WO2010067820A1 - Zero-knowledge proof system, zero-knowledge proving device, zero-knowledge verifying device, zero-knowledge proof method, and program therefor - Google Patents
- Publication number: WO2010067820A1 (PCT/JP2009/070605)
- Authority: WO, WIPO (PCT)
Classifications
- H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
- H04L67/04: Network arrangements or protocols for supporting network services or applications; Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
- H04L9/3013: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
- H04L9/3218: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
- H04W12/06: Wireless communication networks; Security arrangements; Authentication
- H04L2209/463: Secure multiparty computation, e.g. millionaire problem; Electronic voting
- H04L2209/80: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; Wireless
Definitions
- the present invention relates to a zero-knowledge proof system for discrete logarithms, and more particularly to a zero-knowledge proof system, a zero-knowledge proving device, a zero-knowledge verifying device, a zero-knowledge proof method and a program therefor that reduce the storage capacity a device needs in order to perform the zero-knowledge proof.
- n is a natural number
- G is an element of Z / nZ
- x is an integer
- “G to the power of x” is written as “G^x” in lines other than mathematical expressions.
- This technology is widely used in technologies related to cryptography, and is applied in various situations such as public key cryptography, electronic signatures, group signatures, electronic voting, and the like.
- Patent Document 2 describes a technique related to the receipt of electronic money, which reduces the storage capacity of an ID to be transmitted for a challenge.
- Patent Document 3 describes a technique for generating challenges in a chain from one hash value.
- Patent Document 4 describes a technique in which, even if an intermediary deletes the signature portion of a digitally signed data stream, the final receiver retains the ability to verify the authenticity of the data.
- An object of the present invention is to provide a zero knowledge proving system, a zero knowledge proving device, a zero knowledge verifying device, a zero knowledge proving method, and a program that enable zero knowledge proof of a discrete logarithm even with a device having a small main storage capacity.
- a zero-knowledge proving system for performing discrete-log zero-knowledge proving that is a verification in a state in which the zero-knowledge verifying device does not know x, wherein the zero-knowledge proving device performs pseudorandom numbers and hash values obtained in the past Calculating a plurality of pseudo random numbers from a temporary storage unit storing the random number sequence, an arbitrary random number sequence and a pseudo random function, and calculating a hash value based on the calculated pseudo random numbers and the information stored in the temporary storage unit.
- a first processing unit which performs a process of overwriting the temporary storage unit with the calculated pseudorandom numbers and the hash value a plurality of times, a second processing unit which determines a part of the plurality of pseudorandom numbers based on the hash values;
- and a third processing unit that transmits to the zero knowledge verifying device a hash value obtained by recalculating that part of the pseudo random numbers; the zero knowledge verifying device has data receiving means that sequentially receives new input data from the zero knowledge proving device,
- Processing means for newly overwriting the temporary storage unit with the hash value of data including the variable and the input data stored in the temporary storage unit provided in advance each time the data receiving unit receives the input data;
- a determination unit which determines whether to authenticate or reject the zero knowledge proving device based on and sends the result of the determination back to the zero knowledge proving device.
- a zero knowledge verifying apparatus that causes a zero knowledge verifying apparatus to verify a temporary storage unit that stores pseudo random numbers and hash values obtained in the past, and calculates a plurality of pseudo random numbers from an arbitrary random number sequence and a pseudo random function;
- a first processing unit that calculates a hash value based on the calculated pseudo random number and information stored in the temporary storage unit and overwrites the calculated pseudo random number and hash value on the temporary storage unit multiple times
- a second processing unit that determines a part of the plurality of pseudo random numbers based on the hash value, and a third processing unit that transmits a hash value obtained by recalculating a part of the pseudo random numbers to the zero knowledge verification device
- the hash value A data receiving unit for receiving data representing rejection or certification from the zero knowledge verification apparatus after being transmitted to the knowledge verification apparatus;
- a determination unit for returning the result of the above to the zero knowledge proving device.
- the first processing unit calculates a pseudo random number from the pseudo random function, and based on the calculated pseudo random number, the pseudo random number stored in the temporary storage unit provided in advance, and the hash value obtained in the past
- the first processing unit calculates the hash value and overwrites the calculated pseudo random number and the hash value on the temporary storage unit multiple times, and the second processing unit performs the zero knowledge verification device based on the hash value Output to
- the third processing unit recalculates a part of the plurality of pseudo random numbers, sends the part to the zero knowledge verifying device,
- a procedure of performing a process of overwriting a storage unit multiple times, a procedure of determining a part of a plurality of pseudo random numbers based on a hash value, and a zero knowledge test on a hash value obtained by recalculating a part of the pseudo random numbers A computer is caused to execute a procedure of transmitting
- a zero-knowledge verification device that performs discrete-log zero-knowledge proofing that does not know x without knowing x
- causing the computer to execute a procedure of determining whether to make a decision and sending the result of the determination back to the zero knowledge proving device.
- the present invention is configured to perform the calculation of the hash values as described above while reusing the memory that stores the pseudo random number and the hash value. Therefore, it is not necessary to store the entire set of the plurality of random numbers and the hash value corresponding to each of them, so that even a device with a small main storage capacity can perform discrete logarithm zero-knowledge proof.
- the zero knowledge proving system 1 comprises a zero knowledge proving device (the prover device 10) and a zero knowledge verifying device (the verifier device 20).
- the zero knowledge proving device (prover device 10) has a temporary storage unit (RAM 12) that stores pseudo random numbers and a hash value obtained in the past, and calculates a plurality of pseudo random numbers from an arbitrary random number sequence and a pseudo random function.
- the zero knowledge verification apparatus is a data receiving means (communication interface 23) for sequentially receiving new input data from the zero knowledge proving apparatus, and a temporary storage provided in advance each time the data receiving means receives the input data.
- Processing means for overwriting the temporary storage unit with a hash value of data including a variable and input data stored in the unit (RAM 22) as a new variable based on the variable It has a determination unit (third processing unit 24c) that determines whether to authenticate or reject the zero knowledge proving device and sends the result of the determination back to the zero knowledge proving device.
- the first processing unit 14a of the zero knowledge proving device reads the elements G and H of the group, defines an initial value of data V representing a pseudo random number, and determines the first and second data.
- the second processing unit 14b that follows gives some initial value to data Y representing a part of the plurality of pseudo random numbers, and has an iterative processing function that repeats N times the process of adding to Y a value based on the hash value U of data including V and j and setting the result as the new Y.
- the third processing unit 14c that follows, with A being the modular exponentiation of G to the power Y, has a hash value output processing function that repeats the following N times: in the j-th process (1 ≤ j ≤ N), the first and second hash values T0 and T1 are calculated on the basis of Y0 and R0, 1-bit data c is calculated from data including V, A and j, and Y0, R0 and T1 are transmitted to the zero knowledge verification apparatus if c is 0, or Y1, R1 and T0 if c is 1.
- the zero knowledge proving device is equipped with a data receiving unit (communication interface 13) that, after the hash value has been transmitted to the zero knowledge verifying device, receives the data returned from the zero knowledge verifying device that represents rejection or authentication.
- the processing means is provided with a first processing unit 24a that reads the elements G and H of the group, gives some initial value to the data V representing a variable, and repeats N times the process of receiving data c, data Y, data T and data R as input from the zero knowledge proving device, calculating first and second hash values including Y and R, and overwriting the temporary storage unit with the result as the new data V.
- the processing means has a second processing unit 24b that initializes data W to 0 and data C to 0 and repeats the following N times: in the j-th process (1 ≤ j ≤ N), the hash value of data including V and j is set to U, the product of Wj and U added to W becomes the new W, and the product of Cj and U added to C becomes the new C.
- the processing means further sets A to the product of G raised to the power W and H raised to the power minus C, taken as a modular exponentiation, and repeats the following procedure N times: in the j-th process (1 ≤ j ≤ N), if the hash value of data including V, A and j does not match Cj, it outputs data indicating that the zero knowledge proving device is rejected and stops.
- the third processing unit 24 c outputs data representing that the zero knowledge proving device is to be authenticated if the data representing the rejection is not output.
- the present embodiment does not need to store all pairs of a plurality of random numbers and their corresponding hash values, so that even if the device has a small main storage capacity, the discrete logarithm is zero Knowledge proof can be made possible. This will be described in more detail below.
- ⁇ , N, ⁇ , ⁇ , ⁇ , ⁇ , n be security parameters.
- ⁇ , N, ⁇ , ⁇ , ⁇ , ⁇ , and n may be 160, 1304, 60, 60, 1244, 1024, and 1024, respectively.
- ⁇ , N, ⁇ , ⁇ , ⁇ , and n can be set to 192, 2496, 112, 112, 2384, 2048, and 2048, respectively.
- F ⁇ + ⁇ be a pseudorandom function producing an output of ⁇ + ⁇ bits, and write the output of F ⁇ + ⁇ when data X and key K are input as F ⁇ + ⁇ (K, X).
- F ⁇ + ⁇ be a pseudorandom function that produces an output of ⁇ + ⁇ bits.
- the output of F ⁇ + ⁇ when data X and key K are input is written as F ⁇ + ⁇ (K, X). Note that “ ⁇ + ⁇ ” and “ ⁇ + ⁇ ” are subscripts in an actual expression.
- any F ⁇ + ⁇ and F ⁇ + ⁇ may be used as long as the output satisfies the above conditions, for example, a function that makes the hash value correspond to (K, X) can be F ⁇ + ⁇ and F ⁇ + ⁇ .
- Each character of “ ⁇ ”, “ ⁇ ”, and“ 1 ”of“ ⁇ , ⁇ , ⁇ 1 ” is a subscript character in an actual expression.
- FIG. 1 is an explanatory view showing the configuration of a zero knowledge proving system 1 according to a first embodiment of the present invention.
- the zero knowledge proving system 1 includes a prover device 10 which is a computer device operated by a prover, and a verifier device 20 which is a computer device operated by a verifier.
- the prover device 10 and the verifier device 20 are connected to each other.
- the prover device 10 has a central processing unit (CPU) 11 which is an entity that executes a computer program, a random access memory (RAM) 12 in which a computer program executed by the CPU 11 is read and stored, and another computer. And a communication interface 13 for exchanging data. Then, the proving means 14 which is a computer program executed by the CPU 11 is stored in the RAM 12 and executed.
- the input device 16 is used to input initial data and the like necessary for the operation of the proving means 14.
- the verifier device 20 also includes a CPU 21, a RAM 22, and a communication interface 23.
- the verification means 24 which is a computer program executed by the CPU 21 is stored in the RAM 22 and executed.
- the input device 26 is used to input initial data and the like necessary for the operation of the verification means 24.
- the proving means 14 and the verifying means 24 are illustrated as being present and executed on the CPUs 11 and 21, respectively.
- a loop 15 exists in the algorithm of the proving means 14, and each time the loop 15 is executed, the proving means 14 outputs (c, Y, R, T) to the verifier device 20 through the communication interface 13.
- a loop 25 exists in the algorithm of the verification means 24, and each time it goes around the loop 25, it receives (c, Y, R, T) outputted from the proving means 14.
- the loops 15 and 25 are realized by, for example, a for statement, a while statement, a do-while statement, etc. in the C ++ language, but can be realized with a syntax corresponding to each language in other programming languages.
- the parameters of G, H and n are input by the prover to the prover device 10 and the verifier to the verifier device 20 using the input devices 16 and 26, respectively. Also, the prover inputs x to the prover device 10 using the input device 16.
- the prover or proving means 14 secures storage areas STORE[G] 12g, STORE[H] 12h, STORE[n] 12n and STORE[x] 12x on the RAM 12 and writes G, H, n and x into these areas, respectively.
- the verifier or verification means 24 likewise secures storage areas STORE[G] 22g, STORE[H] 22h and STORE[n] 22n on the RAM 22 and writes G, H and n into them.
- the proving means 14 reserves storage areas STORE[V] 12v, STORE[RandX] 12rx, STORE[RandR] 12rr, STORE[Y] 12y and STORE[A] 12a on the RAM 12. Since these storage areas are required only during the execution of the proving means 14, they may be secured dynamically when the proving means 14 is executed. In the following description, each of the above areas is assumed to be a different area on the RAM 12, but since STORE[Y] 12y and STORE[A] 12a are not used simultaneously, the same area may be used for both.
- the verification means 24 secures storage areas STORE[V] 22v, STORE[W1] 22w1, ..., STORE[WN] 22wn, STORE[C1] 22c1, ..., STORE[CN] 22cn, STORE[W] 22w and STORE[C] 22c on the RAM 22. Since these storage areas are required only during the execution of the verification means 24, they may be secured dynamically when the verification means 24 is executed.
- FIGS. 2 to 4 are flowcharts showing the operation of the proving means 14 shown in FIG.
- the part of the proving means 14 that performs the operation described in FIG. 2 (steps S101 to S114) is referred to as the “first processing unit” in the claims, the part that performs the operation described in FIG. 3 (steps S115 to S123) is referred to as the “second processing unit”, and the part that performs the operation described in FIG. 4 (steps S124 to S132) is referred to as the “third processing unit”.
- the proving means 14 randomly selects RandX and RandR, both of which are bit strings of ⁇ bits, and writes the selected RandX and RandR into STORE [RandX] 12rx and STORE [RandR] 12rr, respectively (steps S102 to S103).
- the proving means 14 reads RandX from the STORE [RandX] 12rx, and calculates Y0 by the following equation (step S107).
- the proving means 14 reads Rand R from the STORE [Rand R] 12 rr, and calculates R 0 by the following equation (step S 108).
- the proving means 14 calculates T0 by the following equation (step S109).
- the proving means 14 reads V from the STORE [V] 12v, calculates V by the following equation, and overwrites the obtained V on the STORE [V] 12v (step S110).
- the proving means 14 reads x from STORE [x] 12x and calculates Y1 by the following equation (step S111).
- the proving means 14 reads Rand R from the STORE [Rand R] 12 rr and calculates R 1 by the following equation (step S 112).
- the proving means 14 calculates T1 from the obtained Y1 and R1 by the following equation (step S113).
- the proving means 14 reads V from the STORE [V] 12v, calculates V by the following equation, and overwrites the obtained V on the STORE [V] 12v (step S114). After that, the processing of the proving means 14 returns to step S105, and j is increased by 1 and the processing of steps S107 to S114 is repeated until j ⁇ N + 1.
- the proving means 14 reads RandX from the STORE [RandX] 12rx and calculates Y0 by the following equation (step S119).
- the proving means 14 calculates U by the following equation (step S120).
- the proving means 14 reads Y from the STORE [Y] 12 y, calculates Y by the following equation, and overwrites the obtained Y on the STORE [Y] 12 y (step S 121).
- the proving means 14 reads G, Y and n respectively from STORE [G] 12 g, STORE [Y] 12 y, and STORE [n] 12 n and calculates A by the following formula (Step S122) The obtained A is written to STORE [A] (step S123).
- when STORE[Y] 12y and STORE[A] 12a use different storage areas, STORE[Y] 12y may be released, since it is not used in subsequent steps.
- the proving means 14 reads RandX from the STORE [RandX] 12rx and calculates Y0 by the following equation (step S127).
- the proving means 14 reads x from STORE [x] 12x and calculates Y1 by the following equation (step S128).
- the proving means 14 reads Rand R from STORE [Rand R] 12 rr, and calculates R 0 and R 1 by the following equation (step S 129).
- the proving means 14 calculates T0 and T1 by the following equation (step S130).
- the proving means 14 reads V and A from the STORE [V] 12 v and the STORE [A] 12 a, respectively, and calculates c by the following equation (step S 131).
- the proving means 14 calculates each of Y, T, R by the following equation, and outputs (c, Y, R, T) to the verifier device 20 through the communication interface 13 (step S132).
- FIGS. 5 to 7 are flowcharts showing the operation of the verification means 24 shown in FIG.
- the part of the verification means 24 that performs the operation described in FIG. 5 (steps S201 to S211) is referred to as the “first processing unit” in the claims, and the part that performs the operation described in FIG. 6 (steps S212 to S218) is referred to as the “second processing unit”.
- the "first processing unit” and the “second processing unit” are collectively referred to as “processing means”.
- a portion performing the operation (steps S219 to S226) shown in FIG. 7 is referred to as a "determination unit” or a "third processing unit".
- the verification means 24 first calculates V from G and H given in advance by the following equation, and writes V obtained in STORE [V] 22 v (step S 201).
- the verification unit 24 reads the value of V stored in the STORE [V] 22 v, calculates V by the following equation, and overwrites the obtained V on the STORE [V] 22 v (step S 209).
- the verification means 24 reads the value of V stored in STORE[V] 22v again, calculates V by the following equation, and further overwrites the obtained V on STORE[V] 22v (step S210).
- the verification means 24 defines Cj and Wj as the following equation, and writes Cj and Wj defined by these in STORE [Cj] 22cj and STORE [Wj] 22wj (step S211).
- the processing of the verification means 24 returns to step S203, and repeats the processing of steps S205 to S211 until j ⁇ N + 1 is obtained by increasing j by one.
- the verification means 24 calculates U by the following equation (step S216).
- the verification means 24 reads W and Wj from STORE [W] 22w and STORE [Wj] 22wj, respectively, calculates W by the following equation using the value of U calculated in step S216, and stores this W [ W] is overwritten (step S217).
- the verification means 24 reads C and Cj from the STORE [C] 22c and STORE [Cj] 22cj, respectively, calculates C by the following equation, and overwrites this C on the STORE [C] 22c (step S218). Thereafter, the processing of the verification means 24 returns to step S214, and j is increased by 1 and the processing of steps S216 to S218 is repeated until j ⁇ N + 1.
- step S214 the verification unit 24 reads G, H, n from STORE [G] 22 g, STORE [H] 22 h, STORE [n] 22 n, respectively, and calculates A by the following formula. (Step S219).
- the verification means 24 reads V from STORE[V] 22v and determines whether or not the condition for Cj shown by the following equation is satisfied (steps S223 to 224); if it is satisfied, the verification means 24 outputs reject to the prover device 10 (details will be described later), and the process ends (step S225).
- the verification means 24 does nothing in particular and returns to the process of step S221, increments j by 1 and repeats the processes of steps S223 to S224 until j ⁇ N + 1.
- step S222 Even if j ⁇ N + 1 is determined in step S222, if reject is not output by then, the verification means 24 outputs accept to the prover device 10 (details will be described later) and ends the processing (step S226).
- the “reject” that the verification means 24 outputs to the prover device 10 as mentioned above means that the verifier device 20 has determined that the proof attempted by the prover device 10 is invalid, and “accept” means that it has been judged to be valid.
- the prover device 10 may notify the user of the fact through the display device.
- alternatively, the result may be reported to another program that uses this zero-knowledge proof as a subroutine on the prover device 10; when the “accept” output is received, processing by that program continues, and when the “reject” output is received, the processing may end there.
- the operation according to the present embodiment is in the zero knowledge proving system 1 including the zero knowledge proving device (the prover device 10) and the zero knowledge verifying device (the verifier device 20).
- Processing unit 14a calculates a pseudo random number from an arbitrary random number sequence and a pseudo random function (FIG. 2: steps S107 to 108), and stores the calculated pseudo random number and the temporary storage unit (RAM 12) provided in advance.
- the first processing unit calculates the hash value and overwrites the calculated pseudo random number and the hash value on the temporary storage unit multiple times based on the calculated pseudo random number and the hash value obtained in the past ( 2: Steps S109 to 114), the second processing unit 14b determines a part of the plurality of pseudo random numbers to be output to the zero knowledge verification apparatus based on the hash value (FIG. 3: Steps S115 to 22), the third processing unit, sends the hash value obtained by recalculating the part of the pseudo-random number to zero knowledge verification device (Fig. 4: Step S125 ⁇ 132).
- the data receiving means communication interface 23 sequentially receives new input data from the zero knowledge proving device (FIG.
- step S205 the verifying means 24 receives the input data
- the hash value of data including the variable and input data stored in the temporary storage unit (RAM 22) prepared in advance each time is newly overwritten as a variable in the temporary storage area (FIG. 5: steps S209 to 210).
- steps S209 to 210 Whether to authenticate or reject the zero knowledge proving device is judged based on and the result of the determination is sent back to the zero knowledge proving device.
- the first processing unit 14a of the zero knowledge proving device reads the elements G and H of the group (FIG. 2: step S101), reads the integer x, and defines an initial value of data V representing a pseudo random number, The process of calculating the first and second data pseudo random function values and newly setting the hash value of data including V and the first and second data pseudo random function values Y0 and R0 to V N times (N is Two or more natural numbers) are repeated (FIG. 2: steps S107-114).
- the second processing unit 14b of the zero knowledge proving device gives some initial value to the data Y representing a part of the plurality of pseudo random numbers, and repeats N times the process in which, in the j-th process (1 ≤ j ≤ N), a value based on the hash value U of data including V and j is added to Y to give the new Y (FIG. 3: steps S119 to 121).
- the third processing unit 14c of the zero knowledge proving apparatus, with A being the modular exponentiation of G to the power Y, repeats the following process N times (FIG. 4: steps S127 to 132): in the j-th process it calculates the first and second hash values T0 and T1 based on Y0 and R0 (FIG. 4: steps S127 to 130), calculates 1-bit data c from data including V, A and j (FIG. 4: step S131), and sends Y0, R0 and T1 to the zero knowledge verification apparatus 20 if c is 0, or Y1, R1 and T0 if c is 1 (FIG. 4: step S132).
- the first processing unit 24a of the processing means 24 of the zero knowledge verification apparatus reads the elements G and H of the group and gives some initial value to the data V representing the variable (FIG. 5: step S201)
- in the j-th process (1 ≤ j ≤ N), the data c, the data Y, the data T, and the data R are received as an input from the zero knowledge proving device 10 (FIG. 5: step S205), and the process of calculating the first and second hash values and overwriting the temporary storage with the result as the new data V is repeated N times (FIG. 5: steps S207 to S211).
- the second processing unit 24b initializes data W to 0 and data C to 0 (FIG. 6: step S212) and repeats the following procedure N times: in the j-th process (1 ≤ j ≤ N), the hash value of data including V and j is set to U (FIG. 6: step S216), the product of Wj and U added to W becomes the new W (FIG. 6: step S217), and the product of Cj and U added to C becomes the new C (FIG. 6: step S218).
- the third processing unit 24c sets A to the product of G raised to the power W and H raised to the power minus C, taken as a modular exponentiation, where W and C are the data calculated by the second processing unit (FIG. 7: step S219); in the j-th process (1 ≤ j ≤ N), if the hash value of data including V, A and j does not match Cj, it outputs data indicating that the zero knowledge proving device is rejected (reject) and stops (FIG. 7: steps S224 to 225); if this procedure has been repeated N times without reject being output, it outputs data indicating that the zero knowledge proving device is authenticated (accept) (FIG. 7: step S226).
- each of the operation steps may be programmed to be executable by a computer, and may be executed by the prover device 10 and the verifier device 20, which are computers that directly execute the steps.
- the present embodiment has the following effects.
- This embodiment can reduce the required storage capacity as compared to the technique described in Patent Document 1.
- the reason is as follows.
- the first reason is that in the present embodiment, some of the data including Yi are generated by a pseudo-random function using the same key. As a result, if only the keys of the pseudorandom function are stored, those data can be calculated from the keys as needed. Therefore, there is no need to store those data, and as a result, the storage capacity can be reduced.
- the third reason is that the output of data is small.
- the amount of data to be output is proportional to N.
- the data after calculation can be output immediately and deleted from the storage area.
- the required storage capacity can be small, so that the present embodiment can be used even in a device with a small storage capacity.
- The second embodiment of the present invention is the same as the first embodiment described in FIGS. 1 to 7 in its network and hardware configuration and in the rough configuration of its software.
- The second embodiment differs from the first embodiment in that the zero knowledge proving device (the prover device 10) has a first storage device (storage 317) that collectively stores and outputs the sets of pseudo random numbers and hash values to be output to the zero knowledge verifying device (the verifier device 20), and in that the zero knowledge verifying device (verifier device 20) has a second storage device (storage 327) that collectively stores the sets of pseudo random numbers and hash values that the data receiving means received from the zero knowledge proving device (prover device 10).
- Since a storage device has a large storage capacity per unit price compared to volatile storage means, it is easy to increase its capacity. With this configuration as well, the present embodiment can obtain the same effect as the first embodiment described above. This is described in more detail below.
- FIG. 8 is an explanatory view showing the configuration of the zero knowledge proving system 301 according to the second embodiment of the present invention.
- the zero knowledge proving system 301 includes a prover device 310 which is a computer device operated by a prover, and a verifier device 320 which is a computer device operated by a verifier.
- The prover device 310 and the verifier device 320 are connected to each other.
- the same elements as those of the first embodiment of the present invention are referred to by the same names and reference numerals.
- the prover device 310 includes the CPU 11, the RAM 12, the communication interface 13, and the input device 16 as in the case of the prover device 10 according to the first embodiment described above.
- the prover device 310 includes a storage 317 which is a large capacity nonvolatile storage means.
- the storage 317 is a hard disk or a flash memory.
- a proving means 314 which is a computer program to be executed by the CPU 11 is stored in the RAM 12 and executed.
- the verifier device 320 also includes a storage 327 which is a large capacity nonvolatile storage means such as a hard disk or a flash memory.
- the verification means 324 which is a computer program executed by the CPU 21 is stored in the RAM 22 and executed.
- FIG. 9 is a flowchart showing the operation of the proving means 314 shown in FIG.
- FIG. 9 shows only the difference from the operation of the proving means 14 shown in FIGS.
- Steps S101 to 131 are the same as the operation of the proving means 14 shown in FIGS. 2 to 4, but the (c, Y, R, T) calculated in step S132 is not transmitted to the verifier device 20 but is stored in the storage 317 (step S132b). Then, if j ⁇ N + 1 in step S126, all the (c, Y, R, T) stored in the storage 317 are transmitted to the verifier device 320 through the communication interface 13 (step S133b), and the process ends.
- FIG. 10 is a flowchart showing the operation of the verification means 324 shown in FIG. After step S201, the verification means 324 receives all the (c, Y, R, T) from the proving means 314 and stores them in the storage 327 (step S201b).
- The subsequent operations are the same as the operations of the verification means 24 shown in FIGS. 5 to 7, steps S202 to S226, except that step S205 is changed to “read data from storage 327” (step S205b).
- the storages 317 and 327 which are nonvolatile storage means, have a large storage capacity per unit price as compared with the RAMs 12 and 22, which are volatile storage means, so that the capacity can be easily increased. Therefore, the same effect as that of the first embodiment described above can be obtained also in the second embodiment.
- Although the embodiment of the present invention is configured as hardware, it may also be constructed as a program that realizes in software the functions of the zero knowledge proving system, the zero knowledge proving device, and the zero knowledge verifying device described above. In this case, the program is recorded on a recording medium and becomes an object of commercial transaction.
- The present invention can be widely used in situations where zero-knowledge proofs of a discrete logarithm are used. More specifically, these include public key encryption, electronic signatures, group signatures, electronic voting and the like. In particular, the technology is suitable for use in a device with a small storage capacity, such as a mobile phone terminal or a PDA (Personal Digital Assistant).
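As an added illustration (not code from the patent, and not the patent's exact protocol), the following simplified Schnorr-style proof of knowledge of x with H = G^x shows the storage idea of the first embodiment: the prover regenerates every per-round value from a pseudo-random function key and folds commitments into one running hash V, while the verifier overwrites its own V as rounds arrive and keeps only one bit per round. The toy modulus, the HMAC-SHA-256 PRF and all function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed toy parameters for illustration only (not secure sizes).
P = 2**127 - 1      # Mersenne prime; group is the integers mod P
ORDER = P - 1       # exponents are reduced mod P - 1 (Fermat)
G = 3
N = 32              # number of rounds, one challenge bit each


def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so boundaries are unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def _enc(n: int) -> bytes:
    return n.to_bytes(16, "big")


def _nonce(key: bytes, j: int) -> int:
    """y_j = PRF(key, j); recomputed on demand, never stored."""
    idx = j.to_bytes(4, "big")
    wide = b"".join(
        hmac.new(key, tag + idx, hashlib.sha256).digest() for tag in (b"\0", b"\1")
    )
    return int.from_bytes(wide, "big") % ORDER


def _challenge(v: bytes, j: int) -> int:
    return _h(b"challenge", v, j.to_bytes(4, "big"))[0] & 1


def prove(x: int, h_pub: int, key: bytes):
    """Yield (c, A, z) per round; state held is only x, key and the hash V."""
    v = _h(b"init", _enc(G), _enc(h_pub))
    for j in range(1, N + 1):            # pass 1: fold every commitment into V
        v = _h(v, _enc(pow(G, _nonce(key, j), P)))
    for j in range(1, N + 1):            # pass 2: recompute, answer, emit, forget
        y = _nonce(key, j)
        c = _challenge(v, j)
        yield c, pow(G, y, P), (y + c * x) % ORDER


def verify(h_pub: int, rounds) -> bool:
    """Check rounds as they arrive; keep only V and one bit per round."""
    v = _h(b"init", _enc(G), _enc(h_pub))
    bits = []
    for c, a, z in rounds:
        if c not in (0, 1) or not 0 < a < P or not 0 <= z < ORDER:
            return False                 # malformed round
        if pow(G, z, P) != a * pow(h_pub, c, P) % P:
            return False                 # G^z must equal A * H^c
        v = _h(v, _enc(a))               # overwrite V with the new hash
        bits.append(c)
    # Only now is the final V known: the claimed bits must match Hash(V, j).
    return len(bits) == N and all(
        c == _challenge(v, j) for j, c in enumerate(bits, start=1)
    )
```

The PRF key needs the same protection as x and a fresh value for each proof: anyone who learns it can recompute y_j and recover x from any round in which c is 1.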
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Description
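The configuration of an embodiment of the present invention will be described below with reference to the accompanying drawings.
First, the basic content of the present embodiment will be described, and then more specific content will be described.
The zero-knowledge proof system 1 according to the present embodiment consists of a zero-knowledge proof device (prover device 10) and a zero-knowledge verification device (verifier device 20). The zero-knowledge proof device (prover device 10) has: a temporary storage unit (RAM 12) that stores pseudo-random numbers and previously obtained hash values; a first processing unit 14a that performs, a plurality of times, a process of calculating a plurality of pseudo-random numbers from an arbitrary random number sequence and a pseudo-random function, calculating a hash value based on the calculated pseudo-random numbers and the information stored in the temporary storage unit, and overwriting the temporary storage unit with the calculated pseudo-random numbers and hash value; a second processing unit 14b that determines a part of the plurality of pseudo-random numbers based on the hash value; and a third processing unit 14c that transmits to the zero-knowledge verification device the hash value obtained by recalculating that part of the pseudo-random numbers. The zero-knowledge verification device (verifier device 20) has: data receiving means (communication interface 23) that sequentially receives new input data from the zero-knowledge proof device; processing means (first and second processing units 24a and 24b) that, each time the data receiving means receives input data, overwrites the temporary storage unit with the hash value of data including the input data and a variable stored in a temporary storage unit (RAM 22) provided in advance, as the new value of the variable; and a determination unit (third processing unit 24c) that determines, based on the variable, whether to authenticate or reject the zero-knowledge proof device and returns the result of the determination to the zero-knowledge proof device.
This is described in more detail below.
FIGS. 2 to 4 are flowcharts showing the operation of the proving means 14 shown in FIG. 1. In FIGS. 2 to 4, the part of the proving means 14 that performs the operations shown in FIG. 2 (steps S101 to 114) is called the "first processing unit" in the claims, the part that performs the operations shown in FIG. 3 (steps S115 to 123) is called the "second processing unit" in the claims, and the part that performs the operations shown in FIG. 4 (steps S124 to 132) is called the "third processing unit" in the claims.
FIGS. 5 to 7 are flowcharts showing the operation of the verification means 24 shown in FIG. 1. In FIGS. 5 to 7, the part of the verification means 24 that performs the operations shown in FIG. 5 (steps S201 to 211) is called the "first processing unit" in the claims, and the part that performs the operations shown in FIG. 6 (steps S212 to 218) is called the "second processing unit" in the claims. The "first processing unit" and the "second processing unit" together are called the "processing means". The part that performs the operations shown in FIG. 7 (steps S219 to 226) is called the "determination unit" or the "third processing unit" in the claims.
Next, the overall operation of the above embodiment will be described. The operation according to the present embodiment takes place in the zero-knowledge proof system 1 consisting of the zero-knowledge proof device (prover device 10) and the zero-knowledge verification device (verifier device 20). On the zero-knowledge proof device side, the first processing unit 14a calculates pseudo-random numbers from an arbitrary random number sequence and a pseudo-random function (FIG. 2: steps S107 to 108); the first processing unit performs, a plurality of times, a process of calculating a hash value based on the calculated pseudo-random numbers and on the pseudo-random numbers and previously obtained hash values stored in the temporary storage unit (RAM 12) provided in advance, and overwriting the temporary storage unit with the calculated pseudo-random numbers and hash value (FIG. 2: steps S109 to 114); the second processing unit 14b determines, based on the hash value, a part of the plurality of pseudo-random numbers to be output to the zero-knowledge verification device (FIG. 3: steps S115 to 122); and the third processing unit sends to the zero-knowledge verification device the hash value obtained by recalculating that part of the pseudo-random numbers (FIG. 4: steps S125 to 132). On the zero-knowledge verification device side, the data receiving means (communication interface 23) sequentially receives new input data from the zero-knowledge proof device (FIG. 5: step S205); each time the data receiving means receives input data, the verification means 24 overwrites the temporary storage area with the hash value of data including the input data and the variable stored in the temporary storage unit (RAM 22) provided in advance, as the new value of the variable (FIG. 5: steps S209 to 210); and, based on this variable, it determines whether to authenticate or reject the zero-knowledge proof device and returns the result of the determination to the zero-knowledge proof device (FIG. 7: steps S219 to 226).
Through this operation, the present embodiment provides the following effects.
The second embodiment of the present invention is the same as the first embodiment described in FIGS. 1 to 7 in its network and hardware configuration and in the rough configuration of its software. The second embodiment differs from the first embodiment in that the zero-knowledge proof device (prover device 10) has a first storage device (storage 317) that collectively stores and outputs the sets of pseudo-random numbers and hash values to be output to the zero-knowledge verification device (verifier device 20), and in that the zero-knowledge verification device (verifier device 20) has a second storage device (storage 327) that collectively stores the sets of pseudo-random numbers and hash values that the data receiving means received from the zero-knowledge proof device (prover device 10).
This is described in more detail below.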
10, 310 Prover device
11, 21 CPU
12, 22 RAM
12g STORE[G]
12h STORE[H]
12n STORE[n]
12x STORE[x]
12v STORE[V]
12rx STORE[RandX]
12rr STORE[RandR]
12y STORE[Y]
12a STORE[A]
13, 23 Communication interface
14, 314 Proving means
14a, 24a, 324a First processing unit
14b, 24b Second processing unit
14c, 24c, 314c Third processing unit
15, 25 Loop
16, 26 Input device
20, 320 Verifier device
22g STORE[G]
22h STORE[H]
22n STORE[n]
22v STORE[V]
22w1 STORE[W1]
22wn STORE[WN]
22c1 STORE[C1]
22cn STORE[CN]
22w STORE[W]
22c STORE[C]
24, 324 Verification means
317, 327 Storage
Claims (9)
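1. A zero-knowledge proof system comprising a zero-knowledge proof device and a zero-knowledge verification device, the system performing a zero-knowledge proof of a discrete logarithm, which is a verification, made while the zero-knowledge verification device does not know x, of whether or not the zero-knowledge proof device "knows x satisfying H = G^x", wherein
the zero-knowledge proof device has: a temporary storage unit that stores pseudo-random numbers and previously obtained hash values; a first processing unit that performs, a plurality of times, a process of calculating a plurality of pseudo-random numbers from an arbitrary random number sequence and a pseudo-random function, calculating a hash value based on the calculated pseudo-random numbers and the information stored in the temporary storage unit, and overwriting the temporary storage unit with the calculated pseudo-random numbers and hash value; a second processing unit that determines a part of the plurality of pseudo-random numbers based on the hash value; and a third processing unit that transmits to the zero-knowledge verification device the hash value obtained by recalculating the part of the pseudo-random numbers, and
the zero-knowledge verification device has: data receiving means that sequentially receives new input data from the zero-knowledge proof device; processing means that, each time the data receiving means receives the input data, overwrites a temporary storage unit provided in advance with the hash value of data including the input data and a variable stored in that temporary storage unit, as the new value of the variable; and a determination unit that determines, based on the variable, whether to authenticate or reject the zero-knowledge proof device and returns the result of the determination to the zero-knowledge proof device.
2. The zero-knowledge proof system according to claim 1, wherein
the first processing unit of the zero-knowledge proof device has an iterative processing function that reads group elements G and H, defines an initial value of data V representing the pseudo-random number, calculates first and second data pseudo-random function values, and repeats N times (N being a natural number of 2 or more) a process of setting, as the new V, the hash value of data including V and the first and second data pseudo-random function values Y0 and R0,
the second processing unit of the zero-knowledge proof device has an iterative processing function that gives some initial value to data Y representing the part of the plurality of pseudo-random numbers and repeats N times a process in which, in the j-th iteration (1 ≦ j ≦ N), the value obtained by adding to Y a value based on the hash value U of data including V and j is set as the new Y, and
the third processing unit of the zero-knowledge proof device has a hash value output processing function that repeats N times a process of setting A to the modular exponentiation of G by Y and, in the j-th iteration (1 ≦ j ≦ N), calculates first and second hash values T0 and T1 based on Y0 and R0, calculates 1-bit data c from data including V, A and j, and transmits to the zero-knowledge verification device Y0, R0 and T1 if c is 0, or Y1, R1 and T0 if c is 1.
3. The zero-knowledge proof system according to claim 2, wherein
the processing means of the zero-knowledge verification device comprises:
a first processing unit that reads the group elements G and H, gives some initial value to data V representing the variable, and repeats N times a process of receiving data c, data Y, data T and data R as input from the zero-knowledge proof device, calculating first and second hash values including Y and R, and overwriting the temporary storage unit with the result as the new data V; and
a second processing unit that initializes data W to 0 and data C to 0 and repeats N times a procedure in which, in the j-th iteration (1 ≦ j ≦ N), the hash value of data including V and j is set as U, the product of Wj and U plus W is set as the new W, and the product of Cj and U plus C is set as the new C, and
the determination unit of the zero-knowledge verification device comprises a third processing unit that sets A to the product of the modular exponentiation of G by W and the modular exponentiation of H by minus C, repeats a procedure in which, in the j-th iteration (1 ≦ j ≦ N), if the hash value including V, A and j does not match Cj, data indicating that the zero-knowledge proof device is rejected is output and processing stops, and, if the data indicating rejection has not been output after this procedure has been repeated N times, outputs data indicating that the zero-knowledge proof device is authenticated.
4. The zero-knowledge proof system according to any one of claims 1 to 3, wherein
the zero-knowledge proof device has a storage device that collectively stores the sets of the pseudo-random numbers and the hash values to be output to the zero-knowledge verification device and outputs them to the zero-knowledge verification device, and
the zero-knowledge verification device has a storage device that collectively stores the sets of the pseudo-random numbers and the hash values that the data receiving means has received from the zero-knowledge proof device.
5. A zero-knowledge proof device that, in cooperation with a zero-knowledge verification device, causes the zero-knowledge verification device, which does not know x, to verify whether or not the device itself "knows x satisfying H = G^x", the zero-knowledge proof device comprising:
a temporary storage unit that stores pseudo-random numbers and previously obtained hash values;
a first processing unit that performs, a plurality of times, a process of calculating a plurality of pseudo-random numbers from an arbitrary random number sequence and a pseudo-random function, calculating a hash value based on the calculated pseudo-random numbers and the information stored in the temporary storage unit, and overwriting the temporary storage unit with the calculated pseudo-random numbers and hash value;
a second processing unit that determines a part of the plurality of pseudo-random numbers based on the hash value;
a third processing unit that transmits to the zero-knowledge verification device the hash value obtained by recalculating the part of the pseudo-random numbers; and
a data receiving unit that, after the hash value has been transmitted to the zero-knowledge verification device, receives from the zero-knowledge verification device data indicating rejection or authentication.
6. A zero-knowledge verification device that, based on a request from a zero-knowledge proof device, verifies, without knowing x, whether or not the zero-knowledge proof device "knows x satisfying H = G^x", the zero-knowledge verification device comprising:
data receiving means that sequentially receives new input data from the zero-knowledge proof device;
processing means that, each time the data receiving means receives the input data, overwrites a temporary storage unit provided in advance with the hash value of data including the input data and a variable stored in that temporary storage unit, as the new value of the variable; and
a determination unit that determines, based on the variable, whether to authenticate or reject the zero-knowledge proof device and returns the result of the determination to the zero-knowledge proof device.
7. A zero-knowledge proof method for a zero-knowledge proof system comprising a zero-knowledge proof device and a zero-knowledge verification device, the method performing a zero-knowledge proof of a discrete logarithm, which is a verification, made while the zero-knowledge verification device does not know x, of whether or not the zero-knowledge proof device "knows x satisfying H = G^x", wherein
on the zero-knowledge proof device side,
a first processing unit calculates pseudo-random numbers from an arbitrary random number sequence and a pseudo-random function,
the first processing unit performs, a plurality of times, a process of calculating a hash value based on the calculated pseudo-random numbers and on the pseudo-random numbers and previously obtained hash values stored in a temporary storage unit provided in advance, and overwriting the temporary storage unit with the calculated pseudo-random numbers and hash value,
a second processing unit determines, based on the hash value, a part of the plurality of pseudo-random numbers to be output to the zero-knowledge verification device, and
a third processing unit recalculates the part of the pseudo-random numbers and sends it to the zero-knowledge verification device, and
next, on the zero-knowledge verification device side,
data receiving means sequentially receives new input data from the zero-knowledge proof device,
each time the data receiving means receives the input data, verification means overwrites a temporary storage area provided in advance with the hash value of data including the input data and a variable stored in the temporary storage area, as the new value of the variable, and
a determination unit determines, based on the variable, whether to authenticate or reject the zero-knowledge proof device and returns the result of the determination to the zero-knowledge proof device.
8. A zero-knowledge proof program for a zero-knowledge proof device that, in cooperation with a zero-knowledge verification device, causes the zero-knowledge verification device, which does not know x, to verify whether or not the device itself "knows x satisfying H = G^x", the program causing a computer to execute:
a procedure of storing pseudo-random numbers and previously obtained hash values in a temporary storage unit provided in advance;
a procedure of calculating a plurality of pseudo-random numbers from an arbitrary random number sequence and a pseudo-random function;
a procedure of performing, a plurality of times, a process of calculating a hash value based on the calculated pseudo-random numbers and the information stored in the temporary storage unit and overwriting the temporary storage unit with the calculated pseudo-random numbers and hash value;
a procedure of determining a part of the plurality of pseudo-random numbers based on the hash value;
a procedure of transmitting to the zero-knowledge verification device the hash value obtained by recalculating the part of the pseudo-random numbers; and
a procedure of receiving, after the hash value has been transmitted to the zero-knowledge verification device, data from the zero-knowledge verification device indicating rejection or authentication.
9. A zero-knowledge proof program for a zero-knowledge verification device that, based on a request from a zero-knowledge proof device, verifies, without knowing x, whether or not the zero-knowledge proof device "knows x satisfying H = G^x", the program causing a computer to execute:
a procedure of sequentially receiving new input data from the zero-knowledge proof device;
a procedure of overwriting, each time the data receiving means receives the input data, a temporary storage unit provided in advance with the hash value of data including the input data and a variable stored in that temporary storage unit, as the new value of the variable; and
a procedure of determining, based on the variable, whether to authenticate or reject the zero-knowledge proof device and returning the result of the determination to the zero-knowledge proof device.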
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/133,110 US20110246779A1 (en) | 2008-12-11 | 2009-12-09 | Zero-knowledge proof system, zero-knowledge proof device, zero-knowledge verification device, zero-knowledge proof method and program therefor |
EP09831924.7A EP2378706A4 (en) | 2008-12-11 | 2009-12-09 | Zero-knowledge proof system, zero-knowledge proof device, zero-knowledge verification device, zero-knowledge proof method and program therefor |
JP2010542116A JPWO2010067820A1 (ja) | 2008-12-11 | 2009-12-09 | Zero-knowledge proof system, zero-knowledge proof device, zero-knowledge verification device, zero-knowledge proof method and program therefor |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2008316022 | 2008-12-11 | ||
JP2008-316022 | 2008-12-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010067820A1 true WO2010067820A1 (ja) | 2010-06-17 |
Family
ID=42242807
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2009/070605 WO2010067820A1 (ja) | 2008-12-11 | 2009-12-09 | Zero-knowledge proof system, zero-knowledge proof device, zero-knowledge verification device, zero-knowledge proof method and program therefor |
Country Status (4)
Country | Link |
---|---|
US (1) | US20110246779A1 (ja) |
EP (1) | EP2378706A4 (ja) |
JP (1) | JPWO2010067820A1 (ja) |
WO (1) | WO2010067820A1 (ja) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR3018378A1 (fr) * | 2014-03-12 | 2015-09-11 | Enrico Maim | Transactional system and method with distributed architecture based on transactions transferring units of account between addresses |
WO2016179525A1 (en) | 2015-05-07 | 2016-11-10 | ZeroDB, Inc. | Zero-knowledge databases |
US11265165B2 (en) * | 2015-05-22 | 2022-03-01 | Antique Books, Inc. | Initial provisioning through shared proofs of knowledge and crowdsourced identification |
FR3059802B1 (fr) * | 2016-12-07 | 2018-11-09 | Safran Identity & Security | Method for generating an electronic signature of a document associated with a digest |
EP3698514B1 (en) | 2017-10-19 | 2024-02-21 | Autnhive Corporation | System and method for generating and depositing keys for multi-point authentication |
US10903997B2 (en) | 2017-10-19 | 2021-01-26 | Autnhive Corporation | Generating keys using controlled corruption in computer networks |
US20210233064A1 (en) * | 2018-06-06 | 2021-07-29 | Enrico Maim | Secure transactional system in a p2p architecture |
US10721069B2 (en) | 2018-08-18 | 2020-07-21 | Eygs Llp | Methods and systems for enhancing privacy and efficiency on distributed ledger-based networks |
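CN110995438B (zh) * | 2019-10-24 | 2022-07-12 | 南京可信区块链与算法经济研究院有限公司 | Non-interactive zero-knowledge proof method, system, and storage medium |
CN114880109B (zh) * | 2021-12-15 | 2023-04-14 | 中国科学院深圳先进技术研究院 | Data processing method, device, and storage medium based on a CPU-GPU heterogeneous architecture |
CN114880108B (zh) * | 2021-12-15 | 2023-01-03 | 中国科学院深圳先进技术研究院 | Performance analysis method, device, and storage medium based on a CPU-GPU heterogeneous architecture |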
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
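JP2000067141A (ja) | 1998-08-25 | 2000-03-03 | Nippon Telegr & Teleph Corp <Ntt> | Electronic money transfer method, device therefor, and program recording medium therefor |
JP2003218858A (ja) | 2002-01-25 | 2003-07-31 | Nippon Telegr & Teleph Corp <Ntt> | Signature generation method, signature verification method, signature generation device, signature verification device, signature generation program, signature verification program, storage medium storing the signature generation program, and storage medium storing the signature verification program |
JP2005252349A (ja) * | 2004-03-01 | 2005-09-15 | Japan Process Development Co Ltd | Pseudo zero-knowledge proof method |
JP2006077701A (ja) | 2004-09-10 | 2006-03-23 | Matsushita Electric Ind Co Ltd | Hermetic compressor |
WO2006077701A1 (ja) * | 2005-01-21 | 2006-07-27 | Nec Corporation | Signature device, verification device, proof device, encryption device, and decryption device |
WO2007007836A1 (ja) * | 2005-07-13 | 2007-01-18 | Nippon Telegraph And Telephone Corporation | Authentication system, authentication method, proving device, verification device, programs therefor, and recording medium |
JP2007503134A (ja) | 2003-08-15 | 2007-02-15 | 株式会社エヌ・ティ・ティ・ドコモ | Method and device for authenticating a data stream with adaptively controlled loss |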
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3456993B2 (ja) * | 1991-02-07 | 2003-10-14 | トムソン マルチメデイア ソシエテ アノニム | Method for performing identification and/or digital signature, and identification device and verification device |
FR2700430B1 (fr) * | 1992-12-30 | 1995-02-10 | Jacques Stern | Method for authenticating at least one identification device by a verification device, and device for implementing it |
FR2714780B1 (fr) * | 1993-12-30 | 1996-01-26 | Stern Jacques | Method for authenticating at least one identification device by a verification device |
US6011848A (en) * | 1994-03-07 | 2000-01-04 | Nippon Telegraph And Telephone Corporation | Method and system for message delivery utilizing zero knowledge interactive proof protocol |
US6108783A (en) * | 1998-02-11 | 2000-08-22 | International Business Machines Corporation | Chameleon hashing and signatures |
US6857024B1 (en) * | 1999-10-22 | 2005-02-15 | Cisco Technology, Inc. | System and method for providing on-line advertising and information |
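JP4298146B2 (ja) * | 2000-08-22 | 2009-07-15 | キヤノン株式会社 | Information processing apparatus and method for generating print data |
JP4306232B2 (ja) * | 2002-11-25 | 2009-07-29 | 日本電気株式会社 | Proof system and evaluation system |
JP4940592B2 (ja) * | 2005-08-11 | 2012-05-30 | 日本電気株式会社 | Proving device and verification device applied to deniable zero-knowledge interactive proof |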
-
2009
- 2009-12-09 WO PCT/JP2009/070605 patent/WO2010067820A1/ja active Application Filing
- 2009-12-09 JP JP2010542116A patent/JPWO2010067820A1/ja not_active Withdrawn
- 2009-12-09 EP EP09831924.7A patent/EP2378706A4/en not_active Withdrawn
- 2009-12-09 US US13/133,110 patent/US20110246779A1/en not_active Abandoned
Non-Patent Citations (2)
Title |
---|
"Claus-Peter Schnorr. Efficient Signature Generation by Smart Cards", J. CRYPTOLOGY, vol. 4, no. 3, 1991, pages 161 - 174 |
See also references of EP2378706A4 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
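KR102169592B1 (ko) * | 2020-04-07 | 2020-10-23 | 장예위 | Proof tool sharing system |
CN113794567A (zh) * | 2021-09-13 | 2021-12-14 | 上海致居信息科技有限公司 | Synthesis acceleration method and device for a SHA256 hash algorithm zero-knowledge proof circuit |
CN113794567B (zh) * | 2021-09-13 | 2024-04-05 | 上海致居信息科技有限公司 | Synthesis acceleration method and device for a SHA256 hash algorithm zero-knowledge proof circuit |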
Also Published As
Publication number | Publication date |
---|---|
JPWO2010067820A1 (ja) | 2012-05-24 |
EP2378706A1 (en) | 2011-10-19 |
EP2378706A4 (en) | 2017-06-28 |
US20110246779A1 (en) | 2011-10-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 09831924 Country of ref document: EP Kind code of ref document: A1 |
|
REEP | Request for entry into the european phase |
Ref document number: 2009831924 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2009831924 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2010542116 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13133110 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |