the verifier V. Verifier V
Is that of receiving if the met x = v ^e g ^y modp.

Next, in step S12, two bit commitment protocols are selected. The bit commitment protocol is a basic element of the cryptographic protocol and is a well-known method used in many authentication protocols.

FIG. 4 shows a general bit commitment protocol. As shown in FIG.
Generates a random number r and transmits a function z = BC (b, r) to the verifier V from the random number r and the value b to be committed. The verifier V cannot estimate the value of b even if it receives z. The prover P cannot change the value of b after transmitting z. After that, the prover P transmits the random number r and the value b to be committed to the verifier V. The verifier V thereby obtains z = BC (b,
Check r).

In step S12, (1) Bit commitment BC _t with trap door (2) Bit commitment B without trap door
_Assume that two bit commitment protocols, C _n , have been selected.

Hereinafter, a protocol using these two bit commitments BC _t and BC _n based on the quadratic residue determination problem will be described. Here, the prover is the committing side. If N is the product of two prime numbers P and Q, given a random number x∈Z _N ¹ , it is difficult to determine whether x is a quadratic remainder or a square non-remainder. I have. Where Z _N ¹ = ｛x | x∈Z _N ^*
and (x / N) = 1｝.

[0027] In the bit commitment BC _t with trapdoors protocol, N and quadratic residue z is generated as an initialization process. First, the prover P has b∈ ｛0,
When we want to commit to 1｝, we choose a random number r∈Z _N ^* and c = B
Calculate C _t (z, b, r) = z ^b r ² modN and transmit to the verifier V. At the time of decommit, send the b and r to the verifier V, the verifier V is to check the c = z ^b r ² modN. In this case, P and Q (or the square root of z) are trapdoors.
Is committed to either {0 or 1}.

In the bit commitment BC _n protocol having no trapdoor, N and the quadratic non-remainder z are generated as initialization processing. The subsequent procedure is the same as in the case of the bit commitment BC _t with a trap door. However, there is no trapdoor.

In the next step S13, this step S
The authentication protocol is modified using the bit commitment BC selected in step 12.

FIG. 5 shows the authentication protocol of FIG. 3 modified by the bit commitment BC. The prover P generates random numbers r, b, and r ′ to obtain x = A (r) and z =
BC (b, r ') is calculated and transmitted to the verifier V. The verifier V generates a random number e as a challenge bit and transmits this to the prover P. Prover P is b, e and r
Further, y = B (r, e + b, s) is calculated using the secret key s, and this is transmitted to the verifier V. Further, b and r '
Is transmitted to the verifier V. Verifier V uses public key v,
Check x = C (v, e + b, y) and z = BC (b, r ') and accept if they are satisfied. However, in the above equation, the symbol + represents exclusive OR.

A modified protocol of Schnorr's authentication protocol will be described. First, Prover P
Generate random numbers r∈Z _q , b∈Z _q , r′∈Z _N ^* , and x = g
Calculate ^r modp and c = BC (z, b, r ') and send them to the verifier V. Verifier V generates a random number E∈Z _q as the challenge bits and transmits it to the prover P. The prover P calculates y = r + (e + b) smodq, and sends y, b, r ′ to the verifier V. Verifier V,
^{x = v e + b g y} modp and c = BC (z, b, r ') and is accepted if satisfied. In this modified protocol, e + b plays the role of the challenge bit, and this value is obtained by the coin flip protocol using the bit commitment BC.

In the next step S14, the security of the modified protocol is verified. If BC _t and BC _n are adopted as two bit commitments,
In step S14, verifying the safety of modified protocol by bit commitment BC _n without a trap door. This verification of safety, two authentication protocols that are corrected using the BC _t and BC _n is performed by verifying that indistinguishable.

[0033] As described above, since it is difficult to quadratic residue determination problem, as bit commitment BC _t with _{trapdoors, BC t (b) = c} = z b r 2 modN
(R is a random number; in this case, z is a quadratic residue modulo N), and a bit commitment B having no trapdoor
As C _n , BC _n (b) = c = z ^b r ² mod _N (r
The random number: If you select this case z is quadratic non-residue modulo N), 2 two authentication protocols that were fixed in these BC _t and BC _n is said to satisfy the indistinguishability. The authentication protocols that are fixed in bit commitment BC _t with trap doors, have safety has already been demonstrated. Therefore, in this case, it can be said that also modified protocol by bit commitment BC _n without a trapdoor meets safety.

In the following, this point will be considered under the assumption that the problem of the quadratic residue determination is difficult. Here, the prover and the verifier according to the protocol are P 'and V'
, And a prover and a verifier that do not follow the protocol are represented by P ″ and V ″, respectively. In particular, it is assumed that P ″ does not hold a secret key. The authentication protocol (P, V) is such that (P ′, V ′) succeeds with a probability of 1, and the verifier V accepts (P ′, V When the communication history obtained by V "after executing") "is transferred to P", there is no pair (P ", V") in which (P ", V ') succeeds with a nonnegligible probability. If conditions are met, it is safe (satisfies non-divertability).

[0035] First of all, to prove its safety for the case of BC = BC _t. This proof is based on the technique of proving security by utilizing the fact that secret information exists in addition to the secret key and that the certifier can be simulated using the secret information (S
hoop V. , "On the Security"
of a Practical Identifica
Tion Scheme ", Eurocrypt'9
6). In this case, even if the user does not have the secret key s, if the user has the trap door, the prover P can be simulated. The reason is that the value of e + b can be freely manipulated. The following shows that the discrete logarithm problem can be calculated in polynomial time, assuming that the protocol's non-divertability is not satisfied.

By assumption, there is a pair (P ", V") under the above conditions. Given a v, q, and p, a polynomial time algorithm that computes the discrete logarithm of v using the pair (P ″, V ″) is described. First, v, q
And p as input, generate N = PQ and quadratic remainder z. Next, using the trap doors P and Q, (P ′,
V "), where v is the public key of P '. Using the communication history obtained by this, simulates (P", V') and (P " ,
Confirm that V ′) succeeds. Then, the discrete logarithm s is calculated using P ″. (P ″, V ′) succeeds with a nonnegligible probability, and the quadratic residue determination problem is difficult, so P ″ cannot have a trapdoor. Therefore, x =
v ^{e1 + b} g ^y1 modp = ve ^{2 + b} g ^y2 modp (e1 ≠ e
(X, b, e1, y1, e2, y2) that satisfies 2) are calculated. That is, the discrete logarithm s of v is calculated.

Next, the security of the case where BC = BC _n will be proved. The proof is based on two protocols were used, respectively the BC _t and BC _n are indistinguishable. Under the assumption that the quadratic residue determination problem is difficult, V ″ is the BC used in the protocol.
C _t is the or BC _n and even difficult to determine a a. The following shows that the discrete logarithm problem can be calculated in polynomial time, assuming that the protocol's non-divertability is not satisfied.

First, v, s, q, and p are generated by initialization with N and z as inputs. Then, simulate (P ', V ") using s. Using the communication history obtained thereby, simulate (P", V') and (P ", V '). 0 if successful, 1 if unsuccessful
Is output. If z is quadratic residue, since it is BC = BC _t, the proof of non-diversion of the aforementioned, (P ", V ')
Succeeds and the probability that 0 is output is negligible. On the other hand, when z is a quadratic non-residue, BC = BC _n , and the probability that (P ″, V ′) succeeds and 0 is output cannot be ignored by the assumption. It can be solved in polynomial time.

If the security of the modified protocol has been successfully verified in step S14, the process proceeds to step S15.
, A modified protocol using BC _n is completed as a secure authentication protocol.
Proceed to and implement the protocol in the authentication system. If the security verification of the modified protocol fails, the process returns to step S12, selects another two bit commitment protocols, and uses them to execute step S13.
The process of correcting the authentication protocol in step S14 and verifying the security in step S14 is repeated to finally obtain a secure authentication protocol.

Although the above embodiment has been described with reference to the modified protocol of the Schnorr method based on the discrete logarithm problem, it is completely equivalent to a parallel version (3 rounds) of zero knowledge proof of any NP problem. A modification protocol that satisfies a certain non-divertability can be constructed.

According to the present invention, in the above-described embodiment,
When the secure authentication protocol is completed (step S15 in FIG. 2), the authentication protocol is set to Fiat-Shami.
By performing a conversion process using the conversion method of r, a digital signature system can be constructed. This Fia
The t-Shamir conversion technique is a well-known technique for obtaining a digital signature system by converting an authentication protocol. and S
hamir A. , "How to probe Yo
urself ", Crypto, 1986.

As an example, a digital signature method in which the authentication protocol described in step S11 of FIG. 2 is converted by using a Fiat-Shamir conversion method will be described below. To generate a digital signature for message m, first generate a random number r and calculate x = A (r),
Further, e = H (x, m) is calculated, and y = B (r, e, s) is calculated using e, r and the secret key s. However,
H () is a hash function. This (e, y) is the generated signature information. To verify the signature (e, y) for message m, use public key v and e = H
It is checked whether (C (v, e, y), m) holds.

The embodiments described above are merely examples of the present invention, and do not limit the present invention. The present invention can be embodied in other various modifications and alterations. Therefore, the scope of the present invention is defined only by the appended claims and their equivalents.

[0044]

As described above in detail, according to the present invention, the communication contents between a certain authentication protocol and another authentication protocol cannot be identified in terms of computational complexity, and the security of the other authentication protocol is proved. If so, verify that the authentication protocol is also secure and implement it in the authentication system, or use the Fiat-Shami
A digital signature system is constructed by performing conversion processing using the conversion method of r. As described above, since a new method of proving the security of the authentication protocol is used, it is possible to confirm the security of an authentication protocol that could not be used conventionally and to make it usable.

[Brief description of the drawings]

FIG. 1 is a flowchart showing a schematic flow of a general authentication system designing method.

FIG. 2 is a flowchart illustrating a schematic flow in an embodiment of a method for designing an authentication system according to the present invention.

FIG. 3 is a diagram showing a generalization of a three-round authentication protocol.

FIG. 4 is a diagram illustrating a general bit commitment protocol.

FIG. 5 is a diagram illustrating an authentication protocol obtained by modifying the authentication protocol of FIG. 3 by the bit commitment of FIG. 4;

Claims (9)

[Claims] 1. A method for designing an authentication system, characterized in that when communication contents of two different authentication protocols cannot be discriminated in terms of computational complexity, an authentication system is constructed by utilizing the characteristics. 2. Verification that the communication content between the created authentication protocol and at least one other authentication protocol different from the created authentication protocol is computationally identifiable, and that the communication content is computationally identifiable. If it is impossible and the security of the other authentication protocol is proved, an authentication system is constructed using the created authentication protocol. 3. If the communication content is verified to be computationally identifiable, the created authentication protocol is modified, and the communication content between the modified authentication protocol and the other authentication protocol is calculated. If the communication content is computationally indistinguishable and the security of the other authentication protocol is proved, construct an authentication system using the modified authentication protocol. 3. The method of claim 2, wherein: 4. With respect to the modified authentication protocol,
4. The method according to claim 3, wherein when the communication content is verified to be computationally identifiable, the authentication protocol is modified and verified until the communication content is not computationally identifiable. Method. 5. The authentication protocol created or modified is an authentication protocol using a bit commitment without a trapdoor, and the other authentication protocol is an authentication protocol using a bit commitment with a trapdoor. The method according to any one of claims 2 to 4, wherein 6. A method for verifying whether the communication content between the created authentication protocol and at least one other authentication protocol different from the created authentication protocol is computationally identifiable, and that the communication content is computationally identified. If it is impossible and the security of the other authentication protocol is proved, a digital signature system is constructed by performing a conversion process on the created authentication protocol by using a conversion method of Fiat-Shamir. How to design a digital signature system. 7. If the communication content is verified to be computationally identifiable, the created authentication protocol is modified, and the communication content between the modified authentication protocol and the other authentication protocol is calculated. If the communication content is computationally indistinguishable and if the security of the other authentication protocol is proved, the Fiat-Shamir conversion method is added to the modified authentication protocol. 7. The method according to claim 6, wherein the digital signature system is constructed by performing a conversion process using. 8. With respect to the modified authentication protocol,
8. The method according to claim 7, wherein when the communication content is verified to be computationally identifiable, the authentication protocol is corrected and verified repeatedly until the communication content is not computationally identifiable. Method. 9. The authentication protocol created or modified is an authentication protocol using a bit commitment without a trapdoor, and the other authentication protocol is an authentication protocol using a bit commitment with a trapdoor. The method according to any one of claims 6 to 8, wherein: