JPWO2006057390A1 - Distribution process authentication system, distribution process authentication method - Google Patents

Abstract

A distribution history authentication system capable of detecting counterfeiting and falsification of distribution history information by a malicious third party is provided. Reader / writer 2-1 to 2-n having a transmitting / receiving unit 24 for transmitting / receiving information to / from the wireless IC tag 1 attached to the product, a signature creating unit 22 for creating a signature, and a signature verification unit 23 for verifying the signature At each base on the product distribution channel. The reader / writer 2-1 of the first base communicates with the wireless IC tag 1 attached to the product distributed to the base and signs the ID stored in the ROM unit 11 with the secret key of the base. The signature text is written in the RAM section 12 of the wireless IC tag 1 as distribution history information ui. The reader / writer other than the first base station communicates with the wireless IC tag 1 attached to the product distributed to the local base and signs the distribution history information written in the RAM section 12 with the private key of the local base. The signed text is derived as new distribution history information and replaced with the original distribution history information.

Description

  The present invention is a system for authenticating the distribution history of products or product packages for general consumers such as factory-produced products and foods, and in particular, a wireless IC tag represented by an RF-ID (Radio Frequency-IDentification) tag The present invention relates to a distribution history authentication system and a distribution history authentication method at each base such as manufacturing, processing, retailing, consumption / use, reuse, disposal, etc. of products.

  In the product distribution system, it may be desired to know how the product is distributed, that is, the distribution history. If the product is damaged during distribution, clarify the location of responsibility and clarify the production location, especially for the purpose of improving the safety and reliability of products such as food, etc. Need to know. As an example of a conventional method for knowing such a distribution history, there is a home delivery system using a wireless IC tag described in Patent Document 1. In this conventional home delivery system, an ID unique to a wireless IC tag is stored in a storage area in the wireless IC tag. The wireless IC tag is attached to the product, and the ID is read by a reader / writer installed at a collection store and a delivery store, and the read ID is transmitted to the host computer each time. Can manage the distribution history of the delivered goods (hereinafter referred to as the first prior art).

  Further, as an example of a conventional method for managing the distribution history by attaching a wireless IC tag having a writable memory area to a product, there is a product information management method disclosed in Patent Document 2. In this conventional product information management method, a reader / writer that writes information that certifies the distribution process (this information is referred to as distribution process information in this specification) to a wireless IC tag attached to the product is manufactured. In preparation for distribution, retail, consumption / use, reuse, and disposal bases, products are written by writing distribution background information to the wireless IC tag when passing through the bases and referring to the distribution background information as necessary. It is a method to know the distribution history of (the second conventional technology).

  As an example of another conventional method for managing the distribution history by attaching a wireless IC tag having a writable memory area to a product, there is a non-contact type IC tag management method for meat distribution shown in Patent Document 3. In this conventional technology, information related to meat to be distributed is encrypted with a secret key and a public key for decrypting the information is written on an IC tag, and the public key recorded on the IC tag is distributed at the distribution destination. This is a method for decoding the information recorded in the IC tag.

  Note that Non-Patent Document 1 is known as a document relating to a wireless IC tag.

  On the other hand, with the spread of computers and the Internet environment, opportunities for electronically transmitting and receiving messages are increasing. In such a case, an electronic signature is attached to the message in order to prevent the message from being tampered with during the transmission of the message. There are various types of electronic signatures, and so-called multiple signatures, which are performed by a plurality of signature devices as signatures, are also known. Signature schemes such as RSA and DSA are well-known signature schemes, but when creating a multiple signature using this scheme, all signature devices individually create a signature sentence to indicate that everyone has signed, All those signatures need to be saved. For this reason, the total value of the data length of the signature text is proportional to the number of signature devices. A non-patent document 2 and a non-patent document 3 disclose a signature method that improves such a problem and the total value of the data length of the signature text is not proportional to the number of signature devices. The method of Non-Patent Document 2 is based on the difficulty of the RSA problem, and the method of Non-Patent Document 3 relies on the difficulty of the Gap Diffie Hellman problem on a supersingular elliptic curve. Is shown.

JP 2001-206514 A JP 2002-49905 A JP 2004-43143 A All wireless IC tags, Nikkei BP, pp.197, 2004 AnnaLysyanskaya, Silvio Micali, Leonid Reyzin, Hovav Shacham. Sequential Aggregate Signatures from Trapdoor Permutations. InAdvances in Cryptology-EUROCRYPT 2004, vol. 3027 of LNCS, pp. 74-90. Springer-Verlag, 2004. D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In Advances in Cryptolog y-EUROCRYPT 2003, vol. 2656 ofLNCS, pp. 416-432. Springer-Verlag, 2003.

  However, in the first prior art, at a site where information communication with the host computer is impossible, information cannot be transmitted to the host computer when the product passes, and distribution history information can be recorded. Can not. Further, it is impossible to know the distribution history of the product because it cannot receive passage information from the host computer. In addition, when centrally managing data with a host computer, it is necessary to operate a host computer that allows each base to communicate information in common, but an operating environment is assumed in which there are stores of different industries in the product distribution channel. In such a case, it has been difficult to prepare such an operating environment. In other words, until now, only operation in a closed environment in a specific industry could be realized.

  On the other hand, even in the second prior art, the writable memory area of the main writable wireless IC tag is a finite area of 1 Kbyte at most referring to Non-Patent Document 1, and passes through each base in the course of distribution. There is a problem that the distribution history information generated one after another cannot be recorded. If there is not enough storage area to record, the distribution history information cannot be recorded correctly, and the distribution history cannot be known. Further, even if the distribution history information to be recorded is stored in a finite writable memory area, the write memory area is not used to store only the information necessary to know the distribution history. Depending on the situation, various information may be stored, and it is desirable that distribution history information can be managed with as little capacity as possible.

  In addition, in the case of a method such as the second conventional technique for recording distribution history information in the local writing area, there is a problem that the authenticity of the distribution history cannot be guaranteed due to rewriting (falsification) of the distribution history information or falsehood. Latent. Referring to Patent Document 3, when recording such distribution history, the properties of the public key cryptosystem, that is, the data encrypted (signed) with the private key can only be correctly decrypted (signed) It is possible to prevent forgery and tampering by a third party in the distribution process by using the property that it cannot be verified. However, this method works only on the premise that the reader / writer (terminal) at each site in the distribution process does not work illegally. If the reader / writer at each location in the distribution process deliberately forges or falsifies the distribution process information to obtain an unfair advantage, it cannot respond. This is because if the information to be encrypted with the private key is replaced, the information is encrypted with the legitimate private key and the verification with the corresponding public key is passed.

  On the other hand, the so-called multiple signature method is known, but there are no cases where the multiple signature method is applied to a system for authenticating the distribution history of a product, and in particular, a product that is attached with a wireless IC tag represented by RF-ID. There are no examples of applying the multiple signature method to the distribution history authentication system.

“Purpose of invention”
The present invention has been made in view of the above-mentioned problems, and the object thereof is to be able to communicate with a host computer in a distribution process of products or product packages for general consumers such as factory products and foods. , Providing a distribution history authentication method and distribution history authentication system that can check distribution history and can detect forgery and falsification of distribution history information in readers / writers and malicious third parties at each location in the distribution history There is to do.

  Another object of the present invention is to provide a distribution history authentication method and distribution history authentication system that can easily verify whether the distribution history of a product is correct.

  Still another object of the present invention is to provide a distribution history authentication method and distribution history authentication system having scalability in the number of bases traced during distribution history.

  A first distribution history authentication system according to the present invention includes a reader / writer having a transmission / reception unit that transmits and receives information to and from a wireless IC tag attached to a product and a signature generation unit that generates a signature. The reader / writer provided at each site on the distribution channel communicates with the wireless IC tag attached to the product distributed to the site or its package, and responds to the initial value or the value derived from it. The signature text signed with the private key of the local site is written in the readable / writable memory of the wireless IC tag as distribution history information. The reader / writer provided at the base other than the first base Communicate with the wireless IC tag attached to the package, and the distribution history information written in the readable / writable memory of the wireless IC tag or information derived from it Deriving a signature statement signed with the private key of the own base as a new distribution history information, and characterized in that to replace the original distribution history information written in read-write memory of the wireless IC tag.

  The second distribution history authentication system of the present invention uses the identification number unique to the wireless IC tag stored in the read-only memory of the wireless IC tag as the initial value in the first distribution history authentication system. It is characterized by being.

  The third distribution history authentication system according to the present invention is the first or second distribution history authentication system, wherein the reader / writer provided in at least one site other than the first site is attached to the product distributed to its own site or its package. For the distribution history information written in the readable / writable memory of the attached wireless IC tag, use the public key of each base upstream from the base in order from the public key of the base close to the base. It is characterized by having a signature verification unit that determines that the product has been correctly processed to its own base by repeating the process and verifying the process until the initial value is finally obtained.

  A fourth distribution history authentication system according to the present invention includes a reader / writer having a transmission / reception unit that transmits and receives information to and from a wireless IC tag attached to a product and a signature generation unit that generates a signature. The reader / writer provided at each site on the distribution channel communicates with the wireless IC tag attached to the product distributed to the site or its package, and responds to the initial value or the value derived from it. The signature text signed with the private key of the local site is written into the readable / writable memory of the wireless IC tag as the distribution history information and the initial value or the value derived therefrom as auxiliary information. The writer communicates with the wireless IC tag attached to the product distributed at its base or its package, and is written in the readable / writable memory of the wireless IC tag. The distribution history information or the information derived from it, the signature sentence signed with the private key of the local site is derived as new distribution history information, the written original distribution history information or information derived therefrom as auxiliary information, and wirelessly It is characterized in that it replaces the original distribution history information and auxiliary information written in the readable / writable memory of the IC tag.

  The fifth distribution history authentication system of the present invention is the fourth distribution history authentication system, in which the reader / writer provided in at least one base other than the first base is attached to the product distributed to its own base or its package. The distribution history information written in the readable / writable memory of the wireless IC tag is verified using the public key of the site one upstream from the own site, and the wireless IC tag can be read / written in the verification result. Since the same auxiliary information as the auxiliary information written in the memory can be derived, it has a signature verifying unit that determines that the product has been correctly processed from the previous base.

The sixth distribution history authentication system of the present invention is the first distribution history authentication system, wherein the reader / writer's signature creation unit provided at the i-th location in the order of history has the private key di _i and the RSA modulus. n _i , initial value u ₀ or a value derived from it, or a distribution history information u _i-1 written in a readable / writable memory of a wireless IC tag attached to a product distributed to its own base or its package, or derived from it Information, ST, (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. It is a thing to do.

7 Distribution Background authentication system of the present invention, in the sixth flow history authentication system, the ST is a bit string obtained by connecting the public keys of all bases upstream of the own base and own base T _i of the hash value H ( T _i ) and a value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag To do.

Eighth distribution history authentication system of the present invention, in the sixth distribution history authentication system, the ST may own base and own base than the hash value of a bit string T _i coupled to a public key and a message for all bases upstream H (T _i ) and the value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag Features.

In the ninth distribution history authentication system of the present invention, in the seventh or eighth distribution history authentication system, the reader / writer provided at the i-th site in the order of history is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When the function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ ( φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...)))))))) )) = u ₀ is satisfied, the signature verification unit determines that the product has been correctly processed up to its own site.

The tenth distribution history authentication system according to the present invention is the fourth distribution history authentication system, wherein the reader / writer's signature creation unit provided at the i-th location in the order of history has the private key di _i and the RSA modulus. n _i , initial value u ₀ or a value derived from it, or a distribution history information u _i-1 written in a readable / writable memory of a wireless IC tag attached to a product distributed to its own base or its package, or derived from it Information, ST, (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution The background information u _i-1 or its hash value h (u _i-1 ) is derived as new auxiliary information v _i , respectively.

11 Distribution Background authentication system of the present invention, in the tenth distribution history authentication system, the ST is a bit string obtained by connecting the public keys of all bases upstream of the own base and own base T _i of the hash value H ( T _i ) and a value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag To do.

The twelfth distribution history authentication system of the present invention is the tenth distribution history authentication system, wherein the ST is a hash value of a bit string T _i that concatenates public keys and messages of the base and all bases upstream from the base. H (T _i ) and the value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag Features.

In the thirteenth distribution history authentication system of the present invention, in the eleventh or twelfth distribution history authentication system, the reader / writer provided at the i-th base in the order of history is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. It has the part.

  A first distribution history authentication method according to the present invention provides a reader / writer having a transmission / reception unit that transmits and receives information to and from a wireless IC tag attached to a product and a signature generation unit that generates a signature. The reader / writer installed at each site on the distribution channel communicates with the wireless IC tag attached to the product distributed to the site or its package, and the initial value or the value derived from it The signature text signed with the private key of the local site is written in the readable / writable memory of the wireless IC tag as distribution history information, and the reader / writer provided at the base other than the first base is attached to the product or its package distributed to the local base. Communicating with a wireless IC tag that has been registered, the distribution history information written in the readable / writable memory of the wireless IC tag, or the information derived from it In the signed signature message derived as a new distribution history information, and replaces the read-write original distribution history information written in the memory of the wireless IC tag.

  The second distribution history authentication method of the present invention uses the identification number unique to the wireless IC tag stored in the read-only memory of the wireless IC tag as the initial value in the first distribution history authentication method. It is characterized by.

  The third distribution history authentication method of the present invention is the product in which the signature verification unit of the reader / writer provided in at least one base other than the first base distributes to the own base in the first or second distribution background authentication method. Or, for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the package, the public key of each base upstream from the base is used in order from the public key of the base close to the base In this case, it is possible to repeat the verification and finally verify that the initial value can be obtained, thereby determining that the product has been correctly processed up to its own site.

  According to a fourth distribution history authentication method of the present invention, a reader / writer having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to a product or a package thereof and a signature generation unit for generating a signature is provided. The reader / writer installed at each site on the distribution channel communicates with the wireless IC tag attached to the product distributed to the site or its package, and the initial value or the value derived from it The signature sentence signed with the private key of the local site is written in the readable / writable memory of the wireless IC tag as the distribution history information, the initial value or the value derived therefrom as auxiliary information, and the reader / writer provided in the base other than the first base, Distribution history information written in the readable / writable memory of the wireless IC tag by communicating with the wireless IC tag attached to the product or its package distributed to its own base Or, the signature text signed with the private key of the local site is derived as new distribution history information, the original distribution history information written or information derived therefrom as auxiliary information, and the wireless IC tag The original distribution history information and auxiliary information written in the readable / writable memory are replaced.

  The fifth distribution history authentication method of the present invention is the fourth distribution history authentication method, wherein the signature verification unit of the reader / writer provided in at least one site other than the first site has distributed the product or its package to the local site. The distribution history information written in the readable / writable memory of the wireless IC tag attached to the wireless IC tag is verified using the public key of the base one upstream from the local base, and the wireless IC tag in the verification result Since the same auxiliary information as the auxiliary information written in the readable / writable memory can be derived, it is determined that the product has been correctly developed from the previous base.

Sixth flow history authentication method of the present invention, in the first distribution history authentication method, signature creation unit of the reader writer history order is provided in the i-th bases, the secret key of the own base d _i, the RSA modulus n _i , initial value u ₀ or a value derived from it, or a distribution history information u _i-1 written in a readable / writable memory of a wireless IC tag attached to a product distributed to its own base or its package, or derived from it Information, ST, (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. It is characterized by doing.

According to a seventh distribution history authentication method of the present invention, in the sixth distribution history authentication method, the ST includes a hash value H (T of a bit string Ti obtained by concatenating the public keys of the base and all bases upstream from the base. _i ) and a value H (T _i ) ○ u obtained by exclusive OR between the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag .

The eighth distribution history authentication method of the present invention is the sixth distribution history authentication method, wherein the ST is a hash value of a bit string T _i that concatenates public keys and messages of the base and all bases upstream from the base. H (T _i ) and the value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag Features.

The ninth distribution history authentication method of the present invention is the seventh or eighth distribution history authentication method, wherein the signature verification unit of the reader / writer provided at the i-th site in the history order is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When the function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ ( φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...)))))))) )) = u ₀ is established, the method has a step of determining that the product has been correctly processed up to its own site.

The tenth distribution history authentication method of the present invention is the fourth distribution history authentication method, in which the reader / writer's signature creation unit provided at the i-th site in the order of history uses the private key di _i and the RSA modulus. n _i , initial value u ₀ or a value derived from it, or a distribution history information u _i-1 written in a readable / writable memory of a wireless IC tag attached to a product distributed to its own base or its package, or derived from it Information, ST, (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution The background information u _i-1 or its hash value h (u _i-1 ) is derived as new auxiliary information v _i , respectively.

11 distribution history authentication method of the present invention, in the tenth distribution history authentication method, the ST may own base and bit string obtained by connecting the public keys of all bases upstream of the own base T _i of the hash value H ( T _i ) and a value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag To do.

The twelfth distribution history authentication method of the present invention is the tenth distribution history authentication method, wherein the ST is a hash value of a bit string T _i that concatenates public keys and messages of the base and all bases upstream from the base. H (T _i ) and the value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag Features.

The thirteenth distribution history authentication method of the present invention is the eleventh or twelfth distribution history authentication method, wherein the signature verification unit of the reader / writer provided at the i-th site in the history order is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. It has the part.

  A first reader / writer of the present invention has a transmission / reception unit that transmits and receives information to and from a wireless IC tag attached to a product or a package thereof, and a signature creation unit that creates a signature. Distribution writer information that is written in the readable / writable memory of the wireless IC tag that communicates with the product or the wireless IC tag attached to the package that has been distributed to the base. Alternatively, the signature text signed with the private key of the local site is derived as new distribution history information and replaced with the original distribution history information written in the readable / writable memory of the wireless IC tag. It is characterized by being.

  The second reader / writer of the present invention is the first reader / writer for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to its own base or its package. , Repeat the verification using the public key of each base upstream from the local base in order from the public key of the base close to the local base, and finally the preset initial value or the read-only memory of the wireless IC tag And having a signature verification unit that determines that the product has been correctly processed up to its own base by being able to verify retroactively to the point where the identification number unique to the wireless IC tag stored in is obtained.

  The third reader / writer of the present invention has a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to a product or a package thereof, and a signature generation unit for generating a signature. Distribution writer information that is written in the readable / writable memory of the wireless IC tag that communicates with the product or the wireless IC tag attached to the package that has been distributed to the base. Alternatively, the signature sentence signed with the private key of the local site is derived as new distribution history information, the original distribution history information written or information derived therefrom as auxiliary information, and the information of the wireless IC tag is derived. It is characterized in that it replaces the original distribution history information and auxiliary information written in the readable / writable memory.

  The fourth reader / writer of the present invention is the third reader / writer for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to its own base or its package. The product can be verified by using the public key of the site one upstream from the own site, and the same auxiliary information as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived in the verification result. Is characterized by having a signature verification unit that judges that it has been correctly developed from the previous base.

Fifth writer of the present invention, in the first reader-writer, the signature creation unit sets a secret key of the own base d _i, the value or own base derived the RSA modulus n _i, the initial value u ₀ or therefrom ST (u <n _i ), distribution history information u _i-1 written in the readable / writable memory of the wireless IC tag attached to the product distributed to the product or the package thereof, or information derived therefrom? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. It is a thing to do.

The sixth reader / writer of the present invention is the fifth reader / writer, wherein the ST is a hash value H (T _i ) of a bit string T _i concatenating the public key of the base and all bases upstream from the base. The initial value or a value H (T _i ) ○ u obtained by exclusive OR with the bit string u of the distribution history information written in the readable / writable memory of the wireless IC tag.

The seventh reader / writer of the present invention is the fifth reader / writer, wherein the ST is a hash value H (T _{i) of} a bit string T _i concatenating the public key and the message of the base and all bases upstream from the base. ) And a value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag.

The eighth reader / writer of the present invention is the sixth or seventh reader / writer, wherein (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When the function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ ( φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...)))))))) )) = u ₀ is satisfied, the signature verification unit determines that the product has been correctly processed up to its own site.

Ninth writer of the present invention, in the third writer, the signature creation unit sets a secret key of the own base d _i, the value or own base derived the RSA modulus n _i, the initial value u ₀ or therefrom ST (u <n _i ), distribution history information u _i-1 written in the readable / writable memory of the wireless IC tag attached to the product distributed to the product or the package thereof, or information derived therefrom? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution The background information u _i-1 or its hash value h (u _i-1 ) is derived as new auxiliary information v _i , respectively.

The tenth reader / writer of the present invention is the ninth reader / writer, wherein the ST is a hash value H (T _i ) of a bit string T _i concatenating the public key of the base and all bases upstream from the base. The initial value or a value H (T _i ) ○ u obtained by exclusive OR with the bit string u of the distribution history information written in the readable / writable memory of the wireless IC tag.

The eleventh reader / writer of the present invention is the ninth reader / writer, wherein the ST is a hash value H (T _{i) of} a bit string T _i concatenating the public key and message of the base and all bases upstream from the base. ) And a value H (T _i ) ○ u obtained by exclusive OR of the initial value or the bit sequence u of the distribution history information written in the readable / writable memory of the wireless IC tag.

The twelfth reader / writer of the present invention is the tenth or eleventh reader / writer, wherein (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. It has the part.

  A thirteenth reader / writer of the present invention has a transmission / reception unit that transmits / receives information to / from a wireless IC tag attached to a product or a package thereof, and a signature verification unit that verifies a signature, and The signature verification unit is provided for a distribution history information written in a readable / writable memory of a wireless IC tag attached to a product distributed to the site or a package thereof. , Repeat the verification using the public key of each base upstream from the local base in order from the public key of the base close to the local base, and finally to the predetermined value or the read-only memory of the wireless IC tag It is possible to verify that the product has been correctly processed up to its own base by being able to verify retroactively to the point where the initial value, which is the identification number unique to the stored wireless IC tag, is obtained. It is characterized by that.

The fourteenth reader / writer of the present invention is the product that has been distributed to the i-th base in the thirteenth reader / writer, with the secret key of the i-th base d _i , the RSA modulus n _i , and the initial value u ₀ . Or, the distribution history information written in the readable / writable memory of the wireless IC tag attached to the package is u _i-1 , the bit string T _i linking the public keys of the i-th base and all bases upstream from it. H (T _i ) ○ u, (u <n _i )? G _i (u) = u ^ {e _i } is obtained by exclusive OR of the hash value H (T _i ) and distribution history information mod n _i : g _i (u) = u is a function defined as g _i (u), security parameter k bits (where n _i <2 ^k ) long natural number space, φ (u) = (u + When the function defined as n _i ) mod2 ^k is φ (u) and its inverse function is φ ⁻¹ , the signature verification unit is φ ⁻¹ (g ₁ (φ (g ₁ (H (T ₁ ○ _{^{φ -1 (g 2 (φ (}} (g 2 (H (T 2 ○ ... T i-1 ○ φ -1 (g i-1 (φ (g i-1 (u i-1))))) ))))))))) = By u ₀ is satisfied, wherein the product is one which determines that has been correctly history to own base.

The fifteenth reader / writer of the present invention is the product that has been distributed to the th th th th thirteenth reader / writer, with the secret key of the i th base d _i , the RSA modulus n _i , the initial value u ₀ , and the i th base. Or, the distribution history information written in the readable / writable memory of the wireless IC tag attached to the package is the bit string that concatenates the public key and message of u _i-1 , the i-th base and all bases upstream from it. T _i hash value H (T _i) and the value of H (T _i) obtained by the exclusive OR of the distribution history information _{○ u, (u <n i} )? g i (u) = u ^ {e _i } mod n _i : The function defined as g _i (u) = u is g _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = ( When the function defined as u + n _i ) mod2 ^k is φ (u) and its inverse function is φ ⁻¹ , the signature verification unit is φ ⁻¹ (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ (φ ((g ₂ (H (T ₂ ○… T _i-1 ○ φ ^-1 (g _{i-1 (φ (g i-1 (} u i-1))))) ...))))))))) = by u ₀ is satisfied, it is determined that the said product has been correctly history to own base It is characterized by being.

  A sixteenth reader / writer of the present invention has a transmission / reception unit that transmits / receives information to / from a wireless IC tag attached to a product or a package thereof, and a signature verification unit that verifies a signature. The signature verification unit is provided for a distribution history information written in a readable / writable memory of a wireless IC tag attached to a product distributed to the site or a package thereof. The product can be verified by using the public key of the site one upstream from the own site, and the same auxiliary information as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived in the verification result. It is characterized that it is judged that it has come from the previous base correctly.

The seventeenth reader / writer of the present invention is the product that has been distributed to the i-th base in the sixteenth reader-writer, with the secret key of the i-th base d _i , the RSA modulus n _i , and the initial value u ₀ . Or the distribution history information and auxiliary information written in the readable / writable memory of the wireless IC tag attached to the package is used for u _i-1 and v _i-1 , the i-th base and all the bases upstream from it. The values obtained by exclusive OR of the hash value H (T _i ) of the bit string T _i concatenated with the public key and the distribution history information are H (T _i ) ○ u, (u <n _i )? G _i (u ) = u ^ {e _i } mod n _i : a function defined as g _i (u) = u as a mapping in g _i (u), security parameter k bits (where n _i <2 ^k ) long natural number space When a function defined as φ (u) = (u + n _i ) mod2 ^k is φ (u), its inverse function is φ ⁻¹ , and h is a hash function, the signature verification unit is h (H ( T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ) ...)))))))))) = v _i-1 , it is judged that the product has been correctly developed from the previous base.

The eighteenth reader / writer of the present invention is the product that has been distributed to the i-th base in the sixteenth reader-writer, with the secret key of the i-th base being d _i , the RSA modulus being n _i , and the initial value being u ₀ . Or the distribution history information and auxiliary information written in the readable / writable memory of the wireless IC tag attached to the package is used for u _i-1 and v _i-1 , the i-th base and all the bases upstream from it. The values obtained by exclusive OR of the hash value H (T _i ) of the bit string T _i concatenating the public key and the message and the distribution history information are H (T _i ) ○ u, (u <n _i )? G _i (u) = u ^ {e _i } mod n _i : g _i (u) = u is a function defined as g _i (u), security parameter k bits (where n _i <2 ^k ) When a function defined as φ (u) = (u + n _i ) mod2 ^k as a mapping is φ (u), its inverse function is φ ⁻¹ , and h is a hash function, the signature verification unit is h ( H (T _i-1 ○ φ ^-1 (g _{i -1} by (φ (g _i-1 where _{(u i-1)))} )) ...))))))))) = v i-1 is satisfied, the product is properly from the previous site It is characterized in that it is determined that it has progressed.

  The wireless IC tag of the present invention transmits / receives information to / from a reader / writer provided at each site on the product distribution path in a wireless IC tag added to the product or its package in order to manage the distribution history of the product. A transmitter / receiver, a read-only memory that stores the identification number unique to the wireless IC tag, and a readable / writable memory that stores distribution history information. When distributed to the first site, the reader / writer When a signature sentence signed with the secret key of the base for the identification number or a value derived therefrom is written in the readable / writable memory as the distribution history information and distributed to a base other than the first base The distribution history information written in the readable / writable memory or information derived therefrom is read by the reader / writer provided at the base. Signature message signed with the private key of the point is derived as a new distribution history information, wherein the original distribution history information written in the writable memory is intended to be replaced.

"Action"
In the present invention, a wireless IC tag attached to a product or a package thereof is distributed along with the product, and a memory capable of reading and writing the wireless IC tag by a reader / writer provided at each site in the distribution process. The distribution history information inside is rewritten.

Specifically, a signature sentence signed with the private key of the base for the initial value u ₀ or a value uniquely derived by a hash function or the like by the reader / writer provided in the first base is used as the distribution history information u _1. It is written in the writable memory of the wireless IC tag, the reader-writer provided in the second base, the information that uniquely derived by and distribution history information u ₁ or from the hash function written in the read-write memory The signature text signed with the private key of the site is derived as new distribution history information u ₂ and replaced with the original distribution history information u _1, and is written in a readable / writable memory by the reader / writer at the third site. A signed sentence signed with the private key of the base for the distribution history information u ₂ or the information uniquely derived from it using a hash function etc. It is derived as new distribution history information u ₃ and is replaced with the original distribution history information u ₂ .

Whether a product that has been distributed to a certain base has been processed correctly is determined based on the distribution history information written in the readable / writable memory of the wireless IC tag attached to that product or its package. The verification can be repeated by repeatedly using the public key of each base in order from the public key of the base close to its own base, and finally verifying whether the initial value u ₀ can be obtained.

For example, a product that has been distributed to the third base must have gone through the first base and the second base in that order. Therefore, the distribution history information u ₂ stored in the readable / writable memory of the wireless IC tag attached to the product delivered to the third base is verified with the public key of the second base, and the verification result is 1 When verifying with the public key of the th site, the verification result matches the initial value. For example, for the distribution history information u ′ ₁ (≠ u ₁ ) stored in the readable / writable memory of the wireless IC tag attached to the product distributed from other than the first base at the second base Suppose that the signature sentence signed with the secret key of the second base is derived as new distribution history information u ₂ , replaced with the original distribution history information u ′ _1, and distributed to the third base. Distribution history information When u ₂ is verified with the public key of the second base and the verification result is verified with the public key of the first base, the verification result does not match the initial value u ₀ .

In this way, in the distribution process of products or product packages for general consumers such as factory-produced products and food products, the distribution process can be confirmed even in an offline environment where communication with the host computer is not possible, and the leader of each site in the distribution process Forgery and falsification of distribution history information by a writer or a malicious third party can also be detected. In addition, when a numerical value such as 0 is used as the initial value u ₀ , the distribution history information stored in the readable / writable memory of the wireless IC tag attached to the product A that is normally distributed is read and another product B is read. It is impossible to prevent fraud such as copying to a readable / writable memory of a wireless IC tag added to the wireless IC tag, but by using an identifier unique to the wireless IC tag stored in the read-only memory of the wireless IC tag as an initial value u ₀ Thus, it is possible to prevent such illegal acts and make it more difficult to forge and falsify distribution history information.

  In addition, in order to verify whether or not a product distributed to a certain base has been correctly processed, the base for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product. The method of repeating verification using all the public keys of each upstream site is highly reliable, but requires a large amount of calculation. On the other hand, the reader / writer provided at the first base distributes the signature text signed with the private key of the base for the initial value or the value derived therefrom, the distribution history information, and the initial value or the value derived therefrom as auxiliary information. The reader / writer provided in the base other than the first base is responsible for the distribution history information written in the read / write memory of the wireless IC tag or the information derived from it. The signature sentence signed with the private key of the original is derived from the new distribution history information, the original distribution history information that was written, or the information derived from it as auxiliary information, and the original that was written in the readable / writable memory of the wireless IC tag According to the method of replacing the distribution history information and auxiliary information, whether or not the product distributed to a certain base has been correctly Proof can be simplified. In other words, the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to the base is verified using the public key of the base one upstream from the base. Based on the verification result, whether the same auxiliary information as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived can determine whether the product has been correctly developed from the previous base. However, in this case, the previous base must be a reliable base.

  As a signature scheme for generating distribution history information in the present invention, a known signature scheme such as the signature scheme described in Non-Patent Document 2 can be used. However, the signature method described in Non-Patent Document 2 increases the signature data length by 1 bit each time a signature is overlapped. On the other hand, according to the new signature method proposed in the second embodiment to be described later, the size of the distribution history information can be made constant.

  According to the present invention, the distribution process can be confirmed even in an offline environment where communication with a host computer is not possible in the distribution process of products or product packages for general consumers such as factory-produced products and foods. This can reduce operational costs. The reason is that the local storage area of the writable wireless IC tag attached to the product has information for managing the distribution process, and the distribution process can be confirmed by referring to the information as necessary. .

  Further, according to the present invention, it is possible to detect forgery and falsification of distribution history information in a reader / writer at each stage in the distribution history or a malicious third party. The reason is that the signature that certifies the distribution process can be verified using the public keys of all the sites in the distribution process.

1 is a block diagram showing a configuration of a first exemplary embodiment of the present invention. It is explanatory drawing of the distribution history information in the 1st Embodiment of this invention. FIG. 5 is a sequence diagram showing an operation when a product with a wireless IC tag is passed through a reader / writer in the first embodiment of the present invention. FIG. 5 is a diagram showing functions used for creating and verifying a signature for distribution history information in the first exemplary embodiment of the present invention. 6 is a flowchart showing a processing example of a signature creation unit of the reader / writer according to the first embodiment of the present invention. 5 is a flowchart showing a processing example of a signature verification unit of the reader / writer according to the first embodiment of the present invention. 6 is a flowchart illustrating another example of processing of the signature creation unit of the reader / writer according to the first embodiment of the present invention. 6 is a flowchart showing another example of processing of the signature verification unit of the reader / writer according to the first exemplary embodiment of the present invention. FIG. 5 is a block diagram showing a configuration of a second exemplary embodiment of the present invention. FIG. 12 is a diagram showing functions used for creating and verifying a signature for distribution history information in the second exemplary embodiment of the present invention. 7 is a flowchart showing a processing example of a signature creation unit of a reader / writer according to a second embodiment of the present invention. 10 is a flowchart showing a processing example of a signature verification unit of the reader / writer according to the second exemplary embodiment of the present invention. 10 is a flowchart showing another processing example of the signature creation unit of the reader / writer according to the second exemplary embodiment of the present invention. 10 is a flowchart showing another processing example of the signature verification unit of the reader / writer according to the second exemplary embodiment of the present invention. FIG. 10 is a block diagram showing a configuration of a third exemplary embodiment of the present invention. FIG. 10 is a sequence diagram showing an operation when a product with a wireless IC tag is passed through a reader / writer in the third embodiment of the present invention. 10 is a flowchart showing a processing example of a signature creation unit of a reader / writer according to a third embodiment of the present invention. 10 is a flowchart showing a processing example of a signature verification unit of a reader / writer according to a third embodiment of the present invention. 10 is a flowchart showing another processing example of the signature creation unit of the reader / writer according to the third exemplary embodiment of the present invention. 14 is a flowchart showing another processing example of the signature verification unit of the reader / writer according to the third exemplary embodiment of the present invention. FIG. 10 is a block diagram showing a configuration of a fourth exemplary embodiment of the present invention. 10 is a flowchart showing a processing example of a signature creation unit of a reader / writer according to a fourth embodiment of the present invention. 10 is a flowchart showing a processing example of a signature verification unit of a reader / writer according to a fourth embodiment of the present invention. 16 is a flowchart showing another example of processing of the signature creation unit of the reader / writer according to the fourth exemplary embodiment of the present invention. 14 is a flowchart showing another processing example of the signature verification unit of the reader / writer according to the fourth exemplary embodiment of the present invention.

Explanation of symbols

1… Wireless IC tag
2-1 to 2-n: Reader / writer
3 ... Public key issuer
11 ... ROM part
12 ... RAM section
13 ... Transceiver
21… Key Management Department
22 ... Signature creation department
23 ... Signature verification part
24 ... Transceiver
25… External information input section

"First embodiment"
Next, a first embodiment of the present invention will be described in detail with reference to the drawings.

  Referring to FIG. 1, a distribution history authentication system according to a first exemplary embodiment of the present invention is attached to a product to be distributed, and a wireless IC tag (RFID tag) 1 that follows the distribution route (delivery route) together with the product, It consists of reader / writers 2-1 to 2-n arranged at each base in the distribution channel. Here, the products to which the wireless IC tag 1 is attached are the first site where the reader / writer 2-1 is arranged, the second site where the reader / writer 2-2 is arranged,... The history (distribution) shall be in the order of the nth base.

  The wireless IC tag 1 includes a ROM unit 11, a RAM unit 12, and a transmission / reception unit 13.

  The ROM unit 11 is a read-only memory area, and stores a unique ID for distinguishing the wireless IC tag 1 from other wireless IC tags.

The RAM unit 12 is a memory area that can be read and written, and the writable memory size is limited. In the writable memory area, distribution history information u _i that can be expressed in a size s that fits in the memory size is stored. Distribution history information u _i whose subscript is i represents the history of the first to i-th bases. The initial value of the distribution history information is u ₀ indicating that there is no history. In u ₀ , a predetermined value, for example, 0, or an ID value unique to the wireless IC tag stored in the ROM unit 11 of the wireless IC tag 1 is set.

Referring to FIG. 2, the distribution history information ui is composed of signatures sequentially calculated using the secret keys sk ₁ ,..., Sk _i of the reader / writers 2-1,. That is, the first reader / writer 2-1 uses the private key sk ₂ to sign the signature calculated by using the private key sk ₁ for the initial value u ₀ , The distribution history information u _i is obtained by repeating the procedure of signing the signature by the reader / writer of the next site up to the i-th site.

  The transmission / reception unit 13 performs processing such as amplification, filtering, and modulation to exchange information by wireless transmission with the reader / writers 2-1 to 2-n arranged at each site. Specifically, when a read request is made from the reader / writer to the ROM section 11 ID or the distribution history information of the RAM section 12, the information is read and transmitted to the reader / writer, and a write request from the reader / writer to the RAM section 12 is also made. Sometimes, information to be written is received and written to the RAM unit 11.

  The reader / writers 2-1 to 2-n all have the same configuration, and FIG. 1 shows the internal structure only in the block of the reader / writer 2-1.

  Referring to FIG. 1, each reader / writer is based on a key management unit 21 that manages a pair of a public key and a private key in the RSA public key encryption algorithm, and a private key of the reader / writer stored in the key management unit 21. Information is sent and received between the wireless IC tag 1 and the signature creation unit 22 that creates the signature, the signature verification unit 23 that verifies the signature based on the public key of the reader / writer at each site stored in the key management unit 21 The transmitting / receiving unit 24 is configured. Also, information to be added to the product (attribute information such as time and temperature) is input to the reader / writer, and information on the reader / writer (information for notifying the success or failure of background authentication at the time of transit) is output. The external information input unit 25 may be provided.

The key management unit 21 holds the public keys of the reader / writers 2-1 to 2-n and the private key of the reader / writer. The public keys of the reader / writers 2-1 to 2-n and the private key of the reader / writer may be issued from a reliable public key issuer 3 outside the system. Here, a procedure in which the key management unit 21 generates a key pair of a public key and a secret key by itself will be described. It is assumed that the same procedure is followed when the public key issuer 3 generates a key pair. In this procedure, for each reader / writer 2-i, a key is generated so as to maximize security by a method based on the RSA public key encryption algorithm. The prime numbers p _i and q _i are selected so that the bit length of the product n _i = p _i q _i (RSA modulus) is equal to the security parameter k and the bit lengths of p _i and q _i are approximately the same. Further, a natural number e _i that is larger than n _i and that is relatively prime to ((p _i -1) (q _i -1)) is selected at random. Using the parameters determined in this way, the public key pk _i and the secret key sk _i of the reader / writer 2- _i are respectively (n _i , e _i ), d _i = e _i ⁻¹ mod
((p _i -1) (q _i -1)). The public key of each reader / writer generated in this way is disclosed by means outside the system, and each reader / writer makes the public key publicly available from means outside the system.

The signature creation unit 22 is obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer, and the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1, Using the private key d _{i of the} reader / writer managed by the key management unit 21 and the RSA modulus n _i , a signature creation process is performed, and the created signature is used as new distribution history information u _i to the wireless IC tag 1 And the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1 via the transmission / reception units 13 and 24 of the reader / writer.

The signature verification unit 23 is obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer, with respect to the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1. If the reader / writer's public key pk _i-1 , ..., pk ₁ is used, the process of reaching the reader / writer's base will be verified in reverse order, and finally u ₀ can be obtained. Then, it is determined that all reader / writers have been processed correctly until reaching the base of the reader / writer.

  The transmission / reception unit 24 performs processing such as amplification, filtering, and modulation in order to exchange information by wireless transmission between the wireless IC tags 1. Specifically, when the reader / writer requests to read the ID of the ROM unit 11 or the distribution history information of the RAM unit 12, the information transmitted to the reader / writer is received. In addition, information to be written to the RAM unit 12 is transmitted at the time of a write request from the reader / writer to the RAM unit 12.

  Next, the operation when the product with the wireless IC tag 1 passes through the reader / writer 2-i will be described with reference to the sequence diagram of FIG.

First, the reader / writer 2-i distributes the wireless IC tag 1 stored in the RAM section 12 of the wireless IC tag 1 to the wireless IC tag 1 when a product with the wireless IC tag 1 is routed. When the ID specific to the wireless IC tag is used as the history information u _i-1 and the initial value u ₀ of the distribution history information, the ID of the ROM unit 11 is requested (S101).

  In response to this request, the wireless IC tag 1 sends the distribution history information ui-1 stored in the RAM unit 12 and the ID stored in the ROM unit 11 through the transmission / reception unit 13 when requested. The data is transmitted to the reader / writer 2-i (S201).

The reader / writer 2-i that has received the distribution history information u _i-1 (S102) receives the reader / writer 2-1 to 2- (i−1) held in the key management unit 21 by the signature verification unit 23. Using public keys pk _{1 to} pk _i-1 , signatures are sequentially verified for the distribution history information u _i-1 to verify whether or not the initial value u ₀ of the distribution history information can be obtained (S103). .

Here, if u ₀ is obtained, it is determined that the reader / writer 2-1 to 2- (i-1) has correctly gone through. If u ₀ cannot be obtained, there is something wrong with the distribution process. Is detected (S106).

If the verification is successful, the reader / writer 2-i can certify that the correct history has been obtained by the signature verification unit 23 in order to prove that the site where the reader / writer is located correctly has been authenticated. _{For i-1} , the signature creation unit 22 generates a signature using the private key sk _i of its own reader / writer held in the key management unit 21 (S104), and generates a new signature value u _i In order to overwrite the past u _i-1 as distribution history information, the wireless IC tag 1 is transmitted by the transmitting / receiving unit 24 (S105). When the wireless IC tag 1 receives u _i by the transmission / reception unit 13 (S202), it overwrites u _i−1 stored in the RAM unit 12 with the received u _i (S203).

The same operation as described above is also performed when a product to which the wireless IC tag 1 is added is delivered to the next base. Products writer 2-n is correctly history to base disposed in the wireless IC tag 1 against the flow history information u _n, using the public key pk ₁ ~pk _n interrogator 2-1 to 2-n If the signatures are verified in order, the initial value u ₀ of the distribution history information can be obtained. As a result, it is possible to know that all the base readers / writers have been properly processed.

  Next, the signature creation unit 22 will be described in more detail.

Signature generation processing in step S104 by the signature generating unit 22, the public key pk ₁ interrogator 2-1~2- (i-1), ... , pk i-1 are all different, and e _i is, n _i Greater than and ((p _i -1) (q _i -1)) and relatively prime, and after calculating T _i = pk ₁ ||… || pk _i , u = a || If s (a is k bits long), then (a <n _i )? E _i (u) =
((a ^ {d _i } mod n _i , s || 0): ((an _i ) ^ {d _i }
mod n _i, s || 1) using a defined function to be in FIG. 4 E _i (u) and, with respect to the distribution history information u _i-1 having the wireless IC tag _{1, E i (H (T} i ) ○ u _i-1 ) is derived as a signature. Here, the expression “expression 1? Expression 2: expression 3” used to define the function E _i (u) evaluates expression 2 when the condition of expression 1 is true, and when the condition of expression 1 is false. It means that expression 3 is evaluated, “||” is a concatenation of bit strings, “H” is a hash function that outputs a bit string having the same number of bits as n _i , and “O” is a bit-by-bit Exclusive OR, “^”, represents an arithmetic operator that calculates the value of the right operand as the exponent and the left operand as a power, and is used in the same meaning in the following. The detailed procedure of the signature creation process is shown in steps S314 to S319 in FIG. Hereinafter, the signature creation process as well as the preceding and following processes will be described in detail with reference to FIG.

Referring to FIG. 5, when the reader / writer 2-i reads the distribution route information u _i-1 stored in the RFID RAM unit 12 (S311), after verifying the validity of the possessed key ( The signature verification unit 23 verifies whether u _i-1 is valid (S312). After that, the signature creation unit 22 calculates T _i = pk ₁ || ... || pk _i from the public key of the current site and the public key of the upstream site (S314), and then E _i (H (T _i ) ○ u _i-1 ) is derived as distribution history information u _i in the reader / writer 2-i (S315 to S319). Specifically, first, v = H (T _i ) ○ u _i-1 is calculated (S315), the first security parameter k bit of v is a, the rest is s (S316), and a is the RSA modulus n _i when less than calculates the signature value according to the RSA scheme with the secret key d _i with respect to a (S317, S318). At this time, 1-bit information 0 is added to s as control information, and u _i is set together with the signature value. If a is larger than the RSA modulus n _i , the RSA signature cannot be calculated for a number greater than the modulus, so the signature value is calculated for a value obtained by subtracting a from n _i (S319). At this time, 1-bit information 1 is added to s as control information, and u _i is set together with the signature value. U _i calculated in this way is replaced with u _i−1 stored in the RAM portion of the RFID (S319).

As described above, the reader / writer 2-i basically signs the distribution path information u _i-1 already written in the wireless ID tag 1 with the private key d _i of the reader / writer. in the case of RSA, for RSA modulus n _i is greater than the number of self-writer can not calculate a signature, if Wakashi greater than u _i-1 is n _i signing since by subtracting the modulus n _i . At this time, in order to enable later verification, 1-bit control information (1 if the modulus has been exceeded, 1 if not) is added behind. Also, when calculating the signature, considering the security strength, the public key of each base in the background is input as a signature target to prevent the public key from being replaced. In other words, in order to create a signature in the usual way, you must first create your public key pair and then sign, but first you forge the signature and create a public key pair that matches the forged signature. To prevent this, put the public key in the hash. Having the public key in the hash ensures that the public key was created before signing.

  Next, the signature verification unit 23 will be described in more detail.

The signature verification processing in step S103 by the signature verification unit 23 is performed by the reader / writer 2-i with T _i = pk ₁ || ... || pk _i , u = a || s || b (a is a k-bit length, b (B = 0)? D _i (u) =
((a ^ {e _i } mod n _i , s): Using the function D _i (u) shown in Fig. 4 defined as ((a ^ {e _i } mod n _i ) + n _i , s) , D ₁ (H (T ₁ ) ○ (D ₂ (H (T ₂ ) ○… D _i-1 (u _i-1 )) ...)) = u ₀ The detailed procedure of this signature verification process is shown in FIG.

Referring to FIG. 6, first, the reader / writer 2-i stores the distribution route information u _i-1 in the variable v _i (S331).

  The verification process is performed in sequence from the reader / writer 2-i at the base in the process to the reader / writer 2-1 at the most upstream base (S332 to S342).

  First, i-1 is stored in a loop variable j that manages which base is verifying the signature (S332).

It is determined whether j is 1 or more (S333). If j is 1 or more, the following processing is performed. After calculating Tj = pk ₁ ||… || pk _j from the public key of the base provided for the reader / writer 2-j and the public key of the base located upstream thereof (S334), the first k bits of v _j to a, the last one bit to b, and stores the remaining bits in s (S335), what b is 0 if, that verifies the public key e _j a a, was added s at the end of the verification result And H (T _j ) are calculated and stored as v _j−1 (S336, S337).

If b is 1, a is verified with public key e _j , modulus n _j is added to the verification result, and s is added to the end and H (T _j ) is calculated as the exclusive OR. Is stored as v _j-1 (S338). Finally, the loop variable j is decremented (S339), and the above processing is repeated from the determination whether j is 1 or more again. When j is 0, it is confirmed whether v ₀ is equal to the initial value u ₀ of the distribution history information (S340).

  If they are equal, it follows that the correct process is followed, and it is assumed that the verification is successful that there was no fraud on the way, and this process is completed (S341). If they are not equal, it is assumed that the verification has failed, and this processing is completed (S342).

In this way, the signature verification in the reader / writer 2-i is processed retroactively, and when the initial value u ₀ is finally obtained, it is determined that the correct history has been followed. In addition, when verifying the signature, the public key of each site in the background is input as the verification target, so that the public key replacement can be detected.

  Next, as a modification of the present embodiment, referring to FIG. 7, the signature creation process of the signature creation unit 22 when a message to be written to the wireless IC tag 1 is input from the external information input unit 25 in each reader / writer. explain.

Referring to FIG. 7, when the message M _i to be written to the wireless IC tag 1 exists in the reader / writer 2-i, the signature creation unit 22 performs T ′ _i = M ₁ ||… || M _i || pk ₁ | | ... calculate the || pk _i (S314 '), the following, T' by treating _i as with T _i in Fig. 5, E _i
Derive (H (T'i) ○ u) as a signature. When calculating the signature in this way, by inputting the message to be added together with the public key of each site in the background as a signature target, not only the replacement of the public key but also the alteration of the message to be assigned by each reader / writer Detectable.

FIG. 8 shows a procedure of signature verification processing of the signature verification unit 23 when there is a message to be written to the wireless IC tag 1 in each reader / writer. T ′ _j = M ₁ ||… || M _j || pk ₁ ||… || pk _j is calculated (S334 ′), and T ′ _j is treated in the same manner as T _j in FIG. D ₁ (H (T'1 ₎ ○ (D ₂ (H (T ' ₂ ) ○… D _i-1 (u _i-1 )) ...)) = u ₀ To do. When verifying a signature in this way, by inputting the message to be given as a verification target together with the public key of each site in the history, it is possible to detect the replacement of the public key and the alteration of the message.

  Next, the effect of this embodiment will be described.

  The first effect is that the distribution process can be confirmed even in an offline environment where communication with the host computer is not possible in the distribution process of products or product packages for general consumers such as factory-produced products and foods. The reason is that the local storage area (RAM unit 12) of the writable wireless IC tag 1 attached to the product has information for managing the distribution process, and confirms the distribution process by referring to it as necessary. Because it can. This can reduce operational costs.

  The second effect is that the number of bases traced during distribution is scalable. This is because the distribution history information can be expressed by (signature size + (number of bases) × 1 bit).

  The third effect is that the price of the wireless IC tag 1 can be kept low. The reason is the same as the reason for the second effect, and it is not necessary to mount a large amount of write memory area. This facilitates use in large quantities for distribution purposes.

  The fourth effect is that it is possible to detect counterfeiting and falsification of distribution history information in each stage of the reader / writer and a malicious third party in the distribution history. The reason is that the signature that certifies the distribution process can be verified using the public keys of all the sites in the distribution process. In particular, when using an ID unique to the wireless ID tag stored in the ROM part 11 of the wireless ID tag 1 as the initial value u0, if it can be assumed that the data in the ROM part 11 cannot be tampered with, the RAM Even when the distribution history information of the unit 12 is illegally copied to the RAM unit 12 of another wireless ID tag, it can be detected.

“Second Embodiment”
Next, a second embodiment of the present invention will be described in detail with reference to the drawings.

  Referring to FIG. 9, in the distribution history authentication system according to the second exemplary embodiment of the present invention, each reader / writer 2-1 to 2-n replaces the signature creation unit 22 and the signature verification unit 23 with a signature creation unit 22A. 1 is different from the distribution history authentication system according to the first exemplary embodiment of FIG. 1 in that a signature verification unit 23A is provided, and the other points are the same as those of the first exemplary embodiment.

The signature creation unit 22A is obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer, with respect to the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1. Using the private key d _{i of the} reader / writer managed by the key management unit 21 and the RSA modulus n _i , a signature creation process is performed, and the created signature is used as new distribution history information u _i to the wireless IC tag 1 And the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1 via the transmission / reception units 13 and 24 of the reader / writer. However, in the case of the present embodiment, the sizes of the distribution history information u _i and u _i-1 before and after replacement are not changed.

The signature verification unit 23A is obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer, with respect to the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1. If the reader / writer's public key pk _i-1 , ..., pk ₁ is used, the process of reaching the reader / writer's base will be verified in reverse order, and finally u ₀ can be obtained. Then, it is determined that all reader / writers have been processed correctly until reaching the base of the reader / writer.

  The operation when the product to which the wireless IC tag 1 is attached passes through the reader / writer 2-i is basically performed according to the sequence of FIG. 3 as in the first embodiment. However, the contents of the signature verification process in step S103 and the signature creation process in step S104 are different from those in the first embodiment.

  Next, details of the signature creation unit 22A will be described.

Signature generation processing in step S104 by the signature generating section 22A, the public key pk ₁ interrogator 2-1~2- (i-1), ... , pk i-1 are all different, and e _i is, n _i Is larger than ((p _i -1) (q _i -1)) and is relatively prime, and after calculating T _i = pk ₁ ||… || pk _i , (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: F (u) = (u) as a mapping in the function f _i (u) in FIG. 10 defined as f _i (u) = u and security parameter k bits (where n _i <2 ^k ) long natural number space + n _i ) mod2 ^{k Using} the function φ (u) in FIG. 10, the distribution history information u _{i-1 of} the wireless IC tag 1 is expressed as φ ⁻¹ (f _i (φ (f _i ((H (T _i ) ○ u _i-1 ))))) is derived as a signature. Here, φ ⁻¹ is an inverse mapping of the mapping φ. Then, the derived signature as a new distribution history information u _i, the distribution history information u stored in the RAM unit 12 of the wireless IC tag 1 via the transceiver 13, 24 of the wireless IC tag 1 and the reader-writer _i- Replaced with ₁ . The detailed procedure of the signature creation process is shown in steps S364 to S371 in FIG. Hereinafter, the signature creation processing by the signature creation unit 22A as well as the preceding and following processing will be described in detail with reference to FIG.

Referring to FIG. 11, the reader / writer 2-i reads the distribution route information u _i-1 stored in the RFID RAM unit 12 (S361), and after verifying the validity of the owned key ( In step S362), the signature verification unit 23A verifies whether u _i-1 is valid (S363). Thereafter, T _i = pk ₁ || ... || pk _i is calculated from the public key of the current site and the public key of the upstream site by the signature creation unit 22A (S364), and v: = H as the signature target (T _i ) ○ u _i-1 is calculated (S365) .If v is smaller than the RSA modulus n _i (YES in S366), the value obtained by calculating the signature of v with the private key d _i is set to 2 ^k Then, add n _i with modulo as v, and set the result as v ′ (S367). If larger (NO in S366), RSA signature cannot be calculated for numbers greater than the modulus, so no signature calculation is performed for v, and n _i is directly added to the value with a modulus of 2 ^k. And set the result as v ′ (S368).

Next, when v ′ is smaller than the RSA modulus n _i (YES in S369), subtract n _i with a modulus of 2 ^k from the value obtained by calculating the signature of v ′ with the secret key d _i , and the value Is the distribution history information u _i in the reader / writer 2-i (S370).

If it is larger (NO in S369), the RSA signature cannot be calculated for numbers greater than the modulus, so the signature calculation is not performed for v ', and the subtraction of n _i with a modulus of 2 ^k directly is performed from that value. The value is set as distribution history information u _i in the reader / writer i (S371). The u _i calculated in this way is replaced with u _i−1 stored in the RFID RAM 12 (S372).

As described above, the reader / writer 2-i basically signs the distribution path information u _i-1 already written in the wireless ID tag 1 with the private key d _i of the reader / writer. Unlike the first embodiment, instead of adding control bits, when calculating the number of signatures exceeding the modulus n _i , the signature is calculated after applying a function that maps to the larger by the modulus n _i. After that, the inverse mapping is applied to the smaller one by the modulus n _i . Similarly to the first embodiment, when a signature is calculated, the public key of each site on the background is input as a signature target, thereby preventing the public key from being replaced.

  Next, the signature verification unit 23A will be described in more detail.

In the signature verification processing in step S103 by the signature verification unit 23A, the reader / writer 2-i calculates T _i = pk ₁ || ... || _i k _{i -1} and (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : Using the function g _i (u) of FIG. 10 defined as g _i (u) = u and the mapping φ (u), φ ⁻¹ (g ₁ (φ (g ₁ (H ( T1 ○ φ ^-1 (g ₂ (φ ((g ₂ (H (T ₂ ○ ... φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...))) If)))))) = u _0, it is determined that the signature has been successfully verified, and the detailed procedure of this signature verification processing is shown in FIG.

  Referring to FIG. 12, first, the reader / writer 2-i performs verification processing in order from the reader / writer 2- (i-1) at the previous base to the reader / writer 2-1 at the first base. First, i is stored in a loop variable j that manages which base is verifying the signature (S381). If j is 1 or more (YES in S382), the following process is performed.

From the public key of the base equipped with the reader / writer j and the public key of the base located upstream thereof, T _j =
After calculating pk ₁ ||… || pk _j (S383), v: = H (T _j ) ○ u _j is calculated using u _j read from the RFID RAM 12 as the verification target (S384) When v is smaller than the RSA modulus n _j (YES in S385), n _j with a modulus of 2 ^k is added to the value obtained by verifying the signature of v with the public key e _{j as} it is, and the result is v ′ (S386). If it is larger (NO in S385), the RSA signature cannot be verified for numbers greater than the modulus, so no verification processing is performed on v, and n _j is directly added to the value with a modulus of 2 ^k. And set the result as v ′ (S387).

Next, when v 'is smaller than the RSA modulus n _j (YES in S388), subtract n _j with a modulus of 2 ^k from the value obtained by verifying the signature of v' with the public key e _j V _j (S389). If it is larger (NO in S388), the RSA signature cannot be verified for numbers greater than the modulus, so no verification processing is performed on v ', and n _j with a modulus of 2 ^k directly for that value Subtraction is performed and the result is set to v _j (S390).

Finally, the loop variable j is decremented (S391), and the above processing is repeated from the determination whether j is 1 or more again. When j is 0, it is confirmed whether v ₀ is equal to the initial value u ₀ of the distribution history information (S392). If they are equal, it follows that the correct process is followed, and it is determined that there has been no fraud on the way, and this processing is completed (S393). If they are not equal, it is assumed that the verification has failed, and this processing is completed (S394).

In this way, at the time of signature verification, verification processing is performed by shifting the modulus by a larger value in the mapping function, and reverse mapping is performed again, verifying the base in the background, and finally releasing the first base If the initial value u ₀ is obtained by the key verification, it is determined that the correct process has been followed. In addition, when verifying a signature, it is possible to detect the replacement of the public key by inputting the public key of each site in the background as a verification target.

  Next, as a modification of the present embodiment, referring to FIG. 13, the signature creation process of the signature creation unit 22A when a message to be written to the wireless IC tag 1 is input from the external information input unit 25 in each reader / writer. explain.

Referring to FIG. 13, when the message M _i to be written to the wireless IC tag 1 exists in the reader / writer 2-i, the signature creation unit 22A causes T ′ _i = M ₁ || ... || M _i || pk ₁ | |… || pk _i is calculated (S314 ′), and T ′ _i is treated in the same manner as T _i in FIG. 11, so that u ′ _i = φ ⁻¹ (f _i (φ (f _i ((H (T ' _i ) ○ u _i-1 ))))) is derived as a signature. When calculating the signature in this way, by inputting the message to be added together with the public key of each site in the background as a signature target, not only the replacement of the public key but also the alteration of the message to be assigned by each reader / writer Detectable.

FIG. 14 shows the procedure of the signature verification process of the signature verification unit 23A when there is a message to be written to the wireless IC tag 1 in each reader / writer. T ′ _j = M ₁ ||… || M _j || pk ₁ ||… || pk _j is calculated (S334 ′), and T ′ _j is treated in the same manner as T _j in FIG. φ ^-1 (g ₁ (φ (g ₁ (H (T ' ₁ ○ φ ^-1 (g ₂ (φ ((g ₂ (H (T' ₂ ○ ... φ ^-1 (g _i (φ (g _i ( u ' _i ))))) ...)))))))))) =) It is assumed that the signature verification is successful if u ₀ is satisfied. By inputting the message to be given together with the public key as a verification target, it is possible to detect the replacement of the public key and the alteration of the message.

  Next, the effect of this embodiment will be described.

  The first effect is that the distribution process can be confirmed even in an offline environment where communication with the host computer is not possible in the distribution process of products or product packages for general consumers such as factory-produced products and foods. The reason is that the local storage area (RAM unit 12) of the writable wireless IC tag 1 attached to the product has information for managing the distribution process, and confirms the distribution process by referring to it as necessary. Because it can. This can reduce operational costs.

  The second effect is that the number of bases traced during distribution is scalable. The reason is that the distribution history information can be expressed by a constant (signature size) that is irrelevant to the number of bases traced during the distribution history.

  The third effect is that the price of the wireless IC tag 1 can be kept low. The reason is the same as the reason for the second effect, and it is not necessary to mount a large amount of write memory area. This facilitates use in large quantities for distribution purposes.

  The fourth effect is that it is possible to detect counterfeiting and falsification of distribution history information in each stage of the reader / writer and a malicious third party in the distribution history. The reason is that the signature that certifies the distribution process can be verified using the public keys of all the sites in the distribution process. In particular, when using an ID unique to the wireless ID tag stored in the ROM part 11 of the wireless ID tag 1 as the initial value u0, if it can be assumed that the data in the ROM part 11 cannot be tampered with, the RAM Even when the distribution history information of the unit 12 is illegally copied to the RAM unit 12 of another wireless ID tag, it can be detected.

“Third embodiment”
Next, a third embodiment of the present invention will be described in detail with reference to the drawings.

  Referring to FIG. 15, in the distribution history authentication system according to the third exemplary embodiment of the present invention, the wireless IC tag 1 includes a RAM unit 12A instead of the RAM unit 12, and each reader / writer 2-1 to 2-n Is provided with the distribution background authentication system according to the first embodiment of FIG. 1 in that it has a signature generation unit 22B and a signature verification unit 23B instead of the signature generation unit 22 and the signature verification unit 23, and other points. Is the same as in the first embodiment.

The RAM unit 12B in the wireless IC tag 1 has a finite memory size that can be written, and a set of distribution history information u _i and auxiliary information v _i (u _i , v _i) that can be expressed by a capacity s ′ that fits in the memory size ).

Distribution history information u _i is the same as the distribution history information u _i in the first embodiment, indicating that it has history bases from first to i-th. The initial value of the distribution history information u _i is u ₀ indicating that no history has occurred, and u ₀ is a predetermined value, for example, 0, or the wireless IC stored in the ROM unit 11 of the wireless IC tag 1 Tag-specific ID value is set.

The auxiliary information v _i is information generated by applying a predetermined hash function to the distribution history information u _i-1 representing the history from the first to the (i-1) th base. The initial value of the auxiliary information v _{i is the same as} the initial value of the distribution history information u _i and is a predetermined value, for example, 0 or an ID value unique to the wireless IC tag stored in the ROM unit 11 of the wireless IC tag 1 . By attaching such auxiliary information v _i to the distribution history information u _i , it becomes possible to easily verify the distribution history information u _i as will be described later.

The signature creation unit 22B is obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer, the distribution history information u _i-1 and auxiliary information v held in the RAM unit 12 of the wireless IC tag 1. _For the distribution history information u _{i-1 in} the set of _i-1 , signature creation processing is performed using the private key d _{i of the} reader / writer managed by the key management unit 21 and the RSA modulus n _i. To create new distribution history information u _i and at the same time, create new auxiliary information v _i from distribution history information u _i−1 , and set the created u _i and v _i as new distribution history information u _i As a set of auxiliary information v _i , distribution history information u _i-1 and auxiliary information v _i− held in the RAM unit 12B of the wireless IC tag 1 via the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer. Replace ₁ pair.

The signature verification unit 23B verifies the distribution history information u _i-1 held in the RAM unit 12 of the wireless IC tag 1 obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer. It is. The signature verification unit 23 in the first embodiment uses the public keys pk _i−1 ,..., Pk ₁ of each reader / writer to the distribution history information u _i−1 to reach the base of the reader / writer. If we were able to verify the process in reverse order and go back to the point where u ₀ was finally obtained, we determined that all the readers / writers up to the base of the reader / writer had been correctly processed. The signature verification unit 23B according to the present embodiment performs simple verification using the auxiliary information v _i−1 . In other words, the distribution history information u _i-1 is verified using the public key pk _i-1 to verify whether the reader / writer signed immediately before its own reader / writer has signed correctly, and the hash value of the verification result Is equal to the auxiliary information v _i−1 , it is determined that the information has been correctly obtained from the previous reader / writer.

  Next, the operation of the present embodiment when a product to which the wireless IC tag 1 is attached passes through the reader / writer 2-i will be described with reference to the sequence diagram of FIG.

First, the reader / writer 2-i distributes the wireless IC tag 1 stored in the RAM section 12 of the wireless IC tag 1 to the wireless IC tag 1 when a product with the wireless IC tag 1 is routed. IDs unique to wireless IC tags are used as initial values u ₀ , v ₀ of sets of history information u _i-1 and auxiliary information v _i-1 and distribution history information u _i-1 and auxiliary information v _i-1 If so, the ID of the ROM unit 11 is requested (S111). In response to this request, the wireless IC tag 1 is a set of distribution history information u _i-1 and auxiliary information v _i-1 stored in the RAM unit 12, and stored in the ROM unit 11 when requested. The transmitted ID is transmitted to the reader / writer 2-i via the transmitter / receiver 13 (S211).

The reader / writer 2-i that has received the set of the distribution history information u _i-1 and the auxiliary information v _i-1 (S112) uses the signature verification unit 23B to correctly sign the reader / writer signed immediately before its own reader / writer. It is verified by using the public key pk _i-1 of the reader / writer 2- (i-1) held in the key management unit 21. (S113). That is, it is checked whether or not the hash value as a result of verifying the distribution history information u _i-1 using the public key pk _i-1 is equal to the auxiliary information v _i-1 . Here, if v ₀ is obtained, it is judged that the previous reader / writer 2- (i−1) has correctly gone through, and if v ₀ cannot be obtained, it is detected that there has been a fraud. (S116).

If the verification is successful, the reader / writer 2-i can certify that the correct history has been obtained by the signature verification unit 23 in order to prove that the site where the reader / writer is located correctly has been authenticated. _For signature _i-1 , the signature creation unit 22B generates a signature u _i using the private key sk _i of the reader / writer held in the key management unit 21, and assists with distribution history information u _i-1 Information v _i is generated (S114), and the set of the generated signature value u _i and auxiliary information v _i is overwritten on the past u _i-1 and v _i-1 as a set of new distribution history information and auxiliary information. Then, it is transmitted to the wireless IC tag 1 by the transmission / reception unit 24 (S115). The wireless IC tag 1, upon receiving a set of u _i and v _i by transceiver unit 13 (S212), stored in the RAM unit 12 by a set of the received u _i and v _i u _i-1 and v _i- The set of ₁ is overwritten (S213).

The same operation as described above is also performed when a product to which the wireless IC tag 1 is added is delivered to the next base. Relative distribution history information u _n product of the wireless IC tag 1 by the reader-writer 2-n is correctly Background to bases arranged, if verify the signature using the public key pk _n interrogator 2-n, the auxiliary Information v ₀ is obtained. As a result, it is possible to know that the reader / writer at the previous base has been correctly processed.

  Next, details of the signature creation unit 22B will be described.

Signature generation processing in step S114 by the signature generating unit 22B, a public key pk ₁ interrogator 2-1~2- (i-1), ... , pk i-1 are all different, and e _i is, n _i Greater than and ((p _i -1) (q _i -1)) and relatively prime, and after calculating T _i = pk ₁ ||… || pk _i , u = a || If s (a is k bits long), then (a <n _i )? E _i (u) =
((a ^ {d _i } mod n _i , s || 0): ((an _i ) ^ {d _i }
mod n _i, s || 1) using a defined function to be in FIG. 4 E _i (u) and, with respect to the distribution history information u _i-1 having the wireless IC tag _{1, E i (H (T} i ) ○ u _i-1 ) is derived as a new signature u _i , and at the same time, new auxiliary information v _i = h (u _i-1 ) is calculated. Here, h is a predetermined hash function. The difference from the signature creation unit 22 of the first embodiment is that new auxiliary information v _i = h (u _i-1 ) is calculated. The detailed procedure of the signature creation process is shown in steps S444 to S449 in FIG. Hereinafter, the signature creation processing in the present embodiment together with the preceding and following processing will be described in detail with reference to FIG.

Referring to FIG. 17, the reader / writer 2-i reads the set of distribution route information u _i-1 and auxiliary information v _i-1 stored in the RFID RAM unit 12 (S441) and owns it. After verifying the validity of the key (S442), the signature verification unit 23B verifies whether u _i-1 is valid (S443).

After that, the signature creation unit 22B calculates Ti = pk ₁ || ... || pk _i from the public key of the current site and the public key of the upstream site (S444), and then E _i (H (T _i ) ○ u _i-1 ) and h (u _i-1 ) are derived as distribution history information u _i and auxiliary information v _i in the reader / writer 2-i (S445 to S449). Specifically, first, w = H (T _i ) ○ u _i-1 is calculated (S445), the first security parameter k bits of w is a, the rest is s (S446), and a is the RSA modulus n _i when less than calculates the signature value with the secret key d _i with respect to (YES in S447), a (S448). At this time, 1-bit information 0 is added to s as control information, and it is set as distribution history information u _i together with the signature value. At this time, a hash of u _i-1 is calculated and used as auxiliary information v _i . Also, when a is greater than RSA modulus n _i (NO in S447), RSA signature cannot be calculated for numbers greater than modulus n _i, so the signature value is calculated for a value obtained by subtracting a from n _i Calculate (S449). At this time, 1-bit information 1 is added to s as control information, and it is used as distribution history information u _i together with the signature value. At this time, a hash of u _i-1 is calculated and used as auxiliary information v _i . The pair of u _i and v _i calculated in this way is replaced with u _i−1 and v _i−1 stored in the RFID RAM unit 12 (S450).

As described above, in the signature generation process according to the present embodiment, the signature value u _i is derived in the same manner as in the first embodiment. At this time, the hash value v _i of the signature value u _i-1 to be signed is used. Is redundantly calculated and written back to the RAM unit 12 in combination with the signature value u _i as auxiliary information v _i . In the present embodiment, the size to be written back becomes larger by the output value v _{i of the} hash function than in the first embodiment.

  Next, details of the signature verification unit 23B will be described.

The signature verification processing in step S113 by the signature verification unit 23B is performed by the reader / writer 2-i with T _i = pk ₁ || ... || pk _i , u = a || s || b (a is k bit length, b (B = 0)? D _i (u) =
((a ^ {e _i } mod n _i , s): Using the function D _i (u) shown in Fig. 4 defined as ((a ^ {e _i } mod n _i ) + n _i , s) , H (H (T _i-1 ) ○ D _i-1 (u _i-1 )) = v _i-1 is satisfied, it is judged that the signature has been successfully verified. Shown in 18.

Referring to FIG. 18, the reader / writer 2-i first reads a set of the distribution route information u _i-1 and auxiliary information v _i-1 stored in the RFID RAM unit 12 (S461). After calculating T _i = pk ₁ ||… || pk _i-1 from the public key of the base located upstream of the base equipped with the reader / writer 2-i (S462), the first k of u _i-1 The bit is stored in a, the last 1 bit is stored in b, and the remaining bits are stored in s (S463) .If b is 0 (YES in S464), a is the public key of reader / writer 2- (i-1) Then, the exclusive OR of H (T _i-1 ) and s added to the end of the verification result is calculated and stored as w _i-1 (S465). If b is 1 (NO in S464), a is verified with the public key of reader / writer 2- (i-1), modulus n _i is added to the verification result, s is added to the end, and H ( The exclusive OR of T _i-1 ) is calculated and stored as w _i-1 (S466).

Thereafter, it is confirmed whether or not the hash value of the w _i-1 hash function h is equal to the auxiliary information v _i-1 (S467). If equal, it is assumed that the verification of the correct process has been successful, and this processing is completed (S468). If they are not equal, it is assumed that the verification has failed, and this processing is completed (S469).

  In this way, if it can be assumed that the previous signature device in the course of distribution can be trusted, the verification process can be speeded up. The reason is that, unlike the first embodiment, the calculation process using the public key at the time of signature verification can be performed only once.

  Next, as a modification of the present embodiment, a signature creation process of the signature creation unit 22B when a message to be written to the wireless IC tag 1 is input from the external information input unit 25 in each reader / writer will be described with reference to FIG. explain.

Referring to FIG. 19, when there is a message M _i to be written to the wireless IC tag 1 in the reader / writer 2-i, the signature creation unit 22 performs T ′ _i = M ₁ ||… || M _i || pk ₁ | | ... calculate the || pk _i (S444 '), the following, T' by treating _i as with T _i in Fig. 17, E _i
(H (T ′ _i ) ○ u _i-1 ) is derived as new distribution history information u _i , and h (u _i-1 ) is derived as auxiliary information v _i . When calculating the signature in this way, by inputting the message to be added together with the public key of each site in the background as a signature target, not only the replacement of the public key but also the alteration of the message to be assigned by each reader / writer It can be detected.

FIG. 20 shows the procedure of signature verification processing of the signature verification unit 23B when there is a message to be written to the wireless IC tag 1 in each reader / writer. _{T 'i = M 1 || ...} || M i-1 || pk 1 || ... calculate the _{|| pk i-1 (S462'} ), hereinafter, the T _'i as with T _i in FIG. 18 E _i by handling
(H (T ′ _i ) ○ u _i-1 ) is derived as new distribution history information u _i , and h (u _i-1 ) is derived as auxiliary information v _i . When verifying a signature in this way, by inputting the message to be given as a verification target together with the public key of each site in the history, it is possible to detect the replacement of the public key and the alteration of the message.

  Next, the effect of this embodiment will be described.

  The first effect is that the distribution process can be confirmed even in an offline environment where communication with the host computer is not possible in the distribution process of products or product packages for general consumers such as factory-produced products and foods. The reason is that the local storage area (RAM unit 12B) of the write-type wireless IC tag 1 attached to the product has information for managing the distribution process, and confirms the distribution process by referring to it as necessary. Because it can. This can reduce operational costs.

  The second effect is that the number of bases traced during distribution is scalable. The reason is that (signature size + (number of sites) × 1 bit + (auxiliary information size) can express information used for authentication of the distribution process.

  The third effect is that the price of the wireless IC tag 1 can be kept low. The reason is the same as the reason for the second effect, and it is not necessary to mount a large amount of write memory area. This facilitates use in large quantities for distribution purposes.

  The fourth effect is that if it is possible to assume that the previous base is a trustworthy base, forgery and falsification of the distribution background information at each stage of the distribution process or a malicious third party The signature verification process required for detecting the image can be speeded up. The reason is that the signature verification process can be performed at most once using auxiliary information.

"Fourth embodiment"
Next, a fourth embodiment of the present invention will be described in detail with reference to the drawings.

  Referring to FIG. 21, in the distribution history authentication system according to the fourth exemplary embodiment of the present invention, each reader / writer 2-1 to 2-n replaces the signature creation unit 22B and the signature verification unit 23B with a signature creation unit 22C. 15 is different from the distribution history authentication system according to the third exemplary embodiment in FIG. 15 in that a signature verification unit 23C is provided, and the other points are the same as those in the third exemplary embodiment.

The signature creation unit 22C is obtained through the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer, the distribution history information u _i-1 and auxiliary information v held in the RAM unit 12 of the wireless IC tag 1. _For the distribution history information u _{i-1 in} the set of _i-1 , signature creation processing is performed using the private key d _{i of the} reader / writer managed by the key management unit 21 and the RSA modulus n _i. To create new distribution history information u _i and at the same time, create new auxiliary information v _i from distribution history information u _i−1 , and set the created u _i and v _i as new distribution history information u _i As a set of auxiliary information v _i , distribution history information u _i-1 and auxiliary information v _i− held in the RAM unit 12B of the wireless IC tag 1 via the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer. Replace ₁ pair. However, in the case of the present embodiment, the sizes of the distribution history information u _i and u _i-1 before and after replacement are not changed.

The signature verification unit 23C verifies, using the public key pk _i-1 , whether or not the reader / writer signed immediately before its own reader / writer has signed the distribution history information u _i-1 correctly. If the hash value of the verification result is equal to the auxiliary information v _i−1 , it is determined that the background has been correctly obtained from the previous reader / writer.

  The operation when the product to which the wireless IC tag 1 is attached passes through the reader / writer 2-i is basically performed according to the sequence of FIG. 16, as in the third embodiment. However, the contents of the signature verification process in step S113 and the signature creation process in step S114 are different from those in the third embodiment.

  Next, details of the signature creation unit 22C will be described.

Signature generation processing in step S114 by the signature creating unit 22C is the public key pk ₁ interrogator 2-1~2- (i-1), ... , pk i-1 are all different, and e _i is, n _i Is larger than ((p _i -1) (q _i -1)) and is relatively prime, and after calculating T _i = pk ₁ ||… || pk _i , (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: F (u) = (u) as a mapping in the function f _i (u) in FIG. 10 defined as f _i (u) = u and security parameter k bits (where n _i <2 ^k ) long natural number space + n _i ) mod2 ^{k Using} the function φ (u) in FIG. 10, the distribution history information u _{i-1 of} the wireless IC tag 1 is expressed as φ ⁻¹ (f _i (φ (f _{i ((H (T i) ○} u i-1))))) was derived as a new distribution history information u _i, also with respect to the distribution history information u _i-1 having the wireless IC tag 1, h (u _i-1 ) is derived as new auxiliary information v _i . Thereafter, the newly derived set of distribution history information u _i and auxiliary information v _i is stored in the RAM unit 12 of the wireless IC tag 1 via the wireless IC tag 1 and the transmission / reception units 13 and 24 of the reader / writer. It is replaced with a set of history information u _i-1 and auxiliary information v _i-1 . The detailed procedure of the signature creation process is shown in steps S494 to S501 in FIG.

  Hereinafter, the signature creation processing by the signature creation unit 22C will be described in detail with reference to FIG.

Referring to FIG. 22, the reader / writer 2-i reads the set of distribution route information u _i-1 and auxiliary information v _i-1 stored in the RFID RAM unit 12 (S491) and owns it. After verifying the validity of the key (S492), the signature verification unit 23C verifies whether u _i-1 is valid (S492).

After that, the signature creation unit 22C calculates T _i = pk ₁ ||… || pk _i from the public key of the current base and the base public key located upstream (S494), and then w: = H as the signature target (T _i ) ○ u _i-1 is calculated (S495), and when w is smaller than the RSA modulus n _i (YES in S496), the value obtained by calculating the signature of w with the private key d _i is set to 2 ^k N _i is added as a modulus, and the result is set as w ′ (S497). If larger (NO in S496), RSA signature cannot be calculated for numbers greater than the modulus, so no signature calculation is performed on w, and n _i is directly added to the value with a modulus of 2 ^k. And set the result to w ′ (S498).

Next, when w ′ is smaller than the RSA modulus n _i (YES in S499), subtract n _i with a modulus of 2 ^k from the value obtained by calculating the signature of w ′ with the secret key d _i , and the value Is the distribution history information u _i in the reader / writer 2-i (S500). At this time, the hash function h is applied to the distribution route information u _i−1 , and h (u _i−1 ) is set as auxiliary information vi in the reader / writer 2-i. If it is larger (NO in S499), the RSA signature cannot be calculated for numbers greater than the modulus, so the signature calculation is not performed for w ', and the subtraction of n _i with 2 ^k as the modulus directly is performed from that value. The value is set as distribution history information u _i in the reader / writer i (S501). At this time, as in step S500, h (u _i-1 ) is set as auxiliary information v _i in the reader / writer 2-i. U _i and v _i calculated in this way are replaced with u _i−1 and v _i−1 stored in the RAM portion 12 of the RFID (S502).

As described above, the reader / writer 2-i basically signs the distribution path information u _i-1 already written in the wireless ID tag 1 with the private key d _i of the reader / writer. Unlike the third embodiment, instead of putting the control bits, in calculating the signature number greater than the modulus n _i, after applying a function to be mapped to the larger only the modulus n _i, and the signature calculation After that, the inverse mapping is applied to the smaller one by the modulus n _i . Similarly to the third embodiment, when the signature is calculated, the public key of each site on the background is input as the signature target, thereby preventing the replacement of the public key, and the distribution history information u _i. The hash value v _i of the distribution history information u _i-1 to be signed is extra calculated when the derivation is performed, and is written back to the RAM unit 12 as a pair with the distribution history information u _i as auxiliary information v _i .

  Next, the signature verification unit 23C will be described in detail.

In the signature verification process in step S113 by the signature verification unit 23C, the reader / writer 2-i calculates T _i-1 = pk ₁ || ... || _i k _{i -1} and (u <n _i )? G _i ( u) = u ^ {e _i }
mod n _i : Using the function g _i (u) of FIG. 10 defined as g _i (u) = u and the above mapping φ (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) = v _i-1 is satisfied, the signature is successfully verified. A detailed procedure of the signature verification process is shown in FIG.

Referring to FIG. 23, first, the reader / writer i reads a set of the distribution route information u _i and auxiliary information v _i stored in the RFID RAM unit 12 (S511). Next, after calculating T _i-1 = pk ₁ || ... || pk _i-1 from the public key of each base located upstream of the base provided with the reader / writer 2-i (S512), the verification target W: = H (T _i-1 ) ○ u _i-1 is calculated (S513), and when w is smaller than the RSA modulus n _i-1 (YES in S514), w with the public key ei-1 as it is signing the value of verification of, performs addition of the n _i-1 of the 2 ^k and modulus result be w '(S515).

On the other hand, when it is greater (NO in S514), because for the modulus greater number not verify the RSA signature, without verifying processing on w, n _i to modulus directly 2 ^k for that value _-1 is added and the result is set as w '(S516). Next, when w ′ is smaller than the RSA modulus n _i (YES in S517), subtraction of n _i−1 with a modulus of 2 ^k is performed from the value obtained by verifying the signature of w ′ with the public key e _i−1. The value is set to w ″ (S518). If it is larger (NO in S517), the RSA signature cannot be verified for a number greater than the modulus, so the value is not verified for w ′. N _i-1 is subtracted directly with a modulus of 2 ^k , and the result is w ″ (S519).

Then, it is confirmed whether or not the hash value of W ″ is equal to the distribution history information v _i−1 (S520). If it is equal, it is assumed that the correct history has been successfully verified, and this processing is completed (S521). If they are not equal, it is assumed that the verification has failed, and this processing is completed (S522).

In this way, at the time of signature verification, the verification function is shifted to the larger modulus by the mapping function, the reverse mapping process is performed again, and the auxiliary information v _{i- is} verified by verification with the public key of the previous base in the process. _{If 1} is obtained, it is determined that the correct process has been followed, and the computation process using the public key at the time of signature verification can be performed only once, so the verification process can be speeded up. In addition, when verifying a signature, it is possible to detect the replacement of the public key by inputting the public key of each site in the background as a verification target.

  Next, as a modification of the present embodiment, referring to FIG. 24, the signature creation process of the signature creation unit 22C when a message to be written to the wireless IC tag 1 is input from the external information input unit 25 in each reader / writer. explain.

Referring to FIG. 24, when there is a message M _i to be written to the wireless IC tag 1 in the reader / writer 2-i, the signature creation unit 22C performs T ′ _i = M ₁ || ... || M _i || pk ₁ | |… || pk _i is calculated (S494 ′), and T ′ _i is treated in the same manner as T _i in FIG. 22 to obtain φ ⁻¹ (f _i (φ (f _i ((H (T ′ _i ) ○ u _i-1 ))))) is derived as new distribution history information u _i , and h (u _i-1 ) is newly added to distribution history information u _i-1 possessed by the wireless IC tag 1. Is derived as the auxiliary information v _i . When calculating the signature in this way, by inputting the message to be added together with the public key of each site in the background as a signature target, not only the replacement of the public key but also the alteration of the message to be assigned by each reader / writer Detectable.

FIG. 25 shows the procedure of signature verification processing of the signature verification unit 23C when there is a message to be written to the wireless IC tag 1 in each reader / writer. T ′ _i-1 = M ₁ ||… || M _i-1 || pk ₁ ||… || pk _i-1 is calculated (S512 ′), and T ′ _i-1 is expressed as T in FIG. By treating like _i-1 , h (H (T ' _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))))) = v _{i- If 1} is established, the signature is successfully verified. When verifying a signature in this way, by inputting the message to be given as a verification target together with the public key of each site in the history, it is possible to detect the replacement of the public key and the alteration of the message.

  Next, the effect of this embodiment will be described.

  The first effect is that the distribution process can be confirmed even in an offline environment where communication with the host computer is not possible in the distribution process of products or product packages for general consumers such as factory-produced products and foods. The reason is that the local storage area (RAM unit 12B) of the write-type wireless IC tag 1 attached to the product has information for managing the distribution process, and confirms the distribution process by referring to it as necessary. Because it can. This can reduce operational costs.

  The second effect is that the number of bases traced during distribution is scalable. The reason is that the information used for authentication of the distribution process can be expressed by a constant (signature size) + auxiliary information size irrelevant to the number of bases traced during the distribution process.

  The third effect is that the price of the wireless IC tag 1 can be kept low. The reason is the same as the reason for the second effect, and it is not necessary to mount a large amount of write memory area. This facilitates use in large quantities for distribution purposes.

  The fourth effect is that if it is possible to assume that the previous base is a trustworthy base, forgery and falsification of the distribution background information at each stage of the distribution process or a malicious third party The signature verification process required for detecting the image can be speeded up. The reason is that the signature verification process can be performed at most once using auxiliary information.

"Other embodiments"
While the present invention has been described with reference to some embodiments, the present invention is not limited to the above embodiments, and various other additions and modifications can be made. For example, the reader / writer in each of the above embodiments verified the signature object before signing, but the verification may be omitted, and in that case, the signature verification unit can be omitted. . In addition, a reader / writer that simply verifies whether a product with a wireless IC tag is routed through a correct route and does not perform a new signature is also conceivable. In that case, the signature creation unit can be omitted. Furthermore, the reader / writer can be realized by a computer and a program as well as by realizing the functions of the reader / writer as hardware. The program is provided by being recorded on a computer-readable recording medium such as a magnetic disk or a semiconductor memory, and is read by the computer at the time of starting up the computer, etc. The reader / writer functions as a signature creation unit, a signature verification unit, and a transmission / reception unit.

  Next, the application field of the present invention will be described.

  Consider distributors in economic activities. In other words, it is a company related to product sorting, processing, transportation, storage, sales, etc. that exists between producers of agricultural, forestry and fishery products or industrial products and consumers who purchase and consume / use the products. Here, a frozen food such as frozen tuna is assumed as a distribution product, and a refrigeration container trader, a truck trader, a warehouse trader equipped with a freezer, a processor, and a seller are considered as a trader. These distribution products go through the distributors in order according to the contract until the goods are delivered from the producers to the consumers. At this time, according to the present invention, it is possible to confirm whether or not the producers and individual distributors have passed through distributors who have a contractual relationship with them. At this time, there is no need for a common host computer among distributors, and each distributor does not need an infrastructure for communicating with the host computers. Also, the writable memory capacity to be mounted on the writable wireless IC tag is even enough memory capacity to record at most one signature of several hundred bytes to 1K bytes held by the existing writable wireless IC tag. If so, it is sufficient to store the distribution history information, and it is possible to manage the history information without using a high-cost wireless IC tag with a specially large writing capacity. In actual operation, it is necessary to cope with falsification and forgery of information, but with this method, falsification and forgery of written data can also be detected, and tamper resistance is prevented in order to prevent tampering. There is no need to prepare the memory. In addition, since all operations for assigning and verifying signatures are performed on the reader / writer side, no special arithmetic unit is required on the wireless IC tag side. As described above, authentication of distribution history can be realized at low cost.

  In addition, if information such as shock and temperature during distribution can be obtained by some means during distribution, it may be possible to manage the distribution by writing them in a wireless IC tag as a message. When adding the distribution history information, calculating the signature taking these message information into account, it is possible to simultaneously detect tampering of this information and to grasp the background, so trouble such as finding defective products can be detected. At the same time, it becomes easier to estimate the cause from the content of the defect and the recorded information of the wireless IC tag, leading to an early solution of the trouble.

  We also consider parts repair for industrial products such as personal computers and cars, and recycling of books and CDs. For example, in the case of parts repair of the former industrial product, a shop or a factory that specializes in repairing this product can be considered as a repairer. At this time, if repair is always performed at the same store, the repair history can be managed by sequentially recording the repair status with the host computer of the store, and the situation becomes clear. However, it may not always be brought into the same store depending on the location / content to be repaired and the convenience of the user of the product. In general, it is difficult to think of a situation where the host servers are commonly operated in different stores, and in this case, the user needs to manage the repair situation himself. Conventionally, a maintenance notebook is considered to exist for cars and the like, and if it was possible to manage the repair history, it was troublesome to manage the maintenance notebook itself. Also, in the case of small parts such as maintenance notebooks that do not have documents, the user has to prepare and manage a replacement for them. By managing this with the wireless IC tag attached to each product, it becomes possible to manage the repair status of each product and further the parts that constitute them, without the user having to do it consciously. Similarly, when recycling books and CDs, it is possible to know how much secondary distribution has been performed by managing the sales history at second-hand stores and the like, which can be utilized for the sale of merchandise. At this time, the present invention can also detect falsification or forgery of information that can be considered for managing data on the user side. In addition, it is not necessary to install a high-cost memory in the wireless IC tag attached to the product, so the operating cost can be reduced. At this time, there is a high possibility that the public key of each store or factory is not shared in advance with each other, but this can be obtained from the public key management station (CA) as necessary. In general, public key management stations are commonly operated in the PKI framework.

  Also, you may not know how the product has been distributed. At this time, all the distribution processes that can be considered with the public key possessed are verified, and if there is a process that passes the verification, it may be considered that the process has been followed. Of course, information for knowing the background may be written in the wireless IC tag in advance and verified in that order. At this time, the production number (ID) of each reader / writer can be used as information for knowing the background. By having a mechanism for deriving public keys corresponding to these IDs, verification of history information may be made more efficient.

Claims (57)

  A reader / writer having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to a product or its package and a signature creation unit for creating a signature is provided at each site on the distribution channel of the product, and the first site The reader / writer in the product communicates with the product distributed at its base or the wireless IC tag attached to its package, and distributes the signature text signed with the private key of its base to the initial value or the value derived from it. The information is written in the readable / writable memory of the wireless IC tag as background information, and the reader / writer provided at the base other than the first base station communicates with the wireless IC tag attached to the product distributed to the base or the package. , A new signature text signed with the private key of the local site for the distribution history information written in the readable / writable memory of the wireless IC tag or information derived therefrom Distribution history authentication system characterized in that it is derived as simple distribution history information and replaces the original distribution history information written in a readable / writable memory of the wireless IC tag.   2. The distribution history authentication system according to claim 1, wherein an identification number unique to the wireless IC tag stored in a read-only memory of the wireless IC tag is used as the initial value.   The reader / writer provided in at least one site other than the first site is responsible for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to the site or the package. Using the public key of each base upstream from the base in order from the public key of the base closest to the base, the verification can be repeated, and finally the initial value can be obtained. 2. The distribution history authentication system according to claim 1, further comprising a signature verification unit that determines that the history has been correctly reached to the local site.   A reader / writer having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to a product or its package and a signature creation unit for creating a signature is provided at each site on the distribution channel of the product, and the first site The reader / writer in the product communicates with the product distributed at its base or the wireless IC tag attached to its package, and distributes the signature text signed with the private key of its base to the initial value or the value derived from it. The background information, the initial value or the value derived therefrom is written as auxiliary information in a readable / writable memory of the wireless IC tag, and the reader / writer provided at the base other than the first base is the product distributed to the base or its Communicating with the wireless IC tag attached to the package, the distribution history information written in the readable / writable memory of the wireless IC tag or information derived from it A wireless IC tag readable / writable memory that derives the signature text signed with the private key of the local site as new distribution history information, the original distribution history information that has been written, or information derived therefrom as auxiliary information A distribution history authentication system, which replaces the original distribution history information and auxiliary information written in.   The reader / writer provided in at least one site other than the first site is responsible for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to the site or the package. The product can be verified by using the public key of the base one upstream from the base, and the same auxiliary information as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived in the verification result. 5. The distribution history authentication system according to claim 4, further comprising a signature verification unit that determines that the history has been correctly obtained from the previous base. Signature creation part of the reader-writer of history order is provided in the i-th base, the private key d _i of the site itself, the product of the RSA modulus has been distribution n _i, the initial value u ₀ or value or own base it from the derived or Distribution history information u _i-1 written in the readable / writable memory of the wireless IC tag attached to the package or information derived therefrom ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. 2. The distribution history authentication system according to claim 1, wherein The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 7. The distribution history authentication system according to claim 6, wherein the distribution history authentication system is a value H (T _i ) ○ u obtained by exclusive OR with the bit string u of the distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i that concatenates the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 7. The distribution history authentication system according to claim 6, wherein the distribution history authentication system is a value H (T _i ) ○ u obtained by exclusive OR with a bit string u of distribution history information. The reader / writer at the i-th base in the order of history is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g1 (H (T ₁ ○ φ ^-1 (g ₂ (φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...))))))))) ) = by u ₀ is established, distribution history authentication system according to claim 7 or 8, wherein the having the signature verification unit determines that the product has been correctly history to own base. Signature creation part of the reader-writer of history order is provided in the i-th base, the private key d _i of the site itself, the product of the RSA modulus has been distribution n _i, the initial value u ₀ or value or own base it from the derived or Distribution history information u _i-1 written in the readable / writable memory of the wireless IC tag attached to the package or information derived therefrom ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution 5. The distribution history authentication system according to claim 4, wherein the history information u _i-1 or its hash value h (u _i-1 ) is derived as new auxiliary information v _i , respectively. The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 11. The distribution history authentication system according to claim 10, wherein the distribution history authentication system is a value H (T _i ) ○ u obtained by exclusive OR with the bit sequence u of the distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 11. The distribution history authentication system according to claim 10, wherein the distribution history authentication system is a value H (T _i ) ○ u obtained by exclusive OR with a bit string u of distribution history information. The reader / writer at the i-th base in the order of history is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. 12. The distribution history authentication system according to claim 11, further comprising a section.   A reader / writer having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to a product or its package and a signature creation unit for creating a signature is provided at each site on the distribution channel of the product, and the first site Reader / writer communicates with the wireless IC tag attached to the product or its package distributed at its own site, and distributes the signature text signed with its own private key to the initial value or the value derived from it The background information is written in the readable / writable memory of the wireless IC tag, and the reader / writer in the base other than the first base station communicates with the wireless IC tag attached to the product distributed to the base or its package, and the wireless Distribution history information written in the IC tag's readable / writable memory or information derived from it is signed with the private key of the local site. A distribution history authentication method which is derived as information and replaces the original distribution history information written in a readable / writable memory of the wireless IC tag.   15. The distribution history authentication method according to claim 14, wherein an identification number unique to the wireless IC tag stored in a read-only memory of the wireless IC tag is used as the initial value.   The signature verification unit of the reader / writer in at least one base other than the first base is in the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to the base or its package. On the other hand, verification can be repeated by using the public key of each base upstream from the local base in order from the public key of the base closest to the local base, and finally the initial value can be obtained. 15. The distribution history authentication method according to claim 14, further comprising the step of determining that the product has been correctly developed up to its own base.   A reader / writer having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to a product or its package and a signature creation unit for creating a signature is provided at each site on the distribution channel of the product, and the first site Reader / writer communicates with the wireless IC tag attached to the product or its package distributed at its own site, and distributes the signature text signed with its own private key to the initial value or the value derived from it The history information, the initial value, or the value derived from it is written as auxiliary information in the readable / writable memory of the wireless IC tag, and the reader / writer provided at the base other than the first base is attached to the product distributed to the base or its package. Communicating with a wireless IC tag that has been sent and the distribution history information written in the readable / writable memory of the wireless IC tag or information derived therefrom The signature text signed with the private key of the local site is derived as new distribution history information, the original distribution history information that has been written, or the information derived therefrom as auxiliary information, and is written in the readable / writable memory of the wireless IC tag. A distribution history authentication method characterized by replacing original distribution history information and auxiliary information.   The signature verification unit of the reader / writer in at least one base other than the first base is in the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to the base or its package. On the other hand, by verifying using the public key of the site one upstream from the own site, the same auxiliary information as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived in the verification result, 18. The distribution history authentication method according to claim 17, further comprising the step of determining that the product has been correctly developed from a previous base. Signature creation part of the reader-writer of history order is provided in the i-th bases, private key d _i of the site itself, the product of the RSA modulus has been distribution n _i, the initial value u ₀ or value or own base it from the derived or Distribution history information u _i-1 written in the readable / writable memory of the wireless IC tag attached to the package or information derived therefrom ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. 15. The distribution history authentication method according to claim 14, characterized in that: The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 20. The distribution history authentication method according to claim 19, wherein the distribution history authentication method is a value H (T _i ) ○ u obtained by exclusive OR with the bit sequence u of the distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i that concatenates the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 20. The distribution history authentication method according to claim 19, wherein the distribution history authentication method is a value H (T _i ) uu obtained by exclusive OR with the bit sequence u of the distribution history information. The signature verification part of the reader / writer at the i-th base in the order of history is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When the function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ ( φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...)))))))) 21. The distribution history authentication method according to claim 20, further comprising the step of determining that the product has been correctly processed up to its own site when)) = u ₀ is established. Signature creation part of the reader-writer of history order is provided in the i-th bases, private key d _i of the site itself, the product of the RSA modulus has been distribution n _i, the initial value u ₀ or value or own base it from the derived or Distribution history information u _i-1 written in the readable / writable memory of the wireless IC tag attached to the package or information derived therefrom ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution 18. The distribution history authentication method according to claim 17, wherein the history information u _i-1 or its hash value h (u _i-1 ) is derived as new auxiliary information v _i , respectively. The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 24. The distribution history authentication method according to claim 23, wherein the distribution history authentication method is a value H (T _i ) ○ u obtained by exclusive OR with the bit sequence u of the distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i that concatenates the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 24. The distribution history authentication method according to claim 23, wherein the distribution history authentication method is a value H (T _i ) ○ u obtained by exclusive OR with the bit sequence u of the distribution history information. The signature verification part of the reader / writer at the i-th base in the order of history is (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. 25. The distribution history authentication method according to claim 24, further comprising: a section.   A reader / writer provided at a base on a distribution path of the product, having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to the product or its package and a signature creation unit for creating a signature; Communicating with the wireless IC tag attached to the product or its package that has been distributed to its own base, the local base for the distribution history information written in the readable / writable memory of the wireless IC tag or the information derived therefrom A reader / writer characterized in that a signature sentence signed with a private key is derived as new distribution history information and replaced with the original distribution history information written in a readable / writable memory of the wireless IC tag.   For the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product or its package distributed to your site, the public key of each site upstream from your site is the closest to your site The verification is repeated using the public key in order, and finally a predetermined initial value or an identification number unique to the wireless IC tag stored in the read-only memory of the wireless IC tag is obtained. 28. The reader / writer according to claim 27, further comprising: a signature verification unit that determines that the product has been correctly processed up to its own base by being able to verify the process retroactively.   A reader / writer provided at a base on a distribution path of the product, having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to the product or its package and a signature creation unit for creating a signature; Communicating with the wireless IC tag attached to the product or its package that has been distributed to its own base, the local base for the distribution history information written in the readable / writable memory of the wireless IC tag or the information derived therefrom The signature sentence signed with the private key of the original is derived from the new distribution history information, the original distribution history information that was written, or the information derived from it as auxiliary information, and the original that was written in the read / write memory of the wireless IC tag A reader / writer characterized in that it replaces the distribution history information and auxiliary information.   Verify the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product or the package distributed to your site using the public key of the site one upstream from your site. In the verification result, it is possible to derive the auxiliary information that is the same as the auxiliary information written in the readable / writable memory of the wireless IC tag, so that the signature verification that the product has been correctly processed from the previous base is determined. 30. The reader / writer according to claim 29, further comprising a section. The signature creation section, the private key of the own base d _i, the RSA modulus n _i, read and write the initial value u ₀ or products or wireless IC tag attached to the package has been distributed to the value or own base derived therefrom Distribution history information u _i-1 written in a possible memory or information derived from ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. 28. The reader / writer according to claim 27, wherein: The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 32. The reader / writer according to claim 31, wherein the reader / writer is a value H (T _i ) ○ u obtained by exclusive OR with a bit string u of distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i that concatenates the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 32. The reader / writer according to claim 31, wherein the reader / writer is a value H (T _i ) u obtained by exclusive OR with a bit string u of distribution history information. (u <n _i )? g _i (u) = u ^ {e _i }
mod n _i : When the function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ ( φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...)))))))) 33. The reader / writer according to claim 32, further comprising: a signature verification unit that determines that the product has been properly processed up to its own site when)) = u ₀ is established. The signature creation section, the private key of the own base d _i, the RSA modulus n _i, read and write the initial value u ₀ or products or wireless IC tag attached to the package has been distributed to the value or own base derived therefrom Distribution history information u _i-1 written in a possible memory or information derived from ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution 30. The reader / writer according to claim 29, wherein the history information u _i-1 or its hash value h (u _i-1 ) is derived as new auxiliary information v _i , respectively. The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 36. The reader / writer according to claim 35, wherein the reader / writer is a value H (T _i ) ○ u obtained by exclusive OR with the bit string u of the distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i that concatenates the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 36. The reader / writer according to claim 35, wherein the reader / writer is a value H (T _i ) ○ u obtained by exclusive OR with the bit sequence u of the distribution history information. (u <n _i )? g _i (u) = u ^ {ei}
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. 37. The reader / writer according to claim 36, further comprising a portion.   A reader / writer provided at a base on a distribution path of the product, having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to the product or its package and a signature verification unit for verifying a signature; The signature verification unit discloses the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed to its own site or the package thereof, to each site upstream from its own site. The key is used in order from the public key of the base closest to its own base, and the verification is repeated, and finally, a predetermined value or a unique value of the wireless IC tag stored in the read-only memory of the wireless IC tag The reader / writer is characterized in that it can be determined that the product has been correctly processed up to its own base by being able to verify retroactively to the point where an initial value that is an identification number is obtained. . Write the private key of the i-th site to di, RS _i modulus to n _i , the initial value to u ₀ , and write to the readable / writable memory of the wireless IC tag attached to the product distributed to the i-th site or its package Is the exclusive logic of the distribution history information and the hash value H (T _i ) of the bit string T _i that concatenates the distribution history information u _i-1 , the public key of the i th base and all the bases upstream from it. The value obtained by the sum is H (T _i ) ○ u, (u <n _i )? G _i (u) = u ^ {e _i } mod n _i : a function defined as g _i (u) = u g _i (u), security parameter k bits (where n _i <2 ^k ), a function defined as φ (u) = (u + n _i ) mod2 ^k When the inverse function is φ ⁻¹ , the signature verification unit performs φ ⁻¹ (g ₁ (φ (g ₁ (H (T ₁ ○ φ ⁻¹ (g ₂ (φ ((g ₂ (H (T ₂ ○… T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))) =) u ₀ , The product is Writer according to claim 39, wherein a is to determined to have been Ku history. The secret key of the i-th site is d _i , the RSA modulus is ni, the initial value is u ₀ , and it is written to the readable / writable memory of the wireless IC tag attached to the product distributed to the i-th site or its package The distribution history information is exclusive of u _i-1 , the hash value H (T _i ) of the bit string T _i that concatenates the public keys and messages of the i th base and all bases upstream from it. A function defined by H (Ti) ○ u, (u <n _i )? G _i (u) = u ^ {e _i } mod n _i : g _i (u) = u g _i (u), security parameter k bits (where n _i <2 ^k ) A function defined as φ (u) = (u + n _i ) mod2k as a mapping in natural number space, φ (u), and vice versa when the function and phi ^-1, the signature verification _{^{unit, φ -1 (g 1 (φ}} (g 1 (H (T 1 ○ φ -1 (g 2 (φ ((g 2 (H (T 2 ○ ^{_{... T i-1 ○ φ -1}} (g i-1 (φ (g i-1 (u i-1))))) ...))))))))) = by u ₀ is established, The product is Writer according to claim 39, wherein a is to determined to have been correctly history to base.   A reader / writer provided at a base on a distribution path of the product, having a transmission / reception unit for transmitting / receiving information to / from a wireless IC tag attached to the product or its package and a signature verification unit for verifying a signature; The signature verifying unit, for the distribution history information written in the readable / writable memory of the wireless IC tag attached to the product distributed at its own site or its package, By verifying using the public key, and the auxiliary information that is the same as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived in the verification result, the product has been properly developed from the previous base. Reader / writer characterized in that it is determined to be written secret key of the i-th base d _i, the RSA modulus n _i, the initial value u _0, i-th products have been distributed in the base or read-write memory of the wireless IC tag attached to the package The distribution history information and auxiliary information that are stored are u _i-1 and v _i-1 , the hash value H (T _i ) of the bit string T _i that concatenates the public keys of the i th base and all bases upstream from it. H (T _i ) ○ u, (u <n _i )? G _i (u) = u ^ {e _i } mod n _i : g _i (u) A function defined as = u is defined as g _i (u), security parameter k bits (where n _i <2 ^k ) long natural number space is defined as φ (u) = (u + n _i ) mod2 ^k When the function is φ (u), the inverse function is φ ⁻¹ , and h is a hash function, the signature verification unit can calculate h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _{i-1 (u i-1} ))))) ...))))))))) = v _{by i-1} is satisfied, the product of the previous one bases Writer according to claim 42, wherein a from in which it is determined that what has been correctly history. Write the private key of the i-th site to di, RS _i modulus to n _i , the initial value to u ₀ , and write to the readable / writable memory of the wireless IC tag attached to the product distributed to the i-th site or its package The distribution history information and auxiliary information that are stored are u _i-1 and v _i-1 , and the hash value H (T _{i of} the bit string T _i that concatenates the public key and message of the i th base and all bases upstream from it. ) and the value determined by the exclusive OR of the distribution history information _{H (T i) ○ u,} (u <n i) g i (u) = u ^ {e i} mod n i:? g i ( u) = u is defined as g _i (u), security parameter k bits (where n _i <2 ^k ) long natural number space is defined as φ (u) = (u + n ⁱ ) mod2 _k And φ (u), the inverse function thereof is φ ⁻¹ , and h is a hash function, the signature verification unit determines that h (H (T _i-1 ○ φ ⁻¹ (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...))))))))) = v _i-1 43. The reader / writer according to claim 42, wherein the product is determined to have been correctly developed from the previous base.   Transmission / reception means for transmitting / receiving information to / from a wireless IC tag attached to the product or its package to a computer constituting a reader / writer provided at a base on the product distribution path, a product distributed to the base or the Local base station which communicates with the wireless IC tag attached to the package through the transmission / reception means, and which is stored in the storage means for the distribution history information written in the readable / writable memory of the wireless IC tag or information derived therefrom A program for deriving a signature sentence signed with a private key as new distribution history information and replacing it with the original distribution history information written in the readable / writable memory of the wireless IC tag.   The computer further includes distribution history information written in a readable / writable memory of a wireless IC tag attached to a product distributed to the local site or a package thereof, from the local site stored in the storage unit. The verification is repeated using the public key of each upstream base in order from the public key of the base closest to its own base, and finally stored in the predetermined initial value or the read-only memory of the wireless IC tag 46. The program according to claim 45, wherein the program is made to function as signature verification means for determining that the product has been correctly processed up to its own base by being able to verify retroactively until the identification number unique to the wireless IC tag is obtained.   Transmission / reception means for transmitting / receiving information to / from a wireless IC tag attached to the product or its package to a computer constituting a reader / writer provided at a base on the product distribution path, a product distributed to the base or the Local base station which communicates with the wireless IC tag attached to the package through the transmission / reception means and which is stored in the storage means for the distribution history information written in the readable / writable memory of the wireless IC tag or information derived therefrom The signature sentence signed with the private key of the new IC was derived as new distribution history information, the original distribution history information that was written or information derived therefrom as auxiliary information, and was written in the readable / writable memory of the wireless IC tag A program for functioning as a signature creation means that replaces the original distribution history information and auxiliary information.   The computer further includes distribution history information written in a readable / writable memory of a wireless IC tag attached to a product distributed to the local site or a package thereof, from the local site stored in the storage unit. By verifying using the public key of one upstream base, the same auxiliary information as the auxiliary information written in the readable / writable memory of the wireless IC tag can be derived as a result of the verification. 48. The program according to claim 47, wherein the program is made to function as signature verification means for determining that the process has been correctly performed from the base of the company. The signature generating means, the secret key of the own base d _i, reading and writing of a wireless IC tag attached to RSA modulus to n _i, the product or its packaging has been circulated to the initial value u ₀ or a value or own base derived therefrom Distribution history information u _i-1 written in a possible memory or information derived from ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When φ (u) is the function defined as mod2 ^k and φ ^-1 is the inverse function, φ ^-1 (f _i (φ (f _i (ST))))) is derived as new distribution history information. 46. The program according to claim 45, wherein: The ST is written in the hash value H (T _i ) of the bit string T _i concatenating the public key of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag 50. The program according to claim 49, which is a value H (T _i )) u obtained by exclusive OR with a bit string u of distribution history information. The ST is written in the hash value H (T _i ) of the bit string Ti concatenating the public key and message of the base and all bases upstream from the base, and the initial value or the read / write memory of the wireless IC tag. 50. The program according to claim 49, which is a value H (T _i )) u obtained by exclusive OR with a bit string u of distribution history information. The computer is further (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When the function defined as g _i (u) = u is g _i (u), φ ^-1 (g ₁ (φ (g ₁ (H (T ₁ ○ φ ^-1 (g ₂ ( φ ((g ₂ (H (T ₂ ○ ... T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 )))) ...)))))))) 51. The program according to claim 50, wherein, when)) = u ₀ is established, the program is made to function as a signature verification unit that determines that the product has been correctly processed up to its own site. The signature generating means, the secret key of the own base d _i, reading and writing of a wireless IC tag attached to RSA modulus to n _i, the product or its packaging has been circulated to the initial value u ₀ or a value or own base derived therefrom Distribution history information u _i-1 written in a possible memory or information derived from ST (u <n _i )? f _i (u) = u ^ {d _i } mod n _i
: The function defined as f _i (u) = u is f _i (u), and the security parameter is k bits (where n _i <2 ^k ) long natural number space φ (u) = (u + n _i ) When the function defined as mod2 ^k is φ (u) and its inverse is φ ^-1 , φ ^-1 (f _i (φ (f _i (ST))))) is the new distribution history information and distribution 48. The program according to claim 47, wherein the history information u _i-1 or the hash value h (u _i-1 ) thereof is respectively derived as new auxiliary information v _i . The ST is a own base and bit string obtained by connecting the public keys of all bases upstream of the own base T _i of the hash value H (T _i), it is written in the writable memory of the initial value or wireless IC tag 54. The program according to claim 53, wherein the value is H (T _i ) uu obtained by exclusive OR with the bit string u of the distribution history information. The ST is written in the hash value H (T _i ) of the bit string T _i that concatenates the public key and message of the base and all the bases upstream from the base, and the initial value or the readable / writable memory of the wireless IC tag. 54. The program according to claim 53, which is a value H (T _i )) u obtained by exclusive OR with a bit sequence u of distribution history information. The computer is further (u <n _i )? G _i (u) = u ^ {e _i }
mod n _i : When a function defined as g _i (u) = u is g _i (u), h (H (T _i-1 ○ φ ^-1 (g _i-1 (φ (g _i-1 (u _i-1 ))))) ...)))))))))))))) =) Signature verification that the product is judged to have been correctly developed from the previous location when v _i-1 is satisfied. 55. The program according to claim 54, wherein the program is made to function as a means.   In a wireless IC tag attached to a product or its package to manage the distribution process of the product, a transmission / reception unit that transmits / receives information to / from a reader / writer at each site on the product distribution route, and a self-wireless IC tag It has a read-only memory that stores a unique identification number and a readable / writable memory that stores distribution history information. When distributed to the first site, it is derived from the identification number or from it by a reader / writer provided at that site. A signature sentence signed with the secret key of the base for the value is written in the readable / writable memory as the distribution history information, and when distributed to a base other than the first base, by a reader / writer provided for the base, The distribution history information written in the readable / writable memory or information derived therefrom is signed with the secret key of the base. The wireless IC tag is characterized in that the signature text is derived as new distribution history information and the original distribution history information written in the readable / writable memory is replaced.

Images