KR950002164B1 - Electronic signature and authentication method - Google Patents

Abstract

The communication authentication method improves reliability. The method can certificates the document by using the electric signature. This method also decrease computing cost by using the modified Schnorr method and distributes computing cost between the sender and the receiver. Public coefficient of electric signature processing is hash function, GF(p), M in which signature inserted, and public key of signer.

Description

Digital signature and authentication method

FIG. 1 is a diagram illustrating a process in an electronic signature method in which an authenticator (signer) of the conventional Schnorr method signs an electronic document and a verifier (another person or his / her) verifies the signature.

2a to 2b are views showing the process of the electronic signature method according to the present invention.

3 is a process diagram of an identification method according to the present invention.

4 is a process diagram of a document transmission and reception authentication method for authenticating mutual identity and document receipt between a transmitter and a receiver in the present invention.

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication authentication method for authenticating a communication person and the contents of a communication in a data exchange system. In particular, an electronic signature and identity using a public key encryption method having different keys for encryption and decryption are used. Authentication and document transmission and reception authentication method.

In recent years, in the present stage of computerization in large quantities and computerization, reliable and efficient digital signature and authentication systems are required in the field of electronic documents and computer communication. Communication authentication is to verify the validity of a valid operator or to authenticate the transmission and reception of communication contents, which is achieved by using an encryption method for exchanged information data. As a cryptographic method used for communication authentication, conventional cryptography with the same key used for encryption and decryption is different from conventional cryptography with the same key used for encryption and decryption. Public key cryptography. Conventional cryptography uses the same key for encryption and decryption, so it is very effective for systems that require large data exchanges and high-speed operation. However, the reliability of the protection system is low due to the difficulty of key management. In other words, in conventional cryptography, when the number of subscribers using the same protection scheme is nn, the number of keys required for encryption and decryption must be set differently for each subscriber line, so the number of required keys is nnC _2, that is, nn As (nn-1) / 2, the number of subscribers increases exponentially, making key management difficult.

Public key cryptography is slower in processing speed than conventional cryptography, but has an advantage in that key management can be effectively performed. Algorithms related to public key cryptography include the RSA algorithm and the Diffie-Hellman algorithm. In particular, the digital signature and authentication method using the Diffie-Hellman algorithm includes the ELGamal method and the Schnorr method. The method seems to be more efficient in terms of function or throughput. In order to implement this, a system using a finite field regular basis becomes faster.

The basic Schnorr method is as follows.

First, in setting up the encryption system, the key authentication center (KAC) is called prime, which is the prime p, the prime factor q and the group q. An encryption system is configured by selecting e having an order q in Z _p *, that is, e _q = 1 (mod p) ≠ 1 and subscriber's private and public keys. KAC publishes p, q, e and subscriber's public keys in the system.

If a new subscriber wants to join the cryptosystem, the new subscriber is x∈ [1,... … , q] selects a random x that satisfies the condition of the subscriber as the private key, calculates Y as the public key with Y = e ^x (mod p), and submits it to the KAC. Sign I and Y pairs (I, Y) Create Here, KAC can sign the Authentication String I and the public key Y in various ways.

Looking at the basic algorithm of the authentication method between the authenticator and the verifier in such a cryptographic system, the first prover is n∈ [1,…]. … , q] selects random variable n and computes R = e _n (mod p). This can be calculated when exchanging data, and all R values corresponding to each random variable can be calculated in advance and stored in a table known only to the prover and used during data exchange. Therefore, the process of data exchange is as follows.

First, the prover signs the verifier with his identity string and his public key Y. And the R value to the identifier. In this case, the R value may be transmitted in the third step described below, or data obtained by simply transforming R instead of R may be transmitted.

Second, the verifier signs the KAC for I, the received public key Y and the Identification String. After checking the validity of f∈ [1,… … , 2 ^t- ₁ ] selects a random variable f that satisfies the condition and sends it to the prover.

Third, the prover calculates and sends S = n + xf (mod q) to the verifier.

Fourthly, the verifier closes the authentication by checking whether R = e ^s (Y ^- ₁ ) ^f (mod p) using the received R and S.

FIG. 1 shows the digital signature method of the conventional Schnorr method. The basic Schnorr method described above is slightly modified and applied to the electronic signature. Digital signature means that the authenticator (signer) signs the electronic document (M) to be sent to the verifier, and the verifier verifies the signature. The coefficients revealed at this time are the finite field GF (p), the prime number q as the argument of p-1, the element e with the rank q, the hash function h () with t bits, the document M to be signed and the user's public key Y. . Here, the user's public key Y has a certain relationship with x, which is the secret key of the user, which only the user knows, that is, Y = e ^x mod p.

The procedure in FIG. 1 is performed by the following procedure.

1. The prover (signer) selects random variable n. In this case, random variable n is a variable that is not disclosed, and is selected to satisfy the condition of o <n ≦ q with reference to q, which is an argument of p-1, in the finite field GF (p).

2. The prover (signer) calculates the R value according to R = e ⁿ (mod p). Where n is a private key known only to the signer, and e is an element of order q shared by the data exchange system. In addition, the R value can be calculated in advance, and can be tabled in advance as described in the basic Schnorr method.

3. The prover (signer) calculates the H value according to the formula H = h (M, R) using the R value, the document M to be signed, and the hash function h. The hash function is a function whose result is t bits and includes the characteristics of the arguments that are applied as inputs. Various forms have been proposed.

4. The prover (signer) calculates the S value according to the formula S = n + x · H (mod q) using the H value.

5. The prover (signer) signs by adding (S, H) to document M.

6. The verifier calculates R '= e ⁵ ㆍ (Y ^-1 ) mod p.

7. The verifier checks H = H 'by calculating H' = h (M, R ').

The theoretical basis of the method is as follows. If the prover (signer) is a legitimate prover (signer), the verifier (other or myself) is R '= e ^s ㆍ (Y ^-1 ) (mod p) = e ^{(n + xH)} ㆍ (e ^-xH ) (mod p) = R and H '= h (M, R) = H can be confirmed. In this case, it is impossible for a third party who does not know n and x to find an S that satisfies the expression by knowing only the H value. In other words, the reliability of the Schnorr method depends on whether n and x can be easily understood by a third party, which results in a discrete algebra problem due to e ⁿ or e ^x .

The discrete algebra problem is easy to calculate in one direction, but the inverse calculation is very complicated, and the probability of calculating converges to almost zero, and the reliability of cryptography is determined by this property. In more detail, to solve the discrete logarithm a = log _y b 1 <b <q-1 in GF (q), O (exp ) Operation is required. Where c represents a constant. This is an operation that requires a huge amount of computation, which gives the cryptographic system reliability.

In addition, the R of the prover (signer) can be calculated in advance, so that the prover (signer) can generate the signature by one multiplication and addition without calculation of powers that take up most of the calculation time. However, the verifier needs two powers on the contrary, indicating that more than 90% of the total computational load is biased toward the verifier. This may be suitable for a smart card system, but when both conditions are equal, there is a disadvantage in that the checking time takes most of the time. In other words, the case of using the PC / AT class or more in a computer network, which is mostly used by both parties, is too much load on the verifier. In addition, in the Schnorr method, t = 72 and q, which are presented by Schnorr in selecting q and t, are integers of about 140 bits. That is, in order to increase the reliability, the value of t and the value of q must be increased.

Accordingly, it is a first object of the present invention to provide a communication authentication method capable of improving reliability.

The second object of the present invention is to apply the concept of the communication authentication method to sign a specific document (M) and confirm that the signature is signed by a valid signer, and at the same time reduce the overall calculation load and the signer and The purpose of the present invention is to provide an electronic signature method in which the calculation load of the identifier can be properly distributed.

It is a third object of the present invention to provide another electronic signature method which has high reliability and is capable of distributing a calculation load.

The fourth object of the present invention is to apply the concept of the communication authentication method so that the verifier can check whether the correspondent is communicating with the legitimate communicator, and at the same time reduce the overall computation load and distribute the computation load of the prover and the black person appropriately. It is about providing an identification method that can be used.

The fifth object of the present invention is to apply the concept of the communication authentication method to confirm that the communication partner is a legitimate communicator and to transmit any document and to authenticate that the document transmission is made to the legitimate counterpart, and at the same time the overall It is to provide a document transmission and reception authentication method that can reduce the computational load and distribute the computational load of the prover and the verifier appropriately.

In order to achieve the above objects, the present invention introduces the concept of the secret variable of the prover, unlike the conventional method, in performing the encryptor. In other words, the variable obtained using the random variable is also random. The encryption is performed using the secret variable Z in the form z = eX ^{1 + 1} ㆍ (mod p) when x is the prover's secret key. The decoding operation corresponding to the decoding is performed. In addition, in the conventional scheme, the verifier performs a multiplication in performing an operation to confirm the multiplication, which is to repeatedly perform a multiplication. Therefore, it introduces the process that the prover does part of the odds to perform the power, and only the remainder confirms. For example, it is assumed that the operation of the verifier is in the following form. If V is 27 = 2 ⁴ +2 ³ +2 ¹ +2 ⁰ in e ^v mod p, the verifier satisfies the condition 0≤W <V and selects a variable W that can distribute the computational load. If 3 = 2 ¹ +2 ⁰ is chosen, the multiplier in the calculation of e ^v mod p using the normal basis is Hamming weight when V is represented as binary, so the proofer performs 50% operation and the verifier 50% operation. Will be However, the data is sent so that the verifier knows the information about the variable W selected by the prover.

Next, the present invention will be described in more detail.

First, a communication authentication method will be described.

First, in setting up the encryption system, the Key Authentication Center (KAC) is defined as a finite field GF (p), a primitive source e and subscribers' private keys (x) and encryption and decryption operations. Select public keys (Y). Where Y = E ^X mod p. In addition, a cryptographic system is constructed by selecting a natural value i to be used in the relation Z = eX ^{1 + 1} mod p, which obtains a secret variable Z derived from the subscriber's private key. KAC discloses in the system the natural number i of the relational expression that obtains the finite field GF (p), the primitive source e and the subscriber's public keys (Y) and the subscriber's secret variable Z.

When a new subscriber wants to join the cryptosystem, the KAC selects random x as the subscriber's private key for the new subscriber, calculates Y after the public key with Y = e ^X (mod p), and an Authentication String. Sign pair I and Y (I, Y) Do Here, KAC can sign the identification string and public key in various ways. In other words, the signature Can be regarded as the process of establishing a reliable communication channel in a general communication protocol. Also, the prover's public key Y may not be transmitted. However, if the public key of the prover is not transmitted Y, the verifier must have a table or information available for the public key for the subscribers in the cryptographic system in order to know the public key of the prover.

Looking at the communication authentication between the authenticator and the verifier in such a cryptographic system, the authenticator is n∈ [1,… … p-1], then select random variable n and calculate Z = eX ^{1 + 1} mod p and R = Z ⁿ (mod p). Here, R can be calculated at the time of data exchange, or in advance, all R values corresponding to each random variable n can be calculated and stored in a table known only to the prover, and can be used at the time of data exchange. Therefore, the authentication process in data exchange is as follows.

First, the prover gives the verifier a signature for his Identity String I and his public key Y and (I, Y). And the R value to the identifier. If these variables are not sent by the prover, the verifier can obtain them from the published data. The R value can also be transmitted in the third step described below.

Secondly, the verifier signs the I with the obtained public key Y and the Identity String. After checking the validity of f f [1,... … 2 ^t-1 ], select a random variable f that satisfies the condition and send it to the prover.

Here, the first process and the second process is a process corresponding to the communication connection protocol in the normal communication system, it is possible to replace with another communication protocol. Therefore, the process for authenticating can be regarded as starting from the third process.

Third, the prover uses the f value, the R value, and the x value to perform operations in which the inverse is discrete algebraic and mutually promised between the systems or performs a hash function in the finite field GF (p). Sends the resulting variables to the resolver as a result of the operation and hash function. However, if f is not transmitted from the prover, there is no operation related to f.

Fourthly, the verifier closes the communication authentication by performing the operation and the hash function corresponding to the operation and the hash function used in the third step using the received variables and comparing the results.

In the digital signature method, the identity authentication method, and the document transmission / reception authentication method described below, the step of setting the encryption system and the process of joining a new subscriber are the same as the communication authentication method. However, the type of data and the method of verifying the data actually transmitted during data exchange are only different. Therefore, the description of the digital signature method, the identity authentication method, and the document transmission / reception authentication method will focus on the process of data exchange.

Next, the digital signature method of the present invention will be described in detail with reference to FIG. 2 of the accompanying drawings.

FIG. 2a is a diagram illustrating a process in which an authenticator (signer) signs an electronic document, and a verifier (other or himself) verifies the signature. Here, the coefficients to be disclosed are the finite field GF (p), the hash function h (), the document M to be signed, and the public key of the prover. Here, Y, the public key of the prover, has a certain relationship with x, which is the secret key of the prover, as described in the communication authentication method.

Y = e ^X mod p

Unlike the Schnorr method, the prover (signer) uses a Z value, which is a variable having a certain relation with x, in addition to the prover's secret key, x, as a secret variable known only to the prover (signer). Here, let Z = eX ^{1 + 1} mod p for the natural number i.

The procedure of Figure 2a is as follows.

1. The prover (signer) selects random variable n to satisfy the condition of 0 <n <p-1. Where n is not public.

2. The prover calculates R = Z ⁿ mod p.

3. The prover (signer) uses R, document M, and the hash function h to find the H value according to H = h (M, R).

4. The prover (signer) is 0≤G <p-1 and selects G that meets the condition that the multiplier of e ^G mod p is less than or equal to the multiplier of e ^H mod p, and then V = x (x ¹ ㆍ Calculate the V value according to n + G) mod p-1.

5. The prover (signer) selects W that can satisfy the multiplication factor of e ^V mod p at 0≤W <V and calculates C value according to C · e ^W mod p using it. .

6. The prover (signer) calculates S = V-W.

7. The prover (signer) signs by adding (S, C, H, G) to document M.

8. The verifier (or someone else) calculates the value of R 'according to R' = e ^S (Y ^-1 ) ^G C.

9. The verifier (the other person or me) uses the hash function h to calculate the H 'value according to H' = h (M, R ') and compares it with the received H value to verify the signature. In this case, it is determined that the valid prover is the case when H = H '.

Again, we can see that the prover (signer) can calculate R = Z ⁿ mod p in advance. If the value of W is selected as O, the authenticator (signer) can generate a signature to attach to the document without calculating the square. In addition, even when W ≠ 0, the Schnorr method has the same advantages as the overall calculation load.

First, when generating R, the Schnorr method proposed to linearly combine n smaller than 140 bits in order to simplify the calculation. However, since it poses a reliability problem, the Schnorr method suggests selecting a random variable with an arbitrary size. shall. However, in the present invention, even if n having a size smaller than 140 bits is selected, the power is raised to Z instead of e ⁿ to become R · e (X ^{1 + 1} · n) mod p. Compared with Schnorr's method, x ^{1 + 1} ㆍ n instead of n. Since x is a random secret key, x ^{1 + 1} ㆍ n is also a random variable, making the calculation simpler and more reliable. Able to know. In this case, if e ^xn = Y ⁿ instead of e ⁿ , it should be noted that Y = e ^x is disclosed and reliability is not improved. Unlike the Schnorr method, Z is used as a user's secret variable, so a memory is needed to store it. However, Z is not a problem for storage because the size of Z is a small amount of data of log ₂ p bits. In particular, when i = 1, R = e (X ² · n) mod p and V = x (x · n + G) mod p-1. It becomes a simple structure.

Second, the present invention introduces a process in which the prover (signer) pre-calculates a part of the calculation process using V on the verification side without sending V as it is, thereby reducing the load of the verification calculation and reducing the verification time. It is effective. Here, the load is adjusted according to how Hamming weight is constructed from the binary value of W. Also in this method, since S selects W to satisfy the expression, there is no problem in reliability, and there is no variation in the overall calculation load. Only one more multiplication is needed, but this can be ignored compared to the calculation load due to power.

Third, the present invention uses a method of reducing the computational load by using another G having a low Hamming weight in binary instead of H. Instead, we add it to the signature to inform the verifier about the information about G. Applying all of the above can improve the reliability compared to the Schnorr method, significantly reduce the overall computational load, and also distribute the computational load between the prover (signer) and the verifier (other or own).

The theoretical basis of the method of FIG. 2a also results in a discrete algebra problem in the same way as the Schnorr method. If the certifier (signer) is a valid certifier (signer), then the verifier (other or myself) is R '· e ^s ㆍ (Y ⁺¹ ) ^G mod p = eX (X ¹ ㆍ n + G) = e (X ^{1+ 1} ㆍ n) Mod p = R and H '= h (M, R) = H can be checked. A third party who does not know n and x can only know G, and cannot obtain S = x (x ¹ ㆍ n + G) that satisfies the following equation. That is, this problem needs to know X ^{1 + 1} ㆍ n or x, but since it is e (X ^{i + 1} ㆍ n) or e ^x, it is a discrete algebra problem and reliability is guaranteed. Here, if ⁱ = 1, R = e (X ² n) mod p and V = x (x n + G) mod p-1, which is the simplest to perform the operation on an operator with a binary structure. It becomes a structure.

FIG. 2b shows another method of digital signature. The electronic document is first outputted as a hash function to sign H. As a result, FIG. Here, the coefficients to be disclosed are the finite field GF (p), the hash function h (), the document M to be signed and the public key of the authenticator (signer) Y. As above, the public key Y of the prover (signer) has the following relationship with x, which is the secret key of the prover (signer).

Y = e ^x mod p

Referring to the procedure of the digital signature method shown in Figure 2b is as follows. In this case, the relational system for generating the secret variable Z of the subscriber is not required in setting up the encryption system.

1. The prover (signer) selects random variable n to satisfy the condition of 0 <n <p-1 and does not disclose it.

2. The prover calculates R = e ⁿ mod p.

3. The prover (signer) uses the hash function h to find the H value according to H = h (M).

4. The prover (signer) calculates the V value according to V = n · N + x · H mod p-1.

5. The prover (signer) meets the condition of 0≤W <V and selects W which can distribute the multipliers of e ^v mod p and calculates C value according to C · e ^w mod p using it. .

6. The prover (signer) calculates S = V-W.

7. The prover (signer) signs by adding (S, N, C) to document M.

8. The verifier (or someone else) finds H '= h (M).

9. The verifier (other or myself) verifies that e ^s C mod p = Y ^{H '} ㆍ N ^N mod p. If this expression is true, the prover (signer) is determined to be a valid prover (signer), otherwise the prover (signer) is found to be an invalid prover (signer).

Again, we can see that the prover (signer) can calculate R = e ⁿ mod p in advance. And if you select W = 0, the prover (signer) can generate a signature without any squares. Also, in case of W ≠ 0, unlike the Schnorr method, the prover (signer) replaces part of the calculation load of the confirmer (other or own).

The theoretical basis of the digital signature method shown in FIG. 2b also results in a discrete algebra problem. If the prover (signer) is correct, the verifier (other or myself) can be verified as e ^s C mod p = e ^{xH '} ㆍ e ^nN mod p = Y ^H' ㆍ N ^N mod p. Here, of course, if the contents of the electronic document are modified, H '= H is not satisfied, and thus the above formula is not satisfied. If a third party who does not know n and x tries to disguise itself as a prover, the third party can only know H, and thus cannot obtain an S value that satisfies the following equation. In other words, S = n · N + x · H mod p-1 cannot be obtained. This problem requires knowing x, but since the published one is Y = e ^x mod p, it comes down to a discrete algebra problem, ensuring reliability.

The digital signature method shown in FIG. 2b is a variation of the ElGamal signature method, which has the same reliability but has the following two advantages.

First, the ElGamal method (not described herein; for reference, see A TRANSACTIONS ON INFORMATION THEORY, VOL. IT-31, NO. 4, JULY 1985, A Public Key Crptosystem and a Signature Scheme Based on Discrete). Logarithms) has an inverse calculation, but not here. Thereby, the calculation time can be shortened.

Second, we introduced a method in which the prover (signer) replaces the computational load of the verifier. This reduction method can also be applied to Y ^H , N ^N and the like. By distributing the calculation load in this way, it is possible to obtain the effect of reducing the calculation time of the confirmer (other or the person).

Next, the identification authentication method will be described with reference to FIG.

Identity verification means verifying your identity to a correspondent. 3 shows a process in which the inventor (sender) authenticates the identity of the prover (sender) to the verifier (receiver). The open source here is Y, the public key of the finite field GF (p) and the authenticator (sender). Like the digital signature method, Y, the public key of the prover, has the following relationship with X, the secret key of the prover (sender).

Y = e ^x mod p

Referring to the identification method shown in Figure 3 as follows.

1. The prover (sender) chooses random variable n to satisfy the condition of 0 <n <p-1 and does not disclose it.

2. The prover calculates R = Z ⁿ mod p. Z is a value of Z = eX ^{1 + 1} mod p as in the digital signature method shown in FIG. 2a.

3. The prover (sender) sends R to the confirmer (receiver) and receives T from the confirmer.

4. The prover (sender) uses x as the secret key of the prover, the random variable n, and the T value received from the verifier (receiver) according to the formula V = x (x ¹ ㆍ n + T) mod p-1. Calculate the V value.

5. The prover (transmitter) selects W that can meet the condition of 0≤W <V and can distribute the multipliers of e ^V mod p and calculates C value according to C · e ^W mod p using it. .

6. The prover (sender) calculates S = V-W.

7. The prover (sender) sends (S, C) to the verifier (receiver).

8. The identifier (receiver) calculates R '= e ^S (Y ^-1 ) ^T C mod p.

9. The verifier verifies that R '= R. If this expression holds, the prover (sender) is determined to be a valid proof (sender), otherwise the prover (sender) is found to be an unjust proof (sender).

Again, the R of the prover can be calculated in advance. If W = 0 is selected, the prover (sender) can generate an identity certificate only by multiplication. Even when W ≠ 0, the total computational load can be reduced compared to the Schnorr's identity authentication method. In addition, although the number of data bits to be stored and the number of data bits to be transmitted are larger than those of the Schnorr method, they are not a problem when actually storing or transmitting. On the other hand, they are highly reliable and can adjust the distribution of calculation loads between the two parties, and reduce the overall calculation load. You can.

Next, the document transmission and reception authentication method will be described with reference to FIG.

Document transmission and reception authentication means that both the identity authentication between the carrier and the transmission and reception confirmation of the document are proved together. Referring to Figure 4 describes the document transmission and reception authentication process as follows. The coefficients to be disclosed are finite field GF (p), the sender's public key Y and the receiver's public key B. Here, the sender's public key Y has a relationship with the sender's private key x and Y = e ^x mod p, and the receiver's public key B has a relationship with the receiver's private key B = e ^b mod p. The procedure for document transmission and reception is as follows.

1. The sender selects random variable n to satisfy the condition of 0 &lt; n &lt;

2. The sender computes the equation R = B ⁿ mod p to use as the transport key. And H = h (M).

3. The sender finds H '= E _R (H). Here, E _R () means a decoding function that can be decoded, and R used as a subscript means that an encoding key used for encoding is R.

4. The sender obtains the V value according to V = n + x mod (p-1) using the random variable n and x, which is the secret key of the sender.

5. The sender finds the appropriate W with 0≤W <V and calculates C = e ^W mod p.

6. The sender calculates U = V-W.

7. The sender sends (H ', U, C) with the document.

8. The receiver computes R '= (e ^U C · Y ^-1 ) _d mod p. Where Y is the sender's public key.

9. The receiver checks G = G 'by obtaining G = h (M) and G' = D _R ㆍ (H ').

Here, D _R '= () denotes a decoding function corresponding to the coding function E _R = (), and the subscript R' denotes a key used for decryption.

10. If the above conditions are met, the receiver explains G to the sender by the digital signature method.

11. The sender checks H = G.

The theoretical basis of the present invention also results in discrete algebra problems as in identity verification. If the sender is correct, the identifier obtains R '= (e ^U C · Y ^-1 ) _d mod p = (e ^{x + n} ㆍ e ^-x ) _d mod p = e ⁿ _d mod o = R, thus G' = D _{R '} (H) = G and G = h (M) to confirm the amorphousness of the document. If the integrity is verified, G is signed and transmitted by the signature method of the present invention. The original sender can verify receipt by checking G = H to confirm that the original document was sent flawlessly and to keep a signature for G.

In addition, the digital signature method shown in FIGS. 2a and 2b may be applied to the digital signature method used in the process of transmitting the document to the sender by signing the G in the document transmission and reception authentication method. In this case, the receiver becomes a signer and the sender becomes an identifier.

The associations in the digital signature method, the identity authentication method, and the document transmission / reception authentication method described above are the addition and multiplication of mod p-1 and the power of the finite field GF (p). In this case, for efficient multiplication and power multiplication, we use p = 2 ^m as follows.

First, the multiplication process of two integers A and B that satisfies the condition of 0≤A, B <p-1 is described. When A is expressed as a binary vector, the binary coefficient of this vector is a ¹ and the same method is used. Let b ¹ for B. Then 2 ^k ㆍ A only needs to move the binary vector k times, so in mod (2 ^m -1), Therefore, A and B can be multiplied by the coefficient of 1 of the binary vector of B. Since mod (2 ^m -1), if Kerry occurs, it can be added again.

Since multiplication must be repeated by the power of exponent, we must devise an efficient method. Massy ④ and Vanstone ⑤ showed that the normal basis of the finite field GF (2 ^m ) can be used to increase and decrease at high speed. In particular, it is most effective to use a multiplication matrix with the smallest number of 1s corresponding to EX-OR in the structure of the multiplication function (multiplication matrix) among the normal basis. The roots of the generated polynomial that make the finite field GF (2 ^m ) satisfy the condition of being a normal basis, and the smallest number of "1s" corresponding to EX-OR in the structure of the multiplication function (multiplication matrix) using the normal basis. A multiplication matrix characterized by having m values satisfying a condition is used. Reference papers related to this are described in Discrete Applied Mathematics 22 (1988/1989) pp. "Optiaml Normal Bases in Gf (p ^m )" by R. Mullin, I. Onyszchuk, S. Vanstone and R. Wilson, published in 149-161. Of these prime numbers, the multiplication matrix in the case of m = 89 is shown in Table 1-1 to Table 1-4.

Table 1-1

TABLE 1-2

Table 1-3

Table 1-4

As described above, the present invention is modified by the Schnorr method, thereby reducing the overall calculation load and increasing the reliability. In addition, the computational load is appropriately distributed to the signer and the verifier so that the verification time can be shortened. Therefore, the verification time can be reduced, and the digital signature, identity authentication, and even the receipt and receipt of the electronic document can be authenticated.

Claims (18)

In the cryptographic system constructed using the finite field GF (p) and the public key Y of the subscribers having the relation between the source source e and the subscriber's secret key x and Y = e ^x mod p, In the method of authenticating the contents, the prover has the secret variables z and n∈ [1,... Of the prover having a relationship of Z = eX ^{i + 1} · (mod p) with respect to his private key x and the natural number i. selecting R = Z ^x (mod p) by selecting a random variable n that satisfies the condition p-2]; The prover performs an operation in which the inverse operation is discrete algebra in the finite field GF (p) or the hash value of the prover's secret key x, etc., and transmits the result values to the verifier. The process of doing; The verifier uses the result values transmitted from the prover to authenticate the result values transmitted by the prover performing an operation or hash function corresponding to the operation and hash function performed in the finite field GF (p). Communication authentication method characterized in that. The communication authentication method according to claim 1, wherein the i value in the secret variable Z = eX ^{i + 1} · (mod p) of the prover is 1. The multiplication matrix of claim 1, wherein the operations performed by the authenticator and the verifier upon encryption and decryption are performed by using a multiplication matrix such that the number of "1s" in the multiplication matrix composed of the regular basis of the finite field GF (2 ^m ) is reduced. Communication authentication method characterized in that. In a data exchange system using data encoded in a cryptographic system consisting of the finite field GF (p) and the public key Y of the subscribers having the relation between the source source e and the subscriber's secret key x and Y = e ^x mod p In the method of transmitting a digital signature to a specific document M and confirming it at the receiving end, the signer is a signer whose relationship is Z = eX ^{i + 1} · (mod p) with respect to his secret key x and the natural number i. Secret variables z and n∈ [1,… p-2] and select random variable n that satisfies the condition and use the hash function h and document M published in the system according to the formula R = Z ^x mod p and H = h (M, R) Calculating the H value; When the source of the finite field is e, the signer selects ^G using the H value and the e value so that the multiplier of e ^G mod p is smaller than the multiplier of e ^H mod p, and V = x (x ^j. n + G) calculating the V value according to mod p-1; Using the V value, the signer selects W that satisfies the condition of 0≤W <V and calculates C value and S value according to C = e ^w mod p and S = VW; The signer adds the S, C, H, and G values to the document M and transmits the document together with the document; The verifier receives the S, C, H, and G together with the document M and uses R '= e ^s (Y ^-1 ) ^G C mod p and H' by using the user's public key Y value and the hash function h. and verifying the signature by calculating H 'value according to = h (M, R') and checking whether it is equal to the received H value. The digital signature method of claim 4, wherein the i value of the signer's secret variable Z = eX ^{i + 1} · (mod p) is 1. 5. The multiplication matrix of claim 4, wherein the operations performed by the signer and the verifier upon encryption and decryption are performed using a multiplication matrix such that the number of "1s" in the multiplication matrix composed of the regular basis of the finite field GF (2 ^m ) is reduced. Digital signature method. In the data exchange system using the encoded data in the cryptographic system composed of the finite field GF (p) and the public key Y of the subscribers having the relation between the source source e and the subscriber's secret key x and Y = e ^x mod p In a method of attaching and sending an electronic signature to a specific document M and confirming it at the receiving end, the signer is n∈ [1,... p-2] and select the random variable n that satisfies the condition and use the hash function h and the document M published in the system. N and H values according to N = e ⁿ mod p and H = h (M) The process of finding The signer uses the signer's private key, x, the N value, and the H value to obtain a V value according to the formula V = n · N + x · h (mod p-1); A signer selects W that satisfies a condition of 0≤W <V using the V value, and then obtains C and S values according to C = e ^w mod p and S = VW; A signer completes an electronic signature by adding the S, N, and C values to the document M and transmits it to the verifier; The verifier uses the document M together with the S, N, and C values, the Y value that is the signer's public key, and the hash function h, e ^s C (mod p) = Y ^{h (M)} N ^N (mod p) And verifying the validity of the digital signature by calculating H 'value according to H' = h (M, R ') and checking whether it is equal to the received H value. Way. 8. The multiplication matrix of claim 7, wherein the operation performed when the signer and the verifier are encrypted and decrypted is performed by using a multiplication matrix such that the number of "1s" in the multiplication matrix composed of the regular basis of the finite field GF (2 ^m ) is reduced. Digital signature method. In the cryptographic system composed of the finite field GF (p) and the public key Y of the subscribers having the relation between the source source e and the subscriber's secret key x and Y = e ^x mod p, In the method of authenticating to the other party that it is a legitimate communicator, the prover who wants to prove that he is a legitimate communicator has a relation of Z = eX ^{i + 1} ㆍ (mod p) with respect to his secret key x and natural number i. Secret variables z and n∈ [1,… selecting the first random variable n that satisfies the condition p-2], calculating R = Z ⁿ (mod p), and transmitting the same to the identifier; The identifier selects the second random variable T and transmits it to the prover; Using the prover's secret key x, the first random variable n, and the second random variable T, calculating a V value according to the formula V = x (x ¹ ㆍ n + T) mod p-1; The prover selects W that satisfies the condition of 0≤W <V using the V value, calculates C value and S value according to the equations C = e ^W mod p and S = VW, and sends S and C to the verifier. The process of doing; The verifier checks whether R = e ^s (Y ^-1 ) ^T C (mod p) using the S, C and Y values of the prover's public key. Identity verification method. 10. The identity authentication method according to claim 9, wherein i is 1 in the secret variable Z = eX ^{i + 1} · (mod p) of the prover. The method of claim 9, wherein the operation the prover and the verifier are performed during encryption and decryption are made using the multiplication matrix is less the number of finite field GF (2 ^m) "1" of the multiplication matrix consisting of a normal basis of Identification method characterized by. Sending and receiving a document using a coded data sequence in a cryptographic system composed of the finite field GF (p) and the public key Y of the subscribers having the relation between the source source e and the subscriber's secret key x and Y = e ^x mod p In the method for authenticating the sender / receiver and the transmission / reception contents of the document, the sender who wants to send the document is n 문서 [1,... p-2] is selected, and the formula R = B ⁿ mod is selected using the hash function h disclosed in the system, the document M and the public key B of the receiver to receive the document. obtaining R and H values according to p and H = h (M); The sender uses an encoding function E _A () and R, which are decodable when the encoding key is A, and uses H, the first random variable n, and x, which is the sender's secret key, as H '=. Obtaining H 'which is E _R (H) and V having V = (n + x) mod p-1; The transmitter selects W that satisfies the condition of 0≤W <V using the V value, and then obtains C and U according to C = e ^W mod p and U = VW; The sender transmits the H ', U, and C together with the document to the receiver; Obtaining a R 'according to the formula R' = (e ^u ㆍ C · Y ⁻¹ ) ^b mod p using the U, C, Y as the sender's public key, and b as the receiver's private key; The receiver uses the R 'as a decoding key of the decoding function D _A () corresponding to the coding function E _A (), and uses G = h (M using the H ′, the document M, and the hash function h (). ) And G '= D _R ㆍ (H') to check the validity of the received document by checking that G '= G; The receiver can check the recipient's private keys b and m∈ [1,…, if the received document is valid. , selecting a second random variable m that satisfies [p-2] to generate an electronic signature, and adding it to G and transmitting it to the sender; And the sender checks that H = G and stores the signature of the recipient added to G as proof of document transmission. 13. The method of claim 12, wherein the receiver adds the digital signature to G and transmits it to the sender. The receiver has a relationship in which Z = eb ^{i + 1} · (mod p) for its secret key b and natural number i. Receiver's secret variables z and m∈ [1,… , p-2], selects a random variable m that satisfies the condition and uses the hash function h and G disclosed in the system according to Q = Z ^m mod p and T = h (G, Q) Calculating a T value; When the source of the finite field is e, the receiver selects ^{F such that} the multiplier of e ^F mod p is smaller than the multiplier of e ^T mod p using the T value and the e value, and K = b (b ^1. m + F) calculating the K value according to mod p-1; Using the K value, the receiver selects L that satisfies the condition of 0≤L <K and calculates I value and J value according to I = e ^L mod p and J = KL; A receiver adding the J, I, T, and F values to the G and transmitting the G; The sender receives the J, I, T, and F together with G and uses the hash value h and the B value, which is the public key of the receiver, Q '= e ^J (B ⁻¹ ) ^F I and T' = h ( Calculating a T 'value according to F, Q'), and checking whether the signature is equal to the received T value. The method of claim 13, wherein the i value is 1 in the secret variable Z = eb ^{i + 1} · (mod p) of the receiver. 13. The method of claim 12, wherein the receiver adds the digital signature to G and transmits it to the sender. , p-1], select a random variable m that satisfies the condition, and using the hash functions h and G published in the system, the values of N and T according to N = e ^m mod p and T = h (G) The process of finding; Obtaining a V 'value according to the formula V' = m · N + b · T (mod p-1) by using the receiver b, the N value and the T value; Selecting a L satisfying a condition of 0 조건 L <V 'using the V' value and then obtaining an I value and a J value according to I = e ^L mod p and J = V'-L; Receiving, by the receiver, adding the values of J, N, and I to the document G, completing the digital signature, and transmitting the same to the sender; The sender uses the document G together with the J, N, I value, B value, which is the recipient's public key, and the hash function h, e ^J I (mod p) = B ^{h (G)} N ^N (mod p) And verifying the validity of the digital signature by calculating the T 'value according to T' = h (G, Q ') and examining whether it is equal to the received T value. Authentication method. 13. The multiplication matrix of claim 12, wherein the operation performed when the sender and the receiver are encrypted and decrypted is performed using a multiplication matrix such that the number of " 1 " is reduced in the multiplication matrix composed of the regular basis of the finite field GF (2 ^m ). Document transmission and reception authentication method. In a cryptographic system constructed using finite field GF (p) and the public key Y of the subscribers having the relation between the source e and the subscriber's private key x and Y = e ^x mod p, the prover is random with its secret key x. A first step of performing operations in which the inverse operation is discrete algebra using the variable n and transmitting the result values to the identifier; When the identifier checks one of the values transmitted from the prover as S, R = e ^s ㆍ (Y ^-1 ) mod corresponding to the operation performed by the prover using the prover's public key Y and the transmitted value S. A communication authentication method comprising a second process of authenticating received values by performing a p-type operation, wherein the first process uses a value of S to prove that a prover satisfies a condition of 0∈S '<S. Selecting S 'capable of distributing a multiplier of S, and then performing operations of C = e ^s' 'mod p to transmit C and S'; In the second process, instead of performing an operation of R = e ^s ㆍ (Y ⁻¹ ) mod p using the received C and S ', the second process performs R = e ^s' · (Y ⁻¹ ) mod p · C Communication authentication method characterized in that to perform the operation of. 18. The multiplication matrix of claim 17, wherein the operation performed by the authenticator and the verifier when encrypting and decrypting is performed by using a multiplication matrix such that the number of "1s" in the multiplication matrix composed of the regular basis of the finite field GF (2 ^m ) is small. Communication authentication method characterized in that.