WO2010013571A2 - Group signature system and method - Google Patents

Group signature system and method Download PDF

Info

Publication number
WO2010013571A2
WO2010013571A2 PCT/JP2009/061915 JP2009061915W WO2010013571A2 WO 2010013571 A2 WO2010013571 A2 WO 2010013571A2 JP 2009061915 W JP2009061915 W JP 2009061915W WO 2010013571 A2 WO2010013571 A2 WO 2010013571A2
Authority
WO
WIPO (PCT)
Prior art keywords
group
signature
public key
group signature
tracking
Prior art date
Application number
PCT/JP2009/061915
Other languages
French (fr)
Japanese (ja)
Inventor
古川 潤
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Publication of WO2010013571A2 publication Critical patent/WO2010013571A2/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Definitions

  • the present invention relates to a group signature system and method, and more particularly to a technique for identifying a signer.
  • Non-Patent Document 1 shows the overall configuration of the group signature system 1000.
  • the group secret key 1007 is an element ⁇ of a field Z / pZ randomly selected with p being a prime number.
  • W is ⁇ double point of G 2.
  • the tracking secret key 1018 is assumed to be composed of two points ⁇ 1 and ⁇ 2 on a randomly selected field Z / pZ.
  • the member private key 1009 is a point x on a randomly selected field Z / pZ.
  • the member secret key 1009 and the member certificate 1008 are generated by the member certificate-member secret key generation device 1005.
  • the group signature device 1013 receives a message 1012 to be signed, a group public key 1001, a tracking public key 1002, a member secret key 1009, a member certificate 1008, and a random number.
  • the group signature apparatus 1013 further uses the input random numbers to randomly generate points ⁇ ′, ⁇ ′, ⁇ ′ 1 , ⁇ ′ 2, and y ′ that are points on Z / pZ. Select.
  • the symbol “ ⁇ ” means power residue.
  • the group signature device 1013 includes a group public key 1001, a tracking public key 1002, a message 1012, U, V, T 1 , T 2 , T 3 , R 1 , R 2 , R 3 , R 4 and R 5. And generate a hash value. The group signature device 1013 sets this hash value as the challenge value c.
  • a signed message 1012 In the group signature verification apparatus 1015, a signed message 1012, a group public key 1001, and a tracking public key 1002 are input.
  • R 1 [s ⁇ ] U-[c] T 1
  • R 2 [s ⁇ ] V-[c] T 2
  • R 3 e (T 3 , G 2 ) ⁇ (s x ) ⁇ e (H, W) ⁇ (-s ⁇ -s ⁇ ) ⁇ e (H, G 2 ) ⁇ (-s ⁇ 1 -s ⁇ 2 ) ⁇ e (H, G 2 ) ⁇ (s y ) (e (G 1 , G 2 ) / e (T 3 , W)) ⁇ (-c),
  • R 4 [s x ] T 1- [s ⁇ 1 ] U
  • R 5 [s x ] T 2- [s ⁇ 2 ] U Is generated.
  • the group signature verification device 1015 includes a group public key 1001, a tracking public key 1002, a signed message 1012, U, V, T1, T2, T3, R1, R2, R3, R4, and R5. And generate a hash value.
  • the group signature verification device 1015 confirms whether this hash value matches the challenge value c.
  • the group signature verification apparatus 1015 determines that the group signature is valid if they match, and determines that the group signature is invalid if they do not match.
  • the tracking device 1017 receives a group signature 1014 including a ciphertext 1020 of member evidence and a tracking private key 1018.
  • the tracking device 1017 identifies a user who has A as member evidence 1019 in the member certificate as an unauthorized person.
  • the value A When tracking unauthorized persons using related technology, the value A must be decrypted from the signature using the tracking private key, and the corresponding person must be found.
  • This correspondence can be known only by the person who created the member certificate. Therefore, in order for a person other than the person who created the member certificate (hereinafter referred to as “tracker”) to track, the tracker asks the person who created the member certificate about the correspondence, or the member's action It is necessary to obtain a table in advance. In the former method, the person who created the member certificate needs to be involved in tracking all unauthorized persons. For this reason, in a large system, the burden on the person who created the member certificate increases. In the latter method, members belonging to the group are disclosed. For this reason, in a group having many group members who do not like this, it becomes a problem that members belonging to the group are disclosed.
  • an object of the present invention is to obtain a group signature that can be verified easily.
  • the present invention has the following configuration.
  • a group signature system is a group signature system having a member certificate acquisition device, a member certificate issuing device, and a group signature device, wherein the member certificate acquisition device includes an identifier of a signer A member evidence generating unit that generates a member evidence including a signature based on a member private key that is a signature private key, and a member including the member evidence when the signature is confirmed to be valid A member certificate verification unit that outputs a certificate, wherein the member certificate issuing device includes a public key list that is a list of a member public key corresponding to the member private key and the identifier, and the member evidence A signature verification unit that confirms that the signature is valid, the group signature device includes a group public key, a tracking public key, and the And Nba secret key, and the member certificate, on the basis of, and outputs a group signature that contains the encrypted text of the signature.
  • the member certificate acquisition device includes an identifier of a signer
  • a member evidence generating unit that generates a member evidence including a signature
  • the group signature method generates member evidence including an identifier of a signer and a signature based on a member private key that is a private key for signing, a member public key corresponding to the member private key, Based on the public key list, which is a list of pairs with identifiers, and the member evidence, the signature is confirmed to be valid, and the member evidence is confirmed when the signature is confirmed to be valid. And a group signature including the ciphertext of the signature based on the group public key, the tracking public key, the member private key, and the member certificate.
  • the ciphertext of the identifier of the group signature member is made a part of the group signature, and the unauthorized person tracking device extracts the unauthorized person identifier by directly decrypting it.
  • FIG. 2 shows the overall configuration of this embodiment.
  • the group signature system 600 includes a member certificate acquisition device 100, a member certificate issuing device 200, a group signature device 300, a group signature verification device 400, and a tracking device 500.
  • a block enclosed by a rectangle indicates information that is input or output
  • a block enclosed by a rounded rectangle indicates each device or means.
  • each of group 1, group 2, and group T is a group of order p.
  • Group 1, Group 2, and Group T are groups that are difficult to solve the Diffie-Hellman discrimination problem.
  • this problem in order for this problem to be difficult on group 1 and group 2, it is necessary that it is difficult to calculate isomorphisms from group 1 to group 2 and vice versa.
  • the public key list includes the identifier of the owner of the public key and the set of the public key.
  • Hash is a hash function that maps a character string to a field (Z / pZ).
  • g is a generator of group 1
  • G is a generator of group 2
  • is a generator of group T.
  • ⁇ and ⁇ are Z / pZ elements selected at random, and f and h are generators of group 1 selected at random.
  • is a randomly chosen encryption function
  • ⁇ -1 is a decryption function
  • Y G ⁇
  • the group secret key is ( ⁇ , ⁇ )
  • the group public key is (group 1, group 2, group T, p, e, g, G, Hash, ⁇ , Y, Z, f, h).
  • the member certificate acquisition apparatus 100 includes a member evidence generation unit 103, a signature unit 108, a knowledge proof unit 113, and a member certificate verification unit 117.
  • an information processing apparatus such as a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used.
  • a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used.
  • CPU or the like arithmetic device
  • storage device memory or the like
  • the member evidence generation unit 103 can be generally called member evidence generation means.
  • Signature section 108 can be generally referred to as signature means.
  • Knowledge proof unit 113 can be generally referred to as knowledge proof means.
  • Member certificate verification unit 117 can generally be referred to as member certificate verification means.
  • the group public key 101, the identifier 105 (ID), and the random number 102 are input to the member certificate acquisition apparatus 100.
  • the knowledge proof unit 113 waits for a challenge value c, which is the source of Z / pZ, to be sent from the member certificate issuing device 200.
  • the member certificate verification unit 117 waits for (a, ⁇ , ⁇ , ⁇ ′′), which is the member certificate source 116, to be sent from the member certificate issuing device 200.
  • the member certificate issuing device 200 includes a signature verification unit 208, a knowledge verification unit 209, and a member certificate source generation unit 211.
  • an information processing device such as a computer having a communication device, an input / output device, a computing device (CPU or the like), and a storage device (memory or the like) can be used.
  • a software program that uses these hardware and the hardware.
  • the signature verification unit 208 can be generally called signature verification means.
  • Knowledge verification unit 209 can be generally referred to as knowledge verification means.
  • Member certificate source generation unit 211 can be generally referred to as member certificate source generation means.
  • the member certificate issuing device 200 receives a group public key 101, a group secret key 210, a random number 201, a public key list 202, and a member list 203.
  • the signature verification unit 208 waits for the member evidence (ID, q, ⁇ ) 112 to be sent from the member certificate acquisition apparatus 100.
  • the signature verification unit 208 uses the public key list 202 to confirm that the signature 109 ⁇ is a legitimate signature of the ID for q that is the secret key knowledge 104.
  • the knowledge verification unit 209 selects the challenge value c randomly from (Z / pZ) from the input random number, and the challenge value c is a member certificate. Send to acquisition device 100.
  • the knowledge verification unit 209 waits for a response ( ⁇ ′′, ⁇ [3]) to be sent from the member certificate acquisition apparatus 100.
  • the member certificate issuing device 200 adds the identifier ID to the member list and outputs the member list 203.
  • the group signature device 300 includes an encryption unit 303 and a knowledge proof sentence generation unit 308.
  • an information processing apparatus such as a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used.
  • a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used.
  • CPU or the like arithmetic device
  • storage device memory or the like
  • the encryption unit 303 can generally be called encryption means.
  • Knowledge proof sentence generator 308 can generally be referred to as knowledge proof sentence generation means.
  • the group signature device 300 includes a group public key 101 (group 1, group 2, group T, p, e, g, G, Hash, ⁇ , Y, Z, f, h), and a tracking public key 301.
  • group public key 101 group 1, group 2, group T, p, e, g, G, Hash, ⁇ , Y, Z, f, h
  • a tracking public key 301 A certain (r, t), a member certificate 119 (a, ⁇ , b, ⁇ , ⁇ , ⁇ ), a member secret key 118 ⁇ , a message 302 m, and a random number 303 are input.
  • the knowledge certificate generator 308 performs the following processing.
  • the knowledge proof generation unit 308 has ( ⁇ , m * , n * , v ′ * , m ′ * , n ′ * ) as a commitment.
  • the knowledge proof sentence generation unit 308 uses a challenge value generation unit (not shown) to obtain a challenge value.
  • c Hash (p, g, G, ⁇ , Y, Z, f, h, r, t, v, m, n, v ', m', n ', u, ⁇ , m * , n * , v ' * , M' * , n ' * , m) Is generated.
  • the knowledge proof generation unit 308 uses ( ⁇ ′′, ⁇ ′′, ⁇ ′′, ⁇ ′′, ⁇ ′′, ⁇ ′′, ⁇ ′′, ⁇ ′′) as a response.
  • the knowledge proof sentence generation unit 308 sets the commitment and response as fsp which is the knowledge proof sentence 309. [End of knowledge proof generation]
  • the group signature device 300 outputs (v, m, n, v ′, m ′, n ′, u, fsp) as a group signature 313 for m that is the message 302.
  • the group signature verification apparatus 400 includes a knowledge verification unit 401 and a challenge value generation unit 402.
  • an information processing apparatus such as a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used.
  • a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used.
  • CPU or the like arithmetic device
  • storage device memory or the like
  • the group signature verification apparatus 400 includes a group public key 101 (group 1, group 2, group T, p, e, g, G, Hash, ⁇ , Y, Z, f, h), and a tracking public key 301.
  • fsp ( ⁇ , m * , n * , v ' * , m' * , n ' * , ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '').
  • the knowledge verification unit 401 can generally be referred to as knowledge verification means.
  • Challenge value generation unit 402 can be generally referred to as challenge value generation means.
  • the knowledge verification unit 401 outputs “valid” if this is true, and outputs “invalid” if this is not true.
  • the tracking device 500 includes a decryption unit 503, a decryption validity proving unit 510, and a signature verification unit 513.
  • an information processing device such as a computer including a communication device, an input / output device, a computing device (CPU or the like), and a storage device (memory or the like) can be used.
  • a computer including a communication device, an input / output device, a computing device (CPU or the like), and a storage device (memory or the like) can be used.
  • a storage device memory or the like
  • Decoding section 503 can generally be called decoding means.
  • Decryption validity proving unit 510 can be generally referred to as decryption validity proving means.
  • Signature verification unit 513 can generally be referred to as signature verification means.
  • the tracking device 500 includes a public key list 202 and a group public key 101 (group 1, group 2, group T, p, e, g, G, Hash, ⁇ , Y, Z, f, h), tracking public Key 301 (r, t), tracking private key 501 ( ⁇ , ⁇ ), message 302 m, group signature 313 (v, m, n, v ′, m ′, n ′, u , fsp) is input.
  • group public key 101 group 1, group 2, group T, p, e, g, G, Hash, ⁇ , Y, Z, f, h
  • tracking public Key 301 r, t
  • tracking private key 501 ⁇ , ⁇
  • message 302 m group signature 313 (v, m, n, v ′, m ′, n ′, u , fsp) is input.
  • fsp ( ⁇ , m * , n * , v ' * , m' * , n ' * , ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '', ⁇ '').
  • the decryption unit 503 uses the private key knowledge ciphertext 304 and the private key knowledge ciphertext 307 to obtain the private key knowledge 504 and the private key knowledge that are part of the member evidence.
  • the decryption correctness proving unit 510 generates a certificate indicating that (q, b) is a decryption result of the ciphertext (v ′, v ′, v, m).
  • the generated proof text is called a decryption correctness proof text 511.
  • the signature verification unit 513 confirms that the signature ⁇ is a valid signature for q using the public key corresponding to the ID in the public key list 202.
  • the tracking device 500 outputs the decryption validity 514 and the IDs q, b and the signer identifier 105.
  • the member certificate acquisition device 100 acquires a member certificate 119 and a member secret key 118 by communicating with the member certificate issuing device 200.
  • the member certificate issuing device 200 obtains the member list 203 through this communication.
  • the group signature device 300 includes a member certificate 119 acquired by the member certificate acquisition device 100, a member private key 118 acquired by the member certificate acquisition device 100, a message 302, a group public key 101, and a tracking disclosure.
  • the key 301 is accepted and a group signature 313 for the message 302 is output.
  • the group signature verification device 400 accepts the message 302, the group public key 101, the tracking public key 301, and the group signature 313, and outputs a verification result 407 indicating that the group signature 313 is a valid group signature for the message 302. To do.
  • the tracking device 500 receives the tracking public key 301, the group signature 313, and the tracking private key 501, and outputs a member identifier 105 that represents the group signature 313 generated.
  • the group signature device 300 generates the group signature 313 using the member certificate 119 and the member private key 118 acquired by the member certificate acquisition device 100 communicating with the member certificate issuing device 200. .
  • the generated group signature 313 can be easily verified by the group signature verification device 400.
  • the signer identifier 105 can be directly extracted from the group signature 313.
  • the unauthorized person tracking device can extract the identifier of the unauthorized person by directly decrypting it.

Description

グループ署名システム及び方法Group signature system and method
 本発明は、グループ署名システム及び方法に関し、特に、署名者を特定する技術に関する。 The present invention relates to a group signature system and method, and more particularly to a technique for identifying a signer.
 本発明に関連する双線形写像を用いたグループ署名の技術としては、非特許文献1に記されているグループ署名があげられる。当該グループ署名の概略を図1を参照して以下に説明する。図1には、グループ署名システム1000の全体構成を示す。 As a group signature technique using a bilinear map related to the present invention, there is a group signature described in Non-Patent Document 1. An outline of the group signature will be described below with reference to FIG. FIG. 1 shows the overall configuration of the group signature system 1000.
 グループ秘密鍵1007は、pをある素数として、無作為に選ばれた体Z/pZの元γであるとする。 Suppose that the group secret key 1007 is an element γ of a field Z / pZ randomly selected with p being a prime number.
 グループ公開鍵1001は、
 素数pと、
 位数pである群1と群2と群Tと、群1と群2から群Tへの双線形写像eと、群2から群1への同型写像φと、文字列を体(Z/pZ) へと写像するハッシュ関数Hashと、を記述する文字列と、
 群2の生成子G2と、
 φ(G2)=G1なる群1の生成子G1と、
 無作為に選ばれた群1の元Hと、
 W=[γ]G2と、からなるものであるとする。 The group public key 1001 is
Prime number p,
Group 1 and group 2 and group T with order p, bilinear mapping e from group 1 and group 2 to group T, isomorphic mapping φ from group 2 to group 1, and a character string (Z / pZ) a string describing the hash function Hash that maps to
The generator G 2 of group 2, and
φ and (G 2) = generators G 1 in G 1 the group consisting 1,
Randomly selected group 1 former H,
It is assumed that W = [γ] G 2 .
 但し、WはG2のγ倍点である。 However, W is γ double point of G 2.
 追跡用秘密鍵1018は、無作為に選ばれた体Z/pZ上の2点であるξ12からなるものあるとする。 The tracking secret key 1018 is assumed to be composed of two points ξ 1 and ξ 2 on a randomly selected field Z / pZ.
 追跡用の公開鍵1002は、[ξ1]U=[ξ2]V=Hを満たす群2上の2点からなるものであるとする。 The tracking public key 1002 is assumed to be composed of two points on the group 2 that satisfy [ξ 1 ] U = [ξ 2 ] V = H.
 メンバ秘密鍵1009は、無作為に選ばれた体Z/pZ上の点xであるとする。 Suppose that the member private key 1009 is a point x on a randomly selected field Z / pZ.
 メンバ証明書1008は、無作為に選ばれた体Z/pZ 上の点yと、
A =[1/(γ+y)]([1-x]G1)を満たすA と、からなるものであるとする。メンバ秘密鍵1009とメンバ証明書1008は、メンバ証明書-メンバ秘密鍵生成装置1005にて生成される。 Member certificate 1008 has a point y on a randomly chosen body Z / pZ, and
And A satisfying A = [1 / (γ + y)] ([1-x] G 1 ). The member secret key 1009 and the member certificate 1008 are generated by the member certificate-member secret key generation device 1005.
 以下、グループ署名装置1013を説明する。 Hereinafter, the group signature device 1013 will be described.
 グループ署名装置1013には、署名が行われるメッセージ1012と、グループ公開鍵1001と、追跡用公開鍵1002と、メンバ秘密鍵1009と、メンバ証明書1008と、乱数とが入力される。 The group signature device 1013 receives a message 1012 to be signed, a group public key 1001, a tracking public key 1002, a member secret key 1009, a member certificate 1008, and a random number.
 グループ署名装置1013は、入力された乱数を用いて、無作為にZ/pZ 上の点であるαおよびβを選ぶ。その後、グループ署名装置1013は、メンバ証拠の暗号文1020を構成する、
T1 = [α]U、
T2 = [β]V、および
T3 = [α+β]H +A
を生成する。 The group signature device 1013 randomly selects α and β, which are points on Z / pZ, using the input random number. After that, the group signature device 1013 constitutes the ciphertext 1020 of the member evidence,
T 1 = [α] U,
T 2 = [β] V, and
T 3 = [α + β] H + A
Is generated.
 グループ署名装置1013は、さらに、入力された乱数を用いて、無作為にZ/pZ上の点であるα'とβ'とδ' 1とδ'2とy'
を選ぶ。その後、グループ署名装置1013は、コミットメントを構成する、
R1 = [α']U、
R2 = [β']V、
R3 = e(T3,G2)^(x')・e(H,W)^(-α'-β')・e(H,G2)^(-δ'1-δ'2)・e(H,G2)^(y')、
R4 = [x']T1 -[\delta'1]U、および
R5 = [x']T2 -[\delta'2]V
を生成する。ここで記号「^」 は冪乗剰余算を意味する。 The group signature apparatus 1013 further uses the input random numbers to randomly generate points α ′, β ′, δ ′ 1 , δ ′ 2, and y ′ that are points on Z / pZ.
Select. The group signature device 1013 then constitutes a commitment,
R 1 = [α '] U,
R 2 = [β '] V,
R 3 = e (T 3 , G 2 ) ^ (x ') · e (H, W) ^ (-α'-β') · e (H, G 2 ) ^ (-δ ' 1 -δ' 2 ) ・ E (H, G 2 ) ^ (y '),
R 4 = [x '] T 1 -[\ delta' 1 ] U, and
R 5 = [x '] T 2 -[\ delta' 2 ] V
Is generated. Here, the symbol “^” means power residue.
 グループ署名装置1013は、グループ公開鍵1001と、追跡用公開鍵1002と、メッセージ1012と、U,V,T1,T2,T3,R1,R2,R3,R4およびR5と、のハッシュ値を生成する。グループ署名装置1013は、このハッシュ値を挑戦値cとする。 The group signature device 1013 includes a group public key 1001, a tracking public key 1002, a message 1012, U, V, T 1 , T 2 , T 3 , R 1 , R 2 , R 3 , R 4 and R 5. And generate a hash value. The group signature device 1013 sets this hash value as the challenge value c.
 グループ署名装置1013は、レスポンスを構成する、
sα = α' + c α、
sβ = β' + c β、
sx = x' + c x、
sδ1 = δ'1 + c xα、
sδ2 = δ'2 + c xβ、および
sy = y' + x y
を生成する。 The group signature device 1013 constitutes a response,
s α = α '+ c α,
s β = β '+ c β,
s x = x '+ c x,
s δ1 = δ ' 1 + c xα,
s δ2 = δ ' 2 + c xβ, and
s y = y '+ x y
Is generated.
 グループ署名装置1013は、
T1,T2,T3,c,sα,sβ,sx,sδ1,sδ2,およびsy
を、メッセージ1012であるmに対するグループ署名1014として出力する。 The group signature device 1013
T 1 , T 2 , T 3 , c, s α , s β , s x , s δ1 , s δ2 , and s y
Is output as a group signature 1014 for m which is the message 1012.
 以下、グループ署名検証装置1015を説明する。 Hereinafter, the group signature verification apparatus 1015 will be described.
 グループ署名検証装置1015には、署名がなされたメッセージ1012と、グループ公開鍵1001と、追跡用公開鍵1002とが入力される。 In the group signature verification apparatus 1015, a signed message 1012, a group public key 1001, and a tracking public key 1002 are input.
 グループ署名検証装置1015は、
R1 = [sα]U -[c]T1
R2 = [sβ]V -[c]T2
R3 = e(T3,G2)^(sx)・e(H,W)^(-sα-sβ)・e(H,G2)^(-sδ1- sδ2)・e(H,G2)^(sy)(e(G1,G2) /e(T3,W) )^(-c)、
R4 = [sx]T1 -[sδ1]U、および
R5 = [sx]T2 -[sδ2]U
を生成する。 Group signature verification device 1015
R 1 = [s α ] U-[c] T 1 ,
R 2 = [s β ] V-[c] T 2 ,
R 3 = e (T 3 , G 2 ) ^ (s x ) ・ e (H, W) ^ (-s α -s β ) ・ e (H, G 2 ) ^ (-s δ1 -s δ2 ) ・e (H, G 2 ) ^ (s y ) (e (G 1 , G 2 ) / e (T 3 , W)) ^ (-c),
R 4 = [s x ] T 1- [s δ1 ] U, and
R 5 = [s x ] T 2- [s δ2 ] U
Is generated.
 続いて、グループ署名検証装置1015は、グループ公開鍵1001と、追跡用公開鍵1002と、署名がなされたメッセージ1012と、U,V,T1,T2,T3,R1,R2,R3,R4およびR5と、のハッシュ値を生成する。グループ署名検証装置1015は、このハッシュ値が挑戦値cと一致するかを確認する。グループ署名検証装置1015は、これらが一致すればグループ署名は正当である判断し、これらが一致しなければグループ署名は不当であると判断する。 Subsequently, the group signature verification device 1015 includes a group public key 1001, a tracking public key 1002, a signed message 1012, U, V, T1, T2, T3, R1, R2, R3, R4, and R5. And generate a hash value. The group signature verification device 1015 confirms whether this hash value matches the challenge value c. The group signature verification apparatus 1015 determines that the group signature is valid if they match, and determines that the group signature is invalid if they do not match.
 以下、追跡装置1017を説明する。 Hereinafter, the tracking device 1017 will be described.
 追跡装置1017には、メンバ証拠の暗号文1020を含むグループ署名1014と、追跡用の秘密鍵1018が入力される。 The tracking device 1017 receives a group signature 1014 including a ciphertext 1020 of member evidence and a tracking private key 1018.
 追跡装置1017は、メンバ証拠1019であるA =T3 -[ξ1]T1-[ξ2]T2を計算する。 The tracking device 1017 calculates member evidence 1019, A = T 3 − [ξ 1 ] T 1 − [ξ 2 ] T 2 .
 追跡装置1017は、メンバ証明書にメンバ証拠1019であるAを持つ利用者を、不正者として同定する。 The tracking device 1017 identifies a user who has A as member evidence 1019 in the member certificate as an unauthorized person.
 関連技術を用いて不正者を追跡する場合、追跡用の秘密鍵を用いて署名から値Aを復号し、これに対応する者を見つけなければならない。この対応はメンバ証明書を作成した者のみが知ることが出来る。よって、メンバ証明書を作成した者以外の者(以下「追跡者」と称する)が追跡を行うには、追跡者が、メンバ証明書を作成した者に、その対応を問い合わせるか、メンバの対応表を予め手にいれておく必要がある。前者の方法では、メンバ証明書を作成した者が全ての不正者追跡に関わる必要が生じる。このため、大きなシステムでは、メンバ証明書を作成した者の負担が大きくなる。後者の方法では、グループに属するメンバが公開されてしまう。このため、これを好まぬグループメンバーが多いグループでは、グループに属するメンバが公開されることが問題となる。 When tracking unauthorized persons using related technology, the value A must be decrypted from the signature using the tracking private key, and the corresponding person must be found. This correspondence can be known only by the person who created the member certificate. Therefore, in order for a person other than the person who created the member certificate (hereinafter referred to as “tracker”) to track, the tracker asks the person who created the member certificate about the correspondence, or the member's action It is necessary to obtain a table in advance. In the former method, the person who created the member certificate needs to be involved in tracking all unauthorized persons. For this reason, in a large system, the burden on the person who created the member certificate increases. In the latter method, members belonging to the group are disclosed. For this reason, in a group having many group members who do not like this, it becomes a problem that members belonging to the group are disclosed.
 すなわち、メンバのリスト等を使わず、不正者追跡装置によりグループ署名から直接メンバの識別子が取り出せないことが問題である。 That is, there is a problem that the member identifier cannot be extracted directly from the group signature by the unauthorized person tracking device without using the member list or the like.
 そこで本発明は、上記実情に鑑みて、正当性の検証が容易なグループ署名を得ることを目的とする。 Therefore, in view of the above circumstances, an object of the present invention is to obtain a group signature that can be verified easily.
 上記目的を達成するために本発明は、以下の構成を備える。 In order to achieve the above object, the present invention has the following configuration.
 本発明に係るグループ署名システムは、メンバ証明書獲得装置と、メンバ証明書発行装置と、グループ署名装置と、を有するグループ署名システムであって、前記メンバ証明書獲得装置は、署名者の識別子と、署名用の秘密鍵であるメンバ秘密鍵に基づく署名と、を含むメンバ証拠を生成するメンバ証拠生成部と、前記署名が正当なものであることが確認された場合に前記メンバ証拠を含むメンバ証明書を出力するメンバ証明書検証部と、を備え、前記メンバ証明書発行装置は、前記メンバ秘密鍵に対応するメンバ公開鍵と前記識別子との組のリストである公開鍵リスト並びに前記メンバ証拠に基づいて、前記署名が正当なものであることを確認する署名検証部を備え、前記グループ署名装置は、グループ公開鍵と、追跡用公開鍵と、前記メンバ秘密鍵と、前記メンバ証明書と、に基づいて、前記署名の暗号文を含むグループ署名を出力する。 A group signature system according to the present invention is a group signature system having a member certificate acquisition device, a member certificate issuing device, and a group signature device, wherein the member certificate acquisition device includes an identifier of a signer A member evidence generating unit that generates a member evidence including a signature based on a member private key that is a signature private key, and a member including the member evidence when the signature is confirmed to be valid A member certificate verification unit that outputs a certificate, wherein the member certificate issuing device includes a public key list that is a list of a member public key corresponding to the member private key and the identifier, and the member evidence A signature verification unit that confirms that the signature is valid, the group signature device includes a group public key, a tracking public key, and the And Nba secret key, and the member certificate, on the basis of, and outputs a group signature that contains the encrypted text of the signature.
 本発明に係るグループ署名方法は、署名者の識別子と、署名用の秘密鍵であるメンバ秘密鍵に基づく署名と、を含むメンバ証拠を生成し、前記メンバ秘密鍵に対応するメンバ公開鍵と前記識別子との組のリストである公開鍵リスト並びに前記メンバ証拠に基づいて、前記署名が正当なものであることを確認し、前記署名が正当なものであることが確認された場合に前記メンバ証拠を含むメンバ証明書を出力し、グループ公開鍵と、追跡用公開鍵と、前記メンバ秘密鍵と、前記メンバ証明書と、に基づいて、前記署名の暗号文を含むグループ署名を出力する。 The group signature method according to the present invention generates member evidence including an identifier of a signer and a signature based on a member private key that is a private key for signing, a member public key corresponding to the member private key, Based on the public key list, which is a list of pairs with identifiers, and the member evidence, the signature is confirmed to be valid, and the member evidence is confirmed when the signature is confirmed to be valid. And a group signature including the ciphertext of the signature based on the group public key, the tracking public key, the member private key, and the member certificate.
 本発明によれば、正当性の検証が容易なグループ署名を得ることが可能となる。 According to the present invention, it is possible to obtain a group signature that can be easily verified for validity.
グループ署名の関連技術を説明するための図である。It is a figure for demonstrating the related technique of a group signature. 本発明の実施形態の全体構成を示すブロック図である。It is a block diagram which shows the whole structure of embodiment of this invention. 本発明の実施形態に係るメンバ証明書獲得装置の機能構成を示すブロック図である。It is a block diagram which shows the function structure of the member certificate acquisition apparatus which concerns on embodiment of this invention. 本発明の実施形態に係るメンバ証明書発行装置の機能構成を示すブロック図である。It is a block diagram which shows the function structure of the member certificate issuing apparatus which concerns on embodiment of this invention. 本発明の実施形態に係るグループ署名装置の機能構成を示すブロック図である。It is a block diagram which shows the function structure of the group signature apparatus which concerns on embodiment of this invention. 本発明の実施形態に係るグループ署名検証装置の機能構成を示すブロック図である。It is a block diagram which shows the function structure of the group signature verification apparatus which concerns on embodiment of this invention. 本発明の実施形態に係る追跡装置の機能構成を示すブロック図である。It is a block diagram which shows the function structure of the tracking apparatus which concerns on embodiment of this invention.
 以下、本発明の好適な実施の形態について図面を参照して説明する。 Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.
 下記実施形態においては、グループ署名メンバの識別子の暗号文をグループ署名の一部となし、不正者追跡装置はこれを直接復号することにより不正者の識別子を抽出する。 In the following embodiment, the ciphertext of the identifier of the group signature member is made a part of the group signature, and the unauthorized person tracking device extracts the unauthorized person identifier by directly decrypting it.
 図2は本実施形態の全体構成を示す。図2において、グループ署名システム600は、メンバ証明書獲得装置100と、メンバ証明書発行装置200と、グループ署名装置300と、グループ署名検証装置400と、追跡装置500とを有する。図2中、長方形で囲ったブロックは、入力又は出力される情報等を示し、丸め長方形で囲ったブロックは、各装置又は手段を示す。次に、以下の説明で用いる記号等の定義を説明する。 FIG. 2 shows the overall configuration of this embodiment. 2, the group signature system 600 includes a member certificate acquisition device 100, a member certificate issuing device 200, a group signature device 300, a group signature verification device 400, and a tracking device 500. In FIG. 2, a block enclosed by a rectangle indicates information that is input or output, and a block enclosed by a rounded rectangle indicates each device or means. Next, definitions of symbols and the like used in the following description will be described.
 pは素数であるとする。 Suppose that p is a prime number.
 群1と群2と群Tのそれぞれは、位数pの群であるとする。 Suppose that each of group 1, group 2, and group T is a group of order p.
 群1と群2の組から群Tへの双線形写像eが存在するとする。 Suppose that there is a bilinear mapping e from the set of group 1 and group 2 to group T.
 群1、群2、群Tは、ディフィヘルマン判別問題を解くことが困難な群とする。特に、群1、群2の上でこの問題が困難であるためには、群1から群2、及びその逆の同型写像の計算が困難であることが必要である。 Group 1, Group 2, and Group T are groups that are difficult to solve the Diffie-Hellman discrimination problem. In particular, in order for this problem to be difficult on group 1 and group 2, it is necessary that it is difficult to calculate isomorphisms from group 1 to group 2 and vice versa.
 公開鍵リストには公開鍵の所有者の識別子とその公開鍵の組が並んでいるとする。 Suppose that the public key list includes the identifier of the owner of the public key and the set of the public key.
 文字列を体(Z/pZ)へと写像するハッシュ関数がハッシュ関数Hashであるとする。 Suppose the hash function Hash is a hash function that maps a character string to a field (Z / pZ).
 gは群1の生成子、Gは群2の生成子、Γは群Tの生成子であるとする。 Suppose that g is a generator of group 1, G is a generator of group 2, and Γ is a generator of group T.
 φ、ψは、ランダムに選ばれたZ/pZの元であり、f,hは、ランダムに選ばれた群1の生成元であるとする。 Φ and ψ are Z / pZ elements selected at random, and f and h are generators of group 1 selected at random.
 πは、ランダムに選ばれた暗号化関数であり、π-1は復号関数であり、
Y =Gφ、Z=Gψが生成され、グループ秘密鍵が(φ,ψ)であり、グループ公開鍵が(群1、群2、群T,p,e,g,G,Hash,π,Y,Z,f,h) であるとする。 π is a randomly chosen encryption function, π -1 is a decryption function,
Y = G φ , Z = G ψ is generated, the group secret key is (φ, ψ), and the group public key is (group 1, group 2, group T, p, e, g, G, Hash, π , Y, Z, f, h).
 Z/pZ の元であるξ,ζがランダムに選ばれ、r = hξ, t = hζが生成され、追跡秘密鍵は(ξ,ζ)であり、追跡公開鍵は(r,t)であるとする。 Ξ and ζ that are the elements of Z / pZ are randomly selected, r = h ξ and t = h ζ are generated, the tracking secret key is (ξ, ζ), and the tracking public key is (r, t) Suppose that
 <メンバ証明書獲得装置100>
 図3を参照するとメンバ証明書獲得装置100の機能構成が示されている。メンバ証明書獲得装置100は、メンバ証拠生成部103と、署名部108と、知識の証明部113と、メンバ証明書検証部117と、を備える。なお、メンバ証明書獲得装置100として、例えば、通信デバイス、入出力デバイス、演算デバイス(CPU等)、記憶デバイス(メモリ等)を備えるコンピュータ等の情報処理装置が用いられることができる。上記各部は、これらハードウェアを利用するソフトウェアプログラムとハードウェアとの協働によって実現させることができる。 <Member certificate acquisition device 100>
Referring to FIG. 3, the functional configuration of the member certificate acquisition apparatus 100 is shown. The member certificate acquisition apparatus 100 includes a member evidence generation unit 103, a signature unit 108, a knowledge proof unit 113, and a member certificate verification unit 117. As the member certificate acquisition apparatus 100, for example, an information processing apparatus such as a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used. Each of the above-described units can be realized by cooperation between a software program that uses these hardware and the hardware.
 メンバ証拠生成部103は、一般的にメンバ証拠生成手段と呼ぶことができる。署名部108は、一般的に署名手段と呼ぶことができる。知識の証明部113は、一般的に知識の証明手段と呼ぶことができる。メンバ証明書検証部117は、一般的にメンバ証明書検証手段と呼ぶことができる。 The member evidence generation unit 103 can be generally called member evidence generation means. Signature section 108 can be generally referred to as signature means. Knowledge proof unit 113 can be generally referred to as knowledge proof means. Member certificate verification unit 117 can generally be referred to as member certificate verification means.
 メンバ証明書獲得装置100にはグループ公開鍵101と識別子105(ID)と乱数102が入力される。 The group public key 101, the identifier 105 (ID), and the random number 102 are input to the member certificate acquisition apparatus 100.
 メンバ証拠作成部103は、入力された乱数102を用いて、(Z/pZ)よりメンバ秘密鍵107であるχと、ω'を、ランダムに選ぶ。また、メンバ証拠作成部103は、秘密鍵知識104として、q = fχ を生成する。署名部108は、qに対する識別子105であるIDを保持する者の署名109として、σ, z=q hω'を生成する。これら (ID,q,σ)をメンバ証拠112と呼ぶ。メンバ証明書獲得装置100は、メンバ証拠(ID,q,σ) をメンバ証明書発行装置200に送る。 Using the input random number 102, the member evidence creation unit 103 randomly selects χ and ω ′, which are the member secret keys 107, from (Z / pZ). Further, the member evidence creating unit 103 generates q = as the secret key knowledge 104. The signature unit 108 generates σ, z = q h ω ′ as the signature 109 of the person holding the ID that is the identifier 105 for q. These (ID, q, σ) are called member evidence 112. The member certificate obtaining apparatus 100 sends member evidence (ID, q, σ) to the member certificate issuing apparatus 200.
 知識の証明部113は、以下の様に、二式、
q = fχ, z/q= hω'を満す(χ,ω')の知識をメンバ証明書発行装置200に対して証明する。
[手続き始め]
 知識の証明部113は、入力された乱数より、(Z/pZ) よりランダムにχ',ω[1]を選び、コミットメントとしてq'= fχ', z'= hω[2]を生成し、そのコミットメントを、メンバ証明書発行装置200に送る。 The knowledge proof part 113 has two types as follows:
The knowledge of (χ, ω ′) that satisfies q = f χ , z / q = h ω ′ is proved to the member certificate issuing device 200.
[Begin procedure]
The knowledge proof part 113 randomly selects χ ', ω [1] from (Z / pZ) from the input random number, and generates q' = f χ ' , z' = h ω [2] as a commitment The commitment is sent to the member certificate issuing device 200.
 知識の証明部113は、メンバ証明書発行装置200より、Z/pZ の元である挑戦値cが送られるのを待つ。 The knowledge proof unit 113 waits for a challenge value c, which is the source of Z / pZ, to be sent from the member certificate issuing device 200.
 知識の証明部113は、挑戦値cを受信したならば、レスポンスとして
χ'' = cχ +χ', ω[3] = cω[1] + ω[2] ,
を計算し、その計算結果(レスポンス)を、メンバ証明書発行装置に送る。
[手続き終わり] 
 メンバ証明書検証部117は、メンバ証明書発行装置200より、メンバ証明書源116である (a, α,β,ω'') が送られてくるのを待つ。 When the knowledge proof unit 113 receives the challenge value c, the response χ ″ = cχ + χ ′, ω [3] = cω [1] + ω [2],
And the calculation result (response) is sent to the member certificate issuing device.
[End of procedure]
The member certificate verification unit 117 waits for (a, α, β, ω ″), which is the member certificate source 116, to be sent from the member certificate issuing device 200.
 メンバ証明書検証部117は、上の値を受信したならば、
ω = ω' + ω'' , b = π(ID,σ),
を計算する。その後、メンバ証明書検証部117は、
e(a,Y Gα) e(b,Z Gβ) e(fχ,G) e(hω,G)=e(g,G)
が成り立つことを確認する。その後、メンバ証明書検証部117は、
(a,α,b,β,χ,ω) をメンバ証明書119として、
χをメンバ秘密鍵118として、出力する。 If the member certificate verification unit 117 receives the above value,
ω = ω '+ ω'', b = π (ID, σ),
Calculate Thereafter, the member certificate verification unit 117
e (a, Y G α ) e (b, Z G β ) e (f χ , G) e (h ω , G) = e (g, G)
Confirm that Thereafter, the member certificate verification unit 117
(a, α, b, β, χ, ω) as member certificate 119,
χ is output as the member secret key 118.
 ここで、b からπ-1(b) = (ID,σ)を復号でき, q=fχとメンバ証明書からqを復元できる為、メンバ証明書119はメンバ証拠112を含んでいるといえる。 Here, π -1 (b) = (ID, σ) can be decrypted from b, and q can be restored from q = f χ and the member certificate. Therefore, it can be said that the member certificate 119 includes the member evidence 112. .
 <メンバ証明書発行装置200>
 図4を参照するとメンバ証明書発行装置200の機能構成が示されている。メンバ証明書発行装置200は、署名検証部208と、知識検証部209と、メンバ証明書源生成部211と、を備える。なお、メンバ証明書発行装置200として、例えば、通信デバイス、入出力デバイス、演算デバイス(CPU等)、記憶デバイス(メモリ等)を備えるコンピュータ等の情報処理装置が用いられることができる。上記各部は、これらハードウェアを利用するソフトウェアプログラムとハードウェアとの協働によって実現させることができる。 <Member certificate issuing device 200>
Referring to FIG. 4, the functional configuration of the member certificate issuing device 200 is shown. The member certificate issuing device 200 includes a signature verification unit 208, a knowledge verification unit 209, and a member certificate source generation unit 211. As the member certificate issuing device 200, for example, an information processing device such as a computer having a communication device, an input / output device, a computing device (CPU or the like), and a storage device (memory or the like) can be used. Each of the above-described units can be realized by cooperation between a software program that uses these hardware and the hardware.
 署名検証部208は、一般的に署名検証手段と呼ぶことができる。知識検証部209は、一般的に知識検証手段と呼ぶことができる。メンバ証明書源生成部211は、一般的にメンバ証明書源生成手段と呼ぶことができる。 The signature verification unit 208 can be generally called signature verification means. Knowledge verification unit 209 can be generally referred to as knowledge verification means. Member certificate source generation unit 211 can be generally referred to as member certificate source generation means.
 メンバ証明書発行装置200にはグループ公開鍵101、グループ秘密鍵210、乱数201、公開鍵リスト202、および、メンバリスト203が入力される。 The member certificate issuing device 200 receives a group public key 101, a group secret key 210, a random number 201, a public key list 202, and a member list 203.
 署名検証部208は、メンバ証拠(ID,q,σ)112 がメンバ証明書獲得装置100より送られるのを待つ。 The signature verification unit 208 waits for the member evidence (ID, q, σ) 112 to be sent from the member certificate acquisition apparatus 100.
 署名検証部208は、署名109であるσが秘密鍵知識104であるqに対するIDの正当な署名であることを、公開鍵リスト202を用いて確認する。 The signature verification unit 208 uses the public key list 202 to confirm that the signature 109 σ is a legitimate signature of the ID for q that is the secret key knowledge 104.
 知識検証部209は以下の手続きにより、二式、
q = fχ, z/q= hω' を満す(χ,ω') の知識をメンバ証明書獲得装置100が保持していることを検証する。
[手続き始め]
 知識検証部209は、コミットメント(q',z') が、メンバ証明書獲得装置100より送られてくるのを待つ。 The knowledge verification unit 209 performs the following two procedures,
It is verified that the member certificate acquisition apparatus 100 holds knowledge of (χ, ω ′) satisfying q = f χ , z / q = h ω ′ .
[Begin procedure]
The knowledge verification unit 209 waits for the commitment (q ′, z ′) to be sent from the member certificate acquisition device 100.
 コミットメント(q',z') が送られてきたならば、知識検証部209は、入力された乱数より、挑戦値cを(Z/pZ) よりランダムに選び、その挑戦値cをメンバ証明書獲得装置100に送付する。 If the commitment (q ', z') is sent, the knowledge verification unit 209 selects the challenge value c randomly from (Z / pZ) from the input random number, and the challenge value c is a member certificate. Send to acquisition device 100.
 知識検証部209は、レスポンス(χ'',ω[3])が、メンバ証明書獲得装置100より送られてくるのを待つ。 The knowledge verification unit 209 waits for a response (χ ″, ω [3]) to be sent from the member certificate acquisition apparatus 100.
 レスポンス(χ'',ω[3])が送られてきたならば、知識検証部209は、
gχ''= qc q', hω[3] = (z/q)c z'
が成り立つことを確認する。
[手続き終わり] 
 メンバ証明書源生成部211は、入力された乱数より、Z/pZの元であるα, β, ω''を選び、a = (g f-1 h-ω'' π(ID,σ)ψ+β)φ+ α
を生成し、(a,α,β, ω'') をメンバ証明書源212として、メンバ証明書獲得装置100に送る。 If the response (χ ″, ω [3]) is sent, the knowledge verification unit 209
g χ '' = q c q ', h ω [3] = (z / q) c z'
Confirm that
[End of procedure]
The member certificate source generation unit 211 selects α, β, ω '' that is an element of Z / pZ from the input random numbers, and a = (g f -1 h-ω '' π (ID, σ) ψ + β ) φ + α
And (a, α, β, ω ″) is sent to the member certificate acquisition apparatus 100 as the member certificate source 212.
 また、メンバ証明書発行装置200は、識別子IDをメンバリストに追加して、メンバリスト203を出力する。 Also, the member certificate issuing device 200 adds the identifier ID to the member list and outputs the member list 203.
 <グループ署名装置300>
 図5を参照するとグループ署名装置300の機能構成が示されている。グループ署名装置300は、暗号化部303と、知識の証明文生成部308と、を備える。なお、グループ署名装置300として、例えば、通信デバイス、入出力デバイス、演算デバイス(CPU等)、記憶デバイス(メモリ等)を備えるコンピュータ等の情報処理装置が用いられることができる。上記各部は、これらハードウェアを利用するソフトウェアプログラムとハードウェアとの協働によって実現させることができる。 <Group signature device 300>
Referring to FIG. 5, the functional configuration of the group signature device 300 is shown. The group signature device 300 includes an encryption unit 303 and a knowledge proof sentence generation unit 308. As the group signature apparatus 300, for example, an information processing apparatus such as a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used. Each of the above-described units can be realized by cooperation between a software program that uses these hardware and the hardware.
 暗号化部303は、一般的に暗号化手段と呼ぶことができる。知識の証明文生成部308は、一般的に知識の証明文生成手段と呼ぶことができる。 The encryption unit 303 can generally be called encryption means. Knowledge proof sentence generator 308 can generally be referred to as knowledge proof sentence generation means.
 グループ署名装置300には、グループ公開鍵101である(群1,群2,群T,p,e,g,G,Hash,π,Y,Z,f,h)、追跡用公開鍵301である(r,t)、メンバ証明書119である(a,α,b,β,χ,ω)、メンバ秘密鍵118であるχ、メッセージ302であるm、および、乱数303が入力される。 The group signature device 300 includes a group public key 101 (group 1, group 2, group T, p, e, g, G, Hash, π, Y, Z, f, h), and a tracking public key 301. A certain (r, t), a member certificate 119 (a, α, b, β, χ, ω), a member secret key 118 χ, a message 302 m, and a random number 303 are input.
 暗号化部303は、体Z/pZ より、ρ,τ,θをランダムに選び、
秘密鍵知識104に係る秘密鍵知識の暗号文304である(v',m',n')=(fχ hτ,rτ,tτ)と、
秘密鍵知識104に対する署名109に係る署名の暗号文305である(v,m,n) =(b hρ,rρ,tρ)と、
メンバ証明書の一部のコミットメントであるu = a hθ
を生成する。 The encryption unit 303 randomly selects ρ, τ, θ from the field Z / pZ,
(V ′, m ′, n ′) = (f χ h τ , r τ , t τ ), which is a ciphertext 304 of the secret key knowledge related to the secret key knowledge 104,
(V, m, n) = (b h ρ , r ρ , t ρ ), which is the ciphertext 305 of the signature related to the signature 109 with respect to the secret key knowledge 104,
U = a h θ, which is a partial commitment of the member certificate
Is generated.
 知識の証明文生成部308は以下の処理を行う。 The knowledge certificate generator 308 performs the following processing.
 以下の処理は、以下の式 
(v,m,n) = (b hρ,rρ,tρ)、
(v',m',n') = (fχ hτ,rτ,tτ)、および
e(g,G)e(u,Y)-1 e(v,Z) -1 = e(f,G)χ e(u,G)αe(v,G)β e(h,Y) e(h,Z)e(h,G)ω
を満す(χ,α,β,θ,ρ,τ,ω)の知識の証明である。
[知識の証明文生成始め] 
 知識の証明文生成部308は、コミットメント生成部(不図示)を用いて、
体Z/pZ より、ρ',τ',θ',χ',α',β', ω'をランダムに選び、
Δ = e(f,G)χ' e(u,G)α'e(v,G)β' e(h,Y)-θ' e(h,Z)-ρ'e(h,G)ω'
m = rρ'
n = tρ'
v' =fχ' hτ'
m' = rτ'
n' = tτ'
を生成する。 The following processing is the following formula
(v, m, n) = (b h ρ , r ρ , t ρ ),
(v ', m', n ') = (f χ h τ , r τ , t τ ), and
e (g, G) e (u, Y) -1 e (v, Z) -1 = e (f, G) χ e (u, G) α e (v, G) β e (h, Y) e (h, Z) e (h, G) ω
Is a proof of knowledge that satisfies (χ, α, β, θ, ρ, τ, ω).
[Begin generating proof of knowledge]
The knowledge proof generation unit 308 uses a commitment generation unit (not shown),
From the field Z / pZ, ρ ', τ', θ ', χ', α ', β', ω 'are randomly selected,
Δ = e (f, G) χ ' e (u, G) α' e (v, G) β ' e (h, Y) -θ' e (h, Z) -ρ ' e (h, G) ω '
m * = r ρ '
n * = t ρ '
v ' * = f χ' h τ '
m ' * = r τ'
n ' * = t τ'
Is generated.
 知識の証明文生成部308は、(Δ,m,n,v',m',n') をコミットメントとする。 The knowledge proof generation unit 308 has (Δ, m * , n * , v ′ * , m ′ * , n ′ * ) as a commitment.
 知識の証明文生成部308は、挑戦値生成部(不図示)を用いて、挑戦値である
c = Hash(p,g,G,π,Y,Z,f,h,r,t,v,m,n,v',m',n',u,Δ,m,n,v',m',n',m)
を生成する。 The knowledge proof sentence generation unit 308 uses a challenge value generation unit (not shown) to obtain a challenge value.
c = Hash (p, g, G, π, Y, Z, f, h, r, t, v, m, n, v ', m', n ', u, Δ, m * , n * , v ' * , M' * , n ' * , m)
Is generated.
 知識の証明文生成部308は、レスポンス生成部(不図示)を用いて、
χ'' =χc +χ', α'' =αc +α', β'' =βc +β', θ'' =θc +θ', ρ''= ρc +ρ', τ''= τc +τ', ω''= ωc + ω'
を生成する。 The knowledge proof generation unit 308 uses a response generation unit (not shown),
χ '' = χc + χ ', α''= αc + α', β '' = βc + β ', θ''= θc + θ', ρ '' = ρc + ρ ', τ''= τc + τ ', ω''= ωc + ω'
Is generated.
 知識の証明文生成部308は、(χ'',α'',β'',θ'',ρ'',τ'',ω'')をレスポンスとする。 The knowledge proof generation unit 308 uses (χ ″, α ″, β ″, θ ″, ρ ″, τ ″, ω ″) as a response.
 知識の証明文生成部308は、上記コミットメントとレスポンスを、知識の証明文309であるfspとする。
[知識の証明文生成終わり] 
 グループ署名装置300は、(v,m,n,v',m',n',u,fsp)を、メッセージ302であるmに対するグループ署名313として出力する。 The knowledge proof sentence generation unit 308 sets the commitment and response as fsp which is the knowledge proof sentence 309.
[End of knowledge proof generation]
The group signature device 300 outputs (v, m, n, v ′, m ′, n ′, u, fsp) as a group signature 313 for m that is the message 302.
 <グループ署名検証装置400>
 図6を参照するとグループ署名検証装置400の機能構成が示されている。グループ署名検証装置400は、知識の検証部401と、挑戦値生成部402と、を備える。なお、グループ署名検証装置400として、例えば、通信デバイス、入出力デバイス、演算デバイス(CPU等)、記憶デバイス(メモリ等)を備えるコンピュータ等の情報処理装置が用いられることができる。上記各部は、これらハードウェアを利用するソフトウェアプログラムとハードウェアとの協働によって実現させることができる。 <Group signature verification device 400>
Referring to FIG. 6, the functional configuration of the group signature verification apparatus 400 is shown. The group signature verification apparatus 400 includes a knowledge verification unit 401 and a challenge value generation unit 402. As the group signature verification apparatus 400, for example, an information processing apparatus such as a computer including a communication device, an input / output device, an arithmetic device (CPU or the like), and a storage device (memory or the like) can be used. Each of the above-described units can be realized by cooperation between a software program that uses these hardware and the hardware.
 グループ署名検証装置400にはグループ公開鍵101である(群1,群2,群T,p,e,g,G,Hash,π,Y,Z,f,h)、追跡用公開鍵301である(r,t)、メッセージ302であるm、グループ署名313である(v,m,n,v',m',n',u,fsp)が入力される。 The group signature verification apparatus 400 includes a group public key 101 (group 1, group 2, group T, p, e, g, G, Hash, π, Y, Z, f, h), and a tracking public key 301. A message (r, t), m, which is a message 302, and (v, m, n, v ′, m ′, n ′, u, fsp), which are group signatures 313, are input.
 但し、fsp =(Δ,m,n,v',m',n',χ'',α'',β'',θ'',ρ'',τ'',ω'')であるとする。 However, fsp = (Δ, m * , n * , v ' * , m' * , n ' * , χ'',α'',β'',θ'',ρ'',τ'', ω '').
 なお、グループ署名313には、秘密鍵知識の暗号文304である(v',m',n')=(fχ hτ,rτ,tτ)と、秘密鍵知識に対する署名の暗号文307である(v,m,n) =(b hρ,rρ,tρ)が含まれている。 The group signature 313 includes (v ′, m ′, n ′) = (f χ h τ , r τ , t τ ) that is the secret key knowledge ciphertext 304 and the signature ciphertext for the secret key knowledge. 307 (v, m, n) = (bh ρ , r ρ , t ρ ) is included.
 知識の検証部401は、一般的に知識の検証手段と呼ぶことができる。挑戦値生成部402は、一般的に挑戦値生成手段と呼ぶことができる。 The knowledge verification unit 401 can generally be referred to as knowledge verification means. Challenge value generation unit 402 can be generally referred to as challenge value generation means.
 知識の検証部401は、挑戦値生成部402を用いて、挑戦値
c = Hash(p,g,G,π,Y,Z,f,h,r,t,v,m,n,v',m',n',u,Δ,m,n,v',m',n',m)
を生成する。 The knowledge verification unit 401 uses the challenge value generation unit 402 to
c = Hash (p, g, G, π, Y, Z, f, h, r, t, v, m, n, v ', m', n ', u, Δ, m * , n * , v ' * , M' * , n ' * , m)
Is generated.
 また、知識の検証部401は、以下の式、
(e(g,G)e(u,Y)-1 e(v,Z) -1)cΔ = e(f,G)χ'' e(u,G)α''e(v,G)β'' e(h,Y)-θ'' e(h,Z)-ρ''e(h,G)ω''
mc m = rρ''
nc n = tρ'
v'c v' = fχ'' hτ''
m'c m' = rτ''
n'c n' = tτ''
が成り立つことを確認する。 The knowledge verification unit 401 has the following formula:
(e (g, G) e (u, Y) -1 e (v, Z) -1 ) c Δ = e (f, G) χ '' e (u, G) α '' e (v, G ) β '' e (h, Y) -θ '' e (h, Z) -ρ '' e (h, G) ω ''
m c m * = r ρ ''
n c n * = t ρ '
v ' c v' * = f χ '' h τ ''
m ' c m' * = r τ ''
n ' c n' * = t τ ''
Confirm that
 知識の検証部401は、これが成り立てば「正当」を出力し、これが成り立たなければ「不当」を出力する。 The knowledge verification unit 401 outputs “valid” if this is true, and outputs “invalid” if this is not true.
 <追跡装置500>
 図7を参照すると追跡装置500の機能構成が示されている。追跡装置500は、復号部503と、復号正当性証明部510と、署名検証部513と、を備える。なお、追跡装置500として、例えば、通信デバイス、入出力デバイス、演算デバイス(CPU等)、記憶デバイス(メモリ等)を備えるコンピュータ等の情報処理装置が用いられることができる。上記各部は、これらハードウェアを利用するソフトウェアプログラムとハードウェアとの協働によって実現させることができる。 <Tracker 500>
Referring to FIG. 7, the functional configuration of the tracking device 500 is shown. The tracking device 500 includes a decryption unit 503, a decryption validity proving unit 510, and a signature verification unit 513. As the tracking device 500, for example, an information processing device such as a computer including a communication device, an input / output device, a computing device (CPU or the like), and a storage device (memory or the like) can be used. Each of the above-described units can be realized by cooperation between a software program that uses these hardware and the hardware.
 復号部503は、一般的に復号手段と呼ぶことができる。復号正当性証明部510は、一般的に復号正当性証明手段と呼ぶことができる。署名検証部513は、一般的に署名検証手段と呼ぶことができる。 Decoding section 503 can generally be called decoding means. Decryption validity proving unit 510 can be generally referred to as decryption validity proving means. Signature verification unit 513 can generally be referred to as signature verification means.
 追跡装置500には公開鍵リスト202、グループ公開鍵101である(群1,群2,群T,p,e,g,G,Hash,π,Y,Z,f,h)、追跡用公開鍵301である(r,t)、追跡秘密鍵501である(ξ,ζ)、メッセージ302であるm、グループ署名313である(v,m,n,v',m',n',u,fsp)が入力される。 The tracking device 500 includes a public key list 202 and a group public key 101 (group 1, group 2, group T, p, e, g, G, Hash, π, Y, Z, f, h), tracking public Key 301 (r, t), tracking private key 501 (ξ, ζ), message 302 m, group signature 313 (v, m, n, v ′, m ′, n ′, u , fsp) is input.
 但し、fsp =(Δ,m,n,v',m',n',χ'',α'',β'',θ'',ρ'',τ'',ω'')であるとする。 However, fsp = (Δ, m * , n * , v ' * , m' * , n ' * , χ'',α'',β'',θ'',ρ'',τ'', ω '').
 なお、グループ署名313には、秘密鍵知識の暗号文304である(v',m',n')=(fχ hτ,rτ,tτ)と、秘密鍵知識に対する署名の暗号文307である(v,m,n) =(b hρ,rρ,tρ)が含まれている。 The group signature 313 includes (v ′, m ′, n ′) = (f χ h τ , r τ , t τ ) that is the secret key knowledge ciphertext 304 and the signature ciphertext for the secret key knowledge. 307 (v, m, n) = (bh ρ , r ρ , t ρ ) is included.
 復号部503は、追跡用の秘密鍵501を用いて、秘密鍵知識の暗号文304と秘密鍵知識に対する署名の暗号文307とから、メンバ証拠の一部である秘密鍵知識504と秘密鍵知識に対する署名507を以下のように復号する。すなわち、復号部503は
q = v' m', b = v m, (ID,ρ)=π-1(b)
を生成する。 Using the private key 501 for tracking, the decryption unit 503 uses the private key knowledge ciphertext 304 and the private key knowledge ciphertext 307 to obtain the private key knowledge 504 and the private key knowledge that are part of the member evidence. The signature 507 is decrypted as follows. That is, the decoding unit 503
q = v 'm' , b = v m , (ID, ρ) = π -1 (b)
Is generated.
 復号正当性証明部510は、(q,b) が暗号文(v',v',v,m) の復号結果であることを示す証明文を生成する。生成された証明文を復号の正当性証明文511と呼ぶ。署名検証部513は、公開鍵リスト202にある、IDに対応する公開鍵を用いて、署名σがqに対する正当な署名であることを確認する。追跡装置500は、復号の正当性証明514と、q,b,署名者の識別子105であるIDとを出力する。 The decryption correctness proving unit 510 generates a certificate indicating that (q, b) is a decryption result of the ciphertext (v ′, v ′, v, m). The generated proof text is called a decryption correctness proof text 511. The signature verification unit 513 confirms that the signature σ is a valid signature for q using the public key corresponding to the ID in the public key list 202. The tracking device 500 outputs the decryption validity 514 and the IDs q, b and the signer identifier 105.
 <グループ署名システム600>
 再度、図2を参照する。図2において、メンバ証明書獲得装置100は、メンバ証明書発行装置200と通信することで、メンバ証明書119とメンバ秘密鍵118を獲得する。メンバ証明書発行装置200は、この通信により、メンバリスト203を得る。 <Group signature system 600>
Reference is again made to FIG. In FIG. 2, the member certificate acquisition device 100 acquires a member certificate 119 and a member secret key 118 by communicating with the member certificate issuing device 200. The member certificate issuing device 200 obtains the member list 203 through this communication.
 グループ署名装置300は、メンバ証明書獲得装置100が獲得したメンバ証明書119と、同じくメンバ証明書獲得装置100が獲得したメンバ秘密鍵118と、メッセージ302と、グループ公開鍵101と、追跡用公開鍵301とを受け付けて、メッセージ302に対するグループ署名313を出力する。 The group signature device 300 includes a member certificate 119 acquired by the member certificate acquisition device 100, a member private key 118 acquired by the member certificate acquisition device 100, a message 302, a group public key 101, and a tracking disclosure. The key 301 is accepted and a group signature 313 for the message 302 is output.
 グループ署名検証装置400は、メッセージ302とグループ公開鍵101と追跡用公開鍵301と、グループ署名313とを受け付け、グループ署名313がメッセージ302に対する正当なグループ署名であることを示す検証結果407を出力する。 The group signature verification device 400 accepts the message 302, the group public key 101, the tracking public key 301, and the group signature 313, and outputs a verification result 407 indicating that the group signature 313 is a valid group signature for the message 302. To do.
 追跡装置500は、追跡用公開鍵301と、グループ署名313と、追跡用秘密鍵501とを受け付けて、グループ署名313を生成したものを表す、メンバの識別子105を出力する。 The tracking device 500 receives the tracking public key 301, the group signature 313, and the tracking private key 501, and outputs a member identifier 105 that represents the group signature 313 generated.
 <本実施形態の効果>
 本実施形態においては、メンバ証明書獲得装置100がメンバ証明書発行装置200と通信して獲得したメンバ証明書119とメンバ秘密鍵118を用いて、グループ署名装置300が、グループ署名313を生成する。生成されたグループ署名313は、グループ署名検証装置400で、その正当性を容易に検証できることに加え、追跡装置500を用いれば、署名者の識別子105が直接グループ署名313より抽出可能になる。換言すれば、グループ署名メンバの識別子の暗号文がグループ署名の一部となっているため、不正者追跡装置は、これを直接復号することにより、不正者の識別子を抽出することができる。 <Effect of this embodiment>
In this embodiment, the group signature device 300 generates the group signature 313 using the member certificate 119 and the member private key 118 acquired by the member certificate acquisition device 100 communicating with the member certificate issuing device 200. . The generated group signature 313 can be easily verified by the group signature verification device 400. In addition, when the tracking device 500 is used, the signer identifier 105 can be directly extracted from the group signature 313. In other words, since the ciphertext of the identifier of the group signature member is a part of the group signature, the unauthorized person tracking device can extract the identifier of the unauthorized person by directly decrypting it.
 以上、実施形態を参照して本願発明を説明したが、本願発明は上記実施形態に限定されるものではない。本願発明の構成や詳細には、本願発明のスコープ内で当業者が理解し得る様々な変更をすることができる。 The present invention has been described above with reference to the embodiments, but the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.
 この出願は、2008年7月28日に出願された日本出願特願2008-194024を基礎とする優先権を主張し、その開示の全てをここに取り込む。 This application claims priority based on Japanese Patent Application No. 2008-194024 filed on July 28, 2008, the entire disclosure of which is incorporated herein.
 100  メンバ証明書獲得装置
 101  グループ公開鍵
 102  乱数
 103  メンバ証拠生成部
 104  秘密鍵知識
 105  識別子
 107  メンバ秘密鍵
 108  署名部
 109  署名
 112  メンバ証拠
 113  知識の証明部
 117  メンバ証明書検証部
 118  メンバ秘密鍵
 119  メンバ証明書
 200  メンバ証明書発行装置
 201  乱数
 202  公開鍵リスト
 203  メンバリスト
 208  署名検証部
 209  知識検証部
 211  メンバ証明書源生成部
 212  メンバ証明書源
 300  グループ署名装置
 301  追跡用公開鍵
 302  メッセージ
 303  暗号化部
 304  秘密鍵知識の暗号文
 305  署名の暗号文
 308  知識の証明文生成部
 309  知識の証明文
 313  グループ署名
 400  グループ署名検証装置
 401  知識の検証部
 402  挑戦値生成部
 500  追跡装置
 503  復号部
 504  秘密鍵知識
 507  秘密鍵知識に対する署名
 510  復号正当性証明部
 511  復号の正当性証明文
 513  署名検証部
 514  復号の正当性証明 DESCRIPTION OF SYMBOLS 100 Member certificate acquisition apparatus 101 Group public key 102 Random number 103 Member evidence generation part 104 Secret key knowledge 105 Identifier 107 Member secret key 108 Signature part 109 Signature 112 Member evidence 113 Knowledge proof part 117 Member certificate verification part 118 Member secret key 119 Member certificate 200 Member certificate issuing device 201 Random number 202 Public key list 203 Member list 208 Signature verification unit 209 Knowledge verification unit 211 Member certificate source generation unit 212 Member certificate source 300 Group signature device 301 Tracking public key 302 Message 303 Encryption Unit 304 Secret Key Knowledge Cipher Text 305 Signature Cipher Text 308 Knowledge Proof Text Generation Unit 309 Knowledge Proof Text 313 Group Signature 400 Group Signature Verification Device 401 Knowledge Testimony unit 402 challenge value generating unit 500 tracking device 503 decoding unit 504 private key knowledge 507 private signature for key knowledge 510 decoding correctness proof unit 511 validity proof text 513 signature verification unit 514 correctness proof of the decoding of the decoding

Claims (6)

  1.  メンバ証明書獲得装置と、メンバ証明書発行装置と、グループ署名装置と、を有するグループ署名システムであって、
     前記メンバ証明書獲得装置は、
     署名者の識別子と、署名用の秘密鍵であるメンバ秘密鍵に基づく署名と、を含むメンバ証拠を生成するメンバ証拠生成手段と、
     前記署名が正当なものであることが確認された場合に前記メンバ証拠を含むメンバ証明書を出力するメンバ証明書検証手段と、を備え、
     前記メンバ証明書発行装置は、
     前記メンバ秘密鍵に対応するメンバ公開鍵と前記識別子との組のリストである公開鍵リスト並びに前記メンバ証拠に基づいて、前記署名が正当なものであることを確認する署名検証手段を備え、
     前記グループ署名装置は、
     グループ公開鍵と、追跡用公開鍵と、前記メンバ秘密鍵と、前記メンバ証明書と、に基づいて、前記署名の暗号文を含むグループ署名を出力する、グループ署名システム。     A group signature system having a member certificate acquisition device, a member certificate issuing device, and a group signature device,
    The member certificate acquisition device includes:
    Member evidence generating means for generating member evidence including a signer identifier and a signature based on a member private key that is a private key for signature;
    Member certificate verification means for outputting a member certificate including the member evidence when the signature is confirmed to be valid, and
    The member certificate issuing device
    A signature verification means for confirming that the signature is valid based on a public key list which is a list of a set of a member public key corresponding to the member secret key and the identifier, and the member evidence;
    The group signature device is:
    A group signature system that outputs a group signature including a ciphertext of the signature based on a group public key, a tracking public key, the member private key, and the member certificate.
  2.  前記グループ署名システムは、さらに追跡装置を有し、
     前記追跡装置は、
     前記グループ署名と、前記追跡用公開鍵に対応する追跡用秘密鍵と、に基づいて、前記識別子を復号する復号手段を備える、請求項1記載のグループ署名システム。     The group signature system further comprises a tracking device,
    The tracking device comprises:
    The group signature system according to claim 1, further comprising decryption means for decrypting the identifier based on the group signature and a tracking private key corresponding to the tracking public key.
  3.  前記グループ署名システムは、さらにグループ署名検証装置を有し、
     前記グループ署名検証装置は、
     前記グループ公開鍵と、前記追跡用公開鍵と、を用いて、前記グループ署名が正当なものであるか否かを検証する、請求項1又は2記載のグループ署名システム。     The group signature system further includes a group signature verification device,
    The group signature verification device includes:
    The group signature system according to claim 1, wherein the group signature system verifies whether the group signature is valid by using the group public key and the tracking public key.
  4.  署名者の識別子と、署名用の秘密鍵であるメンバ秘密鍵に基づく署名と、を含むメンバ証拠を生成し、
     前記メンバ秘密鍵に対応するメンバ公開鍵と前記識別子との組のリストである公開鍵リスト並びに前記メンバ証拠に基づいて、前記署名が正当なものであることを確認し、
     前記署名が正当なものであることが確認された場合に前記メンバ証拠を含むメンバ証明書を出力し、
     グループ公開鍵と、追跡用公開鍵と、前記メンバ秘密鍵と、前記メンバ証明書と、に基づいて、前記署名の暗号文を含むグループ署名を出力する、グループ署名方法。     Generating member evidence including a signer's identifier and a signature based on a member private key that is a private key for signing;
    Confirming that the signature is valid based on a public key list that is a list of a member public key corresponding to the member private key and the identifier and the member evidence,
    When the signature is confirmed to be valid, a member certificate including the member evidence is output,
    A group signature method for outputting a group signature including a ciphertext of the signature based on a group public key, a tracking public key, the member secret key, and the member certificate.
  5.  前記グループ署名と、前記追跡用公開鍵に対応する追跡用秘密鍵と、に基づいて、前記識別子を復号することをさらに含む、請求項4記載のグループ署名方法。 The group signature method according to claim 4, further comprising decrypting the identifier based on the group signature and a tracking private key corresponding to the tracking public key.
  6.  前記グループ公開鍵と、前記追跡用公開鍵と、を用いて、前記グループ署名が正当なものであるか否かを検証することをさらに含む、請求項4又は5記載のグループ署名方法。 6. The group signature method according to claim 4, further comprising verifying whether or not the group signature is valid by using the group public key and the tracking public key.
PCT/JP2009/061915 2008-07-28 2009-06-30 Group signature system and method WO2010013571A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2008-194024 2008-07-28
JP2008194024A JP2011233943A (en) 2008-07-28 2008-07-28 Group signature system and method of the same

Publications (1)

Publication Number Publication Date
WO2010013571A2 true WO2010013571A2 (en) 2010-02-04

Family

ID=41610804

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/061915 WO2010013571A2 (en) 2008-07-28 2009-06-30 Group signature system and method

Country Status (2)

Country Link
JP (1) JP2011233943A (en)
WO (1) WO2010013571A2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10250383B1 (en) * 2018-03-20 2019-04-02 Mocana Corporation Dynamic domain key exchange for authenticated device to device communications
KR102360944B1 (en) * 2020-07-13 2022-02-08 고려대학교 산학협력단 Techniques for group signature
KR102439195B1 (en) * 2022-05-03 2022-08-31 세종대학교산학협력단 Method and system for generating multi signature, and computing device for executing the same

Also Published As

Publication number Publication date
JP2011233943A (en) 2011-11-17

Similar Documents

Publication Publication Date Title
US7634085B1 (en) Identity-based-encryption system with partial attribute matching
US9698984B2 (en) Re-encrypted data verification program, re-encryption apparatus and re-encryption system
JP4546231B2 (en) ID-based signature and encryption system and method
JP4872908B2 (en) Member certificate acquisition device, member certificate issuing device, group signature device, group signature verification device
Zhou et al. ExpSOS: Secure and verifiable outsourcing of exponentiation operations for mobile cloud computing
JP5293745B2 (en) Data reference system, database presentation distributed system, and data reference method
CN110545279A (en) block chain transaction method, device and system with privacy and supervision functions
US20150326392A1 (en) Matrix-based cryptosystem
JP4776906B2 (en) Signature generation method and information processing apparatus
JP2014220661A (en) Certification device, output device, verification device, input device, certification method, verification method and program
CN104767612A (en) Signcryption method from certificateless environment to public key infrastructure environment
CN114095181B (en) Threshold ring signature method and system based on cryptographic algorithm
CN111786786A (en) Agent re-encryption method and system supporting equation judgment in cloud computing environment
CN104767611A (en) Signcryption method from public key infrastructure environment to certificateless environment
JP5327223B2 (en) Signature system
JP4867916B2 (en) Shuffle decoding correctness proving apparatus and method, shuffle decoding verifying apparatus and method, program and recording medium
CN114095171A (en) Identity-based wearable proxy re-encryption method
WO2010013571A2 (en) Group signature system and method
CN116346336B (en) Key distribution method based on multi-layer key generation center and related system
JP5434925B2 (en) Multi-party distributed multiplication apparatus, multi-party distributed multiplication system and method
JP2004228916A (en) Signcryption method, its device and its program
CN113779593A (en) Identity-based dual-server authorization ciphertext equivalence determination method
KR20170087120A (en) Certificateless public key encryption system and receiving terminal
CN112511310B (en) Confusion method for encrypted identity blind signature
Abdalla et al. Anonymous Pairing-Free and Certificateless Key Exchange Protocol for DRM System.

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09802816

Country of ref document: EP

Kind code of ref document: A2

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct app. not ent. europ. phase

Ref document number: 09802816

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: JP